verify_signature: Refactor and add notarisation check

- Update the function comment - Remove the if else and replace with two if blocks - Update the regex to escape the dot and check only the end of the string for a match - Add notarisation check for Apps and Packages - Use the full path of pkgutil (/usr/sbin/pkgutil) - Change variable application_path to file_path - Add variable package_name
0xmachos · Apr 24, 2024 · e0f7cc4 · e0f7cc4
1 parent 27d738b
commit e0f7cc4
Showing 1 changed file with 32 additions and 11 deletions.
diff --git a/bittersweet b/bittersweet
@@ -165,39 +165,60 @@ function verify_sha {
 
 function verify_signature {
   # verify_signature
-  #   Check the crypographic signature of .app/ .pkg files
-  #   before installing them
+  #   Check that .app and .pkg files are signed, if not hard exit 
+  #   Check that .app and .pkg files are notarised, if not print warning
   # Paramters: 
-  #   $application_path REQUIRED
+  #   $file_path REQUIRED
   #     Path to .app or .pkg file
+  #     e.g. $HOME/Downloads/Maccy.app
   #   $application_name REQUIRED
   #     Name of Application being installed
+  #     e.g Maccy
 
-  local application_path=${1:?application_path not passed to verify_signature}
+  local file_path=${1:?file_path not passed to verify_signature}
   local application_name=${2:?application_name not passed to verify_signature}
 
-  if [[ "${application_path}" =~ .pkg ]]; then
+  if [[ "${file_path}" =~ \.pkg$ ]]; then
 
-    echo "[🍺] Attempting to validated the signature on ${application_name}.pkg"
+    local package_name
+    package_name="$(basename "${file_path}")"
+
+    echo "[🍺] Attempting to validated the signature on ${package_name}"
 
-    if pkgutil --check-signature "${application_path}" >/dev/null; then 
-      echo "[✅] Successfully validated the signaturee on ${application_name}.pkg"
+    if /usr/sbin/pkgutil --check-signature "${file_path}" >/dev/null; then 
+      echo "[✅] Successfully validated the signaturee on ${package_name}"
     else
-      echo "[❌] Failed to validate the signature on ${application_name}.pkg"
+      echo "[❌] Failed to validate the signature on ${package_name}"
       exit 1
     fi
 
-  elif [[ "${application_path}" =~ .app ]]; then
+    if /usr/sbin/spctl --assess --type install "${file_path}"; then
+      echo "[✅] ${package_name} is notarised"
+      return 0
+    else
+      echo "[❌] ${package_name} is NOT notarised"
+    fi
+  fi
+
+
+  if [[ "${file_path}" =~ \.app$ ]]; then
 
     echo "[🍺] Attempting to validated the signature on ${application_name}.app"
 
-    if codesign --verify --deep --strict "${application_path}"; then
+    if /usr/bin/codesign --verify --deep --strict "${file_path}"; then
       # Check the .app is correctly signed
       echo "[✅] Successfully validated the signaturee on ${application_name}.app"
     else
       echo "[❌] Failed to validate the signature on ${application_name}.app"
       exit 1
     fi
+
+    if /usr/sbin/spctl --assess --type execute "${file_path}"; then
+      echo "[✅] ${application_name}.app is notarised"
+      return 0
+    else
+      echo "[❌] ${application_name}.app is NOT notarised"
+    fi
 fi
 }