@blakefrantz
Created February 3, 2014 21:32
Determines the state of Gatekeeper on OSX 10.8 and 10.9. Differentiates between three modes: "Mac App Store", "Mac App Store and identified developers", and "Anywhere".
```bash
#!/bin/bash
#
# Determines the state of Gatekeeper on OSX 10.8 and 10.9. Differentiates between three modes:
#
# - Mac App Store
# - Mac App Store and identified developers
# - Anywhere
#
# DEV_REQ_[12] are certificate requirements stored in the SystemPolicy sqlite database.
# Each certificate requirement is disabled/enabled pursuant to the 'disabled' field in
# the 'authority' table.
#
# When the aforementioned certificate requirements are enabled,
# while Gatekeeper status is enabled, it means Gatekeeper will permit software signed
# by only the Mac App Store and identified developers.
#
# When the aforementioned certificate requirements are disabled,
# while Gatekeeper status is enabled, it means Gatekeeper will permit software signed
# by only the Mac App Store.
#
# blakefrantz@gmail.com
#
SPCTL=/usr/sbin/spctl
SQLITE=/usr/bin/sqlite3
SYSTEM_POLICY_PATH=/var/db/SystemPolicy

# Bail out with a non-zero status if the database or either tool is unusable.
if [ ! -r "$SYSTEM_POLICY_PATH" ] || [ ! -x "$SPCTL" ] || [ ! -x "$SQLITE" ]; then
    echo "Error: Ensure the permissions and path to spctl, sqlite3, and SystemPolicy are sane." >&2
    exit 1
fi

# Overall assessment state as reported by spctl.
STATUS=$("$SPCTL" --status)

DEV_REQ_1="anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and certificate leaf[field.1.2.840.113635.100.6.1.13] exists"
DEV_REQ_2="anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and (certificate leaf[field.1.2.840.113635.100.6.1.14] or certificate leaf[field.1.2.840.113635.100.6.1.13])"

# Return only the identified-developer requirements that are currently disabled.
SQL="select requirement, disabled from authority where (requirement = '$DEV_REQ_1' or requirement = '$DEV_REQ_2') and disabled = 1;"
OUTPUT=$("$SQLITE" "$SYSTEM_POLICY_PATH" "$SQL")

if [ "$STATUS" = "assessments enabled" ]; then
    # No disabled rows means the identified-developer requirements are in force.
    if [ -z "$OUTPUT" ]; then
        echo "Gate Keeper is enabled and in 'Mac App Store and identified developers' mode"
    else
        echo "Gate Keeper is enabled and in 'Mac App Store' mode"
    fi
else
    echo "Gate Keeper is disabled and in 'Anywhere' mode"
fi
```
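The script's decision logic replayed in Python against a constructed in-memory table, as an added example that is not part of the original gist. It goes one step beyond the script by returning "unknown" when neither requirement row is present, a case the script's empty-output test reports as 'Mac App Store and identified developers'; the two-column `authority` table and the names `classify` and `make_db` are assumptions for illustration.

```python
import sqlite3

# Requirement strings copied from the script above.
DEV_REQ_1 = ("anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] "
             "exists and certificate leaf[field.1.2.840.113635.100.6.1.13] exists")
DEV_REQ_2 = ("anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] "
             "exists and (certificate leaf[field.1.2.840.113635.100.6.1.14] "
             "or certificate leaf[field.1.2.840.113635.100.6.1.13])")

# Fetch both rows regardless of state so a missing row can be told apart
# from an enabled one; values are bound as parameters, not interpolated.
SQL = "select requirement, disabled from authority where requirement in (?, ?)"


def make_db(rows):
    """Constructed stand-in for /var/db/SystemPolicy (assumption: only the
    two columns the script's query touches are modelled)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table authority (requirement text, disabled integer)")
    conn.executemany("insert into authority values (?, ?)", rows)
    return conn


def classify(conn, status):
    """Map spctl status text plus the authority rows to a Gatekeeper mode."""
    if status != "assessments enabled":
        return "Anywhere"
    rows = conn.execute(SQL, (DEV_REQ_1, DEV_REQ_2)).fetchall()
    if not rows:
        # Neither requirement string matched: the database does not look
        # like the one the script was written for, so do not guess a mode.
        return "unknown"
    if any(disabled == 1 for _, disabled in rows):
        return "Mac App Store"
    return "Mac App Store and identified developers"


if __name__ == "__main__":
    enabled = "assessments enabled"
    print(classify(make_db([(DEV_REQ_1, 0), (DEV_REQ_2, 0)]), enabled))
    print(classify(make_db([(DEV_REQ_1, 1), (DEV_REQ_2, 1)]), enabled))
    print(classify(make_db([]), enabled))
```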