Tag Archives: plugins

Checking certificate expiry on Lion Server with Nagios

Mac OS X Server has had simple notifications on critical disk space, software updates, and certificate expiry for a while now.

For those of you who would like a neat way to integrate more customisable certificate expiry checks into a Nagios workflow, I have added check_certificate_expiry.sh into my OSX-Monitoring-Tools project today. It will allow you to specify a warning threshold, and then check expiry dates of all certificates in /etc/certificates.

OSX-Monitoring-Tools on GitHub


OSX Nagios Monitoring Tools & Scripts

Keeping an eye on your Mac OS X server instances can be a bit painful, with Apple’s inbuilt notification options limited to emails when software updates, expired certs, or super full volumes pop up. Having real-time and historical data on your services’ health and performance can help with your troubleshooting workflow, and getting a near-instant notification of an impending drive failure sure beats trudging out at midnight to an emergency maintenance callout.

For years, I have deployed the ever-improving Groundwork Monitor to monitor our internal and customer infrastructure, and their recently announced Core licence provides free monitoring for up to 50 devices. Groundwork’s Nagios core brings with it a wealth of plugins for monitoring servers, network devices, and a plethora of services, but a Mac administrator might struggle to find plugins that can provide nice performance data, or even provide valid output on OSX without 5 hours of dependency building.

Below is a link to my new project hosted on GitHub. These are the scripts and tools I have authored over the years to monitor OSX and associated infrastructure. After a thorough cleaning of some old code, I’ll add the rest, as well as anything new, with a plan to keep them in development, and open to everyone:

Visit the project on GitHub

Over the next little while, I’ll also be posting some articles on how you can leverage the standard Nagios plugins to monitor services and hardware on the Mac platform too. I hope these additions make your life a little easier.


Verifying plugin bundles using code signing

Code signing your apps is a great way of verifying that they haven’t been messed with before an end user executes your code, but you can also utilise the same techniques to implement a very secure plugin system for your apps.

If your application implements a plugin architecture based on NSBundles, you can use the following snippet in your loading code to ensure that each plugin is signed by an appropriate certificate.

You will need to create a certificate authority, and then have that sign a code signing certificate for your plugins. Doing it this way means that you can provide valid signing certificates to third parties to create plugins for your app if desired. TechRepublic have a good article on creating a CA in Keychain Access on your Mac.

Update (14 July 2012): Updated the snippet to be ARC compliant.

- (BOOL)validateSignature:(NSBundle *)pluginBundle {
    NSTask *task = [[NSTask alloc] init];
    NSPipe *pipe = [NSPipe pipe];
    NSFileHandle *handle = [pipe fileHandleForReading];
    NSData *taskData;
    NSString *taskString;
    // Require that the plugin's signature chains to the CA certificate shipped in the main bundle.
    NSArray *args = [NSArray arrayWithObjects:@"--verify", [NSString stringWithFormat:@"-R=anchor = \"%@\"", [[NSBundle mainBundle] pathForResource:@"BlargsoftCodeCA" ofType:@"cer"]], [pluginBundle bundlePath], nil];
    [task setLaunchPath:@"/usr/bin/codesign"];
    [task setStandardOutput:pipe];
    [task setStandardError:pipe];
    [task setArguments:args];
    [task launch];
    // Drain the pipe before waiting, so a full pipe buffer cannot stall codesign.
    taskData = [handle readDataToEndOfFile];
    [task waitUntilExit];
    taskString = [[NSString alloc] initWithData:taskData encoding:NSASCIIStringEncoding];

    if ([task terminationStatus] != 0) {
        // Something went wrong. Check for specific errors

        if ([taskString rangeOfString:@"modified"].length > 0 || [taskString rangeOfString:@"a sealed resource is missing or invalid"].length > 0) {
            // The plugin has been modified or resources removed since being signed. You probably don't want to load this.
            NSLog(@"Plugin modified - not loaded"); // log a real error here
        } else if ([taskString rangeOfString:@"failed to satisfy"].length > 0) {
            // The signature does not satisfy the requirement (it does not chain to our CA). Don't load.
            // throw an error
            NSLog(@"Plugin not signed by correct CA - not loaded"); // log a real error here
        } else if ([taskString rangeOfString:@"not signed at all"].length > 0) {
            // The plugin was not code signed at all. Don't load.
            NSLog(@"Plugin not signed at all - don't load."); // log a real error here
        } else {
            // Some other codesign error
        }

        // Any non-zero exit status from codesign means the plugin is rejected.
        return FALSE;

    } else {

        // The plugin passed validation!
        return TRUE;
    }
}
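
The same check can be done in-process with the Security framework instead of matching on codesign's text output. This is an added example, not the author's code: PluginBundleIsTrusted and caCertPath are hypothetical names, and the requirement text is the one the snippet above passes to -R.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Added example, not the author's code. caCertPath (assumed name) is the path
// to the CA certificate, e.g. the page's BlargsoftCodeCA.cer in the main bundle.
static BOOL PluginBundleIsTrusted(NSBundle *pluginBundle, NSString *caCertPath) {
    if (pluginBundle == nil || caCertPath == nil) return NO; // fail closed

    SecStaticCodeRef code = NULL;
    SecRequirementRef requirement = NULL;
    // Same requirement text the page's snippet passes to codesign -R.
    NSString *reqText = [NSString stringWithFormat:@"anchor = \"%@\"", caCertPath];

    OSStatus status = SecStaticCodeCreateWithPath(
        (__bridge CFURLRef)[pluginBundle bundleURL], kSecCSDefaultFlags, &code);
    if (status == errSecSuccess) {
        status = SecRequirementCreateWithString(
            (__bridge CFStringRef)reqText, kSecCSDefaultFlags, &requirement);
    }
    if (status == errSecSuccess) {
        // Verifies the seal over code and resources and the CA requirement together.
        status = SecStaticCodeCheckValidity(
            code, kSecCSCheckAllArchitectures | kSecCSCheckNestedCode, requirement);
    }

    switch (status) {
        case errSecSuccess:
            break;
        case errSecCSUnsigned:
            NSLog(@"Plugin not signed at all - not loaded");
            break;
        case errSecCSReqFailed:
            NSLog(@"Plugin not signed by correct CA - not loaded");
            break;
        case errSecCSSignatureFailed:
        case errSecCSBadResource:
            NSLog(@"Plugin modified - not loaded");
            break;
        default:
            NSLog(@"Plugin validation failed (OSStatus %d) - not loaded", (int)status);
            break;
    }

    if (requirement) CFRelease(requirement);
    if (code) CFRelease(code);
    return status == errSecSuccess;
}
```

Load the bundle only after this returns YES, and keep plugins in a directory other users cannot write to, because the check and the load are separate steps.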