Unsigned and suspicious files in /Library/Apple/Library/Bundles/InputAlternatives.bundle — possible system compromise?

Question

elleesse Author

Level 1

4 points

Unsigned and suspicious files in /Library/Apple/Library/Bundles/InputAlternatives.bundle — possible system compromise?

Hello everyone,

I’m looking for technical clarification about some unexpected files found on my MacBook Air.

While inspecting my system via Terminal, I discovered the following directory:

/Library/Apple/Library/Bundles/InputAlternatives.bundle/Contents/Resources/

Inside this folder there are hundreds of .plist files with names that appear to come from unrelated iOS or Android apps/games, such as:

com.alphapotato.pawnshopmaster.plist

com.colorfultails.KetchupMaster.plist

com.outfit7.talkingtomgoldrun.plist

com.ketchapp.stack.plist

I ran a code signature check using:

codesign -dv /Library/Apple/Library/Bundles/InputAlternatives.bundle

and got this output:

Identifier=com.apple.InputAlternatives

TeamIdentifier=not set

Signed Time=21 Jul 2025 at 01:25:54

So:

The bundle is not signed by Apple (TeamIdentifier not set);
The contents (hundreds of unrelated .plist files) seem completely inconsistent with the legitimate InputAlternatives.bundle, which should only contain keyboard/input resources.

When I try to delete the folder using sudo rm, I get Operation not permitted, even though I’m running with SIP enabled.

Could these files possibly belong to any legitimate macOS component or update?
If not, is it safe or recommended to disable SIP temporarily to remove them manually?
Is there an official Apple method or tool to verify or restore modified system bundles?

The system was recently formatted and updated to the latest version of macOS Tahoe.

I’d like to confirm whether this is a harmless anomaly or a potential security issue.

Thank you in advance for any clarification or official reference.

MacBook Air 15″, macOS 15.7

Posted on Nov 7, 2025 2:07 AM

Reply

Answer 1

Top-ranking reply

Servant of Cats

Level 7

33,053 points

Nov 7, 2025 4:26 AM in response to elleesse

I checked that file on my system, which is running Sequoia. It had all of those entries.

I'm not certain, but /Library/Apple/Library/Bundles/InputAlternatives.bundle might be apart of the signed, sealed system volume. If so, there might not be a signature simply because everything in that volume is protected in a different way.

The Eclectic Light Company – Big Sur’s Signed System Volume: added security protection

There is a game called Pawn Shop Master in the App Store that you can download to Apple Silicon Macs. (It's an iPad game that has not been verified for macOS.). Likewise there is a Ketchup Master, that was designed for the iPhone, but that can be downloaded to Apple Silicon Macs.

I wonder if Apple threw in a bunch of Property List files containing input alternative settings for a bunch of third-party games – say, at the request of the game developers, or as a result of processing App Store submissions.

Reply

Answer 2

Nov 7, 2025 4:30 AM in response to elleesse

elleesse wrote:

When I try to delete the folder using sudo rm, I get Operation not permitted, even though I’m running with SIP enabled.

If this file is on the signed, sealed system volume, the Mac is going to be running off a read-only snapshot of the volume – not directly off the main copy.

If that is the case, and you figure out a way to modify the file anyway, the cryptographic signature on the volume won't be correct - and the next time you go to start up your Mac from that volume, the Mac will refuse to do it. It will think (correctly) that the volume has been "tampered with", and it will not realize that you tampered in a fairly harmless (if counterproductive) fashion. It will react as though the system had been modified by malware.

Reply

Answer 3

Tom Gewecke

Level 10

121,872 points

Nov 7, 2025 4:33 AM in response to elleesse

See this earlier discussion of the same thing here a few years ago:

Is it normal for there to be a bunch of r… - Apple Community

Reply