After you download the macOS Agent installer, verify the package integrity. As an additional security measure, you can verify the digital signature of the internal binaries.

  • To verify package integrity: use steps 1 and 2.
  • To verify the digital signatures of the internal binaries, do one or both of the following:
    • using the codesign command: use steps 3 and 4.
    • using the spctl command: use steps 3 and 5.

Procedure

  1. Execute the following command to verify the integrity of the macOS Agent Installer package:
    %pkgutil –check-signature ./${Mac_Package}

    The result of the command should be similar to the following text:

    Package "./${Mac_Package}": 
    Status: signed by a developer certificate issued by Apple for distribution
       Signed with a trusted timestamp on: 2021-10-04 10:35:48 +0000
       Certificate Chain:
        1. Developer ID Installer: Carbon Black, Inc. (7AGZNQ2S2T)
           Expires: 2023-01-09 18:06:36 +0000
           SHA256 Fingerprint:
               17 A6 E5 4F 0B 7F CE E1 14 7C E8 36 81 DA 31 5D 86 12 4D 93 46 3B 
               2B 33 33 58 C3 C3 A9 A3 A8 12
           ------------------------------------------------------------------------
        2. Developer ID Certification Authority
           Expires: 2027-02-01 22:12:15 +0000
           SHA256 Fingerprint:
               7A FC 9D 01 A6 2F 03 A2 DE 96 37 93 6D 4A FE 68 09 0D 2D E1 8D 03 
               F2 9C 88 CF B0 B1 BA 63 58 7F
           ------------------------------------------------------------------------
        3. Apple Root CA
           Expires: 2035-02-09 21:40:36 +0000
           SHA256 Fingerprint:
               B0 B1 73 0E CB C7 FF 45 05 14 2C 49 F1 29 5E 6E DA 6B CA ED 7E 2C 
               68 C5 BE 91 B5 A1 10 01 F0 24 
  2. Verify that the Certificate Chain Developer ID Installer is: Carbon Black, Inc.(7AGZNQ2S2T).
    The verification results for the Certificate Chain Developer ID Installer
    Warning: If the Certificate Chain Developer ID Installer value is not a match, do not proceed and contact Carbon Black Support.
  3. To verify the digital signatures of the internal binaries, you must first extract the main packages and internal packages.

    Binaries in the macOS Agent Installer package:

    • appc-es-loader.app
    • b9cli
    • b9daemon
    • b9kernel.kext
    • b9notifier.app
    • libcrypto.dylib
    • libssl.dylib

    Use the following set of commands to extract each of the main and internal packages:

    
        pkgutil --expand Bit9Agent.pkg pkg_tmp
    
        cd pkg_tmp
    
        cd b9kernel.pkg
    
        tar xvf Payload
    
        cd ..
    
        cd bit9.pkg
    
        tar xvf Payload
    
    
  4. To use the codesign command to verify the digital signature of the binaries:
    %codesign -vvvv -R="notarized" --check-notarization ./${Mac_Binary} 

    The result of the command should be:

    host-a01:$ codesign -vvvv -R="notarized" --check-notarization ./${Mac_Binary} 
    ./${Mac_Binary} : valid on disk
    ./${Mac_Binary} : satisfies its Designated Requirement
    ./${Mac_Binary} : explicit requirement satisfied 

    A file without signing and notarization does not run on macOS. In this case, the following output displays:

    % codesign -vvvv -R="notarized" --check-notarization ./${Mac_Binary} 
    ./${Mac_Binary}  code object is not signed at all
    In architecture: x86_64 

    The following image shows verification of all binaries in the Bit9Agent package using the codesign command:

    The verification results for all binaries in the Bit9Agent package using the codesign command

  5. To use the spctl command to verify the digital signatures of the binaries, use the following command:
    % spctl -a -t exec -vvv ./${Mac_Binary}   

    The result of the command should be:

    ./${Mac_Binary}: accepted
    source=Notarized Developer ID
    origin=Developer ID Application: Carbon Black, Inc. (7AGZNQ2S2T)  
    If the binary does not belong to any .app package, the output shows:
    rejected (the code is valid but does not seem to be an
        app)
    % spctl -a -t exec -vvv ./${Mac_Binary} 
    ./${Mac_Binary} : rejected (the code is valid but does not seem to be an app)
    origin=Developer ID Application: Carbon Black, Inc. (7AGZNQ2S2T)

    As shown in the following image, rejected output is shown for all binaries except .app files. In this case, the file is valid — rejection is because file is not an app. Instead of looking at rejected, you can verify that the Developer ID Application equals: Carbon Black, Inc. (7AGZNQ2S2T).

    The following image shows verification of all the binaries in the Bit9Agent package using the spctl command.

    The verification results for all binaries in the Bit9Agent package using the spctl command