can someon confirm that this is a bug or not
on ES_EVENT_AUTH_EXEC I extract the signing_id and the team_id from the exec target.
NSString *signid = esstring_to_nsstring(&msg->event.exec.target->signing_id);
NSString *teamid = esstring_to_nsstring(&msg->event.exec.target->team_id);
when inspected, it seemd that team_id has the same content as sign_id
*** LAUNCH APP : PID 83135 BINARY Sophos Agent (signed signID: com.sophos.endpoint.SophosAgent teamID: com.sophos.endpoint.SophosAgent
I would expect that team_id should contain the TeamIdentifier similar from the codesign output below...
% codesign -dvvv -r- ...
Identifier=com.sophos.endpoint.SophosAgent
TeamIdentifier=2H5GFH3774
Frank Fenn
Sophos Inc.