3 # Poor man's option parsing.
4 # Replace with shift/case once more options come along.
6 if [ "$1" == "-s" ]; then
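# Identify the machine being diagnosed. Each assignment is a single statement;
# the listing had split them across lines.
# PRODUCT_VERSION holds the OS *build* string (sw_vers -buildVersion), not the
# marketing version. HOSTNAME, PRODUCT_VERSION and NOW are used further down to
# name the output bundle.
PRODUCT_NAME="$(sw_vers -productName)"
PRODUCT_VERSION="$(sw_vers -buildVersion)"
HOSTNAME="$(hostname -s)"
# Second-resolution timestamp, digits only, so it is safe inside a file name.
NOW="$(date "+%Y%m%d%H%M%S")"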
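# Log, crash-report and helper-tool locations for one platform.
# NOTE(review): the branch header is not visible in this listing; the paths
# (DiagnosticReports, /AppleInternal) suggest this is the OS X case - confirm.
CRASHDIR=/Library/Logs/DiagnosticReports
SECLOGPATH=/var/log/module/com.apple.securityd
syd=/System/Library/PrivateFrameworks/SyncedDefaults.framework/Support/syncdefaultsd
kvsutil=/AppleInternal/Applications/kvsutil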
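# Output, log, crash-report and helper-tool locations for the other platform.
# NOTE(review): the branch header is not visible in this listing; the
# /var/mobile paths suggest this is the iOS case - confirm.
# The bundle is written under OUTPUTPARENT, next to the crash reports.
OUTPUTPARENT=/Library/Logs/CrashReporter
CRASHDIR=/var/mobile/Library/Logs/CrashReporter
SECLOGPATH=/var/mobile/Library/Logs/CrashReporter/DiagnosticLogs
syd=/System/Library/PrivateFrameworks/SyncedDefaults.framework/Support/syncdefaultsd
kvsutil=/usr/local/bin/kvsutil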
38 if (( ! $SHORT )); then
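# Bundle name for a full run (SHORT is zero): host, OS build and timestamp.
OUTPUTBASE="ckcdiagnose_${HOSTNAME}_${PRODUCT_VERSION}_${NOW}"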
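# Bundle name for a short run: same fields, marked as a snapshot.
OUTPUTBASE="ckcdiagnose_snapshot_${HOSTNAME}_${PRODUCT_VERSION}_${NOW}"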
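# Full path of the bundle directory; every collected file goes below it.
OUTPUT="$OUTPUTPARENT/$OUTPUTBASE"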
47 if [ "$PROD" = "IOS" ]; then
48 while !(/usr
/local
/bin
/profilectl cpstate
| grep -Eq 'Unlocked|Disabled'); do
49 echo Please ensure that your device is unlocked and press Enter.
>&2
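# Announce the bundle directory.
echo "Outputting to $OUTPUT"

# OS name, version and build of the machine being diagnosed.
sw_vers > "$OUTPUT/sw_vers.log"

# Two dumps of keychain-sync state from the platform's security tool.
# syncD.log is parsed again further down (compared against the kvsutil dump).
# $secexec is assigned outside the lines shown here, so it is left unquoted
# exactly as the original had it.
$secexec sync -D > "$OUTPUT/syncD.log"
$secexec sync -i > "$OUTPUT/synci.log"

# Only when SHORT is zero: if kvsutil exists and is executable, save its view
# of the cloudkeychainproxy3 store, stderr included.
(( $SHORT )) || ( [ -x "$kvsutil" ] && "$kvsutil" show com.apple.security.cloudkeychainproxy3 > "$OUTPUT/kvsutil_show.txt" 2>&1 )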
66 if [ "$PROD" == "OSX" ]; then
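# OS X: save two specific generic-password (class=genp) items - the iCloud
# Keychain account metadata (by service) and the engine state (by account).
# NOTE(review): unlike the class-wide queries later in this script, the output
# of these lookups is stored in the bundle; confirm it contains nothing that
# should not leave the machine.
$secexec item -g class=genp,nleg=1,svce="iCloud Keychain Account Meta-data" > "$OUTPUT/ickcmetadata.log"
$secexec item -g class=genp,nleg=1,acct=engine-state > "$OUTPUT/engine-state.log"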
69 elif [ "$PROD" == "IOS" ]; then
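# iOS: the same two generic-password lookups as the OS X branch, without the
# nleg=1 attribute.
# NOTE(review): the output of these lookups is stored in the bundle; confirm it
# contains nothing that should not leave the device.
$secexec item -g class=genp,svce="iCloud Keychain Account Meta-data" > "$OUTPUT/ickcmetadata.log"
$secexec item -g class=genp,acct=engine-state > "$OUTPUT/engine-state.log"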
74 # In preparation, before getting any of the logs, query all classes,
75 # just in order to exercise the decryption and corruption
76 # verification for all items. This will log errors and simulated crashes
77 # if any of the items should turn out corrupted.
78 # The items are NOT saved in the diagnostic log, because they potentially
79 # contain very private items.
80 for class
in genp inet cert keys
; do
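# Label the query, then append only the NUMBER of matching items (lines that
# start with "acct"). The item contents are piped into grep/wc and never reach
# the bundle.
echo "class=${class},sync=${sync},tomb=${tomb}:" >> "$OUTPUT/keychain-state.log"
# The original wrote "2>&1 >> file", which duplicates stderr onto the old
# stdout before stdout is redirected; the order is swapped so wc's stderr lands
# in the same file as its count.
${secexec} item -q "class=${class},sync=${sync},tomb=${tomb}" | grep '^acct' | wc -l >> "$OUTPUT/keychain-state.log" 2>&1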
89 if (( ! $SHORT )); then
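# Pull syslog messages per sender. "Seq" is syslog(1)'s substring-equality
# operator, so each query matches senders containing the given name.
# $secd is assigned outside the lines shown here and is left unquoted as in
# the original.
syslog -k Sender Seq syncdefaults > "$OUTPUT/syslog_syncdefaults.log"
syslog -k Sender Seq $secd > "$OUTPUT/syslog_secd.log"
syslog -k Sender Seq CloudKeychain > "$OUTPUT/syslog_cloudkeychain.log"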
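# Only when SHORT is zero: record sbdtool's status, stderr included.
(( $SHORT )) || ( sbdtool status > "$OUTPUT/sbdtool_status.log" 2>&1 )

# Three reports from syncdefaultsd ($syd), each with stderr captured alongside
# stdout so tool errors end up in the bundle too.
"$syd" status > "$OUTPUT/syd_status.txt" 2>&1
"$syd" lastrequest > "$OUTPUT/syd_lastrequest.txt" 2>&1
"$syd" serverlimits > "$OUTPUT/syd_serverlimits.txt" 2>&1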
101 # Compare kvsutil and sync -D state, shows if store diverged from on-device state.
102 if (( ! $SHORT )); then
103 if [ -f $OUTPUT/kvsutil_show.txt
]; then
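# Reduce the kvsutil dump to one sorted line per key whose name starts with
# "ak", "oak" or "-ak". As the sed expressions are written, each line keeps the
# key name and the last 8 hex digits of its value.
grep -E '^ "?[o-]?ak.* = ' "$OUTPUT/kvsutil_show.txt" \
  | sed -E 's/^ "?([^"]*)"? = \<.* (.*) (.*)\>.*$/\1 \2\3/g;s/^(.*) [0-9a-f]*([0-9a-f]{8})/\1 \2/g' \
  | sort > "$OUTPUT/kvs_keys.txt"

# Same reduction for the "sync -D" dump.
grep -E 'contents = "?[o-]?ak' "$OUTPUT/syncD.log" \
  | sed -E 's/^.*contents = "?([^"]*)"?\} = .*bytes = .* ... [0-9a-f]+([0-9a-f]{8})\}/\1 \2/g' \
  | sort > "$OUTPUT/syncD_keys.txt"

# A non-empty diff means the store and the on-device state have diverged.
diff -u "$OUTPUT/kvs_keys.txt" "$OUTPUT/syncD_keys.txt" > "$OUTPUT/kvs_syncD_diff.txt"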
110 if [ "$PROD" = "IOS" ]; then
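# iOS: copy the two cloudkeychainproxy3 plists (keys-to-register list and
# synced preferences) from their system-wide locations into the bundle.
cp /private/var/preferences/com.apple.security.cloudkeychainproxy3.keysToRegister.plist "$OUTPUT/"
cp /var/mobile/Library/SyncedPreferences/com.apple.security.cloudkeychainproxy3.plist "$OUTPUT/"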
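# The same two plists, taken from the invoking user's home directory.
# NOTE(review): the branch header is not visible in this listing; presumably
# this is the non-iOS case - confirm. The tilde stays unquoted so it expands.
cp ~/Library/Preferences/com.apple.security.cloudkeychainproxy3.keysToRegister.plist "$OUTPUT/"
cp ~/Library/SyncedPreferences/com.apple.security.cloudkeychainproxy3.plist "$OUTPUT/"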
118 if (( ! $SHORT )); then
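# Copy the raw security logs (current and rotated) into the bundle.
# Only the directory part is quoted; the glob must stay outside the quotes.
cp "$SECLOGPATH"/security.log* "$OUTPUT/"

# Copy crash reports whose file name mentions the security daemon,
# syncdefaults or CloudKeychain. $secd is assigned outside the lines shown.
cp "$CRASHDIR"/*${secd}* "$OUTPUT/"
cp "$CRASHDIR"/*syncdefaults* "$OUTPUT/"
cp "$CRASHDIR"/*CloudKeychain* "$OUTPUT/"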
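# Concatenate every security.log* file into one log; -f lets gzcat handle
# files that are not compressed.
# The original used "cd DIR; cmd", so a failed cd let gzcat/cat read same-named
# files from the caller's working directory. The subshells now stop when cd
# fails and the output file is simply left empty.
(cd "$SECLOGPATH" && gzcat -c -f security.log*) > "$OUTPUT/security-complete.log"

# Rotated logs only (security.log.*.gz decompressed, security.log.*Z read
# as-is): keep the lines that mention known trouble markers.
(cd "$SECLOGPATH" || exit; gzcat -c security.log.*.gz; cat security.log.*Z) \
  | grep -E -- 'Invalid date.|-26275|[cC]orrupt|[cC]rash|Public Key not available' \
  > "$OUTPUT/problems.log"

# Same input with the first five space-separated fields cut away, turned into
# a frequency table of the remaining text, least frequent first.
(cd "$SECLOGPATH" || exit; gzcat -c security.log.*.gz; cat security.log.*Z) \
  | cut -d ' ' -f 6- | sort | uniq -c | sort -n \
  > "$OUTPUT/security-sorted.log"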
132 ) > $OUTPUT/ckcdiagnose.log
2>&1
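# Pack the bundle directory into $OUTPUT.tgz. -C makes the archive paths
# relative to $OUTPUTPARENT, so it unpacks as $OUTPUTBASE/...
# NOTE(review): the archive carries security logs, keychain-sync state and
# preference plists, and its mode comes from the umask in effect; confirm that
# is restrictive enough for where $OUTPUTPARENT lives.
tar czf "$OUTPUT.tgz" -C "$OUTPUTPARENT" "$OUTPUTBASE"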
138 if (( ! $SHORT )); then
140 echo "The file containing the diagnostic information is "
142 echo 'Please attach it to a Radar in "Security / iCloud Keychain"'
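# On OS X, open the folder that holds the archive.
[ "$PROD" = "OSX" ] && open "$OUTPUTPARENT"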