CSREQ(1)						    BSD General Commands Manual 						  CSREQ(1)

NAME
     csreq -- Expert tool for manipulating Code Signing Requirement data

SYNOPSIS
     csreq [-v] -r requirement-input -t
     csreq [-v] -r requirement-input -b outputfile

DESCRIPTION
     The csreq command manipulates Code Signing Requirement data. It reads one
     requirement from a file or command arguments, converts it into internal
     form, checks it, and then optionally outputs it in a different form.

     The options are as follows:

     -b path
             Requests that the requirement read be written in binary form to
             the path given.

     -r requirement-input
             Specifies the input requirement. See "specifying requirements"
             below. This is exactly the same format as is accepted by the -r
             and -R options of the codesign(1) command.

     -t      Requests that the requirement read be written as text to standard
             output.

     -v      Increases the verbosity of output. Multiple instances of -v
             produce increasing levels of commentary output.

     In the first synopsis form, csreq reads a Code Requirement and writes it
     to standard output as canonical source text. Note that with text input,
     this actually compiles the requirement into internal form and then
     converts it back to text, giving you the system's view of the requirement
     code.

     In the second synopsis form, csreq reads a Code Requirement and writes its
     binary representation to a file. This is the same form produced by the
     SecRequirementCopyData API, and is readily acceptable as input to Code
     Signing verification APIs. It can also be used as input to subsequent
     invocations of csreq by passing the filename to the -r option.

SPECIFYING REQUIREMENTS
     The requirement argument (-r) can be given in various forms. A plain text
     argument is taken to be a path to a file containing the requirement. This
     program will accept both binary files containing properly compiled
     requirements code, and source files that are automatically compiled for
     use. An argument of "-" requests that the requirement(s) are read from
     standard input. Again, standard input can contain either binary form or
     text. Finally, an argument that begins with an equal sign "=" is taken as
     a literal requirements source text, and is compiled accordingly for use.

EXAMPLES
     To compile an explicit requirement program and write its binary form to
     file "output":

           csreq -r="identifier com.foo.test" -b output.csreq

     To display the requirement program embedded at offset 1234 of file "foo":

           tail -b 1234 foo | csreq -r- -t

FILES

DIAGNOSTICS
     The csreq program exits 0 on success or 1 on failure. Errors in arguments
     yield exit code 2.

SEE ALSO
     codesign(1)

HISTORY
     The csreq command first appeared in Mac OS 10.5.0.

BSD				 June 1, 2006				       BSD
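
The two synopsis forms combined into a lint-and-compile helper, as an added example that is not part of the man page. The function names are hypothetical; only the csreq options and exit codes documented above are used.

```shell
#!/bin/sh
# Added example, not from the man page. Function names are hypothetical.

# as_file_arg PATH: prints PATH in a form that -r can only read as a file.
# Per SPECIFYING REQUIREMENTS, a leading "=" would be compiled as literal
# source and a bare "-" would mean standard input.
as_file_arg() {
    case "$1" in
        /*) printf '%s\n' "$1" ;;
        *)  printf './%s\n' "$1" ;;
    esac
}

# canonical_req SOURCE: prints the system's canonical text for SOURCE.
# The exit status is csreq's own: 0 success, 1 failure, 2 argument error.
canonical_req() {
    csreq -r="$1" -t
}

# compile_req SOURCE OUTFILE: writes the binary form, then reads the file
# back through csreq and checks it decodes to the same canonical text.
compile_req() {
    f=$(as_file_arg "$2")
    want=$(canonical_req "$1") || return $?
    csreq -r="$1" -b "$f" || return $?
    got=$(csreq -r "$f" -t) || return $?
    if [ "$want" != "$got" ]; then
        echo "round-trip mismatch for $f" >&2
        return 1
    fi
    printf '%s\n' "$want"
}

# Usage: sh compile_req.sh 'identifier com.foo.test' output.csreq
if [ "$#" -ge 2 ]; then
    compile_req "$1" "$2"
fi
```

Review the canonical text it prints before distributing the binary file, since that text is what the system will actually enforce.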

SPCTL(8)						    BSD System Manager's Manual 						  SPCTL(8)

NAME
     spctl -- SecAssessment system policy security

SYNOPSIS
     spctl --assess [-t type] [-] file ...
     spctl --master-enable | --master-disable
     spctl --enable | --disable | --remove [-t type] [--path path]
           [--requirement requirement] [--anchor hash] [--hash hash]
     spctl --status

DESCRIPTION
     spctl manages the security assessment policy subsystem. This subsystem
     maintains and evaluates rules that determine whether the system allows the
     installation, execution, and other operations on files on the system.

     spctl requires one command option that determines its principal operation:

     --add   Add rule(s) to the system-wide assessment rule database.

     -a, --assess
             Requests that spctl perform an assessment on the files given.

     --disable
             Disable one or more rules in the assessment rule database.
             Disabled rules are not considered when performing assessment, but
             remain in the database and can be re-enabled later.

     --enable
             Enable rule(s) in the assessment rule database, counteracting
             earlier disabling. --disable

     --master-disable
             Disable the assessment subsystem altogether. Operations that would
             be denied by system policy will be allowed to proceed; assessment
             APIs always report success. Requires root access.

     --master-enable
             Enable the assessment subsystem. Operations that are denied by
             system policy will fail; assessment APIs report the truth.
             Requires root access.

     --remove
             Remove rule(s) from the assessment rule database.

     --status
             Query whether the assessment subsystem is enabled or disabled.

     In addition, the following options are recognized:

     --anchor
             In rule update operations, indicates that the arguments are hashes
             of anchor certificates.

     --continue
             If the assessment of a file fails, continue assessing additional
             file arguments. Without this option, the first failed assessment
             terminates operation.

     --hash  In rule update operations, indicates that the arguments are code
             directory hashes.

     --ignore-cache
             Do not query or use the assessment object cache. This may
             significantly slow down operation. Newly generated assessments may
             still be stored in the cache.

     --label label
             Specifies a string label to attach to new rules, or find in
             existing rules. Labels are arbitrary strings that are assigned by
             convention. Rule labels are optional.

     --no-cache
             Do not place the outcome of any assessments into the assessment
             object cache. No other assessment may reuse this outcome. This
             option does not prohibit the use of existing cache entries.

     --path  In rule update operations, indicates that the argument(s) denote
             paths to files on disk.

     --priority priority
             In rule update operations, specifies the priority of the rule(s)
             created or changed. Priorities are floating-point numbers. Higher
             numeric values indicate higher priority.

     --raw   When displaying the outcome of an assessment, write it as a "raw"
             XML plist instead of parsing it in somewhat more friendly form.
             This is useful when used in scripts, or to access newly invented
             assessment aspects that spctl does not yet know about.

     --requirement
             In rule update operations, indicates that the argument(s) are code
             requirement source.

     --rule  In rule update operations, indicates that the argument(s) are the
             index numbers of existing rules.

     -t, --type
             Specify which type of assessment is desired: execute to assess
             code execution, install to assess installation of an installer
             package, and open to assess the opening of documents. The default
             is to assess execution.

     -v, --verbose
             Requests more verbose output. Repeat the option or give it a
             higher numeric value to increase verbosity.

RULE SUBJECTS
     The system assessment rule database contains entries that match candidates
     based on Code Requirements. spctl allows you to specify these requirements
     directly using the --requirement option. In addition, individual programs
     on disk can be addressed with the --path option (which uses their
     Designated Requirement). The --anchor option takes the hash of a (full)
     certificate and turns it into a requirement matching any signature based
     on that anchor certificate. Alternatively, it can take the absolute path
     of a certificate file on disk, containing the DER form of an anchor
     certificate. Finally, the --hash option generates a code requirement that
     denotes only and exactly one program whose CodeDirectory hash is given.
     The means of specifying subjects does not affect the remaining processing.

FILES
     /var/db/SystemPolicy
             The system policy database.

     /var/db/.SystemPolicy-default
             A copy of the initial distribution version of the system policy
             database. Useful for starting over if the database gets messed up
             beyond recognition.

EXAMPLES
     To check whether Mail.app is allowed to run on the local system:

           spctl -a /Applications/Mail.app

     To allow Frobozz.app to run on the local system:

           spctl --add --label "My Stuff" /Applications/Frobozz.app

     To forbid all code obtained from the Mac App Store from running:

           spctl --disable --label "Mac App Store"

DIAGNOSTICS
     spctl exits zero on success, or one if an operation has failed. Exit code
     two indicates unrecognized or unsuitable arguments. If an assessment
     operation results in denial but no other problem has occurred, the exit
     code is three.

SEE ALSO
     codesign(1), syspolicyd(1)

HISTORY
     The system policy facility and spctl command first appeared in Mac OS X
     Lion 10.7.3 as a limited developer preview.

BSD			       January 19, 2012 			       BSD
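
An audit wrapper built on the DIAGNOSTICS exit codes and the --status query, as an added example that is not part of the man page. The function names are hypothetical, and the assumption that `spctl --status` prints a line containing "enabled" when the subsystem is on does not come from the text above.

```shell
#!/bin/sh
# Added example, not from the man page. Function names are hypothetical.

# policy_enforced: succeeds only while the assessment subsystem is enabled.
# Assumption: `spctl --status` prints a line containing "enabled" then.
policy_enforced() {
    case "$(spctl --status 2>&1)" in
        *enabled*) return 0 ;;
        *) return 1 ;;
    esac
}

# gatekeeper_verdict TYPE PATH: prints allowed, denied, usage-error or error,
# following the exit codes under DIAGNOSTICS.
gatekeeper_verdict() {
    rc=0
    spctl --assess -t "$1" "$2" >/dev/null 2>&1 || rc=$?
    case "$rc" in
        0) echo allowed ;;      # policy permits the operation
        3) echo denied ;;       # assessment completed and policy refused
        2) echo usage-error ;;  # unrecognized or unsuitable arguments
        *) echo error ;;        # 1: the operation itself failed
    esac
}

# audit_paths TYPE PATH...: prints "verdict<TAB>path" for each path.
# Returns 0 if all were allowed, 1 if any was not, and 2 without assessing
# when the subsystem is disabled (assessment APIs then always report success).
audit_paths() {
    kind=$1; shift
    if ! policy_enforced; then
        echo "assessment subsystem disabled; verdicts would be meaningless" >&2
        return 2
    fi
    bad=0
    for p in "$@"; do
        v=$(gatekeeper_verdict "$kind" "$p")
        printf '%s\t%s\n' "$v" "$p"
        [ "$v" = allowed ] || bad=1
    done
    return "$bad"
}

# Usage: sh audit.sh execute /Applications/Mail.app [more paths...]
if [ "$#" -ge 2 ]; then
    audit_paths "$@"
fi
```

Keeping "denied" (exit 3) separate from "error" (exit 1) stops a broken invocation from being logged as a policy decision.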