👋 The macos pkg doesn’t have the same hash on...
# macos
d
👋 The macos pkg doesn’t have the same hash on github and on the osquery website, is it expected?
a
did you check the signature?
d
Only the sha512
a
```
URLDownloader
{'Input': {'filename': 'osquery.pkg',
           'url': 'https://osquery-packages.s3.amazonaws.com/darwin/osquery.pkg'}}
URLDownloader: No value supplied for prefetch_filename, setting default value of: False
URLDownloader: No value supplied for CHECK_FILESIZE_ONLY, setting default value of: False
URLDownloader: Storing new Last-Modified header: Tue, 22 Jun 2021 19:04:54 GMT
URLDownloader: Storing new ETag header: "9180d84001b51fd92f85e8d5ba418db8"
URLDownloader: Downloaded /Users/allister/Library/AutoPkg/Cache/com.github.keeleysam.recipes.osquery.download/downloads/osquery.pkg
{'Output': {'download_changed': True,
            'etag': '"9180d84001b51fd92f85e8d5ba418db8"',
            'last_modified': 'Tue, 22 Jun 2021 19:04:54 GMT',
            'pathname': '/Users/allister/Library/AutoPkg/Cache/com.github.keeleysam.recipes.osquery.download/downloads/osquery.pkg',
            'url_downloader_summary_result': {'data': {'download_path': '/Users/allister/Library/AutoPkg/Cache/com.github.keeleysam.recipes.osquery.download/downloads/osquery.pkg'},
                                              'summary_text': 'The following '
                                                              'new items were '
                                                              'downloaded:'}}}
EndOfCheckPhase
{'Input': {}}
{'Output': {}}
CodeSignatureVerifier
{'Input': {'expected_authority_names': ['Developer ID Installer: Theodore Reed '
                                        '(B89LNTUADM)',
                                        'Developer ID Certification Authority',
                                        'Apple Root CA'],
           'input_path': '/Users/allister/Library/AutoPkg/Cache/com.github.keeleysam.recipes.osquery.download/downloads/osquery.pkg'}}
```
…512? not 256?
d
512
a
I don't remember what's posted
d
it’s the 256 that is posted
a
```
3f9ab772596f4da69687a2d7db9a382535b5eabf2346abd452b24666b8f25102
```
d
a
```
% santactl fileinfo /Users/allister/Library/AutoPkg/Cache/com.github.keeleysam.recipes.osquery.download/downloads/osquery.pkg
Path                   : /Users/allister/Library/AutoPkg/Cache/com.github.keeleysam.recipes.osquery.download/downloads/osquery.pkg
SHA-256                : 3f9ab772596f4da69687a2d7db9a382535b5eabf2346abd452b24666b8f25102
```
d
a
where is 512 posted?
oh github, one sec
you are correct
osqueryd itself differs
install size differs according to pkginfo
lsbom only shows the size of osqueryd as differing
d
Was it the same with the previous version? 4.8 is not on github anymore
a
not sure, autopkg grabs the one on s3
not sure what's worthwhile to diff about the 40.2MB compiled binary
not long before the rest of those on the right coast come online
they've always been interested in repeatable builds so there should be a reason they can suss out
s
Hmm, interesting. I have downloaded from github, website and s3. s3 and the website have the same pkg sha, but extracting all of them results in the same content.
The difference in the pkg is likely due to the difference in timestamps between signatures. @allister you said you see the osqueryd binary being different, what's the command you used to check?
a
lsbom
I expanded the pkgs with e.g.
pkgutil --expand autopkgpath /tmp/s3
then used Archive Utility to expand the payload and diff'd them, which pointed to osqueryd (and the pkginfo, since it looks at the exact size in bytes of the payload, and the bom as per the content you see converted by lsbom) being different
s
ok nvm PEBCAK, I see the difference now in the osqueryd binary too
a
the signature timestamp differing wouldn't alter the filesize, though?
s
They have different signatures, the github one is using the new LF keys, while the website one still uses Teddy keys.
