
Chapter 12. Keychain Scripting and Apple Verifier

Mac OS 9 ships with a number of applications and files that help users protect their files, folders, and passwords from intruders. Apple Computer groups these technologies under the Apple Data Security umbrella term. These software tools include:

  • The Apple Verifier program, which verifies files that have been digitally signed

  • Apple File Signer software for applying digital signatures to files (this is only available in the Security Software Developers Kit)

  • Apple File Security, which you can use to encrypt and decrypt files

  • The Keychain Access control panel and Keychain Scripting, which involve the storage of passwords in a secure repository or database called a keychain file

  • Several extension files in the startup disk:System Folder:Extensions folder, including Security Cert Module, Security Library, Security Manager, Security Policy Module, and Security Storage Module

Look in the startup disk:Applications:Security folder and you will find the Apple File Security and Apple Verifier programs. Apple File Security allows you to encrypt and decrypt files using a passphrase of five or more characters that you create. You must remember this passphrase unless you have used Keychain Access with the file encryption, which is explained later in this chapter. Encryption mathematically scrambles the file data into a hodge-podge of nonsensical ASCII characters that look like Example 12-1, which is part of this paragraph after it was encrypted. For unintended or malicious recipients who do not have your passphrase, it is extremely difficult, if not impossible, to break the code and decipher the encrypted file.

Example 12-1. A Sample Portion of an Encrypted File
_!Åm¿__-#8_ÁÎ>°CºE_$ëBj,/Z.·,©._fnB,"VS'íu,>…£1Ë-_éSI_{_ÇRôY] *oe}g_
Z2<Ú¯e)EifÍ3&bEa_Ü__E,â#@aÍ'ÌÌ·k_m].¿__'__AQHuè·Ë…e>>é¤>/_>¯>Ø>_>=_>S>
N-

Just open a file from Apple File Security's File menu, and it will prompt you for a password before encrypting it. You can also encrypt a file from the Finder's File menu in Mac OS 9. Finally, you can just drag the file over the Apple File Security icon and it displays the dialog window that Figure 12-1 shows. If you checked the "Add to Keychain" checkbox when you encrypted the file (see Figure 12-1), then you can just double-click the file later to decrypt it (return it to its readable and insecure state). If you did not add the passphrase to a keychain, then you have to recall the password to decrypt it. Otherwise, no one (including Apple's engineers) will be able to help you decrypt the file. So do not encrypt that email exonerating you and your company from abusing a software monopoly unless you plan to remember the passphrase.

Figure 12-1. Apple File Security adds an encrypted file passphrase to a keychain

Apple File Security is not scriptable with Mac OS 9, but another security program that works closely with Apple's encryption method can be used with AppleScript—Keychain Access. This is a control panel, but its scripting functions are accessible through the Keychain Scripting software tucked away with the scripting additions in the startup disk:System Folder:Scripting Additions folder. Figure 12-1 shows the checkbox that allows you to add a passphrase for an encrypted file to a keychain. Again, in Mac OS 9, a keychain is a password file or database that is stored in encrypted form in startup disk:System Folder:Preferences:Keychains. You can have one or more keychains as long as you give them unique names. The keychain is designed to provide automatic passwords for:

  • Logging on to an AppleTalk or AppleShare IP server (i.e., a computer that you are connected to via Ethernet)

  • Decrypting a file that has been encrypted using Apple File Security

  • Logging in to a remote web site

  • Usage by a software program

  • Accessing a digital certificate that you have added to a keychain

Not all of this functionality (e.g., using Keychain Access with web sites) was widely available by Winter 2001, but keychains are very useful with files and AppleShare servers. For example, once you have added an AppleShare key to a keychain, you can mount the specified volume simply by clicking a button (it says "go there") in Keychain Access's Get Info window for that AppleShare key. Again, Keychain Access is a control panel that is located in startup disk:System Folder:Control Panels.

Apple Verifier is the other scriptable security application that this chapter describes. Another part of Apple Data Security services is Apple Code Signing. Apple Code Signing is a new Mac OS 9 technology that allows developers to digitally sign applications, plug-ins, and content. Digital certificates are unique IDs that you can apply to software (such as a program that you have coded) so that the software's recipients can be sure that it came from you (and so that you cannot deny that it came from you!). Apple Code Signer is another security program that is only distributed with the Apple Security Software Development Kit. Software security and cryptography are very interesting but large subjects, so I recommend that you try external information sources to learn more about them.

Pretty Good Privacy is freeware software for strong encryption (there is a commercial version also). There is a Macintosh version that will work with your email program to encrypt email. The PGP international site has some good documentation on software encryption at http://www.pgpi.org/doc/. Apple Computer's security site is http://developer.apple.com/macos/security.html. You can obtain the Apple Security SDK at ftp://ftp.apple.com/developer/Development_Kits/Security_SDK.sit.hqx. The following sites describe and tell you how to obtain digital certificates: http://www.thawte.com and http://www.verisign.com.

This chapter will describe AppleScripting with Keychain Scripting and Apple Verifier, which is Apple Computer's program for checking the digital signatures of files or programs that you download from some potentially insecure source such as the Web.
