Use SecTaskGetCodeSignStatus for Platform Binaries
Every now and then, there's an Apple-supplied system binary that isn't signed. (Currently: looking at you, RemotePairingDataVaultHelper)
Naturally, Santa blocks these, but it doesn't have to be this way: SecTaskGetCodeSignStatus will query AMFI and report if the binary in question is from the system: https://github.com/apple-oss-distributions/xnu/blob/main/osfmk/kern/cs_blobs.h#L68
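As an added example that is not part of the issue thread or of Santa's code: a small C program that reads a process's code-signing status word through the public csops() syscall (assumed here to return the same cs_blobs.h flags SecTaskGetCodeSignStatus reports for a SecTaskRef) and classifies it on CS_PLATFORM_BINARY, which is the bit AMFI sets for Apple platform code. The flag values are copied from xnu's cs_blobs.h so the decision logic also builds off macOS; the sample status words are constructed, not captured.

```c
/* Added example, not Santa's code: decode the kernel code-signing status word
 * (osfmk/kern/cs_blobs.h in xnu) and classify a process the way a policy daemon
 * could. On macOS the word is read with csops(); the classification is portable. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#ifdef __APPLE__
#include <sys/codesign.h>   /* csops(), CS_OPS_STATUS and the CS_* flag values */
#include <unistd.h>
#endif

#ifndef CS_VALID            /* non-macOS build: values copied from cs_blobs.h */
#define CS_VALID            0x00000001u  /* signature dynamically valid */
#define CS_PLATFORM_BINARY  0x04000000u  /* AMFI marked it as Apple platform code */
#define CS_SIGNED           0x20000000u  /* a signature exists (it may have gone invalid) */
#endif

typedef enum {
    CS_VERDICT_UNSIGNED,    /* no signature at all */
    CS_VERDICT_INVALID,     /* signed, but the kernel no longer trusts the signature */
    CS_VERDICT_PLATFORM,    /* Apple platform binary: could be allowed outright */
    CS_VERDICT_THIRD_PARTY  /* validly signed, goes through the normal allow/deny rules */
} cs_verdict_t;

/* Pure decision on the status word; no syscalls, so it can be tested anywhere. */
cs_verdict_t classify_cs_status(uint32_t cs) {
    if (!(cs & CS_SIGNED))       return CS_VERDICT_UNSIGNED;
    if (!(cs & CS_VALID))        return CS_VERDICT_INVALID;
    if (cs & CS_PLATFORM_BINARY) return CS_VERDICT_PLATFORM;
    return CS_VERDICT_THIRD_PARTY;
}

const char *cs_verdict_name(cs_verdict_t v) {
    static const char *const names[] = { "unsigned", "invalid", "platform", "third-party" };
    return names[v];
}

int main(int argc, char **argv) {
#ifdef __APPLE__
    /* Ask the kernel for a live process's status word (what AMFI decided at exec). */
    pid_t pid = argc > 1 ? (pid_t)atoi(argv[1]) : getpid();
    uint32_t cs = 0;
    if (csops(pid, CS_OPS_STATUS, &cs, sizeof(cs)) != 0) { perror("csops"); return 1; }
    printf("pid %d: csflags=0x%08x verdict=%s\n", (int)pid, cs, cs_verdict_name(classify_cs_status(cs)));
#else
    (void)argc; (void)argv; fputs("csops() is macOS-only; classify_cs_status() still works here\n", stderr);
#endif
    return 0;
}
```

Run it as `./cs_status <pid>` on macOS to see the raw csflags word next to the verdict; a process started from an Apple binary that AMFI accepted carries CS_PLATFORM_BINARY even when a user-space plist check would stumble.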
We're discussing this. I don't think we have need for SecTaskGetCodeSignStatus as ES already tells us if a binary is a platform binary but we've been hesitant to fully rely on that previously (for reasons I can't recall). This may be enough impetus to start using it.
I'm also assuming that this will be fixed before Sonoma is properly released; the mentioned binary is signed, it's just that each architecture in the binary has a slightly different Info.plist.
Got it - thanks!
On Tue, Jul 11, 2023, at 11:56, Russell Hancox wrote:
We're discussing this. I don't think we have need for SecTaskGetCodeSignStatus as ES already tells us if a binary is a platform binary but we've been hesitant to fully rely on that previously (for reasons I can't recall). This may be enough impetus to start using it.
I'm also assuming that this will be fixed before Sonoma is properly released; the mentioned binary is signed, it's just that each architecture in the binary has a slightly different Info.plist.
Reply to this email directly or view it on GitHub: https://github.com/google/santa/issues/1124#issuecomment-1631083985
-- Edward Marczak b: https://www.radiotope.com/blog
"I'm also assuming that this will be fixed before Sonoma is properly released; the mentioned binary is signed, it's just that each architecture in the binary has a slightly different Info.plist."
Narrator: It wasn't.
It looks like this has been fixed in the betas for 14.1
yep - seeing the same behaviour here too. Thanks!