Verify Certificate Not Working in EA

sgiesbrecht
Contributor III

The following script does not work as an Extension Attribute but works when run manually (with BBEdit).

What am I missing?

#!/bin/bash

SSKeychain=$( security find-certificate -a -c "Some Software, Inc" 2>&1 | grep labl )

if [[ -z $SSKeychain ]]
then echo "<result>Some Software Certificate not installed</result>"
else echo "<result>Applied</result>"
fi

4 REPLIES

Tangentism
Contributor III

What's the result of just the following command?

security find-certificate -a -c "Some Software, Inc" 2>&1 | grep labl

sgiesbrecht
Contributor III

@Tangentism when I run it in BBEdit, the output is correct, but when I run it as an EA the output is blank. The issue is the EA is running as root, not in the user context (just figured that out yesterday (brain fart)).

I updated the EA script but it still does not work.

#!/bin/bash

#get uid of console owner
eval $(stat -s /dev/console)
#get username
consoleUsername=$(id -un $st_uid)

#grep for string as console user
SSKeychain=$(su $consoleUsername -c "security find-certificate -a -c 'Some Software, Inc'" )

#if string is not empty
if [ -n "${SSKeychain}" ]; then
    echo "<result>Installed</result>"
else
    echo "<result>SS Certificate not installed</result>"
fi

Tangentism
Contributor III

Ah.... of course!

If you're looking in the user's login.keychain-db, you'll need to specify the current logged-in user and the absolute keychain path. I prefer to use `scutil` to get the currentUser.

I tried this method below and it spewed out a lot of data (I have 4 or 5 developer certs in my login keychain), so grep/awk the output if you want a specific name, or trim the data returned down.

#!/bin/bash

# get current user (empty at the login window)
currentUser="$(scutil <<<"show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ { print $3 }')"

# searches for 'Developer' certs in the current user's login.keychain-db
# change the path to /Library/Keychains/System.keychain if that's the one you want
SSKeychain=$(security find-certificate -a -c 'Developer' "/Users/${currentUser}/Library/Keychains/login.keychain-db")

# echoes the raw output; grep/awk the above command's output to get a succinct reply, then check it with an if clause
echo "$SSKeychain"


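An added example (not code from the thread or from either poster) that puts the answer's two points into one EA: running as root, it addresses the console user's login.keychain-db by absolute path, and because `find-certificate -c` matches a substring of the label, it compares the `labl` attributes security prints against the exact name wanted. The certificate name "Some Software, Inc" is the original poster's; `ea_result`, the function names and the sample output are constructed here so the decision logic can be exercised without a keychain.

```bash
#!/bin/bash
# Added example, not from the thread. An EA runs as root, so the console user's
# login keychain is addressed by absolute path; and since `-c` matches a label
# substring, the "labl" values security prints are checked for an exact match.
# Console user via scutil (empty at the login window).
console_user() {
  echo "show State:/Users/ConsoleUser" | scutil |
    awk '/Name :/ && ! /loginwindow/ { print $3 }'
}

# Reduce `security find-certificate -a` output (stdin) to one label per line.
cert_labels() {
  sed -n 's/^ *"labl"<blob>="\(.*\)" *$/\1/p'
}

# Print the EA <result> for the certificate named $1, reading security's
# output from stdin so the decision can be exercised without a keychain.
ea_result() {
  if cert_labels | grep -Fxq -- "$1"; then
    echo "<result>Installed</result>"
  else
    echo "<result>Not installed</result>"
  fi
}

# Query the console user's login keychain as root and print the result.
ea_check_keychain() {
  user="$(console_user)"
  [ -n "$user" ] || { echo "<result>No console user</result>"; return 0; }
  security find-certificate -a -c "$1" \
    "/Users/${user}/Library/Keychains/login.keychain-db" 2>/dev/null | ea_result "$1"
}

# Constructed sample in the shape of security's output: the wanted cert plus a
# similarly named one that a substring match would also accept (blobs cut short).
SAMPLE_OUTPUT='keychain: "/Users/jdoe/Library/Keychains/login.keychain-db"
class: 0x80001000
attributes:
    "labl"<blob>="Some Software, Inc"
    "subj"<blob>=0x3031
keychain: "/Users/jdoe/Library/Keychains/login.keychain-db"
class: 0x80001000
attributes:
    "labl"<blob>="Some Software, Inc Test"
    "subj"<blob>=0x3031'

# Real run only where the macOS tools exist; elsewhere exercise the sample.
if command -v security >/dev/null 2>&1; then ea_check_keychain "Some Software, Inc"
else printf '%s\n' "$SAMPLE_OUTPUT" | ea_result "Some Software, Inc"; fi
```

Run as root from Jamf, the final `if` takes the `security` branch; anywhere else it only demonstrates the exact-label decision on the constructed sample.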
Thank you @Tangentism it works