Posted on 02-04-2021 02:19 PM
Figured I'd start a separate discussion, as the primary one is focused on the System Extension Blocked issue.
I've spun my wheels trying to figure out why I cannot sign the mobileconfig file; hope you all can see where I am going wrong.
Followed the steps here: https://www.jamf.com/jamf-nation/articles/649/creating-a-signing-certificate-using-jamf-pro-s-built-in-certificate-authority
After downloading the .pem file, I double-clicked it to install and set the certificate to Always Trust.
Verified that I can see the certificate as well as the public and private keys in the keychain.
In Terminal I ran this to get the SKID:
/usr/bin/security find-certificate -a
......
keychain: "/Library/Keychains/System.keychain"
version: 256
class: 0x80001000
attributes:
"alis"<blob>=
"cenc"<uint32>=0x00000003
"ctyp"<uint32>=0x00000001
"hpky"<blob>=0x2B467E8A1226173324E05CA03A85AAC07C674554 "+F~21222&273$340134240:205252300|gET"
"issu"<blob>=0x30323130302E060355040313274E524343204A5353204255494C542D494E20434552544946494341544520415554484F52495459 "02100.0603U040323'NRCC JSS BUILT-IN CERTIFICATE AUTHORITY"
"labl"<blob>="CSMobile"
"skid"<blob>=0x2B467E8A1226173324E05CA03A85AAC07C674554 "+F~21222&273$340134240:205252300|gET"
"snbr"<blob>=0x00FDEB4A0E "00375353J16"
"subj"<blob>=0x3042310B30090603550406130255533111300F0603550403130843534D4F42494C453120301E06092A864886F70D010901161168656C706465736B406E7263632E6F7267 "0B1130110603U04062302US1210170603U04032310CSMOBILE1
Got my Subject Key ID: 2B467E8A1226173324E05CA03A85AAC07C674554
Verifying I have a valid identity:
/usr/bin/security find-identity -v
1) FFAE2352459867142C583660822EE80FEF830F7C "CSMobile"
2) FFAE2352459867142C583660822EE80FEF830F7C "CSMobile"
3) A69E85A3387D13A3D432D0812F3204E86C42E028 "062285CD-6664-4D34-BB0E-D5B71CBC744C"
3 valid identities found
Great, it sees it as a valid identity. Then...
sudo /usr/bin/security cms -S -Z 2B467E8A1226173324E05CA03A85AAC07C674554 -i "Falcon Profile.mobileconfig" -o FalconSigned.mobileconfig
Password:
security: failed to find identity with subject key ID: " 2B467E8A1226173324E05CA03A85AAC07C674554": The specified item could not be found in the keychain.
security: could not find signing identity for subject key ID: " 2B467E8A1226173324E05CA03A85AAC07C674554"
security: problem signing
Doesn't seem to like it... also tried it this way:
sudo /usr/bin/security cms -S -N CSMobile -i "Falcon Profile.mobileconfig" -o FalconSigned.mobileconfig
Password:
security: could not find signing identity for name: " CSMobile"
security: problem signing
My suspicion is that it sees a duplicate of the CSMobile cert and doesn't know which one to pick. I've tried deleting everything and importing again, but it always creates two entries when I check for a valid identity.
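The following is an added example, not code from the post above or from Jamf: it shows what `security cms -S` is producing under the hood (an attached CMS signed-data blob, DER-encoded, with the plist embedded) by doing the same signing with OpenSSL from PEM files, so it does not depend on which keychain entry the `security` tool picks. It then verifies the signature and recovers the plist, and checks that the same profile does not validate against an unrelated trust anchor, which is the decision a device makes when deciding whether to show a profile as verified. The signing identity is a constructed self-signed test certificate (CN `ProfileSigningTest`) and the profile is a constructed minimal plist; the file names `Falcon Profile.mobileconfig` and `FalconSigned.mobileconfig` are reused from the post. For a real profile, substitute the certificate and private key exported from the Jamf Pro CA (or a Developer ID identity).

```shell
#!/bin/sh
# Added example (not from the original post or from Jamf): sign a configuration
# profile as an attached CMS signed-data blob with OpenSSL and verify it, using
# a constructed self-signed test identity instead of a keychain identity.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_profile OUT: write a constructed, minimal profile plist (a real one
# carries the actual payloads; the signature covers the bytes as written).
make_profile() {
  cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadDisplayName</key><string>Example Profile</string>
  <key>PayloadIdentifier</key><string>com.example.profile</string>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000000</string>
  <key>PayloadVersion</key><integer>1</integer>
</dict>
</plist>
EOF
}

# make_test_identity KEY CERT CN: self-signed test signing identity (test only;
# a production signer comes from the Jamf CA or an Apple Developer ID).
make_test_identity() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=$3" -keyout "$1" -out "$2" >/dev/null 2>&1
}

# sign_profile PROFILE CERT KEY OUT
# -nodetach embeds the plist inside the signature (that is what a signed
# .mobileconfig is), -binary keeps the bytes untouched, -outform DER writes the
# binary blob macOS/iOS expect instead of S/MIME text.
sign_profile() {
  openssl cms -sign -binary -nodetach -md sha256 -outform DER \
    -signer "$2" -inkey "$3" -in "$1" -out "$4"
}

# verify_profile SIGNED CAFILE OUT
# Checks the signature AND that the signer chains to CAFILE; writes the
# recovered plist to OUT. Non-zero exit on a bad signature or untrusted signer.
verify_profile() {
  openssl cms -verify -binary -inform DER -in "$1" -CAfile "$2" -out "$3" 2>/dev/null
}

# signer_cn SIGNED: print the CN of the certificate embedded in the signature,
# without trusting it (-noverify), e.g. to see who signed a profile you received.
signer_cn() {
  openssl cms -verify -noverify -binary -inform DER -in "$1" \
    -signer "$WORK/signer-out.pem" -out /dev/null 2>/dev/null
  openssl x509 -in "$WORK/signer-out.pem" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# demo: sign, verify against the right anchor, then prove an unrelated anchor
# rejects the same blob.
demo() {
  make_profile "$WORK/Falcon Profile.mobileconfig"
  make_test_identity "$WORK/signer.key" "$WORK/signer.pem" "ProfileSigningTest"
  sign_profile "$WORK/Falcon Profile.mobileconfig" "$WORK/signer.pem" \
    "$WORK/signer.key" "$WORK/FalconSigned.mobileconfig"

  verify_profile "$WORK/FalconSigned.mobileconfig" "$WORK/signer.pem" "$WORK/recovered.plist"
  cmp -s "$WORK/Falcon Profile.mobileconfig" "$WORK/recovered.plist"

  make_test_identity "$WORK/other.key" "$WORK/other.pem" "UnrelatedCA"
  if verify_profile "$WORK/FalconSigned.mobileconfig" "$WORK/other.pem" /dev/null; then
    echo "verification against an unrelated anchor should have failed" >&2
    return 1
  fi
  echo "signed by: $(signer_cn "$WORK/FalconSigned.mobileconfig")"
}

demo
```

On a Mac the resulting blob is what `security cms -D -i FalconSigned.mobileconfig` decodes, and a profile signed this way only shows as verified on a device that trusts the signer's issuer, which is why the choice of CA (Jamf's built-in CA versus an Apple-issued identity) matters for the lifetime of the deployment.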
Posted on 02-04-2021 02:23 PM
Just my opinion, but I would be hesitant to sign certificates using the built-in CA certificates, as they expire after a year if generated by Jamf using a CSR. They should still be respected by the OS if pushed via MDM, but with Big Sur and beyond, who knows. You definitely don't want Crowdstrike to randomly stop working in a year.
Far better to get access to an Apple Developer account so you can generate Developer ID Installer certificates which can also be used to sign packages (e.g. QuickAdd, if you're still using it).
In terms of actually signing, take a look at Hancock: https://github.com/JeremyAgost/Hancock/releases