A Quick Update on Zoom Code Signing
A quick update to my previous post on Zoom security.
Per @scotteh and @patrickwardle, you can still unsign the app and load any dylibs you like:
Sure!
a) Unsign (via --remove-signature)
b) Load any dylibs 🤭
e.g.
DYLD_INSERT_LIBRARIES=zoomzoom.dylib /Applications/zoomzoom.us.app/Contents/MacOS/zoom.us
You'll have to (re)grant access to mic/webcam and notarization would be an issue if you (re)distribute though... pic.twitter.com/RReUqvXF6S
— patrick wardle (@patrickwardle) April 16, 2020
Maybe I don’t understand code signing, spctl or Gatekeeper well enough.
Gatekeeper is on, spctl says rejected, but Zoom still opens after removing the signature… 🧐
james@Jamess-iMac: ~
$ spctl --status -v
assessments enabled
developer id enabled
james@Jamess-iMac: ~
$ spctl --assess --verbose=4 /Applications/zoom.us.app/
/Applications/zoom.us.app/: accepted
source=Developer ID
james@Jamess-iMac: ~
$ sudo codesign --remove-signature /Applications/zoom.us.app/
james@Jamess-iMac: ~
$ spctl --assess --verbose=4 /Applications/zoom.us.app/
/Applications/zoom.us.app/: rejected
source=no usable signature
james@Jamess-iMac: ~
$ o /Applications/zoom.us.app/
james@Jamess-iMac: ~
$ echo $?
0
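The session above shows that a successful launch says nothing about the state of the signature, so a defender has to check it directly. The following is an added example, not part of the original post: it classifies app bundles using the same `codesign` and `spctl` tools, and the function names `audit_app` and `audit_dir` are hypothetical.

```sh
#!/bin/sh
# Added example (not from the original post): report app bundles whose
# signature is missing, broken, or rejected by the Gatekeeper policy.
# audit_app and audit_dir are hypothetical helper names.

# Print one state for a bundle: ok | unsigned | invalid | rejected.
# Returns 0 only for "ok".
audit_app() {
    app=$1
    # codesign --verify exits non-zero when the seal is absent or broken;
    # its diagnostic goes to stderr, so capture both streams.
    if ! cs_out=$(codesign --verify --deep --strict "$app" 2>&1); then
        case $cs_out in
            *"not signed at all"*) echo unsigned ;;  # e.g. after --remove-signature
            *)                     echo invalid ;;   # modified after signing
        esac
        return 1
    fi
    # A valid seal can still fail policy; spctl exits non-zero on "rejected".
    if ! spctl --assess --type execute "$app" >/dev/null 2>&1; then
        echo rejected
        return 1
    fi
    echo ok
}

# Audit every *.app in a directory (default /Applications).
# Prints "state<TAB>path" for each failing bundle; returns 1 if any failed.
audit_dir() {
    dir=${1:-/Applications}
    bad=0
    for app in "$dir"/*.app; do
        [ -e "$app" ] || continue
        state=$(audit_app "$app") || {
            printf '%s\t%s\n' "$state" "$app"
            bad=1
        }
    done
    return "$bad"
}
```

Running `audit_dir` with no argument scans /Applications; a non-zero return means at least one bundle needs a closer look.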