fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

Add hash, bundle ID, team ID, and code sign status to list software API #23476

Open harrisonravazzolo opened 3 weeks ago

harrisonravazzolo commented 3 weeks ago

The team ID is EQHXZ8M8AV


- @noahtalerman: _User requested this because_ they want to be able to check the team ID, CFBundleIdentifier, and code signing info for the software installed on their hosts so that they can identify anomalies. If you find a piece of software with a strange-looking attribute then you'd investigate further and, if necessary, remove that piece of software from the workstation.
- @noahtalerman: _In the interim_ the user can write an osquery query to collect this information.
- @noahtalerman: _Eventually_ the user would be able to click around in the UI to see this information.
---
harrisonravazzolo commented 3 weeks ago

Adding more details from Slack:

The main one that I would like the most within the software APIs would likely be the SHA-256 hash of the Mach-O binary. This would allow me to:

Bundle identifier would be nice to include as well, and likely easier to add since the software APIs are already using the apps table as a data source.

noahtalerman commented 3 weeks ago

No Gong snippet, but see this thread with customer-pingali: https://fleetdm.slack.com/archives/C050XE4CQNA/p1730480758648659

I'd be interested to be able to filter software:

A single piece of software:
- By hash (file hash of the Mach-O binary or cdhash of the bundle)
  - cdhash is included in the signature table: https://fleetdm.com/tables/signature
  - File hash included in the file table: https://fleetdm.com/tables/file

Multiple pieces of software by:
- Team ID (not team ID in Fleet): https://developer.apple.com/documentation/automaticassessmentconfiguration/aeassessmentapplication/teamidentifier
  - Team ID is included in the signature table: https://fleetdm.com/tables/signature

Problem

tbd

What have you tried?

Using the software API to pull this info, but it's not available.

Potential solutions

I would like to be able to pull more information about software from the API to support my workflows.

What is the expected workflow as a result of your proposal?

When calling the list software API `/api/v1/fleet/software/titles` I would like information such as CFBundleIdentifier presented to me, without having to use a query.

nonpunctual commented 2 weeks ago

For app architecture:

```console
% mdls /Applications/Google\ Chrome.app -name kMDItemExecutableArchitectures -raw
```

App architecture is also available via mdls, so that's available in a query like:

```sql
-- Join the mdls table on the app's own path instead of a constant, so each
-- app row is paired with its own metadata rather than a cross product.
SELECT ap.path,
       md.*
FROM apps AS ap
JOIN mdls AS md ON md.path = ap.path
WHERE ap.path = '/Applications/Safari.app'
  AND md.key = 'kMDItemExecutableArchitectures'
LIMIT 1;
```

noahtalerman commented 2 weeks ago

From @nonpunctual: the reason it's referred to as Developer ID is Apple's key labels.

Here are the 2 ways of getting it:

```console
% sudo /usr/sbin/spctl -a -vv -t execute /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome
/Applications/Google Chrome.app/Contents/MacOS/Google Chrome: accepted
source=Notarized Developer ID
origin=Developer ID Application: Google LLC (EQHXZ8M8AV)
```

```console
% codesign -dvv /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome
Executable=/Applications/Google Chrome.app/Contents/MacOS/Google Chrome
Identifier=com.google.Chrome
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1821 flags=0x12a00(kill,restrict,library-validation,runtime) hashes=46+7 location=embedded
Signature size=8990
Authority=Developer ID Application: Google LLC (EQHXZ8M8AV)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Oct 28, 2024 at 8:44:08 PM
Notarization Ticket=stapled
Info.plist entries=43
TeamIdentifier=EQHXZ8M8AV
Runtime Version=14.0.0
Sealed Resources version=2 rules=13 files=63
Internal requirements count=1 size=288
```

nonpunctual commented 2 weeks ago

Team ID is also available via the signature table https://fleetdm.com/tables/signature
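As an added example that is not part of this issue or of Fleet's own code, the osquery query below is the interim workaround the thread describes: it pulls the bundle ID, Team ID, signing authority, cdhash and executable SHA-256 for every app bundle in one pass from the `apps`, `signature` and `hash` tables, and tags each row with a review flag. The Team ID allowlist and the flag labels are constructed for illustration, and the executable path is assumed to follow the standard `Contents/MacOS/<bundle_executable>` layout.

```sql
-- Added example, not from the issue or from Fleet: one osquery query that
-- returns the attributes requested in this thread per app bundle and flags
-- the ones worth a second look.
--
-- Assumptions (constructed for illustration):
--   * the main executable lives at <bundle>/Contents/MacOS/<bundle_executable>
--   * the Team ID allowlist below is the set of publishers you expect to see
--   * Apple's own apps are signed by "Software Signing" and carry no Team ID
SELECT
  a.name,
  a.path,
  a.bundle_identifier,
  a.bundle_short_version,
  s.signed,
  s.team_identifier,
  s.authority,
  s.cdhash,
  h.sha256 AS executable_sha256,
  CASE
    WHEN s.path IS NULL                          THEN 'no-signature-row'   -- signature table returned nothing
    WHEN s.signed = 0                            THEN 'unsigned'
    WHEN s.authority = 'Software Signing'        THEN 'apple'              -- Apple system app, no Team ID expected
    WHEN s.team_identifier = ''                  THEN 'no-team-id'
    WHEN s.team_identifier NOT IN ('EQHXZ8M8AV') THEN 'unexpected-team-id' -- allowlist: constructed example
    ELSE 'ok'
  END AS review_flag
FROM apps AS a
-- signature and hash both require a path constraint; the join condition supplies it
LEFT JOIN signature AS s
  ON s.path = a.path
LEFT JOIN hash AS h
  ON h.path = a.path || '/Contents/MacOS/' || a.bundle_executable
WHERE a.path LIKE '/Applications/%'
ORDER BY review_flag, a.name;
```

Run it as a live query or schedule it; anything that is not `ok` or `apple` is the "strange-looking attribute" case from the first comment and deserves a closer look with `codesign -dvv` and `spctl -a -vv` on the host. The `hash` join targets the Mach-O executable rather than the bundle directory because `hash` only digests files, and the `cdhash` from `signature` is the value to compare if you want to match what Apple notarization records rather than a raw file hash.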

nonpunctual commented 5 days ago

Related PR: https://github.com/osquery/osquery/pull/4246