@Daij-Djan
Created January 26, 2017 15:18
PS for OSX:: Runs 'ps ax' and verifies the code signature of every running process using Apple's 'codesign' tool
#!/bin/bash
# Needs bash, not plain sh: the script uses arrays, [[ ]] and $'\n'.
IFS=$'\n'

# help text
usage="$(basename "$0") [-h or -?] [-i] [-a] [-s] [-d] [-u] [-f] [-b]
Runs 'ps ax' and verifies the code signature of every running process using Apple's 'codesign' tool
-h/-? :: help for command
-i :: don't show an initial count before analyzing each process
-a :: don't log processes signed by Apple directly
-s :: don't log processes signed for the App Store
-d :: don't log processes signed by a known developer
-u :: don't log processes NOT signed at all
-f :: don't show a final count after analyzing each process
-b :: don't log the process's short name (basename) only, but include its full path"

# flags
logHeader=1
logApple=1
logStore=1
logDev=1
logUnknown=1
logSummary=1
useShortNames=1

# read args
while getopts "h?iasdufb" opt; do
    case "$opt" in
        h|\?) echo "$usage"; exit 0 ;;
        i) logHeader=0 ;;
        a) logApple=0 ;;
        s) logStore=0 ;;
        d) logDev=0 ;;
        u) logUnknown=0 ;;
        f) logSummary=0 ;;
        b) useShortNames=0 ;;
    esac
done

# gather all running processes
# 'comm=' prints each process's executable without its arguments, and the
# empty header suppresses the COMMAND line that 'ps ax -o command' would
# otherwise add to the count.
procs=()
cUnresolved=0
ps=$(ps ax -o comm=)
cProcesses=$(echo "$ps" | wc -l | xargs)
for entry in $ps; do
    # login shells are listed with a leading '-', e.g. '-bash'
    if [[ $entry == -* ]]; then
        entry=${entry:1}
    fi
    # Bare names are resolved through PATH. This finds the binary PATH points
    # at, which is not necessarily the file the process was actually started from.
    proc=$(which "$entry")
    if [ -n "$proc" ]; then
        procs+=("$proc")
    else
        # e.g. kernel_task, which has no file on disk
        cUnresolved=$((cUnresolved+1))
    fi
done

# unique it
uniques=($(printf '%s\n' "${procs[@]}" | sort -u))
if [ "$logHeader" -eq 1 ]; then
    echo "$cProcesses running processes"
    echo "${#uniques[@]} unique binaries"
    if [ "$cUnresolved" -gt 0 ]; then
        echo "$cUnresolved processes could not be resolved to a file and were skipped"
    fi
fi

# check signatures
cApple=0
cStore=0
cDev=0
cUnknown=0
for proc in "${uniques[@]}"; do
    # --display prints the certificate chain the signature claims; it does not
    # check that the file still matches that signature (that is 'codesign --verify').
    res=$(codesign --display --verbose=4 "$proc" 2>&1)
    isApple=$(echo "$res" | grep "Authority=Apple Code Signing Certification Authority")
    isStore=$(echo "$res" | grep "Authority=Apple Worldwide Developer Relations Certification Authority")
    isDev=$(echo "$res" | grep -m 1 "Authority=Developer ID Application:")
    if [ "$useShortNames" -eq 1 ]; then
        proc=$(basename "$proc")
    fi
    if [ -n "$isApple" ]; then
        if [ "$logApple" -eq 1 ]; then
            echo "* '$proc' is signed (Apple directly)"
        fi
        cApple=$((cApple+1))
    elif [ -n "$isDev" ]; then
        if [ "$logDev" -eq 1 ]; then
            # keep only the developer name after 'Authority=Developer ID Application: '
            isDev=${isDev#*: }
            echo "? '$proc' is signed. (Known developer, $isDev)"
        fi
        cDev=$((cDev+1))
    elif [ -n "$isStore" ]; then
        if [ "$logStore" -eq 1 ]; then
            echo "* '$proc' is signed. (Software from Appstore)"
        fi
        cStore=$((cStore+1))
    else
        if [ "$logUnknown" -eq 1 ]; then
            echo "! '$proc' is unsigned. (Unknown identity)"
        fi
        cUnknown=$((cUnknown+1))
    fi
done

if [ "$logSummary" -eq 1 ]; then
    echo "$cApple apple processes
$cStore apps from the AppStore
$cDev developer signed programs
$cUnknown unknown processes found"
fi
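The script classifies a binary from what `codesign --display` prints, which is the chain the signature claims rather than a check that the file still matches it. As an added example (not part of the gist), the classifier below takes that output together with the exit status of `codesign --verify --strict`, so a binary whose claimed chain looks fine but no longer verifies is reported separately instead of passing as signed; `classify_signature`, `check_binary` and the `SAMPLE_*` outputs are mine, the samples are constructed, and `check_binary` only runs on a macOS host.

```shell
#!/bin/bash
# Added example: classify one binary from two codesign results, passed in as
# arguments so the logic can be exercised offline with constructed text.
# Prints one of: apple | store | dev:<Developer ID name> | unsigned | invalid | unknown
classify_signature() {
  display="$1"; verify_rc="${2:-1}"
  dev=$(printf '%s\n' "$display" | sed -n 's/^Authority=Developer ID Application: //p' | head -n 1)
  if printf '%s\n' "$display" | grep -q 'code object is not signed at all'; then
    kind=unsigned
  elif printf '%s\n' "$display" | grep -q '^Authority=Apple Code Signing Certification Authority$'; then
    kind=apple
  elif [ -n "$dev" ]; then
    kind="dev:$dev"
  elif printf '%s\n' "$display" | grep -q '^Authority=Apple Worldwide Developer Relations Certification Authority$'; then
    kind=store
  else
    kind=unknown   # e.g. codesign could not open the file at all
  fi
  # A chain that prints cleanly but fails --verify is exactly what --display alone misses.
  case "$kind" in
    unsigned|unknown) ;;
    *) [ "$verify_rc" -eq 0 ] || kind=invalid ;;
  esac
  printf '%s\n' "$kind"
}
# Hypothetical wrapper for a real macOS host: runs both codesign modes on one path.
check_binary() {
  bin="$1"
  display=$(codesign --display --verbose=4 "$bin" 2>&1) || true
  codesign --verify --strict "$bin" >/dev/null 2>&1; rc=$?
  classify_signature "$display" "$rc"
}
# Constructed samples of 'codesign --display --verbose=4' output (not captured from a real host).
SAMPLE_APPLE='Identifier=com.apple.mail
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA'
SAMPLE_STORE='Identifier=com.example.storeapp
Authority=Apple Mac OS Application Signing
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA'
SAMPLE_DEV='Identifier=com.example.app
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345'
SAMPLE_UNSIGNED='/usr/local/bin/tool: code object is not signed at all'
```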
Daij-Djan commented Jan 26, 2017

To install it:

  1. download the raw code,
  2. save it to a file (e.g. ps_osx.sh)
  3. run chmod a+x ps_osx.sh in the terminal, in the directory where you downloaded the file to

Sample output:

361 running processes
280 unique binaries
* 'AutoMute' is signed. (Software from Appstore)
? 'Dropbox' is signed. (Known developer,  Dropbox, Inc.)
? 'garcon' is signed. (Known developer,  Dropbox, Inc.)
? 'Fabric' is signed. (Known developer,  Crashlytics, Inc.)
? 'CSYMGenerator' is signed. (Known developer,  Crashlytics, Inc.)
? 'Flux' is signed. (Known developer,  Michael Herf)
* 'Magnet' is signed. (Software from Appstore)
* 'Mail' is signed (Apple directly)
....
269 apple processes
3 apps from the AppStore
6 developer signed programs
2 unknown processes found
