Skip to main content
Skip table of contents

How to sign RA scripts on MAC device

Question:

How do I sign RA scripts and package it on MAC devices?

Steps:

Keep in mind, for the production environment, we recommend using code signing certifica”
For test purposes, "Let me override defaults" can be left unchecked.

  1. Click Create, Done sequence. The certificate is generated.


Sign and package a remote action script

  1. Signing.

    Remote action scripts should be signed using the standard macOS codesign utility.

    CODE
    codesign -s <your certificate identity> --timestamp --prefix=<code signature identifier prefix> --force <script file name>


    Parameters:

    CODE
    -s <your certificate identity>

    The identity of your code signing certificate in the Keychain. Usually, it's a certificate subject common name or a certificate hash. See the codesign manual page for the full description.

    CODE
    --timestamp

    Generate a trusted timestamp for a signature.

    CODE
    --prefix

    A prefix to a code signature identifier. Attaches your company identity to an identifier and helps to make an identifier unique. See the code signature identifier generation rules in the codesign manual page.

    CODE
    --force

    Forces to rewrite a code signature if it's already existing.

    The example for our test certificate and example_ra_script.sh RA script we do:

    CODE
    codesign -s "RA scripts code signing certificate" --timestamp --prefix=com.my-organisation.remote-action.macos. --force example_ra_script.sh


    The signature for our script file is generated in the file system extended attributes associated with the file. We can use the codesign utility to get the code signature details and validate the signature:


  2. Packaging.
    A remote action script should be packed into a tar archive with gzip compression. The extension ".tar.gz" is mandatory.

    CODE
    tar -czvf ./<your script name>.tar.gz ./<your script name>.sh

If the script file is signed, the tar utility will pack its extended attributes as well. This way, a code signature can be transported along with a script file.

Please note the following limitations:

  • Only one script can be put into one archive

  • A script file should be put into the root package folder (./myscript/myscript.sh is not correct)

  • A script should have .sh extension

  • A script filename should be UTF-8 encoded (default on macOS)

The example for the test.sh script:

CODE
tar -czvf ./example_ra_script.tar.gz ./example_ra_script.sh

The resulting example_ra_script.tar.gz is the RA script file.

The script to sign and pack a remote action script

We recommend using this script to simplify the signing and packaging process.

CODE
#!/bin/bash
#
# script_signing.sh
# 
# Copyright (C) 2020 by Nexthink S.A., Switzerland. Any usage, copy or partial copy of
# this code without the explicit agreement of Nexthink S.A. is prohibited and will be
# pursued to the full extend of the law.
#
# The arguments for the script:
# - input script filename
# - output archive filename
# - Certificate owner
# - Prefix
#
 
 
# Error handling
set -euo pipefail
trap "echo unrecoverable error !" ERR
 
 
# Check codesign
if [[ ! -x /usr/bin/codesign ]]
then
    echo "Error: this script requires that codesign is installed"
    exit 2
fi
 
# Check tar
if [[ ! -x /usr/bin/tar ]]
then
    echo "Error: this script requires that tar is installed"
    exit 2
fi
 
 
# Check arguments
if [[ $# -lt 4 ]]
then
    echo "Usage: script_signing.sh inputScriptFilename outputArchiveFilename CertificateOwner prefix"
    echo "Example: ./script_signing.sh script.sh script.tar.gz \"John Doe\" com.john.remote-action.macos."
    exit 1
fi
 
/usr/bin/codesign -s "$3" --timestamp --prefix="$4" --force "$1"
/usr/bin/tar czf "$2" "$1"

Exporting code signing certificate to install on endpoints

If you have your code signing certificate in the Keychain and want to install its public version on endpoints, you need to export it first.

Choose the "Certificate (.cer)" File Format for a public certificate.

Importing a code signing certificate to the Keychain on endpoints

Your code signed certificate should be imported into the system keychain to use remote action scripts with a "Trusted Publisher" execution policy.

To do it manually, it's enough to double click a .cer file and choose the "System" option for the Keychain.

After you type a root password, the certificate will be imported.

If the certificate is self-signed, it should also be trusted for code signing.

Double click the Keychain Access utility certificate and choose "Always trust" for the Code Signing option.

For automation of these tasks, you can use the security utility or your automation framework.

Check that the code signing certificate is properly imported to an endpoint

Copy and unpack your signed remote action script to the endpoint.

CODE
tar -xzvf example_ra_script.tar.gz

Verify your signature.

CODE
codesign -vvvv -R="certificate leaf trusted" example_ra_script.sh

If the signature is properly imported, you should see the output as on the screenshot:

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.