Endpoint Security sign_id & team_id on AUTH_EXEC

Question

can someon confirm that this is a bug or not

on ES_EVENT_AUTH_EXEC I extract the signing_id and the team_id from the exec target.

NSString *signid = esstring_to_nsstring(&msg->event.exec.target->signing_id);

NSString *teamid = esstring_to_nsstring(&msg->event.exec.target->team_id);

when inspected, it seemd that team_id has the same content as sign_id

*** LAUNCH APP : PID 83135 BINARY Sophos Agent (signed signID: com.sophos.endpoint.SophosAgent teamID: com.sophos.endpoint.SophosAgent

I would expect that team_id should contain the TeamIdentifier similar from the codesign output below...

% codesign -dvvv -r- ...

Identifier=com.sophos.endpoint.SophosAgent

TeamIdentifier=2H5GFH3774

Frank Fenn

Sophos Inc.

System Extensions

1k

Posted by

frankfenn

Reply

Add a Comment

Answer 1

That definitely seems like a bug. Please file it as such, then post your bug number here, just for the record.

Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Posted by

eskimo

Add a Comment

Answer 2

Feedback Ticket # : FB7321319

Posted by

frankfenn

Add a Comment

Answer 3

Feedback Ticket # : FB7321319

Thank you!

It’s likely that your bug will end up being closed as a dup of the bug we’re using to track this internally (r. 55656117). I’m hoping that this will be fixed before 10.15 goes GM. If/when there’s a new seed of 10.15 beta, drop me a line here and I’ll take another look at the state of this.

Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Posted by

eskimo

Add a Comment

Answer 4

it looks like beta 10 has fixed the issue

Frank Fenn

Sophos Inc.

Posted by

frankfenn

Add a Comment

Endpoint Security sign_id & team_id on AUTH_EXEC

Replies