Debug Catalina Gatekeeper
flutter@mac9 Downloads % spctl --assess -vvvvvv Google\ Chrome.app
Google Chrome.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Google, Inc. (EQHXZ8M8AV)
flutter@mac9 Downloads % spctl --assess -vvvvvv /bin/zsh
/bin/zsh: rejected (the code is valid but does not seem to be an app)
origin=Software Signing
flutter@mac9 Downloads % spctl --assess -vvv /usr/local/bin/dart
/usr/local/bin/dart: rejected
source=no usable signature
# Android Studio isn't notarized, and isn't able to be opened directly.
% spctl -vvv --assess Android\ Studio.app
Android Studio.app: accepted
source=Developer ID
origin=Developer ID Application: Google, Inc. (EQHXZ8M8AV)
flutter@mac9 Downloads % spctl --list > rules.txt
==== In rules.txt, these are related lines ====
16[Notarized Developer ID] P5 allow lsopen
anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and certificate leaf[field.1.2.840.113635.100.6.1.13] exists and notarized
12[Notarized Developer ID] P5 allow install
anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and (certificate leaf[field.1.2.840.113635.100.6.1.14] or certificate leaf[field.1.2.840.113635.100.6.1.13]) and notarized
11[Notarized Developer ID] P5 allow execute
anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and certificate leaf[field.1.2.840.113635.100.6.1.13] exists and notarized
9[Developer ID] P4 allow lsopen
anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and certificate leaf[field.1.2.840.113635.100.6.1.13] exists and legacy
7[Developer ID] P4 allow install
anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and (certificate leaf[field.1.2.840.113635.100.6.1.14] or certificate leaf[field.1.2.840.113635.100.6.1.13]) and legacy
6[Developer ID] P4 allow execute
anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and certificate leaf[field.1.2.840.113635.100.6.1.13] exists and (certificate leaf[timestamp.1.2.840.113635.100.6.1.33] absent or certificate leaf[timestamp.1.2.840.113635.100.6.1.33] < timestamp "20190408000000Z")
15[Unnotarized Developer ID] P0 deny lsopen
anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and certificate leaf[field.1.2.840.113635.100.6.1.13] exists
14[Unnotarized Developer ID] P0 deny install
anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and (certificate leaf[field.1.2.840.113635.100.6.1.14] or certificate leaf[field.1.2.840.113635.100.6.1.13])
13[Unnotarized Developer ID] P0 deny execute
anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and certificate leaf[field.1.2.840.113635.100.6.1.13] exists and (certificate leaf[timestamp.1.2.840.113635.100.6.1.33] exists and certificate leaf[timestamp.1.2.840.113635.100.6.1.33] >= timestamp "20190408000000Z")
$ spctl --assess -vvvvv Google\ Chrome.app/
Google Chrome.app/: accepted
source=Notarized Developer ID
origin=Developer ID Application: Google, Inc. (EQHXZ8M8AV)
$ spctl --assess -vvvvv /bin/zsh
/bin/zsh: rejected (the code is valid but does not seem to be an app)
origin=Software Signing
$ spctl --assess -vvvv /Users/wutong/utils/homebrew/bin/dart
/Users/wutong/utils/homebrew/bin/dart: rejected
source=no usable signature
==== In rules.txt, these are related lines ====
5418[Notarized Developer ID] P5 allow lsopen
anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and certificate leaf[field.1.2.840.113635.100.6.1.13] exists and notarized
12[Notarized Developer ID] P5 allow install
anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and (certificate leaf[field.1.2.840.113635.100.6.1.14] or certificate leaf[field.1.2.840.113635.100.6.1.13]) and notarized
11[Notarized Developer ID] P5 allow execute
anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and certificate leaf[field.1.2.840.113635.100.6.1.13] exists and notarized
2716[Unnotarized Developer ID] P4 deny lsopen
anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and certificate leaf[field.1.2.840.113635.100.6.1.13] exists and (certificate leaf[timestamp.1.2.840.113635.100.6.1.33] exists and certificate leaf[timestamp.1.2.840.113635.100.6.1.33] >= timestamp "20190408000000Z")
2715[Unnotarized Developer ID] P4 deny install
anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and (certificate leaf[field.1.2.840.113635.100.6.1.14] or certificate leaf[field.1.2.840.113635.100.6.1.13]) and (certificate leaf[timestamp.1.2.840.113635.100.6.1.33] exists and certificate leaf[timestamp.1.2.840.113635.100.6.1.33] >= timestamp "20190408000000Z")
2714[Unnotarized Developer ID] P4 deny execute
anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and certificate leaf[field.1.2.840.113635.100.6.1.13] exists and (certificate leaf[timestamp.1.2.840.113635.100.6.1.33] exists and certificate leaf[timestamp.1.2.840.113635.100.6.1.33] >= timestamp "20190408000000Z")
9[Developer ID] P0 allow lsopen
anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and certificate leaf[field.1.2.840.113635.100.6.1.13] exists and (certificate leaf[timestamp.1.2.840.113635.100.6.1.33] absent or certificate leaf[timestamp.1.2.840.113635.100.6.1.33] < timestamp "20190408000000Z")
7[Developer ID] P0 allow install
anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and (certificate leaf[field.1.2.840.113635.100.6.1.14] or certificate leaf[field.1.2.840.113635.100.6.1.13]) and (certificate leaf[timestamp.1.2.840.113635.100.6.1.33] absent or certificate leaf[timestamp.1.2.840.113635.100.6.1.33] < timestamp "20190408000000Z")
6[Developer ID] P0 allow execute
anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and certificate leaf[field.1.2.840.113635.100.6.1.13] exists and (certificate leaf[timestamp.1.2.840.113635.100.6.1.33] absent or certificate leaf[timestamp.1.2.840.113635.100.6.1.33] < timestamp "20190408000000Z")
See diff at https://diff.googleplex.com/#key=TAJmWjE9MbWp