codesign check: verify all architectures (#239)

* fileinfo rule: don't use certs that have codesigning errors

* pods: MOLCodesignChecker --> 1.8

Podfile.lock

@@ -4,10 +4,10 @@ PODS:
   - FMDB/standard (2.6.2)
   - MOLAuthenticatingURLSession (2.2):
     - MOLCertificate (~> 1.5)
-  - MOLCertificate (1.5)
-  - MOLCodesignChecker (1.5):
-    - MOLCertificate (~> 1.3)
-  - MOLFCMClient (1.3):
+  - MOLCertificate (1.7)
+  - MOLCodesignChecker (1.8):
+    - MOLCertificate (~> 1.7)
+  - MOLFCMClient (1.5):
     - MOLAuthenticatingURLSession (~> 2.1)
   - OCMock (3.4)
 
@@ -22,11 +22,11 @@ DEPENDENCIES:
 SPEC CHECKSUMS:
   FMDB: 854a0341b4726e53276f2a8996f06f1b80f9259a
   MOLAuthenticatingURLSession: 5a5e31eb73248c3e92c79b9a285f031194e8404c
-  MOLCertificate: c39cae866d24d36fbc78032affff83d401b5384a
-  MOLCodesignChecker: fc9c64147811d7b0d0739127003e0630dff9213a
-  MOLFCMClient: 13d8b42db9d750e772f09cc38fc453922fece09f
+  MOLCertificate: 1cdb264405631b4bbdcf4cde7627469290cf1187
+  MOLCodesignChecker: 93460b82eb41b671c1c8eff9fc904d0d3d149e16
+  MOLFCMClient: 88debb79f8c0454c3dd4f6514c2453e57a963c08
   OCMock: 35ae71d6a8fcc1b59434d561d1520b9dd4f15765
 
 PODFILE CHECKSUM: acd378b3727c923d912e09812da344f7375c14fe
 
-COCOAPODS: 1.3.1
+COCOAPODS: 1.4.0

README.md

@@ -15,7 +15,7 @@ execution decisions based on the contents of a SQLite database, a GUI agent that
 notifies the user in case of a block decision and a command-line utility for
 managing the system and synchronizing the database with a server.
 
-Santa is not yet a 1.0. We're writing more tests, fixing bugs, working on TODOs
+Santa is not yet at 1.0. We're writing more tests, fixing bugs, working on TODOs
 and finishing up a security audit.
 
 It is named Santa because it keeps track of binaries that are naughty or nice.
@@ -29,21 +29,21 @@ The Santa docs are stored in the [Docs](https://github.com/google/santa/blob/mas
 Admin-Related Features
 ========
 
-* Multiple modes: In the default MONITOR mode, all binaries except
+* Multiple modes: In the default MONITOR mode, all binaries except 
 those marked as blacklisted will be allowed to run, whilst being logged and recorded in the events database. In LOCKDOWN mode, only whitelisted binaries are
 allowed to run.
 
 * Event logging: When the kext is loaded, all binary launches are logged.
 When in either mode, all unknown or denied binaries are stored in the database to enable later aggregation.
 
-* Certificate-based rules, with override levels: Instead of relying on a binaries hash (or 'fingerprint'), executables can be whitelisted/blacklisted by their signing
+* Certificate-based rules, with override levels: Instead of relying on a binary's hash (or 'fingerprint'), executables can be whitelisted/blacklisted by their signing
 certificate. You can therefore trust/block all binaries by a given publisher that were signed with that cert across version updates. A
 binary can only be whitelisted by its certificate if its signature validates
-correctly, but a rule for a binaries fingerprint will override a decision for a
+correctly, but a rule for a binary's fingerprint will override a decision for a
 certificate; i.e. you can whitelist a certificate while blacklisting a binary
 signed with that certificate, or vice-versa.
 
-* Path-based rules (via NSRegularExpression/ICU): This allows a similar feature as Managed Client for OS X's (the precursor to configuration profiles, which used the same implementation mechanism) Application Launch Restrictions via the mcxalr binary. This implementation carries the added benefit of being configurable via regex, and doesn't rely on LaunchServices. As detailed in the wiki, when evaluating rules this holds the lowest precendence.
+* Path-based rules (via NSRegularExpression/ICU): This allows a similar feature to that found in Managed Client (the precursor to configuration profiles, which used the same implementation mechanism), Application Launch Restrictions via the mcxalr binary. This implementation carries the added benefit of being configurable via regex, and not relying on LaunchServices. As detailed in the wiki, when evaluating rules this holds the lowest precendence.
 
 * Failsafe cert rules: You cannot put in a deny rule that would block the certificate used to sign launchd, a.k.a. pid 1, and therefore all components used in macOS. The binaries in every OS update (and in some cases entire new versions) are therefore auto-whitelisted. This does not affect binaries from Apple's App Store, which use various certs that change regularly for common apps. Likewise, you cannot blacklist Santa itself, and Santa uses a distinct separate cert than other Google apps.
 
@@ -54,7 +54,7 @@ Santa is written with the intention of helping protect users from themselves.
 People often download malware and trust it, giving the malware credentials, or
 allowing unknown software to exfiltrate more data about your system. As a
 centrally managed component, Santa can help stop the spread of malware among a
-larger fleet of machines. Independently, Santa can aid in analyzing what is
+large fleet of machines. Independently, Santa can aid in analyzing what is
 running on your computer.
 
 Santa is part of a defense-in-depth strategy, and you should continue to protect
@@ -62,7 +62,6 @@ hosts in whatever other ways you see fit.
 
 Get Help
 ========
-
 If you have questions or otherwise need help getting started, the
 [santa-dev](https://groups.google.com/forum/#!forum/santa-dev) group is a
 great place. Please consult the [wiki](https://github.com/google/santa/wiki) and [issues](https://github.com/google/santa/issues) as well.
@@ -84,7 +83,7 @@ continue to work across OS versions.
 
 Known Issues
 ============
-Santa is not yet a 1.0 and we have some known issues to be aware of:
+Santa is not yet at 1.0 and we have some known issues to be aware of:
 
 * Santa only blocks execution (execve and variants), it doesn't protect against
 dynamic libraries loaded with dlopen, libraries on disk that have been replaced, or

Source/santactl/Commands/SNTCommandFileInfo.m

@@ -345,10 +345,11 @@ REGISTER_COMMAND_NAME(@"fileinfo")
     dispatch_once(&token, ^{ [cmd.daemonConn resume]; });
     __block SNTEventState state;
     dispatch_semaphore_t sema = dispatch_semaphore_create(0);
-    MOLCodesignChecker *csc = [fileInfo codesignCheckerWithError:NULL];
+    NSError *err;
+    MOLCodesignChecker *csc = [fileInfo codesignCheckerWithError:&err];
     [[cmd.daemonConn remoteObjectProxy] decisionForFilePath:fileInfo.path
                                                  fileSHA256:fileInfo.SHA256
-                                          certificateSHA256:csc.leafCertificate.SHA256
+                                          certificateSHA256:err ? nil : csc.leafCertificate.SHA256
                                                       reply:^(SNTEventState s) {
       state = s;
       dispatch_semaphore_signal(sema);

Source/santactl/Commands/sync/SNTCommandSyncManager.m

@@ -178,7 +178,7 @@ static void reachabilityHandler(
 }
 
 - (void)isFCMListening:(void (^)(BOOL))reply {
-  reply((self.FCMClient.FCMToken != nil));
+  reply(self.FCMClient.isConnected);
 }
 
 #pragma mark push notification methods
@@ -205,16 +205,17 @@ static void reachabilityHandler(
       [self processFCMMessage:message withMachineID:machineID];
   }];
 
-  self.FCMClient.connectionErrorHandler = ^(NSError *error) {
+  self.FCMClient.connectionErrorHandler = ^(NSHTTPURLResponse *response, NSError *error) {
     STRONGIFY(self);
-    LOGE(@"FCM connection error: %@", error);
+    if (response) LOGE(@"FCM fatal response: %@", response);
+    if (error) LOGE(@"FCM fatal error: %@", error);
     [self.FCMClient disconnect];
     self.FCMClient = nil;
     [self rescheduleTimerQueue:self.fullSyncTimer secondsFromNow:kDefaultFullSyncInterval];
   };
 
   self.FCMClient.loggingBlock = ^(NSString *log) {
-    LOGD(@"%@", log);
+    LOGD(@"FCMClient: %@", log);
   };
 
   [self.FCMClient connect];