diff --git a/bittersweet b/bittersweet
index ea536ba..875644b 100755
--- a/bittersweet
+++ b/bittersweet
@@ -165,39 +165,60 @@ function verify_sha { function verify_signature { # verify_signature - # Check the crypographic signature of .app/ .pkg files - # before installing them + # Check that .app and .pkg files are signed, if not hard exit + # Check that .app and .pkg files are notarised, if not print warning # Paramters: - # $application_path REQUIRED + # $file_path REQUIRED # Path to .app or .pkg file + # e.g. $HOME/Downloads/Maccy.app # $application_name REQUIRED # Name of Application being installed + # e.g Maccy - local application_path=${1:?application_path not passed to verify_signature} + local file_path=${1:?file_path not passed to verify_signature} local application_name=${2:?application_name not passed to verify_signature} - if [[ "${application_path}" =~ .pkg ]]; then + if [[ "${file_path}" =~ \.pkg$ ]]; then - echo "[🍺] Attempting to validated the signature on ${application_name}.pkg" + local package_name + package_name="$(basename "${file_path}")" + + echo "[🍺] Attempting to validated the signature on ${package_name}" - if pkgutil --check-signature "${application_path}" >/dev/null; then - echo "[✅] Successfully validated the signaturee on ${application_name}.pkg" + if /usr/sbin/pkgutil --check-signature "${file_path}" >/dev/null; then + echo "[✅] Successfully validated the signaturee on ${package_name}" else - echo "[❌] Failed to validate the signature on ${application_name}.pkg" + echo "[❌] Failed to validate the signature on ${package_name}" exit 1 fi - elif [[ "${application_path}" =~ .app ]]; then + if /usr/sbin/spctl --assess --type install "${file_path}"; then + echo "[✅] ${package_name} is notarised" + return 0 + else + echo "[❌] ${package_name} is NOT notarised" + fi + fi + + + if [[ "${file_path}" =~ \.app$ ]]; then echo "[🍺] Attempting to validated the signature on ${application_name}.app" - if codesign --verify --deep --strict "${application_path}"; then + if /usr/bin/codesign --verify --deep --strict "${file_path}"; then # Check the .app is 
correctly signed echo "[✅] Successfully validated the signaturee on ${application_name}.app" else echo "[❌] Failed to validate the signature on ${application_name}.app" exit 1 fi + + if /usr/sbin/spctl --assess --type execute "${file_path}"; then + echo "[✅] ${application_name}.app is notarised" + return 0 + else + echo "[❌] ${application_name}.app is NOT notarised" + fi fi }
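Review bot: The hard-exit gate in both branches checks only that a signature is present and internally consistent, not who produced it: `pkgutil --check-signature` succeeds for any validly signed package and its signer chain is discarded by `>/dev/null`, and `codesign --verify --deep --strict` carries no requirement, so (as I read codesign's behaviour) a re-signed or ad-hoc-signed .app would pass and only trip the notarisation message, which the new header comment says is deliberately a warning rather than a fail. Pinning the signer to an Apple-issued Developer ID would make the gate meaningful, e.g. `if /usr/bin/codesign --verify --deep --strict -R='anchor apple generic' "${file_path}"; then` for the .app path and, for the .pkg path, keeping pkgutil's output and testing it with `grep -q 'Developer ID Installer'` before declaring success; a specific team identifier could be passed as a third optional parameter if the caller knows it. Worth stating in the header comment that the notarisation result is informational only and the function returns 0 either way, since the `return 0` lines make it look like the non-notarised case is a distinct outcome. Minor: the two echo strings still read "Attempting to validated" and "signaturee".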