Apparency

Release History

The table below summarizes the released versions of Apparency, and what fixes and enhancements were made to each version. You can determine the version you have installed from Apparency > About Apparency.

Release History for Apparency
Version Changes
2.0 (426) Released on May 24, 2024
  • You can now use AppleScript to automate Apparency. Read about what you can do with AppleScript and Apparency, or use Help > Open Scripting Dictionary to browse Apparency's terminology, along with many example scripts.
  • Improved performance when opening components, especially for large or complex apps. Apparency now does more of its analysis in the background, which means the window will open more quickly, and the app shouldn't SPOD while doing analysis. Also, the top-level component is now given priority to start signature verification, so that this most-likely-to-be-interesting information is shown as soon as possible.
  • When opening a Developer ID-signed app, Apparency will now request an updated notification ticket from Apple servers before evaluating the Notarization and Gatekeeper status. This is to avoid a misleading Unnotarized Developer ID status on an app that actually is notarized, but that wasn't “stapled” and hasn't been launched yet. [Read More]
  • Made searching of de facto “code places” more obvious: Apparency now shows a Look in De Facto Code Places button at the bottom of the component browser, which will find and analyze any components in these non-standard locations — without having to close and re-open the window, or having to re-start signature verification for previously-found components.
  • Added option to Always look for components in de facto “code places” under Apparency > Preferences > General. In most cases, this doesn't detract much from the performance of analyzing the app. But for especially large or complex apps (like Xcode), it can still be noticeable, which is why we don't enable this by default. (You can always enable this on a per-app basis, either via the mechanism above, or using the File > Open options.)
  • Added a status bar under the component browser, showing the total number of components, the current selection count, and the progress of loading and verifying the component code signatures.
  • Enhanced File > Open System Component to look for system apps and executables in standard paths like /usr/bin, /usr/libexec and /System/Library/CoreServices. This provides an easy way to open system components from locations that are difficult or laborious to reach from the File > Open dialog.
  • Added Apparency > Preferences > Locations, for configuring where Apparency finds system components for the File > Open System Component command, as well as for customizing which string literal sections Apparency searches in Mach-O executables (for both the File > Open System Library with String Literal command and the Component > Show String Literals from Executable inspector).
  • Added Component > Analyze Executable Using Hopper Disassembler with Architecture, which allows you to start Hopper analysis on something other than the current (active) architecture. This can be handy where you're better versed in the other instruction set, or where Hopper produces better disassembly or decompilation results for that architecture. Alternatively, add the Control key to the usual shortcut — that is, Control-Shift-Command-D — to quickly analyze the inactive architecture from an executable (at least where there is only one inactive).
  • Worked around a macOS bug (reported as FB13681128) that would prevent dragging from the Apparency-generated Quick Look preview in the Finder's Preview pane. [Read More]
  • Fixed a bug where a component that has different hardened runtime versions for different architectures would show a Conflicting signatures status for Hardening. This was accurate but confusing; now it will simply show that hardening is enabled, without any version info. (This usually won't occur for apps built with the Xcode toolchain, because the runtime version is based on the SDK in use, but other build tools can produce this situation.)
  • Fixed a bug where the app might show a Conflicting signatures status, but the Quick Look preview showed a different (non-conflicting) status. In such cases, the app was correct about the conflict; the preview was erroneously showing the status for only the active architecture. Now the preview will also show any conflicts, consistent with the app.
  • The appy CLI tool can now be used to open multiple components with a single command.
1.8.1 (346) Released on February 29, 2024
  • Deliver results faster when typing in the Open System Library with String Literal window.
  • Fixed a bug where a visionOS component was reported as requiring a version of watchOS.
  • Fixed a bug that would cause some macOS-defined launchd jobs to be missing from the Launch Information inspector, when the associated component was opened — which could be particularly confusing if you got there by using Open System Component and matched on a launchd job definition.
1.8 (342) Released on February 11, 2024
  • Added File > Open System Component (Control-Cmd-O), which allows you to open a component of macOS itself, by searching for a specific name (or portion thereof). This can be used to open:
    • system frameworks (including those in PrivateFrameworks);
    • system dylibs, even those moved into the DYLD shared cache and not actually on disk; and
    • system executables started as launchd jobs.
