Apple: Developers Should Validate Their Copy of Xcode

Xcode iconIf you use Xcode to write apps for any Apple device, the company wants you to validate your version of Xcode and make sure that you never download a copy from anywhere else. Rocket Yard readers are probably aware of recent news stories that a counterfeit version of Xcode known as XcodeGhost was injecting malicious code into apps that ended up on the App Store. As a result, Apple had to remove over 5,000 malware-laden apps from the App Store.

To keep this from happening again, Apple recommends that developers download Xcode directly from the Mac App Store or Apple Developer website, and also leave Gatekeeper enabled on all systems to protect against software that has been tampered with.

To validate a copy of Xcode, there’s a simple command that can be run in Terminal on a system that has Gatekeeper enabled:

spctl --assess --verbose /Applications/

/Applications/ is the directory where you have Xcode installed, so you may need to change this. Running this check can take several minutes, after which a result of “accepted” should be visible in Terminal:

Validating Xcode in Terminal

If a result other than “accepted” or a source other than “Mac App Store”, “Apple System” or “Apple” appears, delete Xcode and download a new copy from the Mac App Store or Apple Developer