Signed Installer posted for OS X El Capitan v10.11
Signed Installer posted for OS X El Capitan v10.11 <https://smartcardservices.macosforge.org/post/signed-installer-posted-for-os-x-el-capitan-v1011/> 2015-10-01

Installer posted for OS X El Capitan v10.11.

This SmartCardServices Installer provides the Tokend bundles and cacloginconfig.plist for installation on your OS X El Capitan systems.

Starting with today's (1 Oct 2015) release of the installer for OS X El Capitan v10.11, we are digitally signing the Installer and Tokend bundles for integrity assurance. The installer will be recognized and install properly with Gatekeeper set to default or higher and, on El Capitan, are installed in a new location "/Library/Security/tokend" to work with System Integrity Protection (SIP) enabled.

____________________________________________________________________________________

NOTE: Installer and Tokend bundles from this project are now digitally signed. Older installers (ie. for v10.10, v10.9, ...) will be re-posted, incremented to v2.1, and digitally signed. The installation location will remain as they were on the respective OS releases.

____________________________________________________________________________________

You should verify the integrity of the Tokend(s) you have installed by verifying the digital signature using the following command in Terminal:

$ codesign -dvvvv /Library/Security/tokend/<nameoftoken>.tokend

for example:

$ codesign -dvvvv /Library/Security/tokend/PIV.tokend

Your results should be similar to the following:

$ codesign -dvvvv /Library/Security/tokend/PIV.tokend/
Executable=/Library/Security/tokend/PIV.tokend/Contents/MacOS/PIV
Identifier=org.macosforge.smartcardservices.tokend.piv
Format=bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=1307 flags=0x0(none) hashes=57+3 location=embedded
Hash type=sha1 size=20
CDHash=9211409073a5f9034a523b891918cbf8030a6b84
Signature size=4349
Authority=Mac Developer: Shawn Geddis (6NSF8PH78P)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Signed Time=Sep 29, 2015, 9:06:58 PM
Info.plist entries=9
TeamIdentifier=L2L8FX9AEK
Sealed Resources version=2 rules=12 files=5
Internal requirements count=1 size=92

To ensure you have the original installer posted here and not one that has been modified, please also verify the SHA-256 hash of the .zip you download against the hash posted for the corresponding installer from the installers download page.

http://smartcardservices.macosforge.org/trac/wiki/installers/ <https://smartcardservices.macosforge.org/trac/wiki/installers>

Recall, we also post installers under a “Current” Static URL as well.

SmartCard Services "Current" - Most recent Installer (i.e v2.1.0 for OS X El Capitan v10.11)
http://smartcardservices.macosforge.org/files/installers/SCS-Current.zip <https://smartcardservices.macosforge.org/files/installers/SCS-Current.zip>

The static URL for the most recent installer versions corresponding to each major release of OS X follows the format:

http://smartcardservices.macosforge.org/files/installers/SCS-XX.YY-Current.z...

XX - 10
YY - Major Release (i.e '09' for OS X Mavericks v10.9)

- "Current - OS X El Capitan v10.11" <https://smartcardservices.macosforge.org/files/installers/SCS-10.11-Current.zip>
- "Current - OS X Yosemite v10.10" <https://smartcardservices.macosforge.org/files/installers/SCS-10.10-Current.zip>
- "Current - OS X Mavericks v10.9" <https://smartcardservices.macosforge.org/files/installers/SCS-10.09-Current.zip>
- "Current - OS X Mountain Lion v10.8" <https://smartcardservices.macosforge.org/files/installers/SCS-10.08-Current.zip>
- "Current - OS X Lion v10.7" <https://smartcardservices.macosforge.org/files/installers/SCS-10.07-Current.zip>
- "Current - OS X Snow Leopard v10.6" <https://smartcardservices.macosforge.org/files/installers/SCS-10.06-Current.zip>

- Shawn
_____________________________________________________________________
Shawn Geddis                                 geddis at {Mac | Me | iCloud} dot com
Security and Certifications Engineer, Apple  geddis at {apple} dot com

Smart Card Services Project/Dev Lead:
Project Wiki:  [SmartCardServices.MacOSFforge.Org <http://smartcardservices.macosfforge.org/>]
Mailing Lists: [Lists.MacOSForge.Org/mailman/listinfo <http://lists.macosforge.org/mailman/listinfo>]
SCS Contact:   [scs-cotact@macosforge.org <mailto:scs-cotact@macosforge.org>]
SCS Admin:     [scs-admin@macosforge.org <mailto:scs-admin@macosforge.org>]
_____________________________________________________________________
Thanks. Is there any documentation available that shows where the new tokend installations should go?

Does this installation location happen to work for older OSX versions, or is the location only scanned by OSX 10.11? If this location is only for newer versions of OSX, this complicates things for users that install an application on 10.10 or earlier and come to OSX 10.11 to discover their TokenD was obliterated.

Smart card development for OSX seems to be a particularly dark art. By chance are there any samples of TokenD modules written using Apple's new blessed token API - the asynchronous nature of the new API seems to be in conflict with TokenD API specifications.

