Signed Configuration Profile Inspection

Automate the inspection of signed Configuration Profiles with the uscp function 


A manual, step-by-step process of using Terminal to make a timestamped, unsigned copy of a Configuration Profile was detailed as part of a previous Sophos-specific post.

This post builds on bz please and introduces a new uscp function, which automates the inspection of signed Configuration Profiles:

  1. The original, signed Configuration Profile’s signature “subjects” and modification date are displayed
  2. A timestamped backup of the original, signed Configuration Profile is created and its signature removed
  3. The unsigned backup Configuration Profile is formatted for readability and is opened in Visual Studio Code

~/.zshrc Configuration

Back up your current ~/.zshrc and add the following uscp function:

uscp () {    # [u]n[s]ign [c]onfiguration [p]rofile
    if [ -z "${1}" ]; then
        printf "\n###\n# [u]n[s]ign [c]onfiguration [p]rofile\n###\n\n"
        printf "Usage:\n1. Type \"uscp\", followed by a [Space]\n2. Drag-and-drop the signed Configuration Profile\n3. Press [Return]\n\nA timestamped, unsigned copy will be saved next to the source file and opened in Visual Studio Code.\n\n"
        return
    fi

    signedConfigurationProfile="${1}"
    signedFileName=$( echo "${signedConfigurationProfile}" | awk -F '/' '{print $NF}' )

    printf "\n###\n# [u]n[s]ign [c]onfiguration [p]rofile:\n# %s\n###\n\n" "${signedFileName}"

    # List the subjects of the certificates embedded in the signature (displayed only, not validated)
    subjects=$( openssl pkcs7 -inform DER -print_certs -in "${signedConfigurationProfile}" | grep subject )
    printf "• The signature of \"%s\" contains the following subjects:\n%s\n\n" "${signedFileName}" "${subjects}"

    # BSD stat/date as shipped with macOS: epoch modification time converted to YYYY-MM-DD
    fileModificationDate=$( date -j -f "%s" "$( stat -f "%m" "${signedConfigurationProfile}" )" "+%Y-%m-%d" )
    printf "• The modification date of \"%s\" is:\n%s\n\n" "${signedFileName}" "${fileModificationDate}"

    # Assumed naming: the date is appended before the extension, mirroring the "-unsigned" suffix below
    timestampedConfigurationProfile="${signedConfigurationProfile%.*}-${fileModificationDate}.${signedConfigurationProfile##*.}"
    printf "• Creating a timestamped copy of \"%s\", appending \"%s\" to the filename …\n" "${signedFileName}" "${fileModificationDate}"
    cp -v "${signedConfigurationProfile}" "${timestampedConfigurationProfile}"

    timestampedFileName=$( echo "${timestampedConfigurationProfile}" | awk -F '/' '{print $NF}' )
    printf "\n• Removing signature from \"%s\" …\n" "${timestampedFileName}"
    # -noverify extracts the payload without validating the signer's certificate chain
    unsignedConfigurationProfile="${timestampedConfigurationProfile%.*}-unsigned.${timestampedConfigurationProfile##*.}"
    openssl smime -inform DER -verify -in "${timestampedConfigurationProfile}" -noverify -out "${unsignedConfigurationProfile}"

    unsignedFileName=$( echo "${unsignedConfigurationProfile}" | awk -F '/' '{print $NF}' )

    printf "\n• Formatting \"%s\" …\n" "${unsignedFileName}"
    plutil -convert xml1 "${unsignedConfigurationProfile}"
    resultCode=$?
    if [ "${resultCode}" = "0" ]; then
        printf "Formatting successful\n\n"
        printf "\n• Editing %s in Visual Studio Code …\n\n" "${unsignedConfigurationProfile}"
        code "${unsignedConfigurationProfile}"
    else
        printf "Error: %s\n\n" "${resultCode}"
    fi
}


Function Usage

  1. Launch Terminal
  2. Type uscp followed by a Space
  3. Drag-and-drop the signed Configuration Profile to the open Terminal window
  4. Press Return
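
The effect of the -noverify flag used in uscp, as an added example that is not part of the original post: it signs a constructed profile with a constructed self-signed certificate and runs the same openssl commands with and without chain validation. The function name profile_trust_demo, the file names and the certificate subject are all assumptions made for the demonstration.

```shell
# Added example: constructed signer and profile, not from the original post.
profile_trust_demo () {
    workDir=$( mktemp -d ) || return 1
    plain="${workDir}/demo-plain.mobileconfig"
    signed="${workDir}/demo.mobileconfig"

    # Constructed stand-in for a profile payload
    printf '<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0"><dict><key>PayloadDisplayName</key><string>Constructed Demo</string></dict></plist>\n' > "${plain}"

    # Constructed self-signed signer: it chains to no trusted root
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Demo Signer" \
        -keyout "${workDir}/key.pem" -out "${workDir}/cert.pem" 2>/dev/null || return 1

    # Sign as DER with the content embedded, the input form uscp works on
    openssl smime -sign -binary -nodetach -outform DER \
        -signer "${workDir}/cert.pem" -inkey "${workDir}/key.pem" \
        -in "${plain}" -out "${signed}" 2>/dev/null || return 1

    # Step 1 of uscp: list the subjects of the embedded certificates
    subjects=$( openssl pkcs7 -inform DER -print_certs -in "${signed}" | grep subject )

    # Step 2 of uscp: with -noverify the payload is extracted for any signer
    noverifyCode=0
    openssl smime -inform DER -verify -noverify -in "${signed}" -out /dev/null 2>/dev/null || noverifyCode=$?

    # Same command without -noverify: the untrusted signer is rejected
    strictCode=0
    openssl smime -inform DER -verify -in "${signed}" -out /dev/null 2>/dev/null || strictCode=$?

    # Chain validation against an explicitly chosen trust anchor succeeds
    anchoredCode=0
    openssl smime -inform DER -verify -CAfile "${workDir}/cert.pem" \
        -in "${signed}" -out /dev/null 2>/dev/null || anchoredCode=$?

    rm -rf "${workDir}"
}

profile_trust_demo && printf '%s\nnoverify=%s strict=%s anchored=%s\n' "${subjects}" "${noverifyCode}" "${strictCode}" "${anchoredCode}"
```

An exit code of 0 with -noverify says only that the signature matches the embedded certificate, so the subjects uscp prints identify a trusted signer only when the chain also validates against an anchor you trust.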