Sam隨手筆記: 2021

2021年9月21日星期二

Mac install and kext 公證方式!

－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－

Author: Sam

Date: 2021/08/05

－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－

*******************************************************************

** ProjectMaker .mpkg 增加Ａpple Sign

## productsign --sign "Developer ID Application: User" Source_Path Target_Path

## productsign --sign "Developer ID Installer: User" Source_Path Target_Path

*******************************************************************

EX.

productsign --sign "Developer ID Application: User)" \

/Users/accusys/Desktop/Accusys_Mac_Driver_257_Beta4.mpkg \

/Users/accusys/Desktop/Accusys_Mac_Driver_257_Beta4_Sign1.mpkg

*******************************************************************

** 確認ProjectMaker .mpkg 檔案 Sign 狀態

## pkgutil --check-signature /path/to/file.pkg

*******************************************************************

EX1.

# pkgutil --check-signature Accusys_Mac_Driver_257_Beta4.mpkg

Package "Accusys_Mac_Driver_257_Beta4":

Status: no signature

EX2.

# pkgutil --check-signature Accusys_Mac_Driver_257_Beta4_Sign.mpkg

Package "Accusys_Mac_Driver_257_Beta4_Sign":

Status: signed by a certificate trusted by macOS

Certificate Chain:

1. Developer ID Application: User

Expires: 2023-09-08 08:17:40 +0000

SHA256 Fingerprint:

ED 2E 67 F9 F1 28 70 BC DC 87 00 CA D5 99 59 B5 86 C6 69 F2 47 C7

A2 82 91 34 8C 58 A1 C4 4C 74

------------------------------------------------------------------------

2. Developer ID Certification Authority

Expires: 2027-02-01 22:12:15 +0000

SHA256 Fingerprint:

7A FC 9D 01 A6 2F 03 A2 DE 96 37 93 6D 4A FE 68 09 0D 2D E1 8D 03

F2 9C 88 CF B0 B1 BA 63 58 7F

------------------------------------------------------------------------

3. Apple Root CA

Expires: 2035-02-09 21:40:36 +0000

SHA256 Fingerprint:

B0 B1 73 0E CB C7 FF 45 05 14 2C 49 F1 29 5E 6E DA 6B CA ED 7E 2C

68 C5 BE 91 B5 A1 10 01 F0 24

－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－

** Apple Kext 公證方式教學

** https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/customizing_the_notarization_workflow?preferredLanguage=occ

** https://juejin.cn/post/6894059183453241357

－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－

** 您的(Sam) App 專用密碼 Accusys Kext: xxxx-xxxx-xxxx-xxxx

－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－

** Notarize 前準備

1. 先將APLLE ID 升級為 Apple ID 雙重認證.

2. 在APPLE ID 帳戶 Security 選項, 新增 APP-SPECIFIC PASSWORDS.

這組密碼用來公證時使用的密碼.

*******************************************************************

** 選擇Xcode

## sudo xcode-select -s /path/to/Xcode13.app

*******************************************************************

EX.

# xcode-select -s /Applications/Xcode-13beta2.app/

*******************************************************************

** Add Timestamp from kext

## codesign --timestamp -f -s "Developer ID Application: xxxx (xxxxx)" xxx.kext

*******************************************************************

EX.

# codesign --timestamp -f -s "Developer ID Application: User" ACS6x.kext

codesign -s "Developer ID Application: User" --options runtime -f --timestamp ACS6x.kext

驗證方式:

# codesign -dvvv ACS6x.kext

可以看到 "Signed Time=Jul 15, 2021 at 3:24:24 PM"

改為 "Timestamp=Jul 15, 2021 at 3:35:21 PM"

*******************************************************************

** Add hardened runtime flag

## codesign --options=runtime --timestamp -f -s "Developer ID Application: xxxx (xxxxx)" DtrGuiSrv01_64

*******************************************************************

** Create a ZIP archive suitable for notarization.

## /usr/bin/ditto -c -k --keepParent "$APP_PATH" "$ZIP_PATH"

*******************************************************************

EX.

