After you download the macOS Agent installer, verify the package integrity. As an additional security measure, you can verify the digital signature of the internal binaries.

  • To verify package integrity: use steps 1 and 2.
  • To verify the digital signatures of the internal binaries, do one or both of the following:
    • using the codesign command: use steps 3 and 4.
    • using the spctl command: use steps 3 and 5.

Procedure

  1. Execute the following command to verify the integrity of the macOS Agent Installer package: 
    %pkgutil –check-signature ./${Mac_Package}

    The result of the command should be similar to the following text:

    Package "./${Mac_Package}": 
Status: signed by a developer certificate issued by Apple for distribution
   Signed with a trusted timestamp on: 2021-10-04 10:35:48 +0000
   Certificate Chain:
    1. Developer ID Installer: Carbon Black, Inc. (7AGZNQ2S2T)
       Expires: 2023-01-09 18:06:36 +0000
       SHA256 Fingerprint:
           17 A6 E5 4F 0B 7F CE E1 14 7C E8 36 81 DA 31 5D 86 12 4D 93 46 3B 
           2B 33 33 58 C3 C3 A9 A3 A8 12
       ------------------------------------------------------------------------
    2. Developer ID Certification Authority
       Expires: 2027-02-01 22:12:15 +0000
       SHA256 Fingerprint:
           7A FC 9D 01 A6 2F 03 A2 DE 96 37 93 6D 4A FE 68 09 0D 2D E1 8D 03 
           F2 9C 88 CF B0 B1 BA 63 58 7F
       ------------------------------------------------------------------------
    3. Apple Root CA
       Expires: 2035-02-09 21:40:36 +0000
       SHA256 Fingerprint:
           B0 B1 73 0E CB C7 FF 45 05 14 2C 49 F1 29 5E 6E DA 6B CA ED 7E 2C 
           68 C5 BE 91 B5 A1 10 01 F0 24
  2. Verify that the Certificate Chain Developer ID Installer is: Carbon Black, Inc.(7AGZNQ2S2T).
    The verification results for the Certificate Chain Developer ID Installer
    Warning: If the Certificate Chain Developer ID Installer value is not a match, do not proceed and contact Carbon Black Support.
  3. To verify the digital signatures of the internal binaries, you must first extract the main packages and internal packages.

    Binaries in the macOS Agent Installer package:

    • appc-es-loader.app
    • b9cli
    • b9daemon
    • b9kernel.kext
    • b9notifier.app
    • libcrypto.dylib
    • libssl.dylib

    Use the following set of commands to extract each of the main and internal packages:

    
    pkgutil --expand Bit9Agent.pkg pkg_tmp

    cd pkg_tmp

    cd b9kernel.pkg

    tar xvf Payload

    cd ..

    cd bit9.pkg

    tar xvf Payload
  4. To use the codesign command to verify the digital signature of the binaries: 
    %codesign -vvvv -R="notarized" --check-notarization ./${Mac_Binary}

    The result of the command should be:

    host-a01:$ codesign -vvvv -R="notarized" --check-notarization ./${Mac_Binary} 
./${Mac_Binary} : valid on disk
./${Mac_Binary} : satisfies its Designated Requirement
./${Mac_Binary} : explicit requirement satisfied

    A file without signing and notarization does not run on macOS. In this case, the following output displays:

    % codesign -vvvv -R="notarized" --check-notarization ./${Mac_Binary} 
./${Mac_Binary}  code object is not signed at all
In architecture: x86_64

    The following image shows verification of all binaries in the Bit9Agent package using the codesign command:

    The verification results for all binaries in the Bit9Agent package using the codesign command

  5. To use the spctl command to verify the digital signatures of the binaries, use the following command: 
    % spctl -a -t exec -vvv ./${Mac_Binary}

    The result of the command should be:

    ./${Mac_Binary}: accepted
source=Notarized Developer ID
origin=Developer ID Application: Carbon Black, Inc. (7AGZNQ2S2T)
    If the binary does not belong to any .app package, the output shows: 
    rejected (the code is valid but does not seem to be an
    app)
    % spctl -a -t exec -vvv ./${Mac_Binary} 
./${Mac_Binary} : rejected (the code is valid but does not seem to be an app)
origin=Developer ID Application: Carbon Black, Inc. (7AGZNQ2S2T)

    As shown in the following image, rejected output is shown for all binaries except .app files. In this case, the file is valid — rejection is because file is not an app. Instead of looking at rejected, you can verify that the Developer ID Application equals: Carbon Black, Inc. (7AGZNQ2S2T).

    The following image shows verification of all the binaries in the Bit9Agent package using the spctl command.

    The verification results for all binaries in the Bit9Agent package using the spctl command