Signing remote action scripts on Mac (classic)

The following is a step-by-step guide to signing remote action scripts on a Mac device.

For the production environment, we recommend using a code signing certificate.

Create your certificate

  • Launch Keychain Access on your Mac device.

  • Go to Keychain Access > Certificate Assistant > Create a Certificate…

  • Enter the name of your certificate.

  • Choose Code Signing for the Certificate Type.

  • For testing purposes, you can leave Let me override defaults unchecked.

  • Click Create and Done. The system has generated the certificate.

Signing and packaging a remote action script

Signing

Sign the remote action scripts using the standard macOS codesign utility.

codesign -s <your certificate identity> --timestamp --prefix=<code signature identifier prefix> --force <script file name>

Parameters:

-s <your certificate identity>

The identity of your code signing certificate is in the Keychain. Generally, it is a certificate subject common name or a certificate hash. See the codesign manual page for a full description.

--timestamp

A trusted timestamp for a signature.

--prefix

A prefix to a code signature identifier. It attaches your company identity to an identifier and helps to make an identifier unique. See the code signature identifier generation rules on the codesign manual page.

--force

This forces a code signature to be rewritten if it already exists.

Example

Example of a test certificate for example_ra_script.sh remote action script:

codesign -s "RA scripts code signing certificate" --timestamp --prefix=com.my-organisation.remote-action.macos. --force example_ra_script.sh

The signature for the script file is generated in the file system extended attributes associated with the file. Use the codesign utility to get the code signature details and validate the signature:

Packaging

Package the remote action script with a .tar archive and .gzip compression. The extension ".tar.gz" is mandatory.

tar -czvf ./<your script name>.tar.gz ./<your script name>.sh

If the script file is signed, the tar utility will pack its extended attributes as well. This way, the system can transport the code signature along with a script file. Limitations

  • Only one script can be put into one archive.

  • A script file should be put into the root package folder, the ./myscript/myscript.sh path is not correct.

  • A script must have the .sh extension.

  • A script filename must be UTF-8 encoded, which is the default on macOS.

Example

Example of packaging the test.sh script:

tar -czvf ./example_ra_script.tar.gz ./example_ra_script.sh

The resulting example_ra_script.tar.gz is the remote action script file.

Signing and packaging a remote action script

Nexthink recommends using this script to simplify the signing and packaging process.

#!/bin/bash
#
# script_signing.sh
# 
# Copyright (C) 2023 by Nexthink S.A., Switzerland. Any usage, copy or partial copy of
# this code without the explicit agreement of Nexthink S.A. is prohibited and will be
# pursued to the full extend of the law.
#
# The arguments for the script:
# - input script filename
# - output archive filename
# - Certificate owner
# - Prefix
#
 
 
# Error handling
set -euo pipefail
trap "echo unrecoverable error !" ERR
 
 
# Check codesign
if [[ ! -x /usr/bin/codesign ]]
then
    echo "Error: this script requires that codesign is installed"
    exit 2
fi
 
# Check tar
if [[ ! -x /usr/bin/tar ]]
then
    echo "Error: this script requires that tar is installed"
    exit 2
fi
 
 
# Check arguments
if [[ $# -lt 4 ]]
then
    echo "Usage: script_signing.sh inputScriptFilename outputArchiveFilename CertificateOwner prefix"
    echo "Example: ./script_signing.sh script.sh script.tar.gz \"John Doe\" com.john.remote-action.macos."
    exit 1
fi
 
/usr/bin/codesign -s "$3" --timestamp --prefix="$4" --force "$1"
/usr/bin/tar czf "$2" "$1"

Exporting a code signing certificate to install on endpoints

If you have your code signing certificate in the Keychain and want to install its public version on endpoints, you need to export it first.

  • Choose the Certificate (.cer) file format for a public certificate in the pop-up window.

Importing a code signing certificate to the Keychain on endpoints

  • Import your code-signed certificate into the System keychain to use remote action scripts with a Trusted Publisher execution policy.

  • Double-click a .cer file and choose the System option in the Keychain drop-down menu.

  • Enter the root password to import the certificate.

If the certificate is self-signed, it should also be trusted for code signing.

  • Double-click the Keychain Access utility certificate and choose Always trust for the Code Signing option.

To automate these tasks, use the security utility (external link) or your automation framework.

Verify that the certificate was properly imported to an endpoint

  • Copy and unpack your signed remote action script to the endpoint.

tar -xzvf example_ra_script.tar.gz
  • Verify your signature.

codesign -vvvv -R="certificate leaf trusted" example_ra_script.sh

If the signature is properly imported, you should see the following output:


RELATED TOPIC

Last updated