packages icon indicating copy to clipboard operation
packages copied to clipboard
verified publisher icon packagesdev

Custom plugin bundle and installation requirements script questions

Open ShangLin-Wu opened this issue 1 year ago • 2 comments

Hi, I found in /private/var/log/installer.log that when opening a pkg, the installer stores the customized plugin bundle and installation requirements external to scripts in the following path: "TMPDIR=/var/folders/6k/8rj2bz5zv9kqw6s5btc0000gn/T/com.apple.install.XXXXXX".

If I replace the plugin bundle before clicking "Allow" in Figure 1, the content of the installer screen will be altered to an invalid plugin bundle. It could be achievable by the attackers to replace the files programmatically even in the shortest time interval. I tried modifying the ACL of the bundle and scripts before packaging the pkg, but the ACL gets reverted to its original state after opening the pkg.

Regarding 'plugin bundle' and 'installation requirements external scripts,' since the com.apple.install.xxx folder name is randomly generated, is there a way to perform integration checks through the installer? Or what methods can be used to prevent the bundle and scripts from being tampered with? Any suggestions would be appreciated. Thank you!

figure 1. image

figure 2. image

ShangLin-Wu avatar Oct 17 '24 09:10 ShangLin-Wu

This seems more a question for Apple since this is their installation mechanism. Your plugin is codesigned?

packagesdev avatar Oct 22 '24 21:10 packagesdev

@packagesdev , yes, our plugin has been codesigned. May I ask the packages can preserve the scripts and plugins' ACL?

ShangLin-Wu avatar Oct 24 '24 00:10 ShangLin-Wu