# ditto -c -k --keepParent /Users/accusys/Desktop/ACS6x.kext /Users/accusys/Desktop/ACS6x.kext.zip

*******************************************************************

** Notarize kext

## xcrun altool --notarize-app -f Source_path \

## --primary-bundle-id "User_define_ID" (使用者自行定義，可用於版本區分)

## -u "Apple ID" -p "Apple ID 額外聲請第三方使用密碼"

## 成功後可以得到一組Request UUID, 等待約15分後請用查詢指令確認狀態

*******************************************************************

EX.

#xcrun altool --notarize-app -f /Users/accusys/Desktop/ACS6x.kext.zip \

--primary-bundle-id "com.Accusys.driver.368Intel" \

-u "User" -p "User"

Cmd Reply:

No errors uploading '/Users/accusys/Desktop/ACS6x.kext.zip'.

RequestUUID = 2b945190-d915-48ae-99c9-526235a7d8ec

*******************************************************************

** 確認公證狀態, 看全部資訊

## xcrun altool --notarization-history 0 --username "xxxx" --password "xxxx"

*******************************************************************

EX.

# xcrun altool --notarization-history 0 -u "User" -p "User"

Cmd Reply:

Notarization History - page 0

Date RequestUUID Status Status Code Status Message

------------------------- ------------------------------------ ------- ----------- ----------------

2021-07-12 09:02:10 +0000 81a4299c-66d1-4016-907b-0bf53eb4432b invalid 2 Package Invalid

2021-07-12 08:47:31 +0000 3e92f8ec-77f5-42a8-baa4-d6a6fe3b8066 success 0 Package Approved

Next page value: 1626079651000

*******************************************************************

** 確認公證狀態, 看特定RequestUUID 細節

## xcrun altool --notarization-info "Request UUID" -u "APPLE ID" -p " App password"

## 特別注意上面附有LogFileURL, 不管對錯都可以從裡面看到相關資訊

*******************************************************************

EX1.

sh-3.2# xcrun altool --notarization-info 3e92f8ec-77f5-42a8-baa4-d6a6fe3b8066 -u "User" -p "User"

No errors getting notarization info.

Date: 2021-07-12 08:47:31 +0000

Hash: c3d9426297775094427e026e2fb9f423d3322dc3f79846d28deebf378fcc8813

LogFileURL: https://osxapps-ssl.itunes.apple.com/itunes-assets/Enigma115/v4/a7/b1/8c/a7b18cd7-dc24-0bb3-bfd0-de9ca3b701b6/developer_log.json?accessKey=1626295600_6591354106415281256_xhl7DLpqT8rtDFSq3EAx1og5tezk43VkktZ87vI%2Ba4sID7bwj7vc%2FhH9mECv7fpFMn2wp1au4z1CKOHXQ1uY91Fin%2BIEQyjF9U3dBC%2FvN18NM%2FnTVecPeyLzkRVtqpH%2B%2BfTjF4liBudo8Nuyc7V6RBOVIG8m7exygsN7PdOvQxY%3D

RequestUUID: 3e92f8ec-77f5-42a8-baa4-d6a6fe3b8066

Status: success

Status Code: 0

Status Message: Package Approved

EX2.

sh-3.2# xcrun altool --notarization-info 81a4299c-66d1-4016-907b-0bf53eb4432b -u "User" -p "User"

No errors getting notarization info.

Date: 2021-07-12 09:02:10 +0000

Hash: 88749476df828b14a4c6f2b9de0eccf2ed605565f2bf327dcf2d208988f4d19a

LogFileURL: https://osxapps-ssl.itunes.apple.com/itunes-assets/Enigma115/v4/53/53/e1/5353e10a-445f-1b9c-9d88-4eef3088bb0c/developer_log.json?accessKey=1626295070_8353744305349471620_keVak2QrHUsMplR%2FuUAFQ0kASGO%2BVRlE6VTIh8VTaMe1ZX5V6ztRT3r54Nj317wTzpWfF851zAsfWeoTSNWcxOiBrHhWwfgPepzgmNVfs2WKeRqPRs%2FFaxCqOHiRv6YybiKDox2GQ1MzXEGOLG0y23sS%2B6P6DxelSgKqo3ub0J8%3D

