Validate CMS-signed manifests and catalogs in Munki
Munki needs to be patched to support "postware" (as opposed to "middleware"), which lets custom code run after managedsoftwareupdate has downloaded a URL. This is available in this PR:
https://github.com/munki/munki/pull/851

Why this method over, say, a Munki preflight script? The main reason was to hook Munki in a way that lets us re-use Munki's own download routines to fetch the additional files (the signatures), which means calling Munki routines while it is running (preflights and postflights are executed in a separate process). It's not clear that a preflight couldn't simply call Munki's routines the way the "postware" here does, so this is up for debate and certainly open to other methods.
Generate an X.509 certificate and key to sign with. Only cert.pem is distributed to clients; cert.key is the signing key and must stay off the web server that serves the repo:

```
openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -sha256 -keyout cert.key -out cert.pem -subj "/CN=MunkiSigs"
```
Use signrepo.py to sign your repository catalogs and manifests. After you've run makecatalogs as normal, sign the repository to generate the .sig files (one detached signature next to each manifest and catalog):

```
# the place where the manifests and catalogs directory is
$ cd /path/to/my/munki/repo
$ python /path/to/this/repo/signrepo.py /path/to/cert.pem /path/to/cert.key
Signing
  File: manifests/testing
  Signature: manifests/testing.sig
Signing
  File: catalogs/all
  Signature: catalogs/all.sig
Signing
  File: catalogs/testing
  Signature: catalogs/testing.sig
```
postware.py is installed into Munki very similarly to how Munki middleware is installed. Set the VerifyCMSCertPath Munki preference to wherever you installed the certificate (cert.pem, never the key):

```
sudo defaults write /Library/Preferences/ManagedInstalls.plist VerifyCMSCertPath /etc/munki_verify_cert.crt
```

The postware then fetches the .sig files along with the manifests and catalogs and verifies them as they're received. Pkginfos aren't touched by the Munki client at all. Packages themselves are already verified by Munki against their SHA-256 hash. This means that as long as a catalog is signed and trusted, any package defined in it with a hash is also trusted. Note that the signature proves the catalog came from the key holder; on its own it does not stop someone on the network from serving an older catalog that is still validly signed.