public:repackaging_isabel_security_components_for_macos

Differences

This shows you the differences between two versions of the page.

public:repackaging_isabel_security_components_for_macos [2024/04/03 14:26] thomaspublic:repackaging_isabel_security_components_for_macos [2024/04/05 08:43] (current) thomas
Line 1: Line 1:
-The macOS installer of Isabel has 2 major deficiencies: +====== Repackaging Isabel Security Components for macOS ======
-  * It runs an AppleScript during installation, assuming that a user is logged in. +
-  * It assumes that the DMG image is mounted while installing the PKG installer package.+
  
-These make it impossible to perform a silent install, e.g. through Munki or installer. In order to overcome this limitation, we must make some adjustments to the postinstall script responsible for these actions.+===== Why repackage? =====
  
-Open the DMG.+The macOS installer of Isabel has some major deficiencies. It tries to access resources not in its installer, tries to manipulate the Dock of the active user, tries to interact with Finder, and uses the ''security'' command. 
 + 
 +These make it impossible to perform a silent install, e.g. through Munki or ''installer''. In order to overcome this limitation, we must make some adjustments to the scripts responsible for these actions. 
 + 
 +Note that I did this for version 6.33.19, but I suspect other versions to have the same general issues. 
 + 
 +===== Repackaging procedure ===== 
 + 
 +Download the Isabel installation disk image from the [[https://www.isabel.eu/nl/multibanking/support/downloadzone_mac.html|download zone]] and open it.
  
 Extract the package to a working location. Extract the package to a working location.
 <code> <code>
 mkdir work mkdir work
-pkgutil --expand /Volumes/ISA_LAYER\ Security\ Components\ 1/\ .pkg ./work/ISABEL+pkgutil --expand /Volumes/ISA_LAYER\ Security\ Components/\ .pkg ./work/ISABEL
 </code> </code>
  
-Navigate to the offending subpackage: +In ''work/ISABEL/ISA_LAYER.pkg/Scripts/preinstall'', comment out the following lines:
-<code> +
-cd work/ISABEL/ISA_LAYER.pkg +
-</code>+
  
-Open the postinstall script in a text editor: 
 <code> <code>
-vim Scripts/postinstall+# ## Delete Link to Production URL into the Taskbar ======= 
 +# if [ -f /usr/libexec/PlistBuddy ]; then 
 +#   #delete existing link from com.apple.dock.plist 
 +#   set +e 
 +#   dloc=$(sudo -u "$USER" defaults read ~/Library/Preferences/com.apple.dock persistent-others | grep file-label | awk '/Isabel 6/  {printf NR;exit}'
 +#   dloc=$[$dloc-1] 
 +#   if (( $dloc >= 0 )); then 
 +#     sudo -u "$USER" /usr/libexec/PlistBuddy -c "Delete persistent-others:$dloc" ~/Library/Preferences/com.apple.dock.plist 
 +#   fi 
 +
 +#   sleep 5 
 +
 +#   dloc=$(sudo -u "$USER" defaults read ~/Library/Preferences/com.apple.dock persistent-others | grep file-label | awk '/Seven Login/  {printf NR;exit}'
 +#   dloc=$[$dloc-1] 
 +#   if (( $dloc >= 0 )); then 
 +#     sudo -u "$USER" /usr/libexec/PlistBuddy -c "Delete persistent-others:$dloc" ~/Library/Preferences/com.apple.dock.plist 
 +#   fi 
 +#   set -e 
 +#   sleep 5 
 +#   killall Dock 
 +# fi
 </code> </code>
  
-Comment out this line: +These would normally manipulate the logged-in user's dock, but when installing silently in the background, there may not be a logged-in user or a running dock process, causing the script to fail. 
-<code> + 
-#set -e +In ''work/ISABEL/ISA_LAYER.pkg/Scripts/postinstall'', comment out the following lines:
-</code>+
  
-And this section: 
 <code> <code>
 +##uninstallation 
 #cp /Volumes/"ISA_LAYER Security Components"/ISA_LAYER_Uninstall.pkg /usr/local/ISA_LAYER #cp /Volumes/"ISA_LAYER Security Components"/ISA_LAYER_Uninstall.pkg /usr/local/ISA_LAYER
 </code> </code>
  
-And also this section:+This would copy the uninstall program directly from the disk image. Why it is not just included in the package is beyond me. When installing silently, the disk image may not be mounted, causing this command to fail. 
 + 
 +Also comment out the following: 
 <code> <code>
 +#echo "*** Updating Link to ISA_LAYER Production URL"
 +## =====================================================================
 +## =================== Link to IsaLayer Production URL  ==================
 +## =====================================================================
 +#login6_shortcut="/Applications/ISABEL/Isabel 6 login.webloc"
 +#/usr/local/ISA_LAYER/fileicon.sh set "$login6_shortcut" /usr/local/ISA_LAYER/ISA_LAYER_6_icon.png
 +#chmod 777 "$login6_shortcut"
 #echo 'on run #echo 'on run
 #    set some_file to POSIX file "'$login6_shortcut'" as alias #    set some_file to POSIX file "'$login6_shortcut'" as alias
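Review bot: The ''pkgutil --expand'' step works on the downloaded disk image without any integrity check, so the scripts edited in the following steps are taken on trust. Add a ''pkgutil --check-signature'' call on the .pkg before expanding it, and state which signer is expected. The earlier revision's step of commenting out ''set -e'' in ''Scripts/postinstall'' is also dropped here without explanation; if that is intentional, say so, because any command left uncommented that fails will still abort the install. The package name in the expand command reads as ''\ .pkg''; please confirm that is the real file name.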
Line 46: Line 77:
 #  end run #  end run
 #' | osascript #' | osascript
 +#
 +# echo "*** Adding Link to Production URL to the Taskbar"
 +# # ==================================================================
 +# # =========== Add Link to Production URL into the Taskbar ==========
 +# # ==================================================================
 +# if [ -f /usr/libexec/PlistBuddy ]; then
 +#   #delete existing link from com.apple.dock.plist
 +#   set +e
 +#   dloc=$(sudo -u "$USER" defaults read ~/Library/Preferences/com.apple.dock persistent-others | grep file-label | awk '/Isabel /  {printf NR;exit}')
 +#   dloc=$[$dloc-1]
 +#   if (( $dloc >= 0 )); then
 +#     sudo -u "$USER" /usr/libexec/PlistBuddy -c "Delete persistent-others:$dloc" ~/Library/Preferences/com.apple.dock.plist
 +#   fi
 +#
 +# sleep 5
 +#
 +#   dloc=$(sudo -u "$USER" defaults read ~/Library/Preferences/com.apple.dock persistent-others | grep file-label | awk '/Isabel /  {printf NR;exit}')
 +#   dloc=$[$dloc-1]
 +#   if (( $dloc >= 0 )); then
 +#     sudo -u "$USER" /usr/libexec/PlistBuddy -c "Delete persistent-others:$dloc" ~/Library/Preferences/com.apple.dock.plist
 +#   fi
 +#
 +# sleep 5
 +#   set -e
 +#   # Add link to Taskbar for the current user
 +#  sudo -u "$USER" defaults write ~/Library/Preferences/com.apple.dock persistent-others -array-add "<dict><key>tile-data</key><dict><key>file-data</key><dict><key>_CFURLString</key><string>$login6_shortcut</string><key>_CFURLStringType</key><integer>0</integer></dict></dict></dict>";killall Dock
 +#
 +#  sleep 5
 +#  sudo killall Dock
 +#  sleep 5
 +#else
 +#   echo "File /usr/libexec/PlistBuddy does not exist. User must manually drag $login6_shortcut to the Taskbar"
 +#fi
 </code> </code>
  
-Navigate back to the top of your working directory:+This would ask the Finder to manipulate a shortcut via AppleScript. However, when installing silently the Finder might not be running. It also tries to manipulate the Dock for the active user (again). 
 + 
 +In ''work/ISABEL/MacIOS.pkg/Scripts/preinstall'', comment out the following lines: 
 <code> <code>
-cd ../../+## delete Isabel certificates for MacOSX > 10.
 +#ver=`sw_vers | grep ProductVersion | awk -F "." '{print $2}'
 +#echo "Version=$ver" 
 +#if [ "$ver" -gt "5" ]; then 
 +#echo "Delete cert" 
 +#  security -v delete-certificate -Z EE291EF1F343F1BF8F4E6228BD164CCE2824C0F8 
 +#  security -v delete-certificate -Z D0636F70A73BE6E25A99EE987AAA6EF92A824811 
 +#fi
 </code> </code>
  
-Repackage in a .pkg file:+This code attempts to clean up some old certificates by using the security command. However, that triggers dialogs that require user interaction, which is unwanted during a silent install. The security command may even ask end users to authenticate as an admin, which they cannot do. 
 + 
 +In ''work/ISABEL/MacIOS.pkg/Scripts/postinstall'', comment out the following lines: 
 + 
 +<code> 
 +#echo "   *** installing certificates" 
 +## ===================================================================== 
 +## =================== Certificates installation ======================= 
 +## ===================================================================== 
 +#/usr/bin/security add-trusted-cert -d -r trustRoot -k /Library/KeyChains/System.keychain /usr/local/MacIOS/CA-Prod.cer 
 +#/usr/bin/security add-trusted-cert -d -r trustRoot -k /Library/KeyChains/System.keychain /usr/local/MacIOS/CA4K-Prod.cer 
 +#/usr/bin/security add-trusted-cert -d -r trustRoot -k /Library/KeyChains/System.keychain /usr/local/MacIOS/CA-ProdXCA4K-Prod.cer 
 +#/usr/bin/security add-trusted-cert -d -r trustRoot -k /Library/KeyChains/System.keychain /usr/local/MacIOS/CA4K-ProdXCA-Prod.cer 
 +</code> 
 + 
 +This code once again tries to use the security command to install some new certificates. Testing shows that Isabel still seems to work, even without having these installed. If really needed, they can be deployed through an alternate method such as MDM. 
 + 
 +Navigate back to the top of your working directory and repackage in a .pkg file:
 <code> <code>
 pkgutil --flatten ISABEL Isabel.pkg pkgutil --flatten ISABEL Isabel.pkg
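Review bot: Commenting out the two ''security -v delete-certificate -Z'' lines in the MacIOS ''preinstall'' leaves any old certificates with those hashes in place on machines being upgraded, and the text does not say whether that is acceptable. State whether those two certificates should still be removed and by what means; the text already points to MDM for the new ones. For the ''add-trusted-cert -d -r trustRoot'' lines, "still seems to work" should say what was tested, since those four certificates would have been installed as trusted roots in the System keychain. The package written by ''pkgutil --flatten ISABEL Isabel.pkg'' also no longer carries the vendor's signature; add a step to sign it with ''productsign'', or note that it is deployed unsigned.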
public/repackaging_isabel_security_components_for_macos.1712154400.txt.gz · Last modified: by thomas
