public:repackaging_isabel_security_components_for_macos

Differences

This shows you the differences between two versions of the page.

public:repackaging_isabel_security_components_for_macos [2024/04/03 13:33] – created thomas
public:repackaging_isabel_security_components_for_macos [2024/04/05 08:43] (current) thomas
Line 1: Line 1:
-Open the DMG.+====== Repackaging Isabel Security Components for macOS ====== 
 + 
 +===== Why repackage? ===== 
 + 
 +The macOS installer of Isabel has some major deficiencies. It tries to access resources not in its installer, tries to manipulate the Dock of the active user, tries to interact with Finder, and uses the ''security'' command. 
 + 
 +These make it impossible to perform a silent install, e.g. through Munki or ''installer''. In order to overcome this limitation, we must make some adjustments to the scripts responsible for these actions. 
 + 
 +Note that I did this for version 6.33.19, but I suspect other versions to have the same general issues. 
 + 
 +===== Repackaging procedure ===== 
 + 
 +Download the Isabel installation disk image from the [[https://www.isabel.eu/nl/multibanking/support/downloadzone_mac.html|download zone]] and open it.
  
 Extract the package to a working location. Extract the package to a working location.
 <code> <code>
 mkdir work mkdir work
-pkgutil --expand /Volumes/ISA_LAYER\ Security\ Components\ 1/\ .pkg ./work/ISABEL+pkgutil --expand /Volumes/ISA_LAYER\ Security\ Components/\ .pkg ./work/ISABEL
 </code> </code>
  
-Navigate to the offending subpackage: +In ''work/ISABEL/ISA_LAYER.pkg/Scripts/preinstall'', comment out the following lines:
-<code> +
-cd work/ISABEL/ISA_LAYER.pkg +
-</code>+
  
-Open the postinstall script in a text editor: 
 <code> <code>
-vim Scripts/postinstall+# ## Delete Link to Production URL into the Taskbar ======= 
 +# if [ -f /usr/libexec/PlistBuddy ]; then 
 +#   #delete existing link from com.apple.dock.plist 
 +#   set +e 
 +#   dloc=$(sudo -u "$USER" defaults read ~/Library/Preferences/com.apple.dock persistent-others | grep file-label | awk '/Isabel 6/  {printf NR;exit}'
 +#   dloc=$[$dloc-1] 
 +#   if (( $dloc >= 0 )); then 
 +#     sudo -u "$USER" /usr/libexec/PlistBuddy -c "Delete persistent-others:$dloc" ~/Library/Preferences/com.apple.dock.plist 
 +#   fi 
 +
 +#   sleep 5 
 +
 +#   dloc=$(sudo -u "$USER" defaults read ~/Library/Preferences/com.apple.dock persistent-others | grep file-label | awk '/Seven Login/  {printf NR;exit}'
 +#   dloc=$[$dloc-1] 
 +#   if (( $dloc >= 0 )); then 
 +#     sudo -u "$USER" /usr/libexec/PlistBuddy -c "Delete persistent-others:$dloc" ~/Library/Preferences/com.apple.dock.plist 
 +#   fi 
 +#   set -e 
 +#   sleep 5 
 +#   killall Dock 
 +# fi
 </code> </code>
  
-Comment out this section:+These would normally manipulate the logged-in user's dock, but when installing silently in the background, there may not be a logged-in user or a running dock process, causing the script to fail. 
 + 
 +In ''work/ISABEL/ISA_LAYER.pkg/Scripts/postinstall'', comment out the following lines: 
 <code> <code>
 +##uninstallation 
 #cp /Volumes/"ISA_LAYER Security Components"/ISA_LAYER_Uninstall.pkg /usr/local/ISA_LAYER #cp /Volumes/"ISA_LAYER Security Components"/ISA_LAYER_Uninstall.pkg /usr/local/ISA_LAYER
 </code> </code>
  
-And also this section:+This would copy the uninstall program directly from the disk image. Why it is not just included in the package is beyond me. When installing silently, the disk image may not be mounted, causing this command to fail. 
 + 
 +Also comment out the following: 
 <code> <code>
 +#echo "*** Updating Link to ISA_LAYER Production URL"
 +## =====================================================================
 +## =================== Link to IsaLayer Production URL  ==================
 +## =====================================================================
 +#login6_shortcut="/Applications/ISABEL/Isabel 6 login.webloc"
 +#/usr/local/ISA_LAYER/fileicon.sh set "$login6_shortcut" /usr/local/ISA_LAYER/ISA_LAYER_6_icon.png
 +#chmod 777 "$login6_shortcut"
 #echo 'on run #echo 'on run
 #    set some_file to POSIX file "'$login6_shortcut'" as alias #    set some_file to POSIX file "'$login6_shortcut'" as alias
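Review bot: Commenting out the `cp /Volumes/"ISA_LAYER Security Components"/ISA_LAYER_Uninstall.pkg /usr/local/ISA_LAYER` line in the ISA_LAYER.pkg postinstall means the repackaged installer never places the uninstaller at /usr/local/ISA_LAYER, and the procedure gives no replacement step. Say how the uninstaller should reach managed machines (for example as a separate item taken from the same disk image), or state explicitly that it is dropped. The procedure also goes straight from the download to `pkgutil --expand`; a `pkgutil --check-signature` run on the vendor package before expanding would record that the scripts being edited are the vendor's originals.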
Line 35: Line 77:
 #  end run #  end run
 #' | osascript #' | osascript
 +#
 +# echo "*** Adding Link to Production URL to the Taskbar"
 +# # ==================================================================
 +# # =========== Add Link to Production URL into the Taskbar ==========
 +# # ==================================================================
 +# if [ -f /usr/libexec/PlistBuddy ]; then
 +#   #delete existing link from com.apple.dock.plist
 +#   set +e
 +#   dloc=$(sudo -u "$USER" defaults read ~/Library/Preferences/com.apple.dock persistent-others | grep file-label | awk '/Isabel /  {printf NR;exit}')
 +#   dloc=$[$dloc-1]
 +#   if (( $dloc >= 0 )); then
 +#     sudo -u "$USER" /usr/libexec/PlistBuddy -c "Delete persistent-others:$dloc" ~/Library/Preferences/com.apple.dock.plist
 +#   fi
 +#
 +# sleep 5
 +#
 +#   dloc=$(sudo -u "$USER" defaults read ~/Library/Preferences/com.apple.dock persistent-others | grep file-label | awk '/Isabel /  {printf NR;exit}')
 +#   dloc=$[$dloc-1]
 +#   if (( $dloc >= 0 )); then
 +#     sudo -u "$USER" /usr/libexec/PlistBuddy -c "Delete persistent-others:$dloc" ~/Library/Preferences/com.apple.dock.plist
 +#   fi
 +#
 +# sleep 5
 +#   set -e
 +#   # Add link to Taskbar for the current user
 +#  sudo -u "$USER" defaults write ~/Library/Preferences/com.apple.dock persistent-others -array-add "<dict><key>tile-data</key><dict><key>file-data</key><dict><key>_CFURLString</key><string>$login6_shortcut</string><key>_CFURLStringType</key><integer>0</integer></dict></dict></dict>";killall Dock
 +#
 +#  sleep 5
 +#  sudo killall Dock
 +#  sleep 5
 +#else
 +#   echo "File /usr/libexec/PlistBuddy does not exist. User must manually drag $login6_shortcut to the Taskbar"
 +#fi
 </code> </code>
  
-Navigate back to the top of your working directory:+This would ask the Finder to manipulate a shortcut via AppleScript. However, when installing silently the Finder might not be running. It also tries to manipulate the Dock for the active user (again). 
 + 
 +In ''work/ISABEL/MacIOS.pkg/Scripts/preinstall'', comment out the following lines: 
 <code> <code>
-cd ../../+## delete Isabel certificates for MacOSX > 10.
 +#ver=`sw_vers | grep ProductVersion | awk -F "." '{print $2}'
 +#echo "Version=$ver" 
 +#if [ "$ver" -gt "5" ]; then 
 +#echo "Delete cert" 
 +#  security -v delete-certificate -Z EE291EF1F343F1BF8F4E6228BD164CCE2824C0F8 
 +#  security -v delete-certificate -Z D0636F70A73BE6E25A99EE987AAA6EF92A824811 
 +#fi
 </code> </code>
  
-Repackage in a .pkg file:+This code attempts to clean up some old certificates by using the security command. However, that triggers dialogs that require user interaction, which is unwanted during a silent install. The security command may even ask end users to authenticate as an admin, which they cannot do. 
 + 
 +In ''work/ISABEL/MacIOS.pkg/Scripts/postinstall'', comment out the following lines: 
 + 
 +<code> 
 +#echo "   *** installing certificates" 
 +## ===================================================================== 
 +## =================== Certificates installation ======================= 
 +## ===================================================================== 
 +#/usr/bin/security add-trusted-cert -d -r trustRoot -k /Library/KeyChains/System.keychain /usr/local/MacIOS/CA-Prod.cer 
 +#/usr/bin/security add-trusted-cert -d -r trustRoot -k /Library/KeyChains/System.keychain /usr/local/MacIOS/CA4K-Prod.cer 
 +#/usr/bin/security add-trusted-cert -d -r trustRoot -k /Library/KeyChains/System.keychain /usr/local/MacIOS/CA-ProdXCA4K-Prod.cer 
 +#/usr/bin/security add-trusted-cert -d -r trustRoot -k /Library/KeyChains/System.keychain /usr/local/MacIOS/CA4K-ProdXCA-Prod.cer 
 +</code> 
 + 
 +This code once again tries to use the security command to install some new certificates. Testing shows that Isabel still seems to work, even without having these installed. If really needed, they can be deployed through an alternate method such as MDM. 
 + 
 +Navigate back to the top of your working directory and repackage in a .pkg file:
 <code> <code>
 pkgutil --flatten ISABEL Isabel.pkg pkgutil --flatten ISABEL Isabel.pkg
 </code> </code>
 +
 +{{tag>Isabel installer pkgutil}}
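Review bot: The MacIOS.pkg preinstall step comments out both `security -v delete-certificate -Z ...` calls, so machines upgraded with the repackaged installer keep the two old certificates that the vendor script would have deleted, and the explanation below that block does not mention this. State it there and point to the same alternate method (MDM) that the postinstall paragraph already suggests for the new certificates; "still seems to work" would also be more useful with a note of what was tested. Separately, "Navigate back to the top of your working directory" is left over from the previous revision: the `cd` steps were removed, so the reader never left the starting directory, while `pkgutil --flatten ISABEL Isabel.pkg` only resolves from inside `work`. Either add a `cd work` step or use `pkgutil --flatten work/ISABEL Isabel.pkg`.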
public/repackaging_isabel_security_components_for_macos.1712151223.txt.gz · Last modified: by thomas
