santa
Use SecTaskGetCodeSignStatus for Platform Binaries
Every now and then, there's an Apple-supplied system binary that isn't signed. (Currently: looking at you, RemotePairingDataVaultHelper)
Naturally, Santa blocks these, but it doesn't have to be this way: SecTaskGetCodeSignStatus will query AMFI and report the code-signing status flags for the process, including whether the binary in question is a platform binary: https://github.com/apple-oss-distributions/xnu/blob/main/osfmk/kern/cs_blobs.h#L68
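A sketch of the check this issue proposes, as added example code (not Santa's and not from the issue): it builds on macOS only, assumes the SPI prototype `uint32_t SecTaskGetCodeSignStatus(SecTaskRef)` from the Security framework's private SecTaskPriv.h, and uses the CS_VALID and CS_PLATFORM_BINARY values from cs_blobs.h.

```objective-c
// Added example (not Santa's own code): classify a process by the kernel's
// code-signing status flags instead of re-validating the signature on disk.
// macOS only: clang -framework Security -framework CoreFoundation cs_status.c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <mach/message.h>                  // audit_token_t
#include <CoreFoundation/CoreFoundation.h>
#include <Security/Security.h>             // SecTaskRef, SecTaskCreate*

// Assumption: SPI prototype from Security's private SecTaskPriv.h (no public
// header ships it); the result is the task's cs_flags as defined in cs_blobs.h.
extern uint32_t SecTaskGetCodeSignStatus(SecTaskRef task);

// Flag values from xnu osfmk/kern/cs_blobs.h.
#define CS_VALID            0x00000001  // signature dynamically valid
#define CS_PLATFORM_BINARY  0x04000000  // AMFI says: Apple platform binary

typedef enum {
  kPlatformBinary,    // trust on AMFI's word, even with no verifiable signature
  kValidSignature,    // ordinary signed code: continue with Santa's rules
  kNoValidSignature   // unsigned or invalid and not platform: continue with rules
} CSDecision;

// Pure policy step, kept free of Security calls so it is easy to unit test.
static CSDecision ClassifyCodeSignStatus(uint32_t cs_flags) {
  if (cs_flags & CS_PLATFORM_BINARY) return kPlatformBinary;
  if (cs_flags & CS_VALID) return kValidSignature;
  return kNoValidSignature;
}

// Resolve a process by audit token (e.g. the one in an EndpointSecurity
// message) and classify it. Returns false if the task cannot be resolved.
bool ClassifyProcess(audit_token_t token, CSDecision *decision) {
  SecTaskRef task = SecTaskCreateWithAuditToken(kCFAllocatorDefault, token);
  if (!task) return false;
  uint32_t cs_flags = SecTaskGetCodeSignStatus(task);
  CFRelease(task);
  *decision = ClassifyCodeSignStatus(cs_flags);
  return true;
}

int main(void) {
  SecTaskRef self = SecTaskCreateFromSelf(kCFAllocatorDefault);
  if (!self) return 1;
  uint32_t cs_flags = SecTaskGetCodeSignStatus(self);
  CFRelease(self);
  printf("cs_flags=0x%08x decision=%d\n", cs_flags, ClassifyCodeSignStatus(cs_flags));
  return 0;
}
```

Because the SPI reads the flags the kernel already holds for the running task, a binary that AMFI has marked as a platform binary is recognised even when there is no signature for Santa to validate itself.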