Signing remote action scripts on Mac (classic)
The following is a step-by-step guide to signing remote action scripts on a Mac device.
For the production environment, we recommend using a code signing certificate.
Create your certificate
Launch Keychain Access on your Mac device.
Go to Keychain Access > Certificate Assistant > Create a Certificate…
Enter the name of your certificate.
Choose Code Signing for the Certificate Type.
For testing purposes, you can leave Let me override defaults unchecked.
Click Create and Done. The system has generated the certificate.
Signing and packaging a remote action script
Signing
Sign the remote action scripts using the standard macOS codesign utility.
Parameters:
The identity of your code signing certificate is in the Keychain. Generally, it is a certificate subject common name or a certificate hash. See the codesign manual page for a full description.
A trusted timestamp for a signature.
A prefix to a code signature identifier. It attaches your company identity to an identifier and helps to make an identifier unique. See the code signature identifier generation rules on the codesign manual page.
This forces a code signature to be rewritten if it already exists.
Example
Example of a test certificate for example_ra_script.sh remote action script:
The signature for the script file is generated in the file system extended attributes associated with the file. Use the codesign utility to get the code signature details and validate the signature:
Packaging
Package the remote action script with a .tar archive and .gzip compression. The extension ".tar.gz" is mandatory.
If the script file is signed, the tar utility will pack its extended attributes as well. This way, the system can transport the code signature along with a script file. Limitations
Only one script can be put into one archive.
A script file should be put into the root package folder, the
./myscript/myscript.sh
path is not correct.A script must have the .sh extension.
A script filename must be UTF-8 encoded, which is the default on macOS.
Example
Example of packaging the test.sh
script:
The resulting example_ra_script.tar.gz
is the remote action script file.
Signing and packaging a remote action script
Nexthink recommends using this script to simplify the signing and packaging process.
Exporting a code signing certificate to install on endpoints
If you have your code signing certificate in the Keychain and want to install its public version on endpoints, you need to export it first.
Choose the Certificate (.cer) file format for a public certificate in the pop-up window.
Importing a code signing certificate to the Keychain on endpoints
Import your code-signed certificate into the System keychain to use remote action scripts with a Trusted Publisher execution policy.
Double-click a .cer file and choose the System option in the Keychain drop-down menu.
Enter the root password to import the certificate.
If the certificate is self-signed, it should also be trusted for code signing.
Double-click the Keychain Access utility certificate and choose Always trust for the Code Signing option.
To automate these tasks, use the security utility (external link) or your automation framework.
Verify that the certificate was properly imported to an endpoint
Copy and unpack your signed remote action script to the endpoint.
Verify your signature.
If the signature is properly imported, you should see the following output:
RELATED TOPIC
Last updated