    After typing a name, simply pick the desired component from the list to open it. [Read More]
  • Added File > Open System Library with String Literal (Shift-Control-Cmd-O), which also allows you to open a system framework or dylib, but by searching for a specific string embedded in the library. This is similiar to searching the output of strings(1), at least in concept, but it works on (the vast majority of) system libraries that have been moved into the DYLD shared cache. [Read More]
  • Added Component > Analyze Executable Using Hopper Disassembler (Shift-Cmd-D), which points Hopper at the selected component's executable, and automates through the various Hopper loading option dialogs. This even works for system frameworks that have been moved into the DYLD shared cache, thanks to Hopper's ability to read that cache — and support for using AppleScript to automate it. [Read More]
  • From the Executable Information inspector, you can now directly open any of the system frameworks or libraries in a new Apparency window. Under Dynamically Linked Libraries, select a library and choose Open Library in Apparency — or just double-click. This works only for libraries that are referenced by an absolute path (not @rpath or other DYLD variable paths, which are probably somewhere else in the current window anyway).
  • Ability to open system dylibs that have been moved into the DYLD shared cache, and thus don't even exist on disk, such as /usr/lib/libobjc.A.dylib. Although you can't use the File > Open dialog for these — there's nothing to choose! — there are several other ways to open these:
    • use File > Open System Component and type the base name of the library, such as “libobjc”: you can then select the library to open;
    • if you have an opened component that uses that library, open the Executable Information inspector and double-click on the library; or
    • if you know the canonical path for the library, use the appy command line tool.
    Whichever way you open the dylib, you can see its linked libraries, examine its embedded strings (see below) and/or pass it to Hopper for reverse engineering.
  • Added Component > Show String Literals from Executable (Shift-Option-Cmd-X). This inspector shows the constant strings that are built into the Mach-O executable. This is similar to what you'd get by running strings(1), although Apparency doesn't look for strings as aggressively (or heuristically) as strings(1). Apparency searches only in Mach-O sections that are declared to contain NULL-terminated C strings. You can filter and sort the list of strings in various ways, which can be helpful when you are reverse engineering an executable. Importantly, you can use this inspector on a framework or dylib that has been moved into the DYLD shared cache. [Read More]
  • Enhanced the File > Open > Look for components in de facto “code places” option to be more aggressive about finding bundles and/or code in non-standard places. This mode is a tradeoff between completeness and performance, but we may have overstressed performance in the past. Now, in addition to searching the Resources folder, it will also search non-standard directories at the top-level of the bundle Contents. Whether there are any such places varies with the app: most have none, some have a few, Xcode has many. Note that if you enable this option on a particularly large and complex app (like Xcode), you may experience a delay before the Apparency window appears (one reason that we don't turn this on by default).
1.7 (316) Released on November 5, 2023
  • Enhanced the Launch Information inspector to show implicit launch constraints, which are those associated with the components of macOS itself. Open a macOS component in Apparency, and use Component > Show Launch Information to see the constraints that apply. Use Window > Implicit Launch Constraints to see all of the implicit constraints defined by macOS. Props to Csaba Fitzl for reverse-engineering and documenting this mechanism.
  • Improved the handling of components that are ad hoc-signed by the macOS linker. The linker does this signing to meet the Apple Silicon requirement that all executables have a code signing digest, or cdhash. This used to be shown as having Conflicting signatures, which was technically accurate (because the Intel code is usually unsigned) but was nevertheless confusing. Now, in the most typical case of linker signing, the Signed By will be Linker (Ad-Hoc).
  • Enabled the Show Code Signature button (on the toolbar or the info pane) for more cases of Conflicting signatures, especially those involving ad-hoc signatures. This allows you to see the details for each processor architecture. For example, this can be useful on certain apps exported by Script Debugger's Export Run-Only command.
  • For macOS Sonoma “web apps” — created in Safari using File > Add to Dock — Apparency now shows a Kind Detail of “Safari Web App” in the info pane.
