How to sign RA scripts on MAC device
How do I sign RA scripts and package it on MAC devices?
Keep in mind, for the production environment, we recommend using code signing certifica”
For test purposes, "Let me override defaults" can be left unchecked.
Click Create, Done sequence. The certificate is generated.
Sign and package a remote action script
Remote action scripts should be signed using the standard macOS codesign utility.
codesign -s <your certificate identity> --timestamp --prefix=<code signature identifier prefix> --force <script file name>CODE
-s <your certificate identity>CODE
The identity of your code signing certificate in the Keychain. Usually, it's a certificate subject common name or a certificate hash. See the codesign manual page for the full description.
Generate a trusted timestamp for a signature.
A prefix to a code signature identifier. Attaches your company identity to an identifier and helps to make an identifier unique. See the code signature identifier generation rules in the codesign manual page.
Forces to rewrite a code signature if it's already existing.
The example for our test certificate and example_ra_script.sh RA script we do:
codesign -s "RA scripts code signing certificate" --timestamp --prefix=com.my-organisation.remote-action.macos. --force example_ra_script.shCODE
The signature for our script file is generated in the file system extended attributes associated with the file. We can use the codesign utility to get the code signature details and validate the signature:
A remote action script should be packed into a tar archive with gzip compression. The extension ".tar.gz" is mandatory.
tar -czvf ./<your script name>.tar.gz ./<your script name>.shCODE
If the script file is signed, the tar utility will pack its extended attributes as well. This way, a code signature can be transported along with a script file.
Please note the following limitations:
Only one script can be put into one archive
A script file should be put into the root package folder (./myscript/myscript.sh is not correct)
A script should have .sh extension
A script filename should be UTF-8 encoded (default on macOS)
The example for the test.sh script:
tar -czvf ./example_ra_script.tar.gz ./example_ra_script.sh
The resulting example_ra_script.tar.gz is the RA script file.
The script to sign and pack a remote action script
We recommend using this script to simplify the signing and packaging process.
#!/bin/bash # # script_signing.sh # # Copyright (C) 2020 by Nexthink S.A., Switzerland. Any usage, copy or partial copy of # this code without the explicit agreement of Nexthink S.A. is prohibited and will be # pursued to the full extend of the law. # # The arguments for the script: # - input script filename # - output archive filename # - Certificate owner # - Prefix # # Error handling set -euo pipefail trap "echo unrecoverable error !" ERR # Check codesign if [[ ! -x /usr/bin/codesign ]] then echo "Error: this script requires that codesign is installed" exit 2 fi # Check tar if [[ ! -x /usr/bin/tar ]] then echo "Error: this script requires that tar is installed" exit 2 fi # Check arguments if [[ $# -lt 4 ]] then echo "Usage: script_signing.sh inputScriptFilename outputArchiveFilename CertificateOwner prefix" echo "Example: ./script_signing.sh script.sh script.tar.gz \"John Doe\" com.john.remote-action.macos." exit 1 fi /usr/bin/codesign -s "$3" --timestamp --prefix="$4" --force "$1" /usr/bin/tar czf "$2" "$1"
Exporting code signing certificate to install on endpoints
If you have your code signing certificate in the Keychain and want to install its public version on endpoints, you need to export it first.
Choose the "Certificate (.cer)" File Format for a public certificate.
Importing a code signing certificate to the Keychain on endpoints
Your code signed certificate should be imported into the system keychain to use remote action scripts with a "Trusted Publisher" execution policy.
To do it manually, it's enough to double click a .cer file and choose the "System" option for the Keychain.
After you type a root password, the certificate will be imported.
If the certificate is self-signed, it should also be trusted for code signing.
Double click the Keychain Access utility certificate and choose "Always trust" for the Code Signing option.
For automation of these tasks, you can use the security utility or your automation framework.
Check that the code signing certificate is properly imported to an endpoint
Copy and unpack your signed remote action script to the endpoint.
tar -xzvf example_ra_script.tar.gz
Verify your signature.
codesign -vvvv -R="certificate leaf trusted" example_ra_script.sh
If the signature is properly imported, you should see the output as on the screenshot: