Installations script for ESET Protect Agent

[Jelte 0]

Hi

The installation script for ESET Protect Agent for Mac is failing.

The installation script is made for bash, but zsh is nowadays the default for macOS.

In the installation script the XML with postflight config is created by echo every setting to a xml file.

Is it possible to change that to use the build in plistbuddy?

Here is the script I'm using now to fill the xml file:

local_params_file="/tmp/postflight.plist"

echo "$local_params_file" >> "$files2del"

/usr/libexec/PlistBuddy "$local_params_file" \

-c "clear dict" \

-c "add :Hostname string $eraa_server_hostname" \

-c "add :SendTelemetry string $eraa_enable_telemetry" \

-c "add :Port string $eraa_server_port" \

-c "add :PeerCertContent string $eraa_peer_cert_b64"

 

[ -n "$eraa_ca_cert_b64" ] && /usr/libexec/PlistBuddy "$local_params_file" -c "add :CertAuthContent string $eraa_ca_cert_b64"

[ -n "$eraa_product_uuid" ] && /usr/libexec/PlistBuddy "$local_params_file" -c "add :ProductGuid string $eraa_product_uuid"

[ -n "$eraa_initial_sg_token" ] && /usr/libexec/PlistBuddy "$local_params_file" -c "add :InitialStaticGroup string $eraa_initial_sg_token"

[ -n "$eraa_policy_data" ] && /usr/libexec/PlistBuddy "$local_params_file" -c "add :CustomPolicy string $eraa_policy_data"

 

[ -n "$eraa_peer_cert_pwd" ] && /usr/libexec/PlistBuddy "$local_params_file" \

-c "add :PeerCertPassword string $eraa_peer_cert_pwd" \

-c "add :PeerCertPasswordIsBase64 string yes"

 

[ "$eraa_http_proxy_use" = "1" ] && /usr/libexec/PlistBuddy "$local_params_file" \

-c "add :UseProxy string $eraa_http_proxy_use" \

-c "add :ProxyHostname string $eraa_http_proxy_hostname" \

-c "add :ProxyPort string $eraa_http_proxy_port" \

-c "add :ProxyUsername string $eraa_http_proxy_user" \

-c "add :ProxyPassword string $eraa_http_proxy_password"

The old part that should do the same:

echo "<?xml version=\"1.0\" encoding=\"UTF-8\"?>" >> "$local_params_file"

echo "<!DOCTYPE plist PUBLIC \"-//Apple//DTD PLIST 1.0//EN\" \"hxxp://www.apple.com/DTDs/PropertyList-1.0.dtd\">" >> "$local_params_file"

echo "<plist version=\"1.0\">" >> "$local_params_file"

echo "<dict>" >> "$local_params_file"

 

echo " <key>Hostname</key><string>$eraa_server_hostname</string>" >> "$local_params_file"

echo " <key>SendTelemetry</key><string>$eraa_enable_telemetry</string>" >> "$local_params_file"

 

echo " <key>Port</key><string>$eraa_server_port</string>" >> "$local_params_file"

 

if test -n "$eraa_peer_cert_pwd"

then

echo " <key>PeerCertPassword</key><string>$eraa_peer_cert_pwd</string>" >> "$local_params_file"

echo " <key>PeerCertPasswordIsBase64</key><string>yes</string>" >> "$local_params_file"

fi

 

echo " <key>PeerCertContent</key><string>$eraa_peer_cert_b64</string>" >> "$local_params_file"

 

if test -n "$eraa_ca_cert_b64"

then

echo " <key>CertAuthContent</key><string>$eraa_ca_cert_b64</string>" >> "$local_params_file"

fi

if test -n "$eraa_product_uuid"

then

echo " <key>ProductGuid</key><string>$eraa_product_uuid</string>" >> "$local_params_file"

fi

if test -n "$eraa_initial_sg_token"

then

echo " <key>InitialStaticGroup</key><string>$eraa_initial_sg_token</string>" >> "$local_params_file"

fi

if test -n "$eraa_policy_data"

then

 

echo " <key>CustomPolicy</key><string>$eraa_policy_data</string>" >> "$local_params_file"

fi

 

if test "$eraa_http_proxy_use" = "1"

then

echo " <key>UseProxy</key><string>$eraa_http_proxy_use</string>" >> "$local_params_file"

echo " <key>ProxyHostname</key><string>$eraa_http_proxy_hostname</string>" >> "$local_params_file"

echo " <key>ProxyPort</key><string>$eraa_http_proxy_port</string>" >> "$local_params_file"

echo " <key>ProxyUsername</key><string>$eraa_http_proxy_user</string>" >> "$local_params_file"

echo " <key>ProxyPassword</key><string>$eraa_http_proxy_password</string>" >> "$local_params_file"

fi

 

echo "</dict>" >> "$local_params_file"

echo "</plist>" >> "$local_params_file"

So the new one is shorter, and more robust

The issue with zsh is solved by adding an escape in front of the doctype declaration.

But the approach using plistbuddy is a way more nicer, and more readable.

 

Jelte

 

[MartinK 378]

Thanks for hints. We are aware of this limitation but we do preferred bash as it was working (at least with explicit use) on all supported macOS versions, but we will have to look whether we can possibly make it work with both interpreters or completely switch to zsh as more and more systems are including it.
And I will add one note regarding plistbuddy -> it was used in older releases, but it had to be abandoned as this tool had an issues with longer strings (for example certificates that might have exceeded 4KB size).