santactl/fileinfo: Add --entitlements flag and key. #263

Merged
merged 4 commits into from
Feb 18, 2025

russellhancox
Member

@russellhancox russellhancox commented Feb 14, 2025

Entitlements will be printed if --entitlements is passed as a flag or if Entitlements is in the list of requested keys.

Entitlements will be printed if `--entitlement` is passed as a flag or
if `Entitlements` is in the list of requested keys.
@russellhancox russellhancox requested a review from a team as a code owner February 14, 2025 22:57
@github-actions github-actions bot added comp/santactl Issues or PRs related to santactl lang/objc PRs modifying files in ObjC size/s Size: small labels Feb 14, 2025
@pmarkowsky
Contributor

This is showing up as mostly JSON for me.

Entitlements           : {
    "com.apple.application-identifier" = "ZMCG7MLDV9.com.northpolesec.santa";
    "com.apple.developer.system-extension.install" = 1;
    "com.apple.developer.team-identifier" = ZMCG7MLDV9;
    "keychain-access-groups" =     (
        "ZMCG7MLDV9.com.northpolesec.santa"
    );
}

Why not format this like the signing chain with the list being ordered as key value pairs to match the other items when not using --json?

E.g.

Entitlements           : 
 1. "com.apple.application-identifier": "ZMCG7MLDV9.com.northpolesec.santa"
 2. "com.apple.developer.system-extension.install": "1"
 3. "com.apple.developer.team-identifier" : "ZMCG7MLDV9"
 4. "keychain-access-groups" :    ["ZMCG7MLDV9.com.northpolesec.santa"]

@mlw
Contributor

mlw commented Feb 17, 2025

Keeping things interesting, we have a slightly different format for bundle hashes - they're not numbered:

Bundle Info:
       Main Bundle Path    : /Applications/Obsidian.app
       Main Bundle ID      : md.obsidian
       Bundle Hash         : 7ae486a88778e0614dec2a6491a6e61051efdd1cba3cc09fc9f6faa9aa926ecc
              f522ed15aae77dcaae68e7ed325bb6deedeea8b1ecc13b68e99cdba904f319ec  /Applications/Obsidian.app/Contents/Frameworks/Obsidian Helper.app/Contents/MacOS/Obsidian Helper
              ceb4f928b5c1f35c20a32701be59bce412a2cec09230a840b0327522e09e09d3  /Applications/Obsidian.app/Contents/Frameworks/Obsidian Helper (Plugin).app/Contents/MacOS/Obsidian Helper (Plugin)
              5ff1bbcff2f3749a8af98511880880645a1d5577100da1082cd8d10c1f7a8282  /Applications/Obsidian.app/Contents/Frameworks/Obsidian Helper (GPU).app/Contents/MacOS/Obsidian Helper (GPU)
              57e6e71886bb2e1789768fe8c715c83868443e9e2e10cfc6b8a83b13c8a3dcf8  /Applications/Obsidian.app/Contents/MacOS/Obsidian
              296f1606b744e044b8f9f4f25f09db8698066f209e540a883ade54b66ada5ccc  /Applications/Obsidian.app/Contents/Frameworks/Obsidian Helper (Renderer).app/Contents/MacOS/Obsidian Helper (Renderer)
              63214894364346d5b29cba9dcaad8e8244afefeee036b25bbdd7a3f3dbde65ee  /Applications/Obsidian.app/Contents/Frameworks/Squirrel.framework/Versions/A/Resources/ShipIt
              5dbada2017b8a7556c631d912cd16c28f0bd790c38a07cc3a1260fb718d125fb  /Applications/Obsidian.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Helpers/chrome_crashpad_handler

I think I agree it makes sense to display things a tad bit nicer in non-JSON output. Though we will still hit some issues with nested k/v pairs and we probably shouldn't try too hard there... As to whether or not we number, I don't care - it'd be nice to be consistent eventually though

@russellhancox
Member Author

Done. Other than parsing true/false values I'm not attempting to do anything with the value so there can still be JSON output in complex cases. E.g.

$ santactl fileinfo /opt/homebrew/Cellar/tart/2.19.3/libexec/tart.app/Contents/MacOS/tart --entitlements
---->8-----
Code-signed            : Yes
Rule                   : Allowed (SigningID)
Entitlements:
    1. com.apple.vm.networking
    2. com.apple.security.virtualization
Signing Chain:
    1. SHA-256             : 11a945ae04224780e250ad7ea0fd53e57c98c4624c2efe516cb808220492d746
       SHA-1               : b2faa961251f71684d35672deef87f9acf83e0eb
----8<-----

$ santactl fileinfo /Applications/Xcode.app --entitlements
---->8-----
Code-signed            : Yes
Rule                   : Allowed (SigningID)
Entitlements:
    1. com.apple.PairingManager.RemovePeer
    2. com.apple.PerfPowerServices.data-donation
    3. com.apple.private.syspolicy.execution-policy-bypass
    4. com.apple.developer.aps-environment: production
    5. com.apple.private.biome.read-write: (
    "GenerativeModels.GenerativeFunctions.Instrumentation"
)
    6. com.apple.private.coreservices.definesExtensionPoint
    7. com.apple.private.network.system-token-fetch
    8. com.apple.private.security.storage.MobileAssetGenerativeModels
    9. com.apple.private.feedback.drafting
   10. com.apple.projectsetdeviced.client
   11. com.apple.private.MobileContainerManager.lookup: {
    appData = 1;
    daemon =     (
        "com.apple.testmanagerd",
        "com.apple.dt.testmanagerd"
    );
    pluginData = 1;
}
   12. com.apple.private.dt.xcode.set-responsible-process-for-ui-testing
   13. com.apple.application-identifier: 59GAB85EFG.com.apple.dt.Xcode
   14. com.apple.PairingManager.Read
   15. com.apple.private.viewbridge.preview
   16. com.apple.sysmond.client
----8<-----
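
For tooling that has to consume this non-JSON layout, here is an added example (not part of the PR or of Santa's code) that parses the numbered `Entitlements:` section, keeps multi-line nested values as raw text, and lists keys in the `com.apple.private.` namespace for review. The function names and the section-end heuristic are assumptions, and bare keys are recorded as `True` on the assumption that they are the parsed boolean values mentioned in the comment above.

```python
import re

# Constructed sample, modelled on the two outputs quoted in the comment above.
SAMPLE = """\
Rule                   : Allowed (SigningID)
Entitlements:
    1. com.apple.PairingManager.RemovePeer
    2. com.apple.developer.aps-environment: production
    3. com.apple.private.biome.read-write: (
    "GenerativeModels.GenerativeFunctions.Instrumentation"
)
    4. com.apple.private.MobileContainerManager.lookup: {
    appData = 1;
    daemon =     (
        "com.apple.testmanagerd",
        "com.apple.dt.testmanagerd"
    );
    pluginData = 1;
}
    5. com.apple.application-identifier: 59GAB85EFG.com.apple.dt.Xcode
Signing Chain:
    1. SHA-256             : 11a945ae04224780e250ad7ea0fd53e57c98c4624c2efe516cb808220492d746
"""

ITEM = re.compile(r"^\s+\d+\. (.+)$")  # "    4. key" or "   10. key: value"

def parse_entitlements(text):
    """Map each key to True (bare key, assumed boolean true) or its raw value text."""
    ents, key, in_section = {}, None, False
    for line in text.splitlines():
        if not in_section:
            in_section = line.strip() == "Entitlements:"
            continue
        m = ITEM.match(line)
        if m:
            key, sep, value = m.group(1).partition(": ")
            ents[key] = value if sep else True
        elif line[:1] in (" ", ")", "}") and isinstance(ents.get(key), str):
            ents[key] += "\n" + line  # nested value spilling onto more lines
        else:
            break  # assumption: any other unindented line starts a new section
    return ents

def private_entitlements(ents):
    """Keys in the com.apple.private. namespace, sorted for stable review."""
    return sorted(k for k in ents if k.startswith("com.apple.private."))

if __name__ == "__main__":
    print(private_entitlements(parse_entitlements(SAMPLE)))
```

Nested values stay unparsed strings here, matching the behaviour described above; automation that needs structured values is better served by the `--json` output mentioned earlier in the thread.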

@russellhancox
Member Author

russellhancox commented Feb 18, 2025

> Keeping things interesting, we have a slightly different format for bundle hashes - they're not numbered:

I've added numbers to the binaries included in the bundle hash:

Bundle Info:
       Main Bundle Path    : /Applications/Zed.app
       Main Bundle ID      : dev.zed.Zed
       Bundle Hash         : cd2be97ec550b8ca2ee1732341855e4f441ad21c06c59459907a1f6cc937dc41
            1. ebd9f6b4b18668d66f65f8f128d9f949a03e0a2f038185d9d22ba3ab73d2282e  /Applications/Zed.app/Contents/MacOS/cli
            2. f5c2d51789216b69aebce90d0f5d8343be4cd6a7591847b69d59249d95baaa67  /Applications/Zed.app/Contents/MacOS/git
            3. 66c5ec4504e4108f1d512d231796270ae0ab48b056f55747b2e49dc63df75fcb  /Applications/Zed.app/Contents/MacOS/zed

Contributor

@pmarkowsky pmarkowsky left a comment

LGTM.

@russellhancox russellhancox merged commit 1406a92 into main Feb 18, 2025
10 checks passed
@russellhancox russellhancox deleted the rah/fileinfo-entitlements branch February 18, 2025 14:06