
Support pkg file with santactl fileinfo

Open kenchan0130 opened this issue 5 years ago • 1 comments

This is an enhancement request.

Do you think it would be possible to support pkg files with `santactl fileinfo`?

Currently this command cannot parse the signature of a pkg file. Therefore, we have to use the `pkgutil --check-signature` command.

kenchan0130, Feb 28 '19 10:02

We've looked into this before for a different feature; unfortunately, unlike code signature verification, Apple doesn't provide a public API for verifying package signatures. Signature verification in packages is handled by the private PackageKit framework. It isn't that difficult to use PackageKit to extract signatures, but without documentation it's difficult to know that the data we're returning is (and will remain) correct, e.g. does the `archiveSignatures` method return signatures even if they're invalid? Also, the API can change without notice, and without a lot of error handling any change may cause us to crash.

Having said that, I'm open to looking into it but I first have to ask: have you tried Suspicious Package?

russellhancox, Feb 28 '19 15:02
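
The `pkgutil --check-signature` workaround mentioned in the issue can be scripted. The following is an added example, not part of the thread or of the Santa project: the function names are hypothetical, and the sample text is constructed, with a layout assumed from typical `pkgutil` output that may differ between macOS versions.

```shell
#!/bin/sh
# Added example: summarise `pkgutil --check-signature` output for a .pkg file.
# Function names and sample text are constructed for illustration.

# Reads pkgutil output on stdin and prints three tab-separated fields:
#   verdict ("signed" or "not-signed"), leaf signer, full status text.
# "signed" only means pkgutil reported a signature; the status text is kept
# so that trust can be judged separately.
pkg_sig_summary() {
    awk '
        /^[ \t]*Status:/ {
            sub(/^[ \t]*Status:[ \t]*/, "")
            status = $0
        }
        # Entry 1 of the certificate chain is the leaf (signing) certificate.
        /^[ \t]*1\. / && leaf == "" {
            sub(/^[ \t]*1\.[ \t]*/, "")
            leaf = $0
        }
        END {
            verdict = (status ~ /^signed/) ? "signed" : "not-signed"
            if (verdict == "not-signed" || leaf == "") leaf = "-"
            if (status == "") status = "-"
            printf "%s\t%s\t%s\n", verdict, leaf, status
        }
    '
}

# Runs pkgutil (macOS only) on one package and summarises the result.
check_pkg() {
    pkgutil --check-signature "$1" 2>/dev/null | pkg_sig_summary
}

# Constructed sample output (layout is an assumption, values are made up).
SAMPLE_SIGNED='Package "Example.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Certificate Chain:
    1. Developer ID Installer: Example Corp (ABCDE12345)
    2. Developer ID Certification Authority
    3. Apple Root CA'
SAMPLE_UNSIGNED='Package "Example.pkg":
   Status: no signature'

if [ "$#" -gt 0 ]; then
    check_pkg "$1"
fi
```
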