@pgib pgib/README.md

Last active Dec 28, 2015
Testing script to test Mac OS X Mavericks code signing for Profile Manager.

Install to /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/backend/php

Be sure to edit the file to set the path to your code-signing certificate.

Run with:

```
cd /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/backend/php
php -c /Applications/Server.app/Contents/ServerRoot/usr/share/devicemgr/php/php.ini signing_tester.php
```

```php
<?php
// Look in /etc/certificates to get the base certificate name
// (without the .cert, .key, etc. extension).
$certificate_base = '/etc/certificates/<base certificate name>';

// Try to CMS-sign a short test string with the certificate and its private key.
$signed = dmx_get_cms_signed_data(
    "{$certificate_base}.cert.pem",
    "{$certificate_base}.key.pem",
    'foo bar bat baz'
);

// A falsy result means signing failed; check scep_helper.log for the reason.
if ($signed)
{
    echo "Signing succeeded!\n";
}
else
{
    echo "Signing failed. :(\n";
}
?>
```

pgib commented Nov 22, 2013

Note that you actually need to run this as root, and not via a sudo session. From Server.app, go to Tools, Directory Utility, unlock to make changes, and choose Edit, Enable root user...

Then become root by typing su.


pgib commented Mar 21, 2014

Latest results with Server 3.1 when using a "real" certificate:

Signing failed. :(

And seen in scep_helper.log:

```
0:: [738] [2014/03/21 10:15:28.243] EXCEPTION:  Error <kern_return_t SCEPHELPERS_GetCMSSignedData(mach_port_t, vm_offset_t *, mach_msg_type_number_t *, vm_offset_t *, mach_msg_type_number_t *, vm_offset_t *, mach_msg_type_number_t *, vm_offset_t *, mach_msg_type_number_t *, audit_token_t) (/SourceCache/RemoteDeviceManagement/RemoteDeviceManagement-864.18/Compiled/scep_helper/main.m:905): "'((status = CMSEncode(signingIdentity, ((void*)0), 0, 0, kCMSAttrNone, ((const void*)(data)), ((size_t)(dataCnt)), &result)))' error -25308">
0:: [738] [2014/03/21 10:15:28.243] ERROR: SCEPHELPERS_GetCMSSignedData: User interaction is not allowed.
```

When setting the script to use the self-signed certificate, we get:

Signing succeeded!

... with no entries in scep_helper.log.
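
An added example, not part of the original gist or its comments: a small Python parser for the scep_helper.log entries quoted in the comment above, pulling out the failing function, source location and OSStatus so signing failures can be triaged from the log. The function names are hypothetical, and the OSStatus name table is a small subset assumed from Security.framework's SecBase.h.

```python
import re

# Small subset of OSStatus codes (assumed from Security.framework's SecBase.h).
OSSTATUS_NAMES = {-25293: "errSecAuthFailed", -25300: "errSecItemNotFound",
                  -25308: "errSecInteractionNotAllowed"}

# Entry header as it appears in the excerpt: 0:: [pid] [timestamp] LEVEL:
HEADER_RE = re.compile(r"0:: \[(?P<pid>\d+)\] \[(?P<ts>[\d/]+ [\d:.]+)\] (?P<level>[A-Z]+):")
SOURCE_RE = re.compile(r"(?P<file>\w+\.m):(?P<line>\d+)\)")  # e.g. main.m:905)
STATUS_RE = re.compile(r"error (?P<code>-?\d+)")             # e.g. error -25308
FUNC_RE = re.compile(r"SCEPHELPERS_\w+")

# The two entries from the comment above, re-wrapped at spaces only.
SAMPLE_LOG = """
0:: [738] [2014/03/21 10:15:28.243] EXCEPTION:  Error <kern_return_t
SCEPHELPERS_GetCMSSignedData(mach_port_t, vm_offset_t *, mach_msg_type_number_t *, vm_offset_t *,
mach_msg_type_number_t *, vm_offset_t *, mach_msg_type_number_t *, vm_offset_t *,
mach_msg_type_number_t *, audit_token_t)
(/SourceCache/RemoteDeviceManagement/RemoteDeviceManagement-864.18/Compiled/scep_helper/main.m:905):
"'((status = CMSEncode(signingIdentity, ((void*)0), 0, 0, kCMSAttrNone, ((const void*)(data)), ((size_t)(dataCnt)), &result)))' error -25308">
0:: [738] [2014/03/21 10:15:28.243] ERROR: SCEPHELPERS_GetCMSSignedData: User interaction is not allowed.
"""

def parse_entries(text):
    """Split raw log text into entries; an entry may wrap over several lines."""
    flat = " ".join(text.split())
    headers = list(HEADER_RE.finditer(flat))
    entries = []
    for i, h in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(flat)
        body = flat[h.end():end].strip()
        func, src, status = FUNC_RE.search(body), SOURCE_RE.search(body), STATUS_RE.search(body)
        code = int(status["code"]) if status else None
        entries.append({
            "pid": int(h["pid"]), "timestamp": h["ts"], "level": h["level"],
            "function": func.group(0) if func else None,
            "source": (src["file"], int(src["line"])) if src else None,
            "osstatus": code, "osstatus_name": OSSTATUS_NAMES.get(code, "unknown") if status else None,
            "message": body,
        })
    return entries

def signing_failures(entries):
    # Only entries that report a numeric OSStatus from the failed call.
    return [e for e in entries if e["osstatus"] is not None]

if __name__ == "__main__":
    for e in signing_failures(parse_entries(SAMPLE_LOG)):
        print(e["timestamp"], e["function"], e["source"], e["osstatus"], e["osstatus_name"])
```
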
