Thomas' Wiki

User Tools

Site Tools

Trace:
public:repackaging_isabel_security_components_for_macos

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
public:repackaging_isabel_security_components_for_macos [2024/04/03 15:08] thomaspublic:repackaging_isabel_security_components_for_macos [2024/04/05 08:43] (current) thomas
Line 1: Line 1:
-The macOS installer of Isabel has 2 major deficiencies: +====== Repackaging Isabel Security Components for macOS ======
-  * It runs an AppleScript during installation, assuming that a user is logged in. +
-  * It assumes that the DMG image is mounted while installing the PKG installer package.+
  
-These make it impossible to perform a silent install, e.g. through Munki or installer. In order to overcome this limitation, we must make some adjustments to the postinstall script responsible for these actions.+===== Why repackage? =====
  
-Open the DMG.+The macOS installer of Isabel has some major deficiencies. It tries to access resources not in its installer, tries to manipulate the Dock of the active user, tries to interact with Finder, and uses the ''security'' command. 
 + 
 +These make it impossible to perform a silent install, e.g. through Munki or ''installer''. In order to overcome this limitation, we must make some adjustments to the scripts responsible for these actions. 
 + 
 +Note that I did this for version 6.33.19, but I suspect other versions to have the same general issues. 
 + 
 +===== Repackaging procedure ===== 
 + 
 +Download the Isabel installation disk image from the [[https://www.isabel.eu/nl/multibanking/support/downloadzone_mac.html|download zone]] and open it.
  
 Extract the package to a working location. Extract the package to a working location.
 <code> <code>
 mkdir work mkdir work
-pkgutil --expand /Volumes/ISA_LAYER\ Security\ Components\ 1/\ .pkg ./work/ISABEL+pkgutil --expand /Volumes/ISA_LAYER\ Security\ Components/\ .pkg ./work/ISABEL
 </code> </code>
  
-Navigate to the offending subpackage: +In ''work/ISABEL/ISA_LAYER.pkg/Scripts/preinstall'', comment out the following lines:
-<code> +
-cd work/ISABEL/ISA_LAYER.pkg +
-</code>+
  
-Open the postinstall script in a text editor: 
 <code> <code>
-vim Scripts/postinstall+# ## Delete Link to Production URL into the Taskbar ======= 
 +# if [ -f /usr/libexec/PlistBuddy ]; then 
 +#   #delete existing link from com.apple.dock.plist 
 +#   set +e 
 +#   dloc=$(sudo -u "$USER" defaults read ~/Library/Preferences/com.apple.dock persistent-others | grep file-label | awk '/Isabel 6/  {printf NR;exit}'
 +#   dloc=$[$dloc-1] 
 +#   if (( $dloc >= 0 )); then 
 +#     sudo -u "$USER" /usr/libexec/PlistBuddy -c "Delete persistent-others:$dloc" ~/Library/Preferences/com.apple.dock.plist 
 +#   fi 
 +
 +#   sleep 5 
 +
 +#   dloc=$(sudo -u "$USER" defaults read ~/Library/Preferences/com.apple.dock persistent-others | grep file-label | awk '/Seven Login/  {printf NR;exit}'
 +#   dloc=$[$dloc-1] 
 +#   if (( $dloc >= 0 )); then 
 +#     sudo -u "$USER" /usr/libexec/PlistBuddy -c "Delete persistent-others:$dloc" ~/Library/Preferences/com.apple.dock.plist 
 +#   fi 
 +#   set -e 
 +#   sleep 5 
 +#   killall Dock 
 +# fi
 </code> </code>
  
-Comment out this line: +These would normally manipulate the logged-in user's dock, but when installing silently in the background, there may not be a logged-in user or a running dock process, causing the script to fail. 
-<code> + 
-#set -e +In ''work/ISABEL/ISA_LAYER.pkg/Scripts/postinstall'', comment out the following lines:
-</code>+
  
-And this section: 
 <code> <code>
 +##uninstallation 
 #cp /Volumes/"ISA_LAYER Security Components"/ISA_LAYER_Uninstall.pkg /usr/local/ISA_LAYER #cp /Volumes/"ISA_LAYER Security Components"/ISA_LAYER_Uninstall.pkg /usr/local/ISA_LAYER
 </code> </code>
  
