#!/usr/bin/env bash
# macos-scripts/signature_check
# signature_check
# Check for applications which are not code signed
# Check for apps that are notarized
#
# Lists every application reported by system_profiler whose code signature is
# missing, made with an untrusted certificate or invalid, plus every app that
# passes signature verification and is also notarized. Apps that are validly
# signed but not notarized are checked but not printed.
# Usage: signature_check   (takes no arguments)
# Execution time approximately 5 to 10 minutes (system_profiler plus one
# pkgutil and one spctl run per application dominate)
set -uo pipefail
# -u  treat any reference to an undefined variable as an error
# -o pipefail  a pipeline's exit status is the last non-zero status of any
#    command in it, rather than only the status of the last command
# NOTE: -e is not enabled, so a failing command does not abort the run; the
#    pkgutil exit status is tested explicitly inside main instead
IFS=$'\n\t'
# Set Internal Field Separator to newlines and tabs only, so unquoted
# expansions split on those and application paths containing spaces stay whole
# See: http://redsymbol.net/articles/unofficial-bash-strict-mode/
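### Define Colours ###
# Terminal escape sequences are only captured when stdout is a terminal. When
# the output is piped to a file or another tool the variables are set but
# empty, so no control codes end up in the log.
if [ -t 1 ]; then
  tput sgr0   # clear any attributes a previous command left on the terminal
  RESET="$(tput sgr0)"
  BOLD="$(tput bold)"
  RED="$(tput setaf 1)"
  GREEN="$(tput setaf 64)"   # 256-colour palette index; empty on 8-colour terminals
else
  RESET=''
  BOLD=''
  RED=''
  GREEN=''
fi
readonly RESET BOLD RED GREEN
### END Colours ###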
# SIGINT handler: report that the current user cancelled the run, then exit
# with status 1 so callers can tell the scan did not complete.
function ctrl_c {
  printf '\n[❌] %s has chosen to quit!\n' "${USER}"
  exit 1
}
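# Print the on-disk path of every application system_profiler knows about,
# one per line. The "Location: " prefix is stripped with sed rather than
# awk -F ': ' so that a path which itself contains ": " is not truncated.
function list_apps {
  system_profiler SPApplicationsDataType \
    | sed -n 's/^[[:space:]]*Location: //p'
}

# Classify one application bundle by its code signature.
# $1  path to the .app bundle
# Prints exactly one word on stdout: notarized, signed, no_signature,
# untrusted_certificate, broken, or unknown (pkgutil failed but its status
# text matched none of the known patterns).
# pkgutil is run once and its stdout kept, instead of once for the exit
# status and a second time for the text; its stderr passes through as before.
function classify_app {
  local app="$1"
  local output
  if output="$(pkgutil --check-signature "${app}")"; then
    # Signature verifies. spctl's verbose assessment is searched for the
    # word "Notarized"; stdout and stderr are merged since it may land on either.
    if spctl --assess -v "${app}" 2>&1 | grep -q 'Notarized'; then
      printf 'notarized\n'
    else
      printf 'signed\n'
    fi
  elif grep -q "no signature" <<<"${output}"; then
    printf 'no_signature\n'
  elif grep -q "untrusted certificate" <<<"${output}"; then
    printf 'untrusted_certificate\n'
  elif grep -q "invalid" <<<"${output}"; then
    printf 'broken\n'
  else
    printf 'unknown\n'
  fi
}

# Print a coloured heading with a count, then one indented path per line.
# $1  colour escape sequence (may be empty)
# $2  heading text
# remaining arguments: the paths to list
# Prints nothing at all when no paths are given.
function print_group {
  local colour="$1" heading="$2"
  shift 2
  [ "$#" -gt 0 ] || return 0
  printf '%s%s (%d):%s\n' "${colour}" "${heading}" "$#" "${RESET}"
  printf ' %s\n' "$@"
}

# Entry point: gather every installed app, sort each into a signature bucket
# and print the non-empty buckets. Apps that are validly signed but not
# notarized (Apple's own system apps fall here) are checked but not reported,
# as are apps whose pkgutil status text is unrecognised.
# Returns 1 when system_profiler reported no applications at all.
function main {
  trap ctrl_c SIGINT
  # Detect and react to the user hitting CTRL + C
  local app category
  local -a apps=() notarized=() no_signature=()
  local -a untrusted_certificate=() broken=()

  while IFS= read -r app; do
    apps+=("${app}")
  done < <(list_apps)

  # Guard before expanding the array: under set -u on bash < 4.4 (macOS ships
  # bash 3.2) "${apps[@]}" on an empty array is an unbound-variable error.
  if [ "${#apps[@]}" -eq 0 ]; then
    printf '[❌] system_profiler returned no applications\n' >&2
    return 1
  fi

  for app in "${apps[@]}"; do
    category="$(classify_app "${app}")"
    case "${category}" in
      notarized) notarized+=("${app}") ;;
      no_signature) no_signature+=("${app}") ;;
      untrusted_certificate) untrusted_certificate+=("${app}") ;;
      broken) broken+=("${app}") ;;
      *) ;;   # signed-but-not-notarized and unknown: not reported
    esac
  done

  # ${arr[@]+"${arr[@]}"} expands to nothing for an empty bucket instead of
  # tripping set -u on bash < 4.4; the blank separator lines are printed
  # unconditionally, as before.
  print_group "${GREEN}" "Notarized" ${notarized[@]+"${notarized[@]}"}
  echo
  print_group "${RED}" "Not Signed" ${no_signature[@]+"${no_signature[@]}"}
  echo
  print_group "${RED}" "Signed with untrusted certificate" ${untrusted_certificate[@]+"${untrusted_certificate[@]}"}
  echo
  print_group "${RED}" "Broken Signature:" ${broken[@]+"${broken[@]}"}
}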
# Script entry point; arguments are forwarded but main does not read any.
main "$@"