RequestUUID: 81a4299c-66d1-4016-907b-0bf53eb4432b

Status: invalid

Status Code: 2

Status Message: Package Invalid

*******************************************************************

** KEXT公證過後APPLE如何確定是否公證過, 後續需要多做一個裝訂的程序將票證裝在KEXT.

** 一旦對應用程序進行了公證，Apple便為開發人員提供了“票證”，可以將其“裝訂”到經過公證的對像上。

** 此時裝訂的過程要連接網, 由APPLE 回傳確定是否通過公證,若有則會裝訂票證到檔案.

** 如果未裝訂應用程序或kext，Internet連接下，則在加載應用程序/ kext時，macOS會使用Apple服務器簽入，以查看是否可以正常運行。

** 如果未裝訂應用程序或kext，Internet未連接下，因無法判斷是否通過公證，會直接當作無公證，導致載入時失敗.

** 具體可通過stapler工具來裝訂:

## sudo xcrun stapler staple xxxx.kext

## sudo xcrun stapler staple -v xxxx.kext 可以看詳細內容

*******************************************************************

EX.

# sudo xcrun stapler staple ACS6x.kext

Cmd Reply:

Processing: /Users/Accusys/Desktop/ACS6x.kext

The staple and validate action worked!

*******************************************************************

** 驗證是否裝訂完成 xxxxx.kext

## sudo xcrun stapler validate xxxxx.kext

## sudo xcrun stapler validate -v xxxxx.kext 可以看詳細內容

*******************************************************************

EX.

# sudo xcrun stapler validate ACS6x.kext

Cmd Reply:

The validate action worked!

*******************************************************************

** 對於APP的公證權限驗證

## spctl -a -v xxxx.app

*******************************************************************

** 對於pkg包的公證權限驗證

## spctl -v -a --type install xxx.pkg

*******************************************************************

EX1.

sh-3.2# spctl -v -a --type install R_MacDrv_V6.2.16.pkg

R_MacDrv_V6.2.16.pkg: accepted

source=Notarized Developer ID

EX2.

sh-3.2# spctl -v -a --type install Accusys_Mac_BigSur_3.7.1s.mpkg/

Accusys_Mac_BigSur_3.7.1s.mpkg/: rejected

source=Unnotarized Developer ID

Mac OS Bigsur XSAN 7 cmd line 設定方式

** Mac OS Bigsur XSAN 7 cmd line 設定方式

1. 設定HostName

sh-3.2# sudo scutil --set HostName MDC.private

2. Edit /etc/hosts 增加 HostName IP to hosts

sh-3.2# cat /etc/hosts

# Host Database

# localhost is used to configure the loopback interface

# when the system is booting. Do not change this entry.

127.0.0.1 localhost

255.255.255.255 broadcasthost

::1 localhost

10.10.8.157 mdc.private

3. Create SAN server and account

user : accusys

password : accusys

SAN_Name: Xsan

mail : xsan@gmail.com

certificate auth name. In this example the certificate auth name is Accusyscert

" sudo xsanctl createSan SAN_Name --account user --pass password --user user --cert-auth-name certificate_auth_name --cert-admin-email mail "

sh-3.2# sudo xsanctl createSan xsan --account accusys --pass accusys --user accusys --cert-auth-name videocert --cert-admin-email xsan@gmail.com

PS. "xsanctl listSan"

xsan (mdc3.private)

xsan (mdc.private)

4. Create an Xsan volume

a. export volum setting

sh-3.2# sudo cvlabel -c >label_list

b. Edit the label_list file, changing CvfsDisk_UNKNOWN to the desired label name MetadataLUN and DataLUN:

sh-3.2# sudo vi label_list

From

CvfsDisk_UNKNOWN /dev/rdisk5 # host 1 lun 0 sectors 4194285535 sector_size 512 inquiry [ACCUSYS A12S3-PS 364] serial 50363230313800003632323000000000