  • Fixed a bug where certain macOS frameworks wouldn't open correctly, showing the error bundle format is ambiguous (could be app or framework). This could happen after a macOS update, if the framework now resides on a a “cryptex” rather than on the Signed System Volume. (This can happen with Rapid Security Response updates, but also with updates like Safari, which installs new versions of WebKit and related frameworks.) Apparency will now correctly recognize the special status of macOS system frameworks, even on the cryptex volume.
  • Fixed a bug where opening a component using the “appy” command-line tool could silently fail, especially if the given path happens to be a symbolic link, such as /Applications/Safari.app (which links to a path on a “cryptex” volume). Apparency will now properly open the target of the symlink — or will show an error if it can't do so.
  • Removed support for macOS 11 (Big Sur).
1.6.1 (294.3) Released on October 20, 2023
  • Fixed a bug that could cause Apparency to crash on startup, if you happened to have an installed launchd job in which the definition plist has a Program key with an unexpected type. Apparency reads all of the launchd job definitions to associate them with components, for showing in the Launch Information inspector. However, it dealt badly with some technically-out-of-spec keys that don't seem to bother launchd. Now Apparency is more circumspect.
1.6 (294) Released on September 23, 2023
  • Compatibility updates for macOS 14 (Sonoma).
  • Added new Launch Information inspector, which shows:
  • The info pane now shows the number of Launchd Jobs that reference the selected component; if there are any, you can click the link button to open the Launch Information inspector for more details.
  • Improved the Kind Detail (in the info pane) for a number of newer App Extension types, and fixed a few types that had been incorrectly described.
  • When inspecting an Info Property List, Entitlements or a Launchd Job Definition, you can Control-click on an item (dictionary key or array item) to copy various bits to the clipboard: the key, the value or a new property list with just that item, in XML format. For Info Property List files, you can also copy the plutil(1) or PlistBuddy(8) command that would extract that value from the property list, for pasting into Terminal or using in scripts.
  • When searching an Info Property List, Entitlements or a Launchd Job Definition, recent search terms will now be preserved across components and app launches.
  • Added support for opening an xcframework: this allows you to inspect the code signature on the xcframework itself (encouraged with Xcode 15 workflows), and examine the individual frameworks that it contains for each platform.
  • When generating Quick Look previews, Apparency will now skip verification of the code signature if it might take any meaningful amount of time. Previously, the Quick Look preview used the same heuristics as the app, but it is just too easy to trigger an unwanted preview request for a large app, just by clicking around in the Finder or an Open panel. You might click away immediately, but macOS doesn't notify us that the preview was cancelled, and so our Quick Look Preview extension process — which, in Activity Monitor, might be called Open and Save Panel Service (Apparency) or Apparency (Finder) — can churn through a lot of CPU to produce a preview that nobody wants! This might result in some Quick Look previews — ones that you do want — showing Skipped verification due to size; if this occurs, click Open with Apparency to see the verification results in the app.
1.5.1 (285) Released on April 4, 2023
  • Added the required (minimum) macOS version to the info pane (and also to the Quick Look preview). This is extracted from the Info.plist, or failing that, the Mach-O binary deployment target version. If there are different requirements for different architectures, Apparency will show the oldest supported version: if you require more detail, you can use Component > Show Info Property List, and/or Component > Show Executable Information. [Read More]
  • Improved explanation for a code signature with an expired certificate: we no longer claim the certificate is “not trusted by macOS” since it clearly is (for some purposes), but instead explain that macOS mostly doesn't care. We also show the expiration date more prominently.
  • Added Component > Open Component With Archaeology, for when you need a lower-level view of a bundle or Mach-O executable.
1.5 (277) Released on October 22, 2022
  • Compatibility updates for macOS 13 (Ventura), including:
    • Recognize new bundled helper daemons and agents (managed via the new SMAppService API) If Apparency finds launchd plists in Contents/Library/LaunchAgents or Contents/Library/LaunchDaemons, it will ensure that the referenced helper binary is shown as a component, with a kind of “Background app service agent” or “Background app service daemon.” If you select such a component, you can use Component > Show Launchd Configuration to view the associated launchd job definition plist.
