Block list is cleared on update?

[e40]

I noticed that my santa block lists were not in effect a month or so ago. So, I wrote a script to add them back. I just updated to the latest release and ran the script and it reported my items were not blocked and blocked them.

Is this a known issue or am I doing something wrong?

[pmarkowsky]

Could you describe more about what your script is doing?

Also could you elaborate on what you mean by your Santa block lists?

[e40]

Here's the script, which I ran after the previous installation:

#! /usr/bin/env bash
# Prevent certain programs from launching

apps=(
    "/System/Applications/Books.app"
    "/System/Applications/Maps.app"
    "/System/Applications/Music.app"
    "/System/Applications/News.app"
    "/System/Applications/Siri.app"
    "/System/Applications/Stocks.app"
    "/System/Applications/Mail.app"
)

set -ueE -o pipefail

prog="$(basename "$0")"

function usage {
    [ "${*-}" ] && echo "$prog: $*" 1>&2
    cat 1>&2 <<EOF
Usage: $prog [--switch1] [--switch2 blah]

blah blah blah fix me blah blah blah
EOF
    exit 1
}

function errordie {
    [ "${*-}" ] && echo "$prog: $*" 1>&2
    exit 1
}

if ! type -p santactl > /dev/null; then
    errordie "Cannot find santactl, please install it before running $prog"
fi

verbose=nonnull

while [ $# -gt 0 ]; do
    case $1 in
        -q) verbose= ;;
        --) ;;
        *)  usage extra args: "$@" ;;
    esac
    shift
done

lockfile="/tmp/${prog}.lock"

# ensure that only one copy of this script is running at any given time
lockfile -r 0 "$lockfile" || errordie program is already running

tempfile="/tmp/${prog}temp1$$"
tempfile2="/tmp/${prog}temp2$$"
rm -f "$tempfile"
rm -f "$tempfile2"
# shellcheck disable=SC2317
function exit_cleanup {
    rm -f "$tempfile"
    rm -f "$tempfile2"
    rm -f "$lockfile"
}
# shellcheck disable=SC2317
function err_report {
    echo "Error on line $(caller)" 1>&2
}
trap err_report   ERR
trap exit_cleanup EXIT

{
    for app in "${apps[@]}"; do
        [ -d "$app" ] || errordie "$app does not exist"
    done

    for app in "${apps[@]}"; do
        santactl fileinfo "$app" > "$tempfile" ||
            errordie "failed: santactl fileinfo $app"
        if grep -Eq "Rule.*Blocked" "$tempfile"; then
            [ "$verbose" ] && echo "$app is already blocked"
        elif grep -Eq "Rule.*Allowed" "$tempfile"; then
            echo "$app is not blocked, blocking"
            if ! sudo santactl rule --block --path "$app" --message "$app" >& "$tempfile2"; then
                cat "$tempfile2" 1>&2
                errordie "failed to block $app"
            fi
        else
            cat "$tempfile" 1>&2
            errordie "unexpect output file fileinfo (see above)"
        fi
    done

    exit 0
}

[pmarkowsky]

Ok so looking at your script this line sudo santactl rule --block --path "$app" --message "$app" will create a SHA256 (BINARY) rule for the bundle.

This means that any time the binary is updated e.g. as part of an OS update your rule will no longer match as the SHA256 value will have changed. If you just want to block all versions you should try blocking on a more stable identifier like Signing ID.

You can do this by adding the --signingid flag to your line above e.g. sudo santactl rule --block --signingid --path "$app" --message "$app"

[e40]

Cool. Thanks!

[e40]

Oh, and I did update to macOS 15.4 and the latest Santa at the same time, so I misattributed it to the Santa install.