On Thu, Oct 1, 2015 at 11:17 AM Shawn A. Geddis <geddis@apple.com> wrote:
> Signed Installer posted for OS X El Capitan v10.11 <https://smartcardservices.macosforge.org/post/signed-installer-posted-for-os-x-el-capitan-v1011/> 2015-10-01
_______________________________________________
SmartcardServices-Dev mailing list
SmartcardServices-Dev@lists.macosforge.org
https://lists.macosforge.org/mailman/listinfo/smartcardservices-dev

On Oct 1, 2015, at 11:44 AM, Thomas Harning Jr. <harningt@gmail.com> wrote:
> Thanks. Is there any documentation available that shows where the new tokend installations should go?
>
> Does this installation location happen to work for older OSX versions, or is the location only scanned by OSX 10.11? If this location is only for newer versions of OSX, this complicates things for users that install an application on 10.10 or earlier and come to OSX 10.11 to discover their TokenD was obliterated.
>
> Smart card development for OSX seems to be a particularly dark art. By chance are there any samples of TokenD modules written using Apple's new blessed token API - the asynchronous nature of the new API seems to be in conflict with TokenD API specifications.

Thomas,

• The Installer Download Page, the Installer and the man page for SmartCardServices notes the new tokend installation path for OS X El Capitan v10.11.
• The Path [/Library/Security/tokend/ ] is new for OS X El Capitan v10.11 and higher and is not supported on older versions of OS X v10.x.
• Location of Tokend bundles does not affect use by Applications, since this is completely abstracted away.
• There currently is no code samples or reference implementations for CryptoTokenKit Clients from Apple nor yet from the project here.
• TokenD API specifications ? There never was any API specification to Apple’s knowledge. What reference are you making ?

See man page for SmartCardServices….

$ man SmartCardServices

SMARTCARDSERVICES(7)    BSD Miscellaneous Information Manual    SMARTCARDSERVICES(7)

NAME
     SmartCardServices -- overview of smart card support

DESCRIPTION
     SmartCardServices is a set of components which add native support for
     smart cards to OS X.

     Supported smart cards appear as separate keychains. A Tokend module for
     each smart card you wish to use must be installed in
     /Library/Security/tokend

USB SMART CARD READER DRIVERS
     OS X has built-in support for USB CCID class-compliant smart card
     readers. For other readers, install the reader driver in
     /usr/local/libexec/SmartCardServices/drivers. Each driver is a bundle.
     The bundle contains an XML file Info.plist which contains the device's
     USB vendor ID and product ID. For detailed description of the plist
     format and how to write a reader driver, see
     http://pcsclite.alioth.debian.org/api/group__IFDHandler.html

SMART CARD APDU LOGGING
     It is possible to turn on logging for smart cards. Logging is turned on
     by setting the global preference:

     sudo defaults write /Library/Preferences/com.apple.security.smartcard Logging -bool yes

     After a smart card reader is connected (or after reboot) all operations
     including contents of sent and received APDU messages are then logged
     into the system log. Logging uses the facility
     com.apple.security.smartcard.log so it is possible to set up filtering
     of these logs into custom targets (see asl.conf(5))

     To avoid security risks that could occur if logging is turned on
     indefinitely, the logging setting is one-shot - it must be turned on by
     the command above to start logging again with a new reader. This
     includes unplugging and replugging the same reader.

SEE ALSO
     sc_auth(8), defaults(1), asl.conf(5), ssh-keychain(8)

Mac OS X                        August 5, 2014                        Mac OS X

- Shawn
_____________________________________________________________________
Shawn Geddis                                 geddis@{Mac | Me | iCloud}.com
Security and Certifications Engineer, Apple  geddis@apple.com

Smart Card Services Project/Dev Lead:
Project Wiki:  [SmartCardServices.MacOSFforge.Org <http://smartcardservices.macosfforge.org/>]
Mailing Lists: [Lists.MacOSForge.Org/mailman/listinfo <http://lists.macosforge.org/mailman/listinfo>]
SCS Contact:   [scs-cotact@macosforge.org <mailto:scs-cotact@macosforge.org>]
SCS Admin:     [scs-admin@macosforge.org <mailto:scs-admin@macosforge.org>]
_____________________________________________________________________

On Thu, Oct 1, 2015 at 3:25 PM Shawn Geddis <geddis@icloud.com> wrote:
> • There currently is no code samples or reference implementations for CryptoTokenKit Clients from Apple nor yet from the project here.
> • TokenD API specifications ? There never was any API specification to Apple’s knowledge. What reference are you making ?

The specification that each of the TokenD modules implement. I referenced an API that exists but does not appear to be documented (at least publicly). I brought these up as I am on a team maintaining a product with a TokenD module for our smart card support and have run into stumbling blocks with supporting the new operating systems with no reliable channel on changes aside from poking and prodding behavior as best as I can when new beta releases come out.

> See man page for SmartCardServices….

Thanks for this - I'll keep an eye on man-page changes.

participants (3)
- Shawn A. Geddis
- Shawn Geddis
- Thomas Harning Jr.