56 private static void verifyCodesignResult(List<String> result, Path target, 57 boolean signed) { 58 result.stream().forEachOrdered(TKit::trace); 59 if (signed) { 60 String lookupString = target.toString() + ": valid on disk"; 61 checkString(result, lookupString); 62 lookupString = target.toString() + ": satisfies its Designated Requirement"; 63 checkString(result, lookupString); 64 } else { 65 String lookupString = target.toString() 66 + ": code object is not signed at all"; 67 checkString(result, lookupString); 68 } 69 } 70 71 private static List<String> spctlResult(Path target, String type) { 72 List<String> result = new Executor() 73 .setExecutable("/usr/sbin/spctl") 74 .addArguments("-vvv", "--assess", "--type", type, 75 target.toString()) 76 .executeAndGetOutput(); 77 78 return result; 79 } 80 81 private static void verifySpctlResult(List<String> result, Path target, String type) { 82 result.stream().forEachOrdered(TKit::trace); 83 String lookupString = target.toString() + ": accepted"; 84 checkString(result, lookupString); 85 lookupString = "source=" + DEV_NAME; 86 checkString(result, lookupString); 87 if (type.equals("install")) { 88 lookupString = "origin=" + INSTALLER_CERT; 89 } else { 90 lookupString = "origin=" + APP_CERT; 91 } 92 checkString(result, lookupString); 93 } 94 95 private static List<String> pkgutilResult(Path target) { 96 List<String> result = new Executor() 97 .setExecutable("/usr/sbin/pkgutil") 98 .addArguments("--check-signature", 99 target.toString()) 100 .executeAndGetOutput(); 101 102 return result; 103 } 104 105 private static void verifyPkgutilResult(List<String> result) { 106 result.stream().forEachOrdered(TKit::trace); | 56 private static void verifyCodesignResult(List<String> result, Path target, 57 boolean signed) { 58 result.stream().forEachOrdered(TKit::trace); 59 if (signed) { 60 String lookupString = target.toString() + ": valid on disk"; 61 checkString(result, lookupString); 62 lookupString = target.toString() + ": 
satisfies its Designated Requirement"; 63 checkString(result, lookupString); 64 } else { 65 String lookupString = target.toString() 66 + ": code object is not signed at all"; 67 checkString(result, lookupString); 68 } 69 } 70 71 private static List<String> spctlResult(Path target, String type) { 72 List<String> result = new Executor() 73 .setExecutable("/usr/sbin/spctl") 74 .addArguments("-vvv", "--assess", "--type", type, 75 target.toString()) 76 // on Catalina, the exit code can be 3, meaning not notarized 77 .saveOutput() 78 .executeWithoutExitCodeCheck() 79 .getOutput(); 80 81 return result; 82 } 83 84 private static void verifySpctlResult(List<String> result, Path target, String type) { 85 result.stream().forEachOrdered(TKit::trace); 86 String lookupString; 87 /* on Catalina, spctl may return 3 and say: 88 * target: rejected 89 * source=Unnotarized DEV_NAME 90 * so we must skip these two checks 91 lookupString = target.toString() + ": accepted"; 92 checkString(result, lookupString); 93 lookupString = "source=" + DEV_NAME; 94 checkString(result, lookupString); 95 */ 96 if (type.equals("install")) { 97 lookupString = "origin=" + INSTALLER_CERT; 98 } else { 99 lookupString = "origin=" + APP_CERT; 100 } 101 checkString(result, lookupString); 102 } 103 104 private static List<String> pkgutilResult(Path target) { 105 List<String> result = new Executor() 106 .setExecutable("/usr/sbin/pkgutil") 107 .addArguments("--check-signature", 108 target.toString()) 109 .executeAndGetOutput(); 110 111 return result; 112 } 113 114 private static void verifyPkgutilResult(List<String> result) { 115 result.stream().forEachOrdered(TKit::trace); |
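Review bot: The new `verifySpctlResult` drops the `: accepted` and `source=` checks unconditionally, and `spctlResult` now ignores every exit code, so on every macOS version the only remaining assertion is the `origin=` line. A target that spctl rejects for a reason other than missing notarization would apparently still pass. Going by the comment in the new code, the one failure meant to be tolerated is exit code 3 with `source=Unnotarized DEV_NAME`, so the test should accept exit code 0 or 3 only and, in the rejected case, still assert the source line, e.g. `checkString(result, "source=Unnotarized " + DEV_NAME);`. The statements parked inside the block comment should become that explicit branch rather than stay as dead code. `checkString` and `Executor` are defined outside the visible lines, so their exact behaviour is assumed here.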