    • Fix a problem where opening a system framework (whose binary has been moved to the DYLD Shared Cache) would produce a “bundle format is ambiguous” message. (Apple changed the bundle structure of these system frameworks again, so that now instead of missing a top-level binary symlink, as on Big Sur and Monterey, they have a broken symlink at that location.)
    • Stubbornly refuse to let our Preferences menu item be renamed to “Settings.” Sure, it's very generous of Apple to to automatically change this one string for us, but the menu item is referenced in dozens of other places in our alerts and documentation, and we just don't see the value in changing every one of those and having them be wrong for users on Monterey and Big Sur...
  • Fixed a bug where a code signature might have been incorrectly reported as valid if the executable was corrupted (or tampered with) only for an inactive processor architecture. For example, if you were running Apparency on an Apple Silicon Mac, and select a component that has both Apple Silicon — 64-bit and Intel — 64-bit support, and if the Apple Silicon part was valid but the Intel part was corrupted, Apparency would show the signature as verified. Now it will properly report Can't verify signature in this case. Use Component > Show Code Signature to see details for each architecture.
  • Fixed a bug where a code signature from an expired certificate was properly shown as such, but the Gatekeeper status was evaluated as if the signature was trusted, which was confusing. Now the Gatekeeper status is shown as Can't evaluate in such cases.
  • Added Component > Quick Look Component to show an inline preview of the selected component. Although this isn't especially useful for bundles and Mach-O executables (where it tends to produce a preview generated by Apparency itself), it can be useful when an app contains script components that are previewable as text. (You might need to enable searching in de facto “code places” in order to see such scripts.)
  • When requesting Quick Look previews, Apparency tries to “convince” macOS to choose a better preview extension for some files, by making a temporary copy with an adjusted file name. For example, a Perl script named installcli might be uselessly previewed as a Unix Executable File, but Apparency knows it's a Perl script (from the #! directive) and will ask Quick Look to preview it as installcli.pl instead -- thus showing the actual source text of the script. When this trick is used, Apparency will show a pencil icon next to the file name at the top of the preview: click this for details about the file kinds that Apparency inferred and how it renamed the temporary copy.
  • When holding down Option to use Component > Show Executable in Finder, or Edit > Copy Path for Executable, the executable path for a framework will be resolved of symlinks, so that one gets directly to the versioned executable.
  • Tweaked the validation of App Store receipts so that the Receipt Verified status — shown in Component > Show App Store Receipt — more closely matches the result of modern Apple sample code.
  • Removed support for macOS 10.15 (Catalina).
1.4.1 (218) Released on March 14, 2022
  • Added File > Show Entitlements for All Executables (Command-Control-A) to show a single “merged” view of all entitlements across all components of an app. You can also select an entitlement and copy the identifying information for all components that request it, in a form that can be pasted directly into a PPPC Profile. [Read More]
  • Tries harder to avoid showing “stale” component information — especially version strings — when an app has been recently updated. This was an issue with macOS caching of bundle information. The Quick Look preview was especially susceptible, since the lifetime of our app extension process is completely under the control of the Quick Look mechanism. We believe that stale info is less likely to appear now, but there may still be circumstances where Quick Look previews themselves are cached.
  • Make the Quick Look preview activate for more file kinds, including App Extensions (such as those for sharing, photo editing or widgets), Network Extensions, Endpoint Security Extensions and DriverKit Extensions. These are mostly only buried inside app bundles, but it can still be useful to Quick Look them from Suspicious Package.
  • Find components in Contents/Library/LaunchServices — these are usually “privileged helper tools,” which the app can install (with password authorization) via the ServiceManagement framework. If such a component has an embedded launchd plist — as is required by ServiceManagement — this can be viewed using Component > Show Launchd Configuration.
  • Find components in Contents/Applications as an additional de facto “code place”.
  • More standard Info.plist and entitlement keys are linked to Apple documentation, via Open Apple Documentation for Key button.
  • Recognize apps with TestFlight signatures as Apple-signed code, akin to App Store signing.
  • Addition of “appy” command-line tool, for quickly opening an item in Apparency from the Terminal. See Help > About the Command-Line Tool for installation instructions.
