├── README.md
└── eddie


/README.md:
--------------------------------------------------------------------------------
 1 | # Eddie Vetter
 2 | 
 3 | Triage macOS applications for security research
 4 | 
 5 | Assumes you have `jq` installed.
 6 | 
 7 | ## Usage
 8 | 
 9 | ```bash
10 | $ eddie /Applications/Slack.app      
11 | 
12 | ==========================
13 | Is the Application signed?
14 | ==========================
15 | 
16 | Yes (Bundle ID: com.tinyspeck.slackmacgap)
17 | 
18 | ==========================
19 | Signing authority:
20 | ==========================
21 | 
22 | Authority=Developer ID Application: Slack Technologies, Inc. (BQR82RBBHL)
23 | Authority=Developer ID Certification Authority
24 | Authority=Apple Root CA
25 | 
26 | ============================
27 | Is Hardened Runtime enabled?
28 | ============================
29 | 
30 | Yes
31 | 
32 | =============================================
33 | Which Entitlements does the Application have?
34 | =============================================
35 | 
36 | "com.apple.security.cs.allow-jit"
37 | "com.apple.security.cs.allow-unsigned-executable-memory"
38 | "com.apple.security.device.audio-input"
39 | "com.apple.security.device.camera"
40 | ```
41 | 


--------------------------------------------------------------------------------
/eddie:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | IFS=$'\n\t'
 4 | 
 5 | APPLICATION="$@"
 6 | 
 7 | if ! command -v jq &> /dev/null
 8 | then
 9 | 	echo " ! Please install jq first"
10 | 	exit 1
11 | fi
12 | 
13 | echo
14 | echo '=========================='
15 | echo 'Is the Application signed?'
16 | echo '=========================='
17 | echo
18 | 
19 | OUTPUT="$(codesign -d -vvvvv "$APPLICATION" 2>&1 >/dev/null)"
20 | 
21 | if echo "$OUTPUT" | grep -q "not signed"; then
22 | 	echo "No"
23 | 	echo
24 | 	exit 0
25 | else
26 | 	BUNDLEID="$(echo "$OUTPUT" | grep "^Identifier" | cut -d '=' -f 2)"
27 | 	echo "Yes (Bundle ID: "$BUNDLEID")"
28 | fi
29 | 
30 | echo
31 | echo '=========================='
32 | echo 'Signing authority:'
33 | echo '=========================='
34 | echo
35 | 
36 | AUTHORITY="$(echo "$OUTPUT" | grep "Authority")"
37 | echo "$AUTHORITY"
38 | 
39 | 
40 | 
41 | echo
42 | echo '============================'
43 | echo 'Is Hardened Runtime enabled?'
44 | echo '============================'
45 | echo
46 | if echo "$OUTPUT" | grep -q "runtime"; then
47 | 	echo "Yes"
48 | else
49 | 	echo "No"
50 | fi
51 | 
52 | echo
53 | echo '============================================='
54 | echo 'Which Entitlements does the Application have?'
55 | echo '============================================='
56 | echo
57 | 
58 | PLIST="$(codesign -d --entitlement :- "$APPLICATION" 2>/dev/null)"
59 | 
60 | JSON_PLIST="$(echo "$PLIST" | plutil -convert json -o - -r -)"
61 | 
62 | echo "$JSON_PLIST" | jq -c 'to_entries[] | select (.value != false) | .key'
63 | 


--------------------------------------------------------------------------------