Checking certs in an EA

honestpuck
Contributor

Hi,

I've got an EA that should return the encryption of a user certificate on a Mac. It works on all my test machines but appears to be broken on most of the machines out in the wild.

The key line is:

certalg=$(security find-certificate -a -c "${username}" -p -Z | openssl x509 -text | grep "Signature Algorithm" | head -n1 | awk '{ print $3 }')

I'm stumped trying to figure out how it goes wrong on the other machines. Anyone got any ideas? I'm sure $username is valid.

// Tony

1 ACCEPTED SOLUTION

mm2270
Legendary Contributor III

It probably doesn't work because the EA script is being run as root when a Mac checks in to submit inventory (or submits it at the end of a policy run) whereas when you run your script in Terminal, you're running it as you. Since you aren't specifying a path to the keychain to check, it's trying to look for that cert in the root keychain, which (likely) doesn't exist.

There are a couple of methods of resolving this. You could try including the full path to the user's keychain. For that, you need to get the username, which I assume might be the same as the $username variable in your script, but I'm not certain. Are you getting the username dynamically when the script runs? Like seeing who the main user is on the Mac, or who is logged in? If so, see if including /Users/$username/Library/Keychains/login.keychain at the end works.

Note that this doesn't always work though. In some cases, even the root account can't read some items from a user's keychain. I guess it's a security precaution Apple has included in the OS. It might be fine in this case, but in case it doesn't work, another option is to run the command itself as that user, which usually does work. For that, I tend to rely on the /bin/launchctl asuser syntax, rather than some of the other methods in use.

Do some searches here on that and you should find threads that discuss the method. If you still need help, post back and I can see what might need to be adjusted to make it work.


3 REPLIES

patgmac
Contributor III

First thing I would try is to use the full path to security and openssl.

/usr/bin/security /usr/bin/openssl

honestpuck
Contributor

Using /bin/launchctl asuser didn't work.

The solution turned out to be adding /Users/${username}/Library/Keychains/login.keychain to the end of the security command and using launchctl.

Why it worked on some machines without it and why it broke on some I have no idea. :)

Thanks for the suggestions.
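Putting the accepted answer and the OP's final report together, here is an added example EA (not the poster's script, and not Jamf's or Apple's code) that runs security against the user's login keychain inside that user's context via launchctl asuser. The sudo -u step inside asuser, the /dev/console owner lookup and the separate signature-algorithm parser are my assumptions, not something the thread shows.

```bash
#!/bin/bash
# Added example, not the poster's EA: read the console user's certificate
# from that user's login keychain, in that user's context, and report its
# signature algorithm. Assumes the cert's common name is the short username.

# Parser split out so it can be exercised offline on constructed
# `openssl x509 -text` output fed on stdin. The first "Signature Algorithm"
# line is the one in the TBSCertificate; the later one repeats it.
cert_sig_alg() {
  awk '/Signature Algorithm:/ { print $3; exit }'
}

# Owner of /dev/console: the logged-in user, even when the EA runs as root.
console_user() {
  stat -f '%Su' /dev/console
}

# Run a command as the given user via launchctl asuser (the accepted answer's
# method); sudo -u sets the identity inside that user's launchd context.
run_as_user() {
  local user="$1"; shift
  /bin/launchctl asuser "$(id -u "$user")" sudo -u "$user" "$@"
}

# Both fixes from the thread combined: explicit login keychain path, and the
# command executed as the user rather than as root.
cert_alg_for_user() {
  local user="$1"
  local keychain="/Users/${user}/Library/Keychains/login.keychain"
  run_as_user "$user" /usr/bin/security find-certificate -c "$user" -p "$keychain" \
    | /usr/bin/openssl x509 -noout -text | cert_sig_alg
}

main() {
  local user alg
  user=$(console_user)
  if [ -z "$user" ] || [ "$user" = "root" ]; then
    echo "<result>no console user</result>"
    return 0
  fi
  alg=$(cert_alg_for_user "$user" 2>/dev/null)
  echo "<result>${alg:-not found}</result>"
}

# The keychain lookup is macOS-only; elsewhere only the functions are defined.
if [ "$(uname -s)" = "Darwin" ]; then
  main
fi
```

Because openssl x509 only parses the first certificate on stdin, the -a flag from the original line is dropped; if a user can hold several matching certs, the lookup needs to select one deliberately rather than rely on keychain order.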