1.4 (175) Released on December 7, 2021
  • Make the Quick Look preview activate for more file kinds, including standalone (old-style) Quick Look generators, (old-style) Spotlight importers, generic bundles and kernel extensions. [The latter works only on macOS 11 (Big Sur) or later, since kernel extensions finally got a system-defined UTI in the same release that deprecated them!]
  • Show the component Kind in the Quick Look preview, and fix several issues around the display of the icon, executable information and sizing for certain standalone executable types, such as Mach-O dylibs and shell scripts.
  • Various fixes to make Quick Look previews from Suspicious Package more clear and useful, and to ensure that items exported from a package are presented properly, even if found in a temporary directory -- as will be the case for items auto-exported by Suspicious Package for previewing, and then opened in Apparency proper.
  • Added an option to look for components in de facto “code places”.
  • The attributes on the info pane are more universally selectable and copyable. [Read More]
  • Improved handling when opening the main executable of a bundle directly, e.g. opening X.app/Contents/MacOS/X instead of X.app.
  • Improved handling of certain Apple-signed software where the code signature couldn't be verified due to “custom omit rules.”
  • Additional detail for Component > Show Notarization Ticket, including the actual notarized hashes and how they map onto architecture-specific components within the app.
  • Removed support for macOS 10.14 (Mojave).
1.3 (130) Released on August 28, 2021
  • Compatibility updates for macOS 12 (Monterey), including:
  • In the info pane, allow the Identifier, Version and Signed By values to be selected and, therefore, copied.
  • Fixed a bug where an app's main executable might show up as a separate component. (This would happen only when the app was on the data volume of a system volume group other than the booted one.)
  • Fixed a bug where the Edit and Component menu items related to shared app group containers might not be visible through the Accessibility interface — which could also impact apps such as Many Tricks Menuwhere.
  • Fixed a bug where the search field in the Entitlements inspector could stop working after changing processor architectures.
  • More quickly stop any running code signature verification when closing an Apparency window. Unfortunately, the code signing API limits how efficiently we can stop verification that is already under way, but Apparency is now better about not starting irrelevant verification work after the window is closed.
  • Squashed some memory leaks in the determination of Gatekeeper policies.
1.2 (118) Released on March 7, 2021
  • Runs natively on Apple Silicon Macs.
  • Improved compatibility with macOS 11 (Big Sur), including:
    • Adopted the new “unified” style for the toolbar, and updated the icons to fit in better with the general Big Sur “design language” — especially when the toolbar is configured for Icon Only mode.
    • Updated to a new iOS-style Big Sur-style app icon. We're still not fans, but since our app icons were all circles before, we can't get too snotty about them all being “squircles” now. Having every icon on the system be the same shape seems a dubious improvement to macOS, but our icons aren't going to change anything.
    • Fixed other display and icon issues throughout the app.
  • Added Component > Show Provisioning Profile, which will be enabled for certain apps that use iCloud or other services and features that Apple restricts more tightly, at least outside of the App Store. (A provisioning profile is also used to restrict an app to running on specific devices, but this much less likely for macOS apps than for iOS ones.)
  • Where an app has a provisioning profile, Components > Show Entitlements will show which entitlements are provisioned and which are not (and which do not require provisioning). This appears as an icon in the last column.
  • Added Component > Show App Store Receipt, which will be enabled for any app installed from the Mac App Store. This allows you to see attributes of the receipt, including original purchase attributes, and to examine the validity of the receipt and the Apple signature thereon. If a receipt is found, File > Show in App Store will show the product page for the app in the App Store.
  • Added handling of a notarization ticket, where one is “stapled” to the main app bundle. Where this is found and verified, you'll see the Notarization given as Granted — Stapled Ticket for the component called out in the ticket. You can also use Component > Show Notarization Ticket to examine the Apple signature on the ticket.
  • Added Component > Show App Container in Finder, and Edit > Copy Path for App Container, for apps and other components that use the App Sandbox. The app container can also be revealed using the new Show Container toolbar button.
  • Added Component > Show Group Container in Finder, and Edit > Copy Path for Group Container, for components that opt into shared app groups.
