google / santa

A binary authorization and monitoring system for macOS
https://santa.dev
Apache License 2.0

Apple Signed Binary Blocked: RemotePairingDataVaultHelper #1309

Closed eopeter closed 7 months ago

eopeter commented 7 months ago

In lockdown mode, we are seeing an Apple Signed binary getting blocked. Apple binaries were supposed to be critical OS binaries that should not be blocked:

$ codesign -dvv /Library/Apple/System/Library/PrivateFrameworks/RemotePairing.framework/Versions/A/Resources/bin/RemotePairingDataVaultHelper
Executable=/Library/Apple/System/Library/PrivateFrameworks/RemotePairing.framework/Versions/A/Resources/bin/RemotePairingDataVaultHelper
Identifier=com.apple.CoreDevice.RemotePairingDataVaultHelper
Format=Mach-O universal (x86_64 arm64e arm64)
CodeDirectory v=20400 size=1002 flags=0x0(none) hashes=20+7 location=embedded
Signature size=4493
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA
Info.plist entries=21
TeamIdentifier=not set
Sealed Resources=none
Internal requirements count=1 size=100

mlw commented 7 months ago

Can you please provide the output of santactl fileinfo, as well as some version information, both for Santa and macOS?

mlw commented 7 months ago

I would also be interested in the output of:

codesign --verify --deep -vvv /Library/Apple/System/Library/PrivateFrameworks/RemotePairing.framework/Versions/A/Resources/bin/RemotePairingDataVaultHelper

(this binary in particular has had signing issues in previous Sonoma versions)

eopeter commented 7 months ago

The user experiencing this has not sent me the requested logs, so closing.