Automate the inspection of signed Configuration Profiles with the uscp function
Background
A manual, step-by-step process of using Terminal to make a timestamped, unsigned copy of a Configuration Profile was detailed as part of a previous Sophos-specific post.
This post builds on that process and introduces a new uscp function which automates the inspection of signed Configuration Profiles:
- The original, signed Configuration Profile’s signature “subjects” and modification date are displayed
- A timestamped backup of the original, signed Configuration Profile is created and its signature removed
- The unsigned backup Configuration Profile is formatted for readability and is opened in Visual Studio Code
~/.zshrc Configuration
Back up your current ~/.zshrc and add the following uscp function:
```bash
uscp () {
    # [u]n[s]ign [c]onfiguration [p]rofile

    if [ -z "${1}" ]; then
        printf "\n###\n# [u]n[s]ign [c]onfiguration [p]rofile\n###\n\n"
        printf "Usage:\n1. Type \"uscp\", followed by a [Space]\n2. Drag-and-drop the signed Configuration Profile\n3. Press [Return]\n\nA timestamped, unsigned copy will be saved next to the source file and opened in Visual Studio Code.\n\n"
        return
    fi

    # Paths are quoted throughout so drag-and-dropped files containing spaces work
    signedConfigurationProfile="${1}"
    signedFileName=$( echo "${signedConfigurationProfile}" | awk -F '/' '{print $NF}' )
    printf "\n###\n# [u]n[s]ign [c]onfiguration [p]rofile:\n# ${signedFileName}\n###\n\n"

    # List the subjects of the certificates embedded in the CMS (PKCS#7) signature
    subjects=$( openssl pkcs7 -inform DER -print_certs -in "${signedConfigurationProfile}" | grep subject )
    printf "• The signature of \"${signedFileName}\" contains the following subjects:\n${subjects}\n\n"

    # macOS (BSD) date/stat syntax: modification time as YYYY-MM-DD
    fileModificationDate=$( date -j -f "%s" "$( stat -f "%m" "${signedConfigurationProfile}" )" "+%Y-%m-%d" )
    printf "• The modification date of \"${signedFileName}\" is:\n${fileModificationDate}\n\n"

    # Timestamped copy of the original, signed profile
    timestampedConfigurationProfile="${signedConfigurationProfile%.*}-${fileModificationDate}.${signedConfigurationProfile##*.}"
    printf "• Creating a timestamped copy of \"${signedFileName}\", appending \"${fileModificationDate}\" to the filename …\n"
    cp -v "${signedConfigurationProfile}" "${timestampedConfigurationProfile}"
    timestampedFileName=$( echo "${timestampedConfigurationProfile}" | awk -F '/' '{print $NF}' )

    # Extract the signed content; -noverify skips certificate-chain validation,
    # so the subjects printed above are informational, not proof of a trusted signer
    printf "\n• Removing signature from \"${timestampedFileName}\" …\n"
    unsignedConfigurationProfile="${timestampedConfigurationProfile%.*}-unsigned.${timestampedConfigurationProfile##*.}"
    openssl smime -inform DER -verify -in "${timestampedConfigurationProfile}" -noverify -out "${unsignedConfigurationProfile}"
    unsignedFileName=$( echo "${unsignedConfigurationProfile}" | awk -F '/' '{print $NF}' )

    # Convert the extracted plist to readable XML
    printf "\n• Formatting \"${unsignedFileName}\" …\n"
    plutil -convert xml1 "${unsignedConfigurationProfile}"
    resultCode=${?}

    if [ "${resultCode}" = "0" ]; then
        printf "Formatting successful\n\n"
        printf "\n• Editing ${unsignedConfigurationProfile} in Visual Studio Code …\n\n"
        code "${unsignedConfigurationProfile}"
    else
        printf "Error: ${resultCode}\n\n"
        return
    fi
}
```
Function Usage
- Launch Terminal
- Type uscp followed by a Space
- Drag-and-drop the signed Configuration Profile to the open Terminal window
- Press Return
Update: Aug 2024
Sign Configuration Profile
The following may prove helpful to convert a .plist to a signed .mobileconfig:
```bash
scp () {
    # [s]ign [c]onfiguration [p]rofile
    # Note: a function named scp shadows the system scp(1) (secure copy);
    # call /usr/bin/scp explicitly, or rename this function, if you use it

    if [ -z "${1}" ]; then
        printf "\n###\n# [s]ign [c]onfiguration [p]rofile\n###\n\n"
        printf "Usage:\n1. Type \"scp\", followed by a [Space]\n2. Drag-and-drop a properly formatted \".plist\" file\n3. Press [Return]\n\nA signed \".mobileconfig\" will be saved next to the source file.\n\n"
        return
    fi

    # Common Name of the signing identity in the login keychain
    developerIDstring="Developer ID Installer: Your Company Name (Your Team ID)"
    plistFile="${1}"
    plistFileName=$( echo "${plistFile}" | awk -F '/' '{print $NF}' )
    mobileconfigFileName=$( echo "${plistFile%.*}.mobileconfig" | awk -F '/' '{print $NF}' )

    printf "\n###\n# [s]ign [c]onfiguration [p]rofile\n###\n\n"
    printf "• Input: ${plistFileName}\n"
    # Wrap the plist in a CMS signature using the named identity
    /usr/bin/security cms -S -N "${developerIDstring}" -i "${plistFile}" -o "${plistFile%.*}.mobileconfig"
    printf "• Output: ${mobileconfigFileName}\n\n"
}
```
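To see what the sign and unsign steps above actually do to a profile, here is an added example (not code from the original post) that round-trips a constructed plist through a CMS (PKCS#7) signature with openssl, then runs the same openssl pkcs7 and openssl smime -verify -noverify calls uscp uses. It assumes openssl is available and uses a throwaway self-signed certificate in place of a Developer ID identity; WORK and all file names are assumptions.

```bash
# Added example (not from the original post): round-trips a constructed
# profile through a CMS (PKCS#7) signature with openssl so the uscp steps can
# be exercised offline. The signer is a throwaway self-signed certificate
# standing in for a Developer ID; WORK and all file names are assumptions.
set -eu
WORK="${WORK:-$(mktemp -d)}"
# Constructed sample payload: a minimal Configuration Profile plist.
make_profile() {
    cat > "$WORK/sample.mobileconfig" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>PayloadDisplayName</key>
    <string>Example Profile</string>
    <key>PayloadIdentifier</key>
    <string>com.example.profile</string>
    <key>PayloadType</key>
    <string>Configuration</string>
</dict>
</plist>
EOF
}
# Throwaway self-signed signing certificate and key.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Profile Signer/O=Example Org" \
        -keyout "$WORK/signer.key" -out "$WORK/signer.crt" 2>/dev/null
}
# DER CMS SignedData with the plist embedded (-nodetach) and bytes untouched
# (-binary): the shape that `security cms -S` produces on macOS.
sign_profile() {
    openssl smime -sign -binary -nodetach -outform DER \
        -signer "$WORK/signer.crt" -inkey "$WORK/signer.key" \
        -in "$WORK/sample.mobileconfig" -out "$WORK/sample-signed.mobileconfig"
}
# Same call uscp uses to list the embedded signer subjects.
list_subjects() {
    openssl pkcs7 -inform DER -print_certs -in "$WORK/sample-signed.mobileconfig" | grep subject
}
# Same call uscp uses; -noverify extracts the payload without validating the chain.
strip_signature() {
    openssl smime -inform DER -verify -noverify -in "$WORK/sample-signed.mobileconfig" \
        -out "$WORK/sample-unsigned.mobileconfig" 2>/dev/null
}
# Returns 0 when the extracted payload is byte-identical to the original plist.
roundtrip_ok() {
    make_profile && make_cert && sign_profile && strip_signature &&
        cmp -s "$WORK/sample.mobileconfig" "$WORK/sample-unsigned.mobileconfig"
}
```

Because strip_signature passes -noverify, a profile signed by any certificate, trusted or not, extracts cleanly; the subjects listed by list_subjects tell you who claims to have signed it, and only a real verification against a trust store confirms that claim.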