I mean, this is on the binary
a
pkg sigs are both Teddy
s
yep
```
codesign --verbose=4 -dv ../website/osquery/Payload/usr/local/bin/osqueryd
Executable=/private/tmp/osquery/website/osquery/Payload/usr/local/bin/osqueryd
Identifier=osqueryd
Format=Mach-O thin (x86_64)
CodeDirectory v=20500 size=311636 flags=0x10000(runtime) hashes=9733+2 location=embedded
VersionPlatform=1
VersionMin=658432
VersionSDK=721152
Hash type=sha256 size=32
CandidateCDHash sha256=4010e5a75de2c29387cdfd76ed20ddaa9c0f438e
CandidateCDHashFull sha256=4010e5a75de2c29387cdfd76ed20ddaa9c0f438e4bb851c486de2b46e0476cd0
Hash choices=sha256
CMSDigest=4010e5a75de2c29387cdfd76ed20ddaa9c0f438e4bb851c486de2b46e0476cd0
CMSDigestType=2
Page size=4096
    -2=695ae83a2af26948741ec57ed0f661fa69ffece7e4fc6e7c81b3550cde5492a7
CDHash=4010e5a75de2c29387cdfd76ed20ddaa9c0f438e
Signature size=8996
Authority=Developer ID Application: Theodore Reed (B89LNTUADM)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=22 Jun 2021 at 21:04:40
Info.plist=not bound
TeamIdentifier=B89LNTUADM
Runtime Version=11.1.0
Sealed Resources=none
Internal requirements count=1 size=168
```
```
codesign --verbose=4 -dv osquery/Payload/usr/local/bin/osqueryd
Executable=/private/tmp/osquery/github/osquery/Payload/usr/local/bin/osqueryd
Identifier=osqueryd
Format=Mach-O thin (x86_64)
CodeDirectory v=20500 size=311732 flags=0x10000(runtime) hashes=9733+5 location=embedded
VersionPlatform=1
VersionMin=658432
VersionSDK=721152
Hash type=sha256 size=32
CandidateCDHash sha256=70e03c536569ef97594a762c8f428a69752acf40
CandidateCDHashFull sha256=70e03c536569ef97594a762c8f428a69752acf40220b6ae74cd22c4cb96fcbec
Hash choices=sha256
CMSDigest=70e03c536569ef97594a762c8f428a69752acf40220b6ae74cd22c4cb96fcbec
CMSDigestType=2
Page size=4096
    -5=cf468074bceac0fbab1058e86626b0357adf297c18c7a4fc22929f6644b4f6e0
    -4=0000000000000000000000000000000000000000000000000000000000000000
    -3=0000000000000000000000000000000000000000000000000000000000000000
    -2=eedc00297f1acf7b04a82fa071552093e345ee06d62595e66c766aeeef05665a
CDHash=70e03c536569ef97594a762c8f428a69752acf40
Signature size=9022
Authority=Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=15 Jun 2021 at 03:38:09
Info.plist=not bound
TeamIdentifier=3522FA9PXF
Runtime Version=11.1.0
Sealed Resources=none
Internal requirements count=1 size=168
```
second one is github
a
it's a difference of an additional ~480 bytes, I'd think the signing would be like-for-like blobs differing
s
Also a very quick bin diff shows that there's a big blob at the end of the binary that's different.
I see some additional zero padding at the end of the biggest one
s
Hi! I’ll take a look. It would not surprise me if we used different signing keys or packaging steps on these too. 4.9.0 was somewhat transitional.
d
Ok thanks
s
Thank you for bringing this up! This was not intentional, but represents a package building error specific to 4.9.0. The website one is correct, and I am updating github with it. This happened because we’re in the midst of moving the codesigning to GitHub-driven automation. The automated packages are using the new osquery codesigning certificates. But we consider that a breaking change, so the 4.x process generally had Teddy go through manual re-sign steps. The github one was not correctly re-signed (only the outer package was resigned, not the inner binary). The 5.0 release moves the signing to being automated and based on the osquery certs directly.
a
!m @Daisukixci (you're doing good work, 大好きち!)
(thanks for the explanation!)
d
Thanks for the explanation