Automate the inspection of signed Configuration Profiles with the uscp function

Background
A manual, step-by-step process of using Terminal to make a timestamped, unsigned copy of a Configuration Profile was detailed as part of a previous Sophos-specific post.
This post builds on bz please and introduces a new uscp function, which automates the inspection of signed Configuration Profiles:
- The original, signed Configuration Profile’s signature “subjects” and modification date are displayed
- A timestamped backup of the original, signed Configuration Profile is created and its signature removed
- The unsigned backup Configuration Profile is formatted for readability and is opened in Visual Studio Code
~/.zshrc Configuration
Back up your current ~/.zshrc and add the following uscp function:
uscp () { # [u]n[s]ign [c]onfiguration [p]rofile
    if [ -z "${1}" ]; then
        printf "\n###\n# [u]n[s]ign [c]onfiguration [p]rofile\n###\n\n"
        printf "Usage:\n1. Type \"uscp\", followed by a [Space]\n2. Drag-and-drop the signed Configuration Profile\n3. Press [Return]\n\nA timestamped, unsigned copy will be saved next to the source file and opened in Visual Studio Code.\n\n"
        return
    fi
    signedConfigurationProfile="${1}"
    signedFileName=$( echo "${signedConfigurationProfile}" | awk -F '/' '{print $NF}' )
    # File names are passed as printf arguments (%s) so a "%" in a name is not read as a format specifier
    printf "\n###\n# [u]n[s]ign [c]onfiguration [p]rofile:\n# %s\n###\n\n" "${signedFileName}"
    # List the subject of every certificate embedded in the signature
    subjects=$( openssl pkcs7 -inform DER -print_certs -in "${signedConfigurationProfile}" | grep subject )
    printf "• The signature of \"%s\" contains the following subjects:\n%s\n\n" "${signedFileName}" "${subjects}"
    fileModificationDate=$( date -j -f "%s" "$( stat -f "%m" "${signedConfigurationProfile}" )" "+%Y-%m-%d" )
    printf "• The modification date of \"%s\" is:\n%s\n\n" "${signedFileName}" "${fileModificationDate}"
    timestampedConfigurationProfile="${signedConfigurationProfile%.*}-${fileModificationDate}.${signedConfigurationProfile##*.}"
    printf "• Creating a timestamped copy of \"%s\", appending \"%s\" to the filename …\n" "${signedFileName}" "${fileModificationDate}"
    cp -v "${signedConfigurationProfile}" "${timestampedConfigurationProfile}"
    timestampedFileName=$( echo "${timestampedConfigurationProfile}" | awk -F '/' '{print $NF}' )
    unsignedConfigurationProfile="${timestampedConfigurationProfile%.*}-unsigned.${timestampedConfigurationProfile##*.}"
    unsignedFileName=$( echo "${unsignedConfigurationProfile}" | awk -F '/' '{print $NF}' )
    printf "\n• Removing signature from \"%s\" …\n" "${timestampedFileName}"
    # -noverify: write out the payload without verifying the signer's certificate
    openssl smime -inform DER -verify -in "${timestampedConfigurationProfile}" -noverify -out "${unsignedConfigurationProfile}"
    printf "\n• Formatting \"%s\" …\n" "${unsignedFileName}"
    plutil -convert xml1 "${unsignedConfigurationProfile}"
    resultCode=${?}
    if [ "${resultCode}" = "0" ]; then
        printf "Formatting successful\n\n"
        printf "\n• Editing %s in Visual Studio Code …\n\n" "${unsignedConfigurationProfile}"
        code "${unsignedConfigurationProfile}"
    else
        printf "Error: %s\n\n" "${resultCode}"
        return "${resultCode}"
    fi
}
Function Usage
- Launch Terminal
- Type uscp followed by a Space
- Drag-and-drop the signed Configuration Profile to the open Terminal window
- Press Return
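
The uscp function extracts the payload with -noverify, which does not verify the signer's certificate. The following added example (not part of the original post) contrasts that extraction with a check that the signer chains to a certificate you trust; the function names, the throwaway self-signed certificates and the sample profile are all constructed for the illustration.

```shell
#!/bin/sh
# Added example; every name below is hypothetical and the data is constructed.

# make_signed_fixture DIR: create a constructed profile signed by a throwaway
# self-signed certificate, plus an unrelated certificate for the negative case.
make_signed_fixture () {
    d=$1
    printf '%s\n' '<?xml version="1.0" encoding="UTF-8"?>' \
        '<plist version="1.0"><dict>' \
        '<key>PayloadDisplayName</key><string>Constructed sample</string>' \
        '</dict></plist>' > "$d/sample.plist"
    for n in signer other; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=Constructed $n" \
            -keyout "$d/$n.key" -out "$d/$n.pem" 2>/dev/null || return 1
    done
    # -binary leaves the payload bytes untouched; -nodetach embeds the payload
    # in the DER signature, as in a signed .mobileconfig
    openssl smime -sign -binary -nodetach -outform DER \
        -signer "$d/signer.pem" -inkey "$d/signer.key" \
        -in "$d/sample.plist" -out "$d/sample.mobileconfig" 2>/dev/null
}

# profile_subjects FILE: subjects of the certificates embedded in the signature
# (the same query uscp displays).
profile_subjects () {
    openssl pkcs7 -inform DER -print_certs -in "$1" | grep subject
}

# profile_extract FILE OUT: write the payload to OUT without verifying the
# signer's certificate (the -noverify path uscp uses).
profile_extract () {
    openssl smime -verify -noverify -inform DER -in "$1" -out "$2" 2>/dev/null
}

# profile_trusted FILE CAFILE: verify the signature and the signer's chain,
# with CAFILE supplied as a trust anchor; non-zero exit if the chain fails.
profile_trusted () {
    openssl smime -verify -inform DER -in "$1" -CAfile "$2" \
        -out /dev/null 2>/dev/null
}
```

A profile signed by an unexpected certificate still extracts cleanly with profile_extract, so the subjects printed by uscp are informational; only a check like profile_trusted ties the profile to a signer you expect.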

Update: Aug 2024
Sign Configuration Profile
The following function may prove helpful for converting a .plist to a signed .mobileconfig:
# Note: a function named scp takes precedence over /usr/bin/scp in this shell;
# use "command scp" when you need secure copy.
scp () { # [s]ign [c]onfiguration [p]rofile
    if [ -z "${1}" ]; then
        printf "\n###\n# [s]ign [c]onfiguration [p]rofile\n###\n\n"
        printf "Usage:\n1. Type \"scp\", followed by a [Space]\n2. Drag-and-drop a properly formatted \".plist\" file\n3. Press [Return]\n\nA signed \".mobileconfig\" will be saved next to the source file.\n\n"
        return
    fi
    # Replace with the common name of the signing identity in your keychain
    developerIDstring="Developer ID Installer: Your Company Name (Your Team ID)"
    plistFile="${1}"
    plistFileName=$( echo "${plistFile}" | awk -F '/' '{print $NF}' )
    mobileconfigFileName=$( echo "${plistFile%.*}.mobileconfig" | awk -F '/' '{print $NF}' )
    printf "\n###\n# [s]ign [c]onfiguration [p]rofile\n###\n\n"
    # File names are passed as printf arguments (%s) so a "%" in a name is not read as a format specifier
    printf "• Input: %s\n" "${plistFileName}"
    # Sign the .plist as a CMS message with the named identity
    /usr/bin/security cms -S -N "${developerIDstring}" -i "${plistFile}" -o "${plistFile%.*}.mobileconfig"
    printf "• Output: %s\n\n" "${mobileconfigFileName}"
}