CvfsDisk_UNKNOWN /dev/rdisk6 # host 1 lun 0 sectors 20971501535 sector_size 512 inquiry [ACCUSYS A12S3-PS 364] serial 50363230313800013632323000000000

Change to

MetadataLUN /dev/rdisk5 # host 1 lun 0 sectors 4194285535 sector_size 512 inquiry [ACCUSYS A12S3-PS 364] serial 50363230313800003632323000000000

DataLUN /dev/rdisk6 # host 1 lun 0 sectors 20971501535 sector_size 512 inquiry [ACCUSYS A12S3-PS 364] serial 50363230313800013632323000000000

c. Update label_list

sh-3.2# sudo cvlabel label_list

*WARNING* This program will over-write volume labels on the

devices specified in the file "label_list".

After execution, the devices will only be usable by the

Xsan. You will have to re-partition the

devices to use them on a different file system.

Do you want to proceed? (Y / N) -> y

/dev/rdisk5 [ACCUSYS A12S3-PS 364] unknown Controller 'default', Serial '50363230313800003632323000000000', Sector Size 512, Sectors Max 4194285535 (2.1TB)

Do you want to label it acfs-EFI - Name: MetadataLUN Sectors: 4194285535 (Y / N) -> y

New Volume Label -Device: /dev/rdisk5 acfs Label: MetadataLUN Sectors: 4194285535.

/dev/rdisk6 [ACCUSYS A12S3-PS 364] unknown Controller 'default', Serial '50363230313800013632323000000000', Sector Size 512, Sectors Max 20971501535 (10.7TB)

Do you want to label it acfs-EFI - Name: DataLUN Sectors: 20971501535 (Y / N) -> y

New Volume Label -Device: /dev/rdisk6 acfs Label: DataLUN Sectors: 20971501535.

Done. 2 source lines. 2 labels.

Requesting disk rescan .

5. Mapping volume to Lun

-In this example, the name of the volume is Xsan.

-In this example, the name of the metadata LUN is MetadataLUN.

-In this example, the name of the data LUN is DataLUN.

Press Return after each step and if necessary, enter the administrator password.

sh-3.2# sudo xsanctl addVolume xsan --defaultFirstPool --addLUN MetadataLUN --storagePool data --addLUN DataLUN

Verify the volume was created: sudo xsanctl list.

To mount/unmount Xsan volume: sudo xsanctl mount/unmount XsanVolume

To remove Xsan volume: sudo xsanctl dropVolume XsanVolume

To stop/start Xsan volume: sudo xsanctl stopVolume/startVolume XsanVolume

6. For other client to quick setting

Export the Xsan configuration file for other client

sh-3.2# sudo xsanctl exportClientProfile

After you press Return, the Xsan configuration profile is saved in the current working directory. In this example, the file is named Xsan.mobilconfig.

# Remove SAN volume 流程!

a. Verify the volume was created:

sh-3.2# sudo xsanctl list

b. To mount/unmount Xsan volume:

sh-3.2# sudo xsanctl mount/unmount XsanVolume

c. To remove Xsan volume:

sh-3.2# sudo xsanctl dropVolume XsanVolume

d. stop/start Xsan volume:

sh-3.2# sudo xsanctl stopVolume/startVolume XsanVolume

# Remove SAN 流程!

After you press Return, the xsanctl command creates the Open Directory and SAN.

