If you use Xcode to write apps for any Apple device, the company wants you to validate your version of Xcode and make sure that you never download a copy from anywhere else. Rocket Yard readers are probably aware of recent news stories that a counterfeit version of Xcode known as XcodeGhost was injecting malicious code into apps that ended up on the App Store. As a result, Apple had to remove over 5,000 malware-laden apps from the App Store.
To keep this from happening again, Apple recommends that developers download Xcode directly from the Mac App Store or Apple Developer website, and also leave Gatekeeper enabled on all systems to protect against software that has been tampered with.
To validate a copy of Xcode, there’s a simple command that can be run in Terminal on a system that has Gatekeeper enabled:
spctl --assess --verbose /Applications/Xcode.app
/Applications/ is the directory where you have Xcode installed, so you may need to change this. Running this check can take several minutes, after which a result of “accepted” should be visible in Terminal:
If a result other than “accepted” or a source other than “Mac App Store”, “Apple System” or “Apple” appears, delete Xcode and download a new copy from the Mac App Store or Apple Developer
Xcode 6.2 (6C131e) on OS X 10.9.5 freshly downloaded from App Store today:
rejected
source=obsolete resource envelope
I have a same probrem.
Xcode 6.2(6C131e) on OS X 10.10.5 downloaded from App Store on March, 2015.
rejected
source=obsolete resource envelope
Then, I downloaded the same version (Xcode 6.2(6C131e)) from Apple Developer site and installed.
That’s OK.
accepted
source=Apple System
What’s different?
It’s really strange that so many paying developers would be downloading Xcode from sources other than Apple Developer Connection website.
Agreed. I was surprised to see that, too.
This is not surprising in China since the Internet is slow there and people are use to copying-pirating software from sites other than the official site.
Apple should mandate in OSX that gatekeeper be on for Xcode to run. This way it can block modified versions of Xcode immediately.