# fleet
m
Hello, does using orbit to deploy fleet-osquery mean we lose the signed pkg and so we lose the EndpointSecurity stuff?
g
For macOS packages, you can sign and notarize them on your own as you generate them with `--sign-identity` and `--notarize` - it requires having the right Apple certificates to do so though. https://fleetdm.com/docs/using-fleet/adding-hosts#signing-installers That will sign and notarize the entire package, which contains the osquery package.
m
Yes, but what I am trying to work out is, by doing that, do I lose the signing that is currently provided by the osquery Foundation and therefore lose the Endpoint Security notarization? Like, I understand that we can sign the package ourselves, but does it come with the trade-off of losing the signature from the official osquery pkg?
g
No, the osquery package itself remains signed, but what we do in our own environment is grant full disk access to orbit (and osquery is a subprocess and inherits it).
s
Just to add a few more details: the Orbit packager grabs official osquery packages from TUF; they are signed/notarized/entitled with osquery Foundation certs, so you can continue using EndpointSecurity stuff as normal. The orbit.pkg adds a few more goodies, and that pkg is signed and notarized with Fleet’s certs.
m
@sharvil that is fantastic news, thanks.