macos_installer_handler.py: Add signature check

2026-04-23 19:40:15 +10:00 · 2024-04-30 16:58:40 -06:00
parent a06b1f578e
commit ddb71e6776
2 changed files with 7 additions and 0 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,6 +10,8 @@
  - Payloads:
    - Remove redundant/unused files bundled in payloads.dmg
 - Resolve unpatching Nvidia Web Drivers failing to clean up `/Library/Extensions`
+- Implement preflight code signature checks for macOS installer creation
+  - Ensures validity of `createinstallmedia` binary before execution

 ## 1.4.3
 - Update non-Metal Binaries for macOS Sonoma:
--- a/opencore_legacy_patcher/support/macos_installer_handler.py
+++ b/opencore_legacy_patcher/support/macos_installer_handler.py
@@ -139,7 +139,12 @@ class InstallerCreation():
            logging.info(f"Failed to copy installer to {ia_tmp}")
            return False

+        # Verify code signature before executing
        createinstallmedia_path = str(Path(installer_path) / Path("Contents/Resources/createinstallmedia"))
+        if subprocess.run(["/usr/bin/codesign", "-v", "-R=anchor apple", createinstallmedia_path]).returncode != 0:
+            logging.info(f"Installer has broken code signature")
+            return False
+
        plist_path = str(Path(installer_path) / Path("Contents/Info.plist"))
        if Path(plist_path).exists():
            plist = plistlib.load(Path(plist_path).open("rb"))