
lvferdi

01/10/2018, 1:56 PM
@theopolis when I use the signature table I get
+---------+--------+--------------+------------------------------------------+-----------------+------------------+
| path    | signed | identifier   | cdhash                                   | team_identifier | authority        |
+---------+--------+--------------+------------------------------------------+-----------------+------------------+
| /bin/ls | 1      | com.apple.ls | b7aa5322870358c31ecec59439537f7282832edc |                 | Software Signing |
+---------+--------+--------------+------------------------------------------+-----------------+------------------+
My reading of this is that the signed field is “Is the software signed”, not “Is the software signature valid”. Am I mistaken? Does a 1 in that column mean that it is signed and valid?
@theopolis sorry to bother you with this again, but is my assumption wrong about the signed field?

theopolis

01/12/2018, 3:02 PM
Sorry, I’m sporadic this week. I think the assumption is wrong, and that field is reporting the status after checking the signature.
Let’s review the code, and maybe you can copy a signed binary to temp, twiddle a few bytes, and check that field again?

lvferdi

01/12/2018, 4:17 PM
perfect I’ll get testing that
One of my guys did some testing and our results are:
1 = signed (self or other) and valid
0 = unsigned
0 = signed and invalid
May be worth breaking those into two outputs, signature_signed and signature_valid, or similar.

theopolis

01/12/2018, 7:52 PM
yes, maybe just a signed and valid?

lvferdi

01/12/2018, 8:57 PM
I think it will help with the understanding of the output as well. We are going to continue testing but it will take a few days. Going to try and throw some stuff at it and see what it says. But to be less confusing to the community two columns would be great. And help when hunting for abnormalities

theopolis

01/12/2018, 9:08 PM
right! are you planning to create a PR for that change?

lvferdi

01/12/2018, 9:12 PM
I can.

theopolis

01/12/2018, 9:45 PM
🙏