-And also this section:+This would copy the uninstall program directly from the disk image. Why it is not just included in the package is beyond me. When installing silently, the disk image may not be mounted, causing this command to fail. 
 + 
 +Also comment out the following: 
 <code> <code>
 +#echo "*** Updating Link to ISA_LAYER Production URL"
 +## =====================================================================
 +## =================== Link to IsaLayer Production URL  ==================
 +## =====================================================================
 +#login6_shortcut="/Applications/ISABEL/Isabel 6 login.webloc"
 +#/usr/local/ISA_LAYER/fileicon.sh set "$login6_shortcut" /usr/local/ISA_LAYER/ISA_LAYER_6_icon.png
 +#chmod 777 "$login6_shortcut"
 #echo 'on run #echo 'on run
 #    set some_file to POSIX file "'$login6_shortcut'" as alias #    set some_file to POSIX file "'$login6_shortcut'" as alias
Line 46: Line 77:
 #  end run #  end run
 #' | osascript #' | osascript
-</code> +
- +# echo "*** Adding Link to Production URL to the Taskbar" 
-And also this section+# # ================================================================== 
-<code>+# # =========== Add Link to Production URL into the Taskbar ========== 
 +# # ================================================================== 
 +# if [ -f /usr/libexec/PlistBuddy ]; then 
 +#   #delete existing link from com.apple.dock.plist 
 +#   set +e 
 +#   dloc=$(sudo -u "$USER" defaults read ~/Library/Preferences/com.apple.dock persistent-others | grep file-label | awk '/Isabel /  {printf NR;exit}'
 +#   dloc=$[$dloc-1] 
 +#   if (( $dloc >= 0 )); then 
 +#     sudo -u "$USER" /usr/libexec/PlistBuddy -c "Delete persistent-others:$dloc" ~/Library/Preferences/com.apple.dock.plist 
 +#   fi 
 +
 +# sleep 5 
 +
 +#   dloc=$(sudo -u "$USER" defaults read ~/Library/Preferences/com.apple.dock persistent-others | grep file-label | awk '/Isabel /  {printf NR;exit}'
 +#   dloc=$[$dloc-1] 
 +#   if (( $dloc >= 0 )); then 
 +#     sudo -u "$USER" /usr/libexec/PlistBuddy -c "Delete persistent-others:$dloc" ~/Library/Preferences/com.apple.dock.plist 
 +#   fi 
 +#
 # sleep 5 # sleep 5
 #   set -e #   set -e
 #   # Add link to Taskbar for the current user #   # Add link to Taskbar for the current user
 #  sudo -u "$USER" defaults write ~/Library/Preferences/com.apple.dock persistent-others -array-add "<dict><key>tile-data</key><dict><key>file-data</key><dict><key>_CFURLString</key><string>$login6_shortcut</string><key>_CFURLStringType</key><integer>0</integer></dict></dict></dict>";killall Dock #  sudo -u "$USER" defaults write ~/Library/Preferences/com.apple.dock persistent-others -array-add "<dict><key>tile-data</key><dict><key>file-data</key><dict><key>_CFURLString</key><string>$login6_shortcut</string><key>_CFURLStringType</key><integer>0</integer></dict></dict></dict>";killall Dock
 +#
 +#  sleep 5
 +#  sudo killall Dock
 +#  sleep 5
 +#else
 +#   echo "File /usr/libexec/PlistBuddy does not exist. User must manually drag $login6_shortcut to the Taskbar"
 +#fi
 </code> </code>
  
-You will also need to adjust the preinstall script: +This would ask the Finder to manipulate a shortcut via AppleScript. However, when installing silently the Finder might not be running. It also tries to manipulate the Dock for the active user (again). 
-<code> + 
-vim Scripts/preinstall +In ''work/ISABEL/MacIOS.pkg/Scripts/preinstall'', comment out the following lines:
-</code>+
  
-Comment out this line: 
 <code> <code>
-#set -e+## delete Isabel certificates for MacOSX > 10.5 
 +#ver=`sw_vers | grep ProductVersion | awk -F "." '{print $2}'
 +#echo "Version=$ver" 
 +#if [ "$ver" -gt "5" ]; then 
 +#echo "Delete cert" 
 +#  security -v delete-certificate -Z EE291EF1F343F1BF8F4E6228BD164CCE2824C0F8 
 +#  security -v delete-certificate -Z D0636F70A73BE6E25A99EE987AAA6EF92A824811 
 +#fi
 </code> </code>
  
-And:+This code attempts to clean up some old certificates by using the security command. However, that triggers dialogs that require user interaction, which is unwanted during a silent install. The security command may even ask end users to authenticate as an admin, which they cannot do. 
 + 
 +In ''work/ISABEL/MacIOS.pkg/Scripts/postinstall'', comment out the following lines:
  
 <code> <code>
-#set -e +#echo "   *** installing certificates" 
-#sleep 5 +## ===================================================================== 
-#killall Dock+## =================== Certificates installation ======================= 
 +## ===================================================================== 
 +#/usr/bin/security add-trusted-cert -d -r trustRoot -k /Library/KeyChains/System.keychain /usr/local/MacIOS/CA-Prod.cer 
 +#/usr/bin/security add-trusted-cert -d -r trustRoot -k /Library/KeyChains/System.keychain /usr/local/MacIOS/CA4K-Prod.cer 
 +#/usr/bin/security add-trusted-cert -d -r trustRoot -k /Library/KeyChains/System.keychain /usr/local/MacIOS/CA-ProdXCA4K-Prod.cer 
 +#/usr/bin/security add-trusted-cert -d -r trustRoot -k /Library/KeyChains/System.keychain /usr/local/MacIOS/CA4K-ProdXCA-Prod.cer
 </code> </code>
  
-Navigate back to the top of your working directory: +This code once again tries to use the security command to install some new certificatesTesting shows that Isabel still seems to work, even without having these installedIf really needed, they can be deployed through an alternate method such as MDM.
-<code> +
-cd ../../ +
-</code>+
  
-Repackage in a .pkg file:+Navigate back to the top of your working directory and repackage in a .pkg file:
 <code> <code>
 pkgutil --flatten ISABEL Isabel.pkg pkgutil --flatten ISABEL Isabel.pkg
public/repackaging_isabel_security_components_for_macos.1712156906.txt.gz · Last modified: by thomas
Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki