santactl/fileinfo: Print useful info when codesign validation fails

2026-04-24 03:00:12 -04:00 · 2016-03-10 18:23:21 -05:00
parent ad43db10f2
commit 0aa2d2c613
2 changed files with 42 additions and 5 deletions
--- a/Podfile.lock
+++ b/Podfile.lock
@@ -3,7 +3,7 @@ PODS:
    - FMDB/standard (= 2.6)
  - FMDB/standard (2.6)
  - MOLCertificate (1.3)
-  - MOLCodesignChecker (1.3):
+  - MOLCodesignChecker (1.4):
    - MOLCertificate (~> 1.3)
  - OCMock (3.2.2)

@@ -16,7 +16,7 @@ DEPENDENCIES:
 SPEC CHECKSUMS:
  FMDB: c1968bab3ab0aed38f66cb778ae1e7fa9a652b6e
  MOLCertificate: a776221906b5a46dd1bd749d0682bef3ee68c1f5
-  MOLCodesignChecker: c75ce5980454e4800053ccac4e9806a6596c9411
+  MOLCodesignChecker: 34e60cc6beadabfb4762b6e5087e12837774f85f
  OCMock: 18c9b7e67d4c2770e95bb77a9cc1ae0c91fe3835

 COCOAPODS: 0.39.0
--- a/Source/santactl/fileinfo/SNTCommandFileInfo.m
+++ b/Source/santactl/fileinfo/SNTCommandFileInfo.m
@@ -95,9 +95,46 @@ REGISTER_COMMAND_NAME(@"fileinfo")
    [self printKey:@"Page Zero" value:@"__PAGEZERO segment missing/bad!"];
  }

-  MOLCodesignChecker *csc = [[MOLCodesignChecker alloc] initWithBinaryPath:filePath];
-  [self printKey:@"Code-signed" value:(csc) ? @"Yes" : @"No"];
-  if (csc) {
+  NSError *error;
+  MOLCodesignChecker *csc = [[MOLCodesignChecker alloc] initWithBinaryPath:filePath error:&error];
+  if (!error) {
+    [self printKey:@"Code-signed" value:@"Yes"];
+  } else {
+    switch (error.code) {
+      case errSecCSUnsigned:
+        [self printKey:@"Code-signed" value:@"No"];
+        break;
+      case errSecCSSignatureFailed:
+      case errSecCSStaticCodeChanged:
+      case errSecCSSignatureNotVerifiable:
+      case errSecCSSignatureUnsupported:
+        [self printKey:@"Code-signed" value:@"Yes, but code/signatured changed/unverifiable"];
+        break;
+      case errSecCSResourceDirectoryFailed:
+      case errSecCSResourceNotSupported:
+      case errSecCSResourceRulesInvalid:
+      case errSecCSResourcesInvalid:
+      case errSecCSResourcesNotFound:
+      case errSecCSResourcesNotSealed:
+        [self printKey:@"Code-signed" value:@"Yes, but resources invalid"];
+        break;
+      case errSecCSReqFailed:
+      case errSecCSReqInvalid:
+      case errSecCSReqUnsupported:
+        [self printKey:@"Code-signed" value:@"Yes, but failed requirement validation"];
+        break;
+      case errSecCSInfoPlistFailed:
+        [self printKey:@"Code-signed" value:@"Yes, but can't validate as Info.plist is missing"];
+        break;
+      default: {
+        NSString *val = [NSString stringWithFormat:@"Yes, but failed to validate (%ld)",
+                                                   error.code];
+        [self printKey:@"Code-signed" value:val];
+        break;
+      }
+    }
+  }
+  if (csc.certificates) {
    printf("Signing chain:\n");

    [csc.certificates enumerateObjectsUsingBlock:^(MOLCertificate *c,