r-macos-rtools
Verify pkg signer
The goal here is to provide a second level of security related to #8 by checking that the downloaded packages are signed, and signed by the developer we expect.
Consider:
pkgutil --check-signature $PKG_INSTALLER_NAME
Package "macos-rtools.pkg":
Status: signed by a certificate trusted by Mac OS X
Certificate Chain:
1. Developer ID Installer: James Balamuta (LNVWJ4S7DC)
SHA1 fingerprint: 4B CF 66 88 56 AC 73 E8 70 14 5C 2C 7E BA E2 67 90 3C 85 BF
-----------------------------------------------------------------------------
2. Developer ID Certification Authority
SHA1 fingerprint: 3B 16 6C 3B 7D C4 B7 51 C9 FE 2A FA B9 13 56 41 E3 88 E1 86
-----------------------------------------------------------------------------
3. Apple Root CA
SHA1 fingerprint: 61 1E 5B 66 2C 59 3A 08 FF 58 D1 4A E2 24 52 D1 98 DF 6C 60
If the status is not "signed by a certificate trusted by Mac OS X", then an exit is triggered.
A trusted chain alone only says that some Apple-issued Developer ID signed the package, so we likely will want to verify the Developer ID (full name + ID) as well:
1. Developer ID Installer: James Balamuta (LNVWJ4S7DC)
awk fields on that line: $1 = "1.", $2 = "Developer", $3 = "ID", $4 = "Installer:", $5 = "James", $6 = "Balamuta", $7 = "(LNVWJ4S7DC)"
The following extract the name and the ID (note that $5" "$6 assumes a two-word name, so a developer with a middle name or a single-word name would need a different field range):
PKG_SIG=$(pkgutil --check-signature "$PKG_INSTALLER_NAME")
PKG_AUTHOR=$(printf '%s\n' "$PKG_SIG" | awk '/Developer ID Installer/{print $5" "$6}')
PKG_DEV_ID=$(printf '%s\n' "$PKG_SIG" | awk '/Developer ID Installer/{print $7}' | tr -d '()')
In Simon's case, we have:
pkgutil --check-signature ~/Downloads/clang-6.0.0.pkg
Package "clang-6.0.0.pkg":
Status: signed by a certificate trusted by Mac OS X
Certificate Chain:
1. Developer ID Installer: Simon Urbanek (VZLD955F6P)
SHA1 fingerprint: 7B 6B 81 12 E6 26 8C 16 F8 D4 0F 94 E4 3E 62 69 2E 92 22 81
-----------------------------------------------------------------------------
2. Developer ID Certification Authority
SHA1 fingerprint: 3B 16 6C 3B 7D C4 B7 51 C9 FE 2A FA B9 13 56 41 E3 88 E1 86
-----------------------------------------------------------------------------
3. Apple Root CA
SHA1 fingerprint: 61 1E 5B 66 2C 59 3A 08 FF 58 D1 4A E2 24 52 D1 98 DF 6C 60
Alternatively, we could pin just the SHA1 fingerprint of the leaf (Developer ID Installer) certificate. This is stricter than matching the name and ID, but the fingerprint changes whenever the developer's certificate is renewed, whereas the Team ID (LNVWJ4S7DC) stays the same, so a fingerprint pin needs updating with every certificate rollover:
if pkgutil --check-signature "$PKG_INSTALLER_NAME" | grep -q 'SHA1 fingerprint: 4B CF 66 88 56 AC 73 E8 70 14 5C 2C 7E BA E2 67 90 3C 85 BF'; then
echo 0
else
exit 1
fi
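Putting the two approaches together, here is an added example (not code from the r-macos-rtools project) that parses the output of `pkgutil --check-signature`, requires a trusted status line, pins the signer's Team ID, and optionally also pins the leaf certificate's SHA1 fingerprint. The name extraction uses a sed capture instead of awk fields so it works for names of any length. The sample outputs are constructed from the transcripts above; the wording of the newer macOS status line ("developer certificate issued by Apple for distribution") and the "no signature" line for an unsigned package are assumptions about pkgutil output on other versions, not something shown on this page.

```sh
#!/bin/sh
# Added example, not part of r-macos-rtools. Verifies a pkg signer from
# `pkgutil --check-signature` output read on stdin.

# Leaf certificate line ("1. Developer ID Installer: Name (TEAMID)") from stdin.
leaf_line() {
    grep '^ *1\. Developer ID Installer:' | head -n 1
}

# Signer name; tolerates names with any number of words.
pkg_signer_name() {
    leaf_line | sed -n 's/.*Developer ID Installer: \(.*\) (\([A-Z0-9]*\)).*/\1/p'
}

# Apple Team ID (the token in parentheses); stable across certificate renewals.
pkg_team_id() {
    leaf_line | sed -n 's/.*Developer ID Installer: .* (\([A-Z0-9]*\)).*/\1/p'
}

# SHA1 fingerprint printed on the line directly under the leaf certificate line.
pkg_leaf_sha1() {
    awk '/^ *1\. Developer ID Installer:/ { getline; sub(/.*SHA1 fingerprint: /, ""); sub(/[ \t]*$/, ""); print; exit }'
}

# verify_pkg_signature <expected_team_id> [expected_leaf_sha1]   (pkgutil output on stdin)
# Returns 0 ok, 1 untrusted or unsigned, 2 no Developer ID Installer leaf,
# 3 Team ID mismatch, 4 leaf fingerprint mismatch.
verify_pkg_signature() {
    expected_team=$1
    expected_sha1=$2
    sig=$(cat)

    # 1. Chain must be trusted. Older pkgutil prints "trusted by Mac OS X"; the
    #    second wording is an assumption about newer macOS releases.
    printf '%s\n' "$sig" | grep -Eq 'Status: signed by a (certificate trusted by|developer certificate issued by Apple)' || return 1
    # 2. Any Developer ID holder can produce a trusted chain, so pin the Team ID.
    team=$(printf '%s\n' "$sig" | pkg_team_id)
    [ -n "$team" ] || return 2
    [ "$team" = "$expected_team" ] || return 3
    # 3. Optional stricter pin on the leaf certificate fingerprint (must be
    #    updated whenever the developer renews the certificate).
    if [ -n "$expected_sha1" ]; then
        [ "$(printf '%s\n' "$sig" | pkg_leaf_sha1)" = "$expected_sha1" ] || return 4
    fi
    return 0
}

# Constructed samples mirroring the transcripts in this issue.
SAMPLE_RTOOLS='Package "macos-rtools.pkg":
   Status: signed by a certificate trusted by Mac OS X
   Certificate Chain:
    1. Developer ID Installer: James Balamuta (LNVWJ4S7DC)
       SHA1 fingerprint: 4B CF 66 88 56 AC 73 E8 70 14 5C 2C 7E BA E2 67 90 3C 85 BF
       -----------------------------------------------------------------------------
    2. Developer ID Certification Authority
       SHA1 fingerprint: 3B 16 6C 3B 7D C4 B7 51 C9 FE 2A FA B9 13 56 41 E3 88 E1 86
       -----------------------------------------------------------------------------
    3. Apple Root CA
       SHA1 fingerprint: 61 1E 5B 66 2C 59 3A 08 FF 58 D1 4A E2 24 52 D1 98 DF 6C 60'

SAMPLE_CLANG='Package "clang-6.0.0.pkg":
   Status: signed by a certificate trusted by Mac OS X
   Certificate Chain:
    1. Developer ID Installer: Simon Urbanek (VZLD955F6P)
       SHA1 fingerprint: 7B 6B 81 12 E6 26 8C 16 F8 D4 0F 94 E4 3E 62 69 2E 92 22 81
       -----------------------------------------------------------------------------
    2. Developer ID Certification Authority
       SHA1 fingerprint: 3B 16 6C 3B 7D C4 B7 51 C9 FE 2A FA B9 13 56 41 E3 88 E1 86'

# Assumed wording for an unsigned package (constructed, not from the page).
SAMPLE_UNSIGNED='Package "unsigned.pkg":
   Status: no signature'

# Stand-alone demo. Real use would be:
#   pkgutil --check-signature "$PKG_INSTALLER_NAME" | verify_pkg_signature LNVWJ4S7DC || exit 1
for s in "$SAMPLE_RTOOLS" "$SAMPLE_CLANG" "$SAMPLE_UNSIGNED"; do
    if printf '%s\n' "$s" | verify_pkg_signature LNVWJ4S7DC; then
        echo "accepted: $(printf '%s\n' "$s" | pkg_signer_name)"
    else
        echo "rejected (rc=$?)"
    fi
done
```

Pinning the Team ID rather than the fingerprint keeps the check valid across certificate renewals; pass the fingerprint as the second argument only when the build pipeline can be updated in step with the developer's certificate. Against the samples above, only the macos-rtools package is accepted; Simon's clang package is rejected with rc=3 and the unsigned one with rc=1.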