#fleet
Mystery Incorporated

06/05/2022, 11:27 AM
Hello, does using orbit to deploy fleet-osquery mean we lose the signed pkg and so we lose the EndpointSecurity stuff?
Guillaume

06/06/2022, 12:24 PM
For macOS packages, you can sign and notarize them on your own as you generate them with --sign-identity and --notarize - it requires having the right Apple certificates to do so though. https://fleetdm.com/docs/using-fleet/adding-hosts#signing-installers That will sign and notarize the entire package, which contains the osquery package.
Mystery Incorporated

06/06/2022, 12:27 PM
Yes, but what I am trying to work out is, by doing that, do I lose the signing that is currently provided by the osquery foundation and therefore lose the Endpoint Security notarization? Like I understand that we can sign the package ourselves, but does it come with the trade-off of losing the signature from the official osquery pkg?
Guillaume

06/06/2022, 12:28 PM
No, the osquery package itself remains signed, but what we do in our own environment is we grant full disk access to orbit (and osquery is a subprocess and inherits).
sharvil

06/06/2022, 12:47 PM
Just to add a few more details: Orbit packager grabs official osquery packages from TUF, they are signed/notarized/entitled with osquery Foundation certs, so you can continue using EndpointSecurity stuff as normal. The orbit.pkg adds a few more goodies, and that pkg is signed and notarized with Fleet’s certs
Mystery Incorporated

06/08/2022, 10:26 AM
@sharvil that is fantastic news thanks