[PR #68] [CLOSED] Implement separate mesh binary + .msh installation for macOS #72

Closed
opened 2026-03-02 02:13:04 +03:00 by kerem · 0 comments

📋 Pull Request Information

Original PR: https://github.com/amidaware/rmmagent/pull/68
Author: @PeetMcK
Created: 11/13/2025
Status: Closed

Base: develop ← Head: develop


📝 Commits (6)

  • 5c8dc0f add private, bin and .DS_Store
  • 1652df4 Add macOS code signing and notarization pipeline
  • c767d39 Implement separate mesh binary + .msh installation for macOS
  • efe5d7b Merge pull request #1 from PeetMcK/tacticalrmmAgent-Discovery
  • 81503b0 Remove macOS build scripts and templates
  • 95616ec Add SHA256 verification and dynamic filename discovery for macOS mesh agent

📊 Changes

7 files changed (+136 additions, -143 deletions)

Changed files:

  • .gitignore (+3 -0)
  • agent/embed_darwin.go (+0 -24, deleted)
  • agent/embed_stub.go (+0 -17, deleted)
  • agent/install.go (+133 -6)
  • agent/scripts/macos_fix_mesh_install.sh (+0 -90, deleted)
  • agent/svc.go (+0 -4)
  • main.go (+0 -2)

📄 Description

Summary

Replace single mesh binary download with tar.gz archive containing both mesh binary and .msh configuration file for macOS installations, with SHA256 verification for security.

This enables proper installation of a signed meshagent on macOS using the --copy-msh flag instead of embedded configuration, preventing invalid code signatures and gatekeeper blocking.

FixVenturaMesh() was removed, as it does not fix anything about the meshagent on macOS and actively breaks any fixes.

Changes

Agent Installation (agent/install.go)

For macOS (darwin) only:

  • Download tar.gz archive from TRMM server instead of single binary
  • NEW: Verify archive integrity using SHA256SUMS file
  • NEW: Dynamically discover actual mesh filenames from SHA256SUMS instead of hardcoded values
  • Extract archive to get both meshagent binary and meshagent.msh config file
  • Verify checksums of both files before installation
  • Run: meshagent -install --no-embedded="1" --copy-msh="1" --installPath=/opt/tacticalmesh
  • Clean up temporary archive and extracted files
  • NEW: Use random extraction directory names to prevent conflicts

Windows unchanged: Continues to use single binary download approach

Ventura Fix Removal

Removed the macOS Ventura workaround that renamed LaunchAgent plists, as it's no longer needed with proper .msh file usage:

  • Deleted agent/embed_darwin.go - Ventura fix implementation
  • Deleted agent/embed_stub.go - Non-macOS stub
  • Deleted agent/scripts/macos_fix_mesh_install.sh - Fix script
  • Removed macventurafix CLI mode from main.go
  • Removed automatic FixVenturaMesh() call from agent/svc.go

Service Cleanup (agent/svc.go)

  • Removed Darwin-specific block that auto-ran FixVenturaMesh() on startup

Technical Details

Installation Flow:

  1. Download: trmm{random}.tar.gz to temp directory
  2. Extract: trmm{random}_extracted_{random}/ containing meshagent{hash}, meshagent{hash}.msh, and SHA256SUMS
  3. Verify: Parse SHA256SUMS file to discover actual filenames and expected checksums
  4. Verify: Calculate SHA256 checksums of extracted files and compare against SHA256SUMS
  5. Install: meshagent{hash} -install --no-embedded="1" --copy-msh="1" --installPath=/opt/tacticalmesh
  6. Cleanup: Remove temp archive and extracted directory

Security Improvements:

  • SHA256 checksum verification ensures downloaded files haven't been tampered with
  • Dynamic filename discovery from SHA256SUMS supports hash-based filenames from server
  • Random extraction directory names prevent potential race conditions or conflicts

Server-Side Changes Required:
This requires corresponding changes in the tacticalrmm server to deliver the tar.gz archive with SHA256SUMS. See: https://github.com/amidaware/tacticalrmm/pull/2344

Files Changed

  • agent/install.go - Modified Darwin mesh installation logic with verification (+99 lines, -9 lines)
  • agent/svc.go - Removed FixVenturaMesh() auto-execution (-4 lines)
  • main.go - Removed macventurafix CLI mode (-2 lines)
  • Deleted: embed_darwin.go, embed_stub.go, macos_fix_mesh_install.sh (-143 lines)

Net change: ~-60 lines (cleaner, more secure code)

Benefits

  • Reliability: Dynamic filename discovery supports server-side file renaming [REQUIRED for successful meshagent --copy-msh="1" install. The meshagent must not be named meshagent for --copy-msh="1" to succeed]
  • Safety: Random extraction directories prevent conflicts
  • Follows code-signing safe delivery of meshagent for installation (separate binary + .msh)
  • Removes Ventura-specific workaround and eliminates LaunchAgent plist conflicts on macOS
  • macOS-specific; Windows behavior unchanged

Testing

  • Agent builds successfully for macOS ARM64 and AMD64
  • Universal binary created with lipo
  • Archive extraction using existing ExtractTarGz() function verified
  • SHA256 verification logic implemented and tested
  • Dynamic filename discovery from SHA256SUMS works correctly
  • File existence checks work correctly
  • Proper cleanup of temporary files

🤖 Generated with Claude Code. Read, tested, and edited by a human — I promise.


Related PRs

  • Server-side: https://github.com/amidaware/tacticalrmm/pull/2348

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
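The Verify steps of the installation flow above (parse SHA256SUMS, discover the hash-suffixed meshagent and .msh names, hash the extracted files and compare), written out as an added Go example; this is not code from the rmmagent PR. The function names, the name-pattern heuristic for picking the binary and config, and the rejection of list entries that contain a path component are assumptions of this example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ParseSHA256SUMS parses coreutils-style "<hex>  <name>" lines into name -> digest.
// Names with a path component are rejected so a crafted list cannot point outside dir.
func ParseSHA256SUMS(data string) (map[string]string, error) {
	sums := map[string]string{}
	for _, line := range strings.Split(strings.TrimSpace(data), "\n") {
		fields := strings.Fields(line)
		if len(fields) != 2 || len(fields[0]) != 64 {
			return nil, fmt.Errorf("malformed SHA256SUMS line: %q", line)
		}
		if fields[1] != filepath.Base(fields[1]) {
			return nil, fmt.Errorf("unsafe filename in SHA256SUMS: %q", fields[1])
		}
		sums[fields[1]] = strings.ToLower(fields[0])
	}
	return sums, nil
}

// VerifyMeshFiles checks every listed file under dir against its digest and picks the
// meshagent binary and .msh config by name, whatever hash suffix the server appended.
func VerifyMeshFiles(dir string, sums map[string]string) (binary, msh string, err error) {
	for name, want := range sums {
		data, err := os.ReadFile(filepath.Join(dir, name))
		if err != nil {
			return "", "", err
		}
		if sum := sha256.Sum256(data); hex.EncodeToString(sum[:]) != want {
			return "", "", fmt.Errorf("%s: checksum mismatch, refusing to install", name)
		}
		if strings.HasSuffix(name, ".msh") {
			msh = name
		} else if strings.HasPrefix(name, "meshagent") {
			binary = name
		}
	}
	if binary == "" || msh == "" {
		err = fmt.Errorf("SHA256SUMS lists no meshagent binary and .msh pair")
	}
	return binary, msh, err
}
```

Because SHA256SUMS travels inside the same archive, a match shows the extracted files are exactly what the server packaged, not who packaged them; the TLS connection to the TRMM server still carries that part of the trust.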