Jamf Nation Community

The script creates a CSV report with app names and the code signing version. Anything that says "version=1" will not work on Macs with Gatekeeper enabled unless the user knows and uses the ctrl-click, open workaround. It is not the end of the world but will save a lot of support calls when the change comes around if you can push out updates to apps with "version=2" signatures before the 10.9.5 update goes out.

Oh, and I should mention that you may need to add other paths in the "for i in" part of the script depending on your particular situation.

Thanks. The "version=1" part was what I wasn't clear on. When I run the script on a Mavericks system it seems to only pull a line labeled as "rules=xx",not a "version=X", so looks like the output on 10.9.x changed. Not even seeing the version information anywhere when doing the codesign command against an app, whether from Apple or any other vendor.

Re: the point on the additional paths, I rewrote the script to grab all apps in the normal /Applications/ path using Spotligh. In case you'd like to use it, or parts of it, here it is, though the point above still applies in that its not really pulling the version info

#!/bin/bash

RPT_FILE=~/Signing_Report.csv

while read app; do
        version=$(codesign -dv "$app" 2>&1 | awk '/Sealed Resources/{print $3}')
        printf ""$app",$version
" >> "$RPT_FILE"
done < <(mdfind -onlyin /Applications/ 'kMDItemKind == "Application"')

@mm2270 I got the expected results (Version, not Rule). Perhaps you changed the column in the awk command.

Nope, I first tried the exact same script as @jescala][/url posted and got only the "rules" line in the csv file. I also thought maybe it was the awk column but I tried several different ones. The thing is, if I remove the awk part and just do something like - code sign -dv /Applications/iTunes.app - I don't see a version indicated in the entire output. This is against a 10.9.3 Mac. Not sure why, but it isn't there for me.

Edit: I should note that I get the expected results against a 10.8.5 Mac, so it seems like something in 10.9 that isn't lining up. Again, its not all that big of a deal to me, but just wanted to mention it, in case others who do care about this have the same problem.

The code I wrote also pulls all apps, including items like the Xsan Admin.app in your example, so if you don't care about those, you may not want to use the mdfind command.
you can use find with a -maxdepth value so it only goes, say, 2 levels deep.

find /Applications/ -maxdepth 2 -name "*.app"

That still locates all the base MS Office apps and other items in Utilities, etc, but doesn't pull XSan Admin.app as an example.

@mm2270 The "if [[ $i == *.app/Contents/* ]]" part of my code seems to filter out all those false positives.

Ah, I didn't see that. Yeah, that will work too :)

I was also testing in 10.9, so it's strange that you saw something different (though it's 10.9.4).

@JPDyson and @mm2270: So you're not always getting the "version=1" part of the output for the code sign command? I only have Macs with 10.9.4 and 10.7.5 to test with at the moment. For me it works with 10.9.4, but does not work with 10.7.5 (as expected).

No, it was only me, and its working now for some reason. Not sure what I had wrong before, but I get the version line in the output now. Weird!
Anyway, your code is good. It was just me it looks like. Thanks again for the heads up on this situation!

I am curious if anyone has experienced any issues with this now that 10.9.5 has dropped.

@nkalister Thanks for that info! We've only deployed to a handful of test Macs and we were surprised to find that so far we had not seen any issues. I guess that would explain it.

The biggest one for me so far was FontExplorer X Pro. Before the GM dropped, they had issued a fix - 4.2.1. Certainly more complex that we first thought...