3 # gkgenerate - produce Gatekeeper explicit allow data
5 # gkgenerate [--output name] [--uuid stamp] [--empty] files...
6 # collects GKE data from all of the given files (the output of the gkrecord command) and writes
7 # two output files, name.auth and name.sigs, that are ready to be dropped into /var/db for pickup.
20 # Parameters and constants
29 print >>sys
.stderr
, "Usage: %s sourcedir" % sys
.argv
[0]
33 print >>sys
.stderr
, "%s: %s" % (sys
.argv
[0], whatever
)
40 parser
= argparse
.ArgumentParser()
41 parser
.add_argument("--output", default
="./gke", help="name of output files")
42 parser
.add_argument("--uuid", default
=uuid
.uuid4(), help="explicitly specify the uuid stamp")
43 parser
.add_argument("--empty", action
='store_true', help="allow empty output sets")
44 parser
.add_argument('source', nargs
='+', help='files generated by the gkrecord command')
45 args
= parser
.parse_args()
47 authfile
= args
.output
+ ".auth"
48 sigsfile
= args
.output
+ ".sigs"
52 # Augment a snippet record
55 for auth
in data
.authority
.values():
56 if auth
.path
in data
.signatures
:
57 signature
= data
.signatures
[auth
.path
].signature
.data
58 unpack
= subprocess
.Popen(["/usr/local/bin/gkunpack"], stdin
=subprocess
.PIPE
, stdout
=subprocess
.PIPE
, stderr
=subprocess
.PIPE
)
59 (stdout
, stderr
) = unpack
.communicate(input=signature
)
61 fail("signature unpack failed for %s" % auth
.path
)
62 auth
.screen
= stdout
.rstrip();
66 # Start by collecting authority evidence from the authority records
70 for source
in args
.source
:
72 data
= plistlib
.readPlist(source
[1:])
74 auth
.update(data
["authority"])
75 sigs
.update(data
["signatures"])
77 data
= plistlib
.readPlist(source
)
79 auth
.update(data
["authority"])
81 if not auth
and not args
.empty
:
82 fail("No authority records (nothing to do)")
86 # Scrub the authority records to remove identifying ("incriminating") evidence before they are published; the records are re-keyed below
89 for rec
in auth
.values():
93 new_auth
[str(u
)] = rec
98 # The authority file is written as-is, as a plist
104 plistlib
.writePlist(wrap
, authfile
)
105 print "Wrote %d authority record(s) to %s" % (len(auth
), authfile
)
109 # The signatures are written as tightly packed signature blobs
111 sigblobs
= open(sigsfile
, "w")
114 sigblobs
.write(sigdata
["signature"].data
)
116 print "Wrote %d signature record(s) to %s" % (len(sigs
), sigsfile
)