a. To destroy SAN:

sh-3.2# xsanctl destroySan Xsan

b. To destroy Open Directory:

sh-3.2# xsanctl destroyMaster --account accusys --pass accusys

2021年6月22日星期二

Mac Installer PackageMaker scripts

Mac OS 抓去 CPU 與 OS 版號資訊

CPU `uname -m` = x86_64 or arm64

OS 版號 `sw_vers -productVersion` = like 10.15.7

PKG安裝包的管理與文件格式分析 (參考網址)

https://zhuanlan.zhihu.com/p/24895270

PackageMaker Script 時序

preflight：點擊安裝界面上的Install按鈕時運行此腳本。該腳本在程序每次安裝時都會運行。

preinstall/preupgrade：針對單程序安裝包（pkg），該腳本會在preflight腳本運行之後運行，針對多程序安裝包（mpkg），該腳本會在用戶按下Install銨鈕後執行。

preinstall與preupgrade的區別：

preinstall只會在用戶第一次安裝該程序時執行，而preupgrade只在之前安裝過該程序，用於軟件升級時，腳本才會執行，

preupgrade用於軟件升級時使用。區分程序是否為第一次安裝是通過pkg安裝器Installer.app來完成的，

Installer.app通過查看/private/var/db/receipts目錄，查看目錄中是否有以程序包名命名的pkg文件，如果存在，說明已經安裝過，反之，為第一次安裝。

postinstall/postupgrade：該腳本在程序安裝完之後才運行。它們的區別與preinstall/preupgrade一樣。

postflight：該腳本在postinstall/postupgrade腳本之後運行。

=======================================================

postflight Sample code

=======================================================

#!/bin/sh

###

### Unloaded and Remove old driver

###

sudo kextunload /Library/Extensions/ACS6x.kext/

sudo rm -rf /Library/Extensions/ACS6x.kext

cputype=`uname -m`

if [ "$cputype" == "arm64" ]; then

#echo "ARM Mac OS cputyep : $cputype"

sudo unzip /tmp/drv/ACS6x_M1.kext.zip -d /tmp/drv/

else

#echo "Intel Mac OS cputype : $cputype"

sudo unzip /tmp/drv/ACS6x.kext.zip -d /tmp/drv/

DRV1=/tmp/drv/ACS6x.kext

DRV2=/Library/Extensions/

sudo chown -R root:wheel $DRV1

sudo chmod -R 755 $DRV1

sudo cp -R $DRV1 $DRV2

### restart cache for 10.15/11.00 with m1 issue

#sudo kmutil clear-staging

### Remove temp file

sudo rm -rf /tmp/drv

exit 0

=======================================================

postflight Sample code

=======================================================

#!/bin/sh

###

### Remove old version before install file

###

sudo rm -rf /System/Library/Extensions/ACS62000.kext

sudo rm -rf /System/Library/Extensions/ACS6xxxx.kext

sudo rm -rf /System/Library/Extensions/Accusys6xxxx.kext

sudo rm -rf /System/Library/Extensions/ACS6x.kext

sudo rm -rf /Library/Extensions/ACS6x.kext

sudo rm -rf /System/Library/Extensions/AccusysNTDevice.kext

### Update driver

OSver=`sw_vers -productVersion`

OSver1=$(echo $OSver | cut -d "." -f 1)

OSver2=$(echo $OSver | cut -d "." -f 2)

OSver=$OSver1.$OSver2

#echo "Check Mac OS kernel version: OS version : $OSver"

if [ $(echo "$OSver >= 10.10" |bc) -eq 1 ]; then

#echo " > Check Mac OS kernel version: Darwin kernel version : $OSver"

DRV1=/tmp/drv/ACS6x.kext

DRV2=/Library/Extensions/

else

#echo " < Check Mac OS kernel version: Darwin kernel version : $OSver"

DRV1=/tmp/drv/ACS6x.kext

DRV2=/System/Library/Extensions/

sudo chown -R root:wheel $DRV1

sudo chmod -R 755 $DRV1

sudo cp -R $DRV1 $DRV2

if [ $(echo "$OSver >= 10.9" |bc) -eq 1 ]; then

sudo kextcache -system-caches

else

sudo touch /System/Library/Extensions

### Remove temp file

sudo rm -rf /tmp/drv

exit 0

=======================================================

訂閱：文章 (Atom)

2021年9月21日 星期二

Mac install and kext 公證方式!

Mac OS Bigsur XSAN 7 cmd line 設定方式

2021年6月22日 星期二

Mac Installer PackageMaker scripts

2021年9月21日星期二

2021年6月22日星期二