This week VMware released Fusion
11.5 . Fusion is VMware’s virtualisation software for macOS. The update, among other things, addresses a bug which would cause the code signature of the VMware Fusion application bundle (
.app) to be broken after applying updates.
To upgrade to Fusion
11.5 you’ll need to download a package from VMware, you can’t update via the builtin software updated because it suffers from the bug. You can get the
11.5 installer from vmware.com/go/getfusion.
When upgrading Fusion, Fusion would download updated files from the update server and combine them into a new
VMware Fusion.app. Adding these new files breaks the code signature.
On Christmas Eve 2018 I was writing a bash script to check the code signing status of every application bundle on my system.
The script gets a list of all application bundles by
system_profiler SPApplicationsDataType, for each application it checks their code signature by executing
I noticed that it was reporting VMware Fusion 11 (
11.0.2) as not being properly signed, specifically
pkgutil gave the following error.
Package "VMware Fusion.app": Status: package is invalid (checksum did not verify)
I assumed this was an error with
pkgutil or that I’d accidentally modified
VMware Fusion.app and broken the signature. I decided to see if it was reproducible so I went on to Abertay Ethical Hacking Society’s Slack and jumped in the #mac channel.
Ninji was kind enough to attempt to reproduce it for me. They ran the
pkgutil command and the signature was fine. They then realised that they had Fusion
11.0.0 so they updated to
11.0.2 and reran the
pkgutil command and sure enough the signature was broken.
I had a very positive experience disclosing this issue to VMware. They were prompt in their replies and happy to share technical details of what they learned about the bug and their fix.
In an email on January 26th VMware indicated that the fix wasn’t straightforward and would be shipped in the next major release. They asked me to wait until the fix was available before publicly disclosing which I agreed to.
The bug is listed in the “Resolved Issues” section of the
11.5 release notes.
- December 24th - Discovered and reported
- December 25th - Report acknowledged
- January 26th - Bug confirmed by VMware
- May 10th - VMware confirmed the bug would be fixed in the next major release in September
- September 6th - VMware confirm the major release is out in the second half of September
- September 16th - Update is released
- September 21nd - I publicly disclose the bug