New Simian and signed plists

[John Meyers]

The latest (and maybe final?) merge of Simian seems to support a signed plist feature.  All of my packages now say:

Plist is Not Signed - This package will not be served to users with plist signature verification turned on.

Does anyone know how one signs them?  I'm not seeing anything obvious in the docs.  How is the signature verification controlled on the client?

John

[Edward Eigerman]

It's just looking for signature key-value pairs. This allows you to sign all the scripts that Munki can execute (as well as the hash of the dmg itself) so that they can't be meddled with on the server.

You'd have to implement the checking in Munki, as well as to distribute the public key for the signatures. Let me see if I can share the code we used to do that (it's pretty simple).

Ed

--
You received this message because you are subscribed to the Google Groups "Simian Discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to simian-discus...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--

Edward Eigerman | Mac Sys Admin | eige...@google.com

[John Meyers]

Thanks!

[John Meyers]

Ed,

We both dropped this.  I'm still interested in signing and would be grateful if you could share these scripts, or at least point me in the right direction of how to do it.

Happy new year!

John

On Thursday, October 11, 2018 at 12:08:00 PM UTC-4, Edward Eigerman wrote:

[John Meyers]

Ed,

I know you guys have moved away from Simian and I'd very much like not to loose the wonderful work you've done.  I've scoured the Munki code top to bottom for any reference to the plist signature key-value pairs I see in the Simian code, and I can't find a single reference anywhere.  Before this gets lost to eternity, I would be grateful if you would still be willing to post the details.  Good luck with your next tool.  Simian was and remains awesome.

John

On Thursday, October 11, 2018 at 12:08:00 PM UTC-4, Edward Eigerman wrote: