blakefrantz · February 3, 2014 21:32
diff --git a/gatekeeper_status.sh b/gatekeeper_status.sh
 #!/bin/bash  
 #
 # Determines the state of Gatekeeper on OSX 10.8 and 10.9. Differentiates between three modes:
 #
 # - Mac App Store
 # - Mac App Store and identified developers
 # - Anywhere
 #
 # DEV_REQ_[12] are certificate requirements stored in the SystemPolicy sqlite database. 
 # Each certificate requirement is disabled/enabled persuant to the 'disabled' field in
 # the 'requirements' table. 
 #
 # When the aforementioned certificate requirements are enabled,
 # while Gatekeeper status is enabled, it means Gate Keeper will permit software signed
 # by only the Mac App store and identified developers. 
 #
 # When the aforementioned certificate requirements are disabled,
 # while Gatekeeper status is enabled, it means Gatekeeper will permit software signed
 # by only the Mac App store. 
 #
 # [email protected]
 #
 
 SPCTL=/usr/sbin/spctl 
 SQLITE=/usr/bin/sqlite3
 SYSTEM_POLICY_PATH=/var/db/SystemPolicy
 
 if [ ! -r $SYSTEM_POLICY_PATH -o ! -x $SPCTL -o ! -x $SQLITE ]; then
        echo "Error: Ensure the permissions and path to spctl, sqlite3, and SystemPolicy are sane."
        exit
 fi
 
 STATUS=$($SPCTL --status);
 
 DEV_REQ_1="anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and certificate leaf[field.1.2.840.113635.100.6.1.13] exists"
 
 DEV_REQ_2="anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and (certificate leaf[field.1.2.840.113635.100.6.1.14] or certificate leaf[field.1.2.840.113635.100.6.1.13])"
 
 SQL="select requirement, disabled from authority where (requirement = '$DEV_REQ_1' or requirement = '$DEV_REQ_2') and disabled = 1;"
 
 OUTPUT=$($SQLITE $SYSTEM_POLICY_PATH "$SQL")
 
 if [ "$STATUS" == "assessments enabled" ]; then
 
        if [ "$OUTPUT" == "" ]; then
                echo "Gate Keeper is enabled and in 'Mac App Store and identified developers' mode"
        else
                echo "Gate Keeper is enabled and in 'Mac App Store' mode"
        fi 
 else
        echo "Gate Keeper is disabled and in 'Anywhere' mode"
 fi
	#!/bin/bash
	#
	# Determines the state of Gatekeeper on OSX 10.8 and 10.9. Differentiates between three modes:
	#
	# - Mac App Store
	# - Mac App Store and identified developers
	# - Anywhere
	#
	# DEV_REQ_[12] are certificate requirements stored in the SystemPolicy sqlite database.
	# Each certificate requirement is disabled/enabled persuant to the 'disabled' field in
	# the 'requirements' table.
	#
	# When the aforementioned certificate requirements are enabled,
	# while Gatekeeper status is enabled, it means Gate Keeper will permit software signed
	# by only the Mac App store and identified developers.
	#
	# When the aforementioned certificate requirements are disabled,
	# while Gatekeeper status is enabled, it means Gatekeeper will permit software signed
	# by only the Mac App store.
	#
	# [email protected]
	#

	SPCTL=/usr/sbin/spctl
	SQLITE=/usr/bin/sqlite3
	SYSTEM_POLICY_PATH=/var/db/SystemPolicy

	if [ ! -r $SYSTEM_POLICY_PATH -o ! -x $SPCTL -o ! -x $SQLITE ]; then
	echo "Error: Ensure the permissions and path to spctl, sqlite3, and SystemPolicy are sane."
	exit
	fi

	STATUS=$($SPCTL --status);

	DEV_REQ_1="anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and certificate leaf[field.1.2.840.113635.100.6.1.13] exists"

	DEV_REQ_2="anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and (certificate leaf[field.1.2.840.113635.100.6.1.14] or certificate leaf[field.1.2.840.113635.100.6.1.13])"

	SQL="select requirement, disabled from authority where (requirement = '$DEV_REQ_1' or requirement = '$DEV_REQ_2') and disabled = 1;"

	OUTPUT=$($SQLITE $SYSTEM_POLICY_PATH "$SQL")

	if [ "$STATUS" == "assessments enabled" ]; then

	if [ "$OUTPUT" == "" ]; then
	echo "Gate Keeper is enabled and in 'Mac App Store and identified developers' mode"
	else
	echo "Gate Keeper is enabled and in 'Mac App Store' mode"
	fi
	else
	echo "Gate Keeper is disabled and in 'Anywhere' mode"
	fi