Unsigned executable in PrivateFrameworks/RemotePairing.framework: RemotePairingDataVaultHelper

Question

Created Oct ’23

Replies 1

Boosts 0

Participants 2

I have discovered this executable, RemotePairingDataVaultHelper, is not validly signed. This was brought to my attention while experimenting with Google's Santa (https://santa.dev). Has anyone else come across this or something similar? I want to know if this executable can be trusted or if it should be suspected of corruption. Malwarebytes and ClamXAV do not report a virus within the RemotePairing.framework. I am running macOS 14.0 (23A344) on a Mac Studio 2023 with an Apple M2 Ultra processor.

Here is what I get with codesign:

(python-3.11)zsh % codesign -v /Library/Apple/System/Library/PrivateFrameworks/RemotePairing.framework/Versions/A/Resources/bin/RemotePairingDataVaultHelper /Library/Apple/System/Library/PrivateFrameworks/RemotePairing.framework/Versions/A/Resources/bin/RemotePairingDataVaultHelper: invalid Info.plist (plist or signature have been modified) In architecture: arm64e

(python-3.11)zsh % codesign -dvvv /Library/Apple/System/Library/PrivateFrameworks/RemotePairing.framework/Versions/A/Resources/bin/RemotePairingDataVaultHelper Executable=/Library/Apple/System/Library/PrivateFrameworks/RemotePairing.framework/Versions/A/Resources/bin/RemotePairingDataVaultHelper Identifier=com.apple.CoreDevice.RemotePairingDataVaultHelper Format=Mach-O universal (x86_64 arm64e arm64) CodeDirectory v=20400 size=1290 flags=0x0(none) hashes=29+7 location=embedded Hash type=sha256 size=32 CandidateCDHash sha1=8976226501f2cbf161e3d7559b3ccb038e83669a CandidateCDHashFull sha1=8976226501f2cbf161e3d7559b3ccb038e83669a CandidateCDHash sha256=5afa3b8c21c1c48d725fde5c039ecb0a98c12627 CandidateCDHashFull sha256=5afa3b8c21c1c48d725fde5c039ecb0a98c126276fab3d55a5b28d29c72c7158 Hash choices=sha1,sha256 CMSDigest=23c24570be68e98aa95c9152004324d5ea81e85705bc747ac42cbb7e02bef9be CMSDigestType=2 CDHash=5afa3b8c21c1c48d725fde5c039ecb0a98c12627 Signature size=4493 Authority=Software Signing Authority=Apple Code Signing Certification Authority Authority=Apple Root CA Info.plist=not bound TeamIdentifier=not set Sealed Resources=none Internal requirements count=1 size=100

Boost

Answer 1

DTS Engineer OP

Apple

Oct ’23

Well, that’s certainly weird. I recommend that you report it as a bug

Please post your bug number, just for the record.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0