This repository has been archived by the owner on Feb 24, 2023. It is now read-only.
The goal here is to provide a second level of security related to #8 by checking the downloaded packages are signed.
Consider:
pkgutil --check-signature $PKG_INSTALLER_NAME
Package "macos-rtools.pkg":
   Status: signed by a certificate trusted by Mac OS X
   Certificate Chain:
    1. Developer ID Installer: James Balamuta (LNVWJ4S7DC)
       SHA1 fingerprint: 4B CF 66 88 56 AC 73 E8 70 14 5C 2C 7E BA E2 67 90 3C 85 BF
       -----------------------------------------------------------------------------
    2. Developer ID Certification Authority
       SHA1 fingerprint: 3B 16 6C 3B 7D C4 B7 51 C9 FE 2A FA B9 13 56 41 E3 88 E1 86
       -----------------------------------------------------------------------------
    3. Apple Root CA
       SHA1 fingerprint: 61 1E 5B 66 2C 59 3A 08 FF 58 D1 4A E2 24 52 D1 98 DF 6C 60
If status is not "signed by a certificate trusted by Mac OS X", then an exit is triggered.
Thus, we likely will want to verify the Developer ID (full name + ID):
The following extracts the name and the ID:
In Simon's case, we have:
pkgutil --check-signature ~/Downloads/clang-6.0.0.pkg
Package "clang-6.0.0.pkg":
   Status: signed by a certificate trusted by Mac OS X
   Certificate Chain:
    1. Developer ID Installer: Simon Urbanek (VZLD955F6P)
       SHA1 fingerprint: 7B 6B 81 12 E6 26 8C 16 F8 D4 0F 94 E4 3E 62 69 2E 92 22 81
       -----------------------------------------------------------------------------
    2. Developer ID Certification Authority
       SHA1 fingerprint: 3B 16 6C 3B 7D C4 B7 51 C9 FE 2A FA B9 13 56 41 E3 88 E1 86
       -----------------------------------------------------------------------------
    3. Apple Root CA
       SHA1 fingerprint: 61 1E 5B 66 2C 59 3A 08 FF 58 D1 4A E2 24 52 D1 98 DF 6C 60
Alternatively, we probably should verify just the SHA1 fingerprint
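As an added example (not code from the issue or the project), here is a POSIX sh function that applies all three checks the issue describes to a `pkgutil --check-signature` report read from stdin: the status string, the leaf Developer ID (full name + team ID), and the leaf SHA1 fingerprint pinned to a known value. The sample reports below are constructed with the same shape as the output quoted above, so the function can be exercised off macOS.

```shell
#!/bin/sh
# Constructed sample reports, shaped like the pkgutil --check-signature output in the issue.
GOOD_REPORT='Package "macos-rtools.pkg":
   Status: signed by a certificate trusted by Mac OS X
   Certificate Chain:
    1. Developer ID Installer: James Balamuta (LNVWJ4S7DC)
       SHA1 fingerprint: 4B CF 66 88 56 AC 73 E8 70 14 5C 2C 7E BA E2 67 90 3C 85 BF
       -----------------------------------------------------------------------------
    2. Developer ID Certification Authority
       SHA1 fingerprint: 3B 16 6C 3B 7D C4 B7 51 C9 FE 2A FA B9 13 56 41 E3 88 E1 86
       -----------------------------------------------------------------------------
    3. Apple Root CA
       SHA1 fingerprint: 61 1E 5B 66 2C 59 3A 08 FF 58 D1 4A E2 24 52 D1 98 DF 6C 60'

# Constructed: what an unsigned package would look like (no certificate chain at all).
UNSIGNED_REPORT='Package "macos-rtools.pkg":
   Status: no signature'

# check_pkg_signature EXPECTED_DEVELOPER_ID EXPECTED_LEAF_SHA1  (report on stdin)
# Returns 0 only if status, Developer ID and pinned leaf fingerprint all match.
# Real use on macOS:  pkgutil --check-signature "$PKG" | check_pkg_signature 'Name (TEAMID)' 'XX XX ...'
check_pkg_signature() {
    expected_id=$1
    expected_fp=$(printf '%s' "$2" | tr -d '[:space:]')   # compare without separators
    report=$(cat)

    # 1. Status must be the trusted-chain wording; anything else (unsigned, untrusted) fails.
    case "$report" in
        *"Status: signed by a certificate trusted by Mac OS X"*) ;;
        *) echo "FAIL: package is not signed by a certificate trusted by Mac OS X" >&2; return 1 ;;
    esac

    # 2. Leaf entry "1." must name exactly the expected Developer ID Installer identity.
    leaf=$(printf '%s\n' "$report" | sed -n 's/^.*1\. Developer ID Installer: //p' | head -n 1)
    [ "$leaf" = "$expected_id" ] || { echo "FAIL: Developer ID is '$leaf', expected '$expected_id'" >&2; return 1; }

    # 3. The first SHA1 fingerprint in the report belongs to the leaf; it must equal the pinned value.
    fp=$(printf '%s\n' "$report" | sed -n 's/^.*SHA1 fingerprint: //p' | head -n 1 | tr -d '[:space:]')
    [ "$fp" = "$expected_fp" ] || { echo "FAIL: leaf fingerprint mismatch" >&2; return 1; }
    return 0
}
```

The Developer ID check and the fingerprint check are complementary: the name guards against a package signed by a different valid Developer ID, the pin guards against a certificate reissued under the same name.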