@Theile commented on GitHub:
Improved main code section part for debug:
# Exit if new version is the same as installed version
#echo "appversion $appversion" #for testing
`#echo "appNewVers…
@scriptingosx commented on GitHub:
codesign verifies the signature, but not notarization status.
@hkrewson commented on GitHub:
spctl first tells us the pkg is 'accepted'. That should be plenty to check for with or without the TeamID.
@Theile commented on GitHub:
I have tried to make a branch and create my suggestions in there. Hope that was the right way to do it…
@scriptingosx commented on GitHub:
@hkrewson spctl/Gatekeeper only checks whether the signature is from a valid Developer ID. A malicious attacker could create a 'fake'/malicious app installer…
@scriptingosx commented on GitHub:
Yes, @mischavdbent noticed this, too. Right now I am not sure how to extend the spctl check to work with Apple certs.
We could change the check to "just"…
@kenchan0130 commented on GitHub:
The certificate of Software Update details:
Subject Name
Common Name: Software Update
Organization: Apple Inc.
Country or Region: US
##…
@kenchan0130 commented on GitHub:
pkgutil can show some certificates.
$ pkgutil --check-signature "SF Symbols.pkg"
Package "SF Symbols.pkg":
Status: signed Apple Software
…
@scriptingosx commented on GitHub:
Since the Apple signed pkg passes the spctl check, I think it would be sufficient to check for the Apple Software label when the TeamID can't be found.
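The decision discussed in this thread (spctl acceptance, then Team ID match, then the `Apple Software` label when no Team ID is found), as an added example that is not code from the project or from any commenter. The function name, verdict strings, the `APPLE` sentinel, the sample outputs and the assumed `origin=` line format are assumptions of this example.

```shell
#!/bin/sh
# Constructed sample outputs (not captured from a real system).
SAMPLE_SPCTL_DEV='Example.pkg: accepted
source=Notarized Developer ID
origin=Developer ID Installer: Example Corp (ABCDE12345)'
SAMPLE_SPCTL_APPLE='SF Symbols.pkg: accepted
origin=Software Update'
SAMPLE_PKGUTIL_APPLE='Package "SF Symbols.pkg":
   Status: signed Apple Software'

# check_pkg_signer EXPECTED SPCTL_OUT PKGUTIL_OUT   (hypothetical helper)
# EXPECTED is a Team ID, or the sentinel APPLE (an assumption of this example)
# for packages that are supposed to come from Apple.
# Prints a verdict and returns 0 only when the signer is the expected one.
check_pkg_signer() {
    expected=$1 spctl_out=$2 pkgutil_out=$3

    # 1. Gatekeeper has to accept the package before anything else counts.
    if ! printf '%s\n' "$spctl_out" | grep -q ': accepted$'; then
        echo "not-accepted"; return 1
    fi

    # 2. Team ID = last parenthesised token on the origin= line
    #    (assumed format: "origin=Developer ID Installer: Name (TEAMID)").
    team=$(printf '%s\n' "$spctl_out" |
        sed -n 's/^origin=.*(\([A-Z0-9]\{1,\}\))$/\1/p')
    if [ -n "$team" ]; then
        if [ "$team" = "$expected" ]; then echo "team-id-match"; return 0; fi
        echo "team-id-mismatch"; return 1
    fi

    # 3. No Team ID: fall back to pkgutil's "Apple Software" status, and only
    #    when the caller asked for an Apple package, so that an Apple-signed
    #    pkg cannot stand in for a third-party label.
    if printf '%s\n' "$pkgutil_out" |
        grep -Eq '^[[:space:]]*Status: signed Apple Software[[:space:]]*$'; then
        if [ "$expected" = "APPLE" ]; then echo "apple-software"; return 0; fi
        echo "unexpected-apple-signer"; return 1
    fi
    echo "no-team-id"; return 1
}
```

On a Mac the two text arguments would come from `spctl -a -vv -t install "$pkg" 2>&1` and `pkgutil --check-signature "$pkg"`.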
@Theile commented on GitHub:
I'm brainstorming. If it's as easy as Signal, that could be implemented and matched. If it's more difficult, the "new" version could be downloaded, and before copying…
@scriptingosx commented on GitHub:
I am also not convinced that all clients pinging multiple random web servers every day is the best approach.
@scriptingosx commented on GitHub:
With some apps it is fairly easy to determine the latest version. With others: not so easy or even impossible. It would sure be nice, where possible. But I am…
@kenchan0130 commented on GitHub:
Since the Apple signed pkg passes the spctl check, I think it would be sufficient to check for the Apple Software label when the TeamID can't be found.
Looks…
@Theile commented on GitHub:
I get it, but how do you handle this in Jamf? You would have to investigate it somehow yourself, I guess… Or do you just make this available in Self Service?
When…
@Theile commented on GitHub:
My suggestion with the example of Signal.app: Add variable to the caseStatement called appNewVersion, and the caseStatement for Signal will be as follows: ` …
@acodega commented on GitHub:
Closing old issue. (Excuse the lateness, doing some housekeeping on Issues)