Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
l
lvferdi
01/10/2018, 1:56 PM@theopolis when I use the signature table I get
+---------+--------+--------------+------------------------------------------+-----------------+------------------+
| path | signed | identifier | cdhash | team_identifier | authority |
+---------+--------+--------------+------------------------------------------+-----------------+------------------+
| /bin/ls | 1 | <http://com.apple.ls|com.apple.ls> | b7aa5322870358c31ecec59439537f7282832edc | | Software Signing |
+---------+--------+--------------+------------------------------------------+-----------------+------------------+1@theopolis sorry to bother you with this again but is my assumption wrong about the
signedt
theopolis
01/12/2018, 3:02 PMSorry, I’m sporadic this week. I think the assumption is wrong, and that field is reporting the status after checking the signature.
Let’s review the code, and maybe you can copy a signed binary to temp, twiddle a few bytes, and check that field again?
l
lvferdi
01/12/2018, 4:17 PMperfect I’ll get testing that
One of my guys did some testing and our results are:
1 = signed (self or other) and valid
0 = unsigned
0 = signed and invalid
May be worth breaking those into two outputs.
signature_signedsignature_validt
theopolis
01/12/2018, 7:52 PMyes, maybe just a
signedvalidl
lvferdi
01/12/2018, 8:57 PMI think it will help with the understanding of the output as well. We are going to continue testing but it will take a few days. Going to try and throw some stuff at it and see what it says. But to be less confusing to the community two columns would be great. And help when hunting for abnormalities
t
theopolis
01/12/2018, 9:08 PMright! are you planning to create a PR for that change?
l
lvferdi
01/12/2018, 9:12 PMI can.
t
theopolis
01/12/2018, 9:45 PM🙏