  • Added recognition of System Extensions (such as Network Extensions and Endpoint Security extensions) as components that can exist inside an app bundle, and improved determination of the Kind Detail for various extension kinds.
  • Improved checking and reporting of the trust associated with code-signing certificates. Component > Show Code Signature now describes the category of certificate, from amongst the various types that can be issued or used by Apple, as well as other signature- and certificate-related attributes. It also more clearly shows when certificates have expired (in the absence of a verified signing time).
  • From the Executable Information sheet, allow Edit > Copy of a selected Dynamically Linked Library, Runtime Search Path or DYLD Environment row. (For a library, the original library install path is copied.)
  • Made the Signature column more clear for certain cases, such as where Gatekeeper would reject a verified (but insufficient) signature.
  • Made the Quick Look preview more usable from the Finder's preview pane, i.e. View > Show Preview. Since the preview pane is typically much smaller, and since some information is shown directly by the Finder at the bottom of that pane, Apparency now uses a more compact format here. When using View > as Gallery, or the classic separate window of File > Quick Look Item, Apparency still creates a larger preview. Unfortunately, Apple provides no proper way for us to detect what context we're being shown in, so there's a bit of guesswork involved here, but we think it at least works better than it did.
  • Fixed some bugs in the handling of the toolbar, including the fact that changes made via View > Customize Toolbar did not get saved, and that items pushed into the trailing “overflow” section of the toolbar did not get enabled properly.
1.1.1 (75) Released on November 6, 2020
  • Updated for general compatibility with macOS 11 (Big Sur) — albeit with some caveats.
  • On Big Sur, when opening a system framework on the new sealed system volume, Apparency finds the executable in the DYLD shared cache so that the Executable Information is still available. Also, Apparency no longer shows a bunch of errors about the now-broken code signature on such system frameworks. See more info here.
  • If a component is signed by a now-revoked certificate, allow Show Code Signature, so one can see the details of the certificate and/or export it for further analysis. (In this situation, codesign(1) does not provide useful certificate details nor allow it to be exported.)
  • Enable a standalone Mach-O binary to be opened even if it lacks an executable bit, at least via drag-and-drop or from another app — like Suspicious Package, which intentionally strips the executable bit from Mach-O binaries in the installer scripts but still ought to be able them in Apparency!
1.1 (66) Released on August 21, 2020
  • Enhancements for opening “universal” apps that support more than one processor architecture, such as an app updated for the new Apple Silicon Macs, or an older one that still has 32-bit support.
    • Added the Executable type to the Info pane: this shows the supported processor architectures. Click on this text to see the underlying symbolic names for the architectures, such as x86_64 or arm64.
    • Enhanced the Executable Information sheet to show the processor architecture, and to allow choosing from among the architectures provided by the app or component.
    • Show the new Apple Silicon processor architecture where supported, in both the info pane and the Executable Information sheet. [This doesn't mean that Apparency itself is a “universal” app: see more info here.]
    • Enhanced code signature handling to examine every supported architecture — there is a distinct signature for each one — and flag any differences between them: see more info here.
    • Added the supported architectures to the Quick Look preview on macOS 10.15 (Catalina) and beyond.
  • Added Downloaded details to the Info pane, when available: click to cycle amongst the download date, app and kind.
  • Enhanced Executable Information sheet to show the target platform, which is usually simply macOS but can sometimes be something else, like UIKit for Mac (“Catalyst”).
  • Added option in Preferences > General to show the code signing options in the Info pane.
  • Added Edit > Copy Code Signing Identity (Cmd-Ctrl-C) to copy the designated requirement of the component, such as for pasting into a PCCC profile.
  • Improved handling of components with non-Mach-O executables (such as interpreted scripts).
  • Enhancements in performance and responsiveness, especially when opening large apps.
  • Added an Internet Access Policy to Apparency: this is a mechanism defined by Objective Development, the makers of Little Snitch. If you use Little Snitch, you'll get more useful information about Apparency's network connection attempts — which are for one purpose only: the periodic checking for an updated version of the app.
1.0 (43) Released on June 27, 2020
  • Initial release of Apparency.