From 32562ea57265ae9a7ace724947a5d472d5202722 Mon Sep 17 00:00:00 2001
From: mmilanta
Date: Tue, 10 Mar 2026 09:54:47 +0100
Subject: [PATCH 1/2] fix: skip signing binary for adhoc signatures and code launchers
---
 src/agent_scan/signed_binary.py | 36 +++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)
diff --git a/src/agent_scan/signed_binary.py b/src/agent_scan/signed_binary.py
index 57115b8..33196e5 100644
--- a/src/agent_scan/signed_binary.py
+++ b/src/agent_scan/signed_binary.py
@@ -1,4 +1,5 @@
 import logging
+import os
 import re
 import subprocess
 import sys
@@ -8,6 +9,28 @@
 logger = logging.getLogger(__name__)
+# Binaries that execute arbitrary user-supplied code. Even when properly signed,
+# they don't make the MCP server itself trustworthy — the real code being run
+# is whatever script/package the user pointed them at.
+_CODE_LAUNCHER_PATTERNS: list[re.Pattern[str]] = [
+ re.compile(r"^python\d?(\.\d+)*$"),
+ re.compile(r"^(node|nodejs|npx|npm|bun|deno)$"),
+ re.compile(r"^(ruby|irb)$"),
+ re.compile(r"^php$"),
+ re.compile(r"^perl$"),
+ re.compile(r"^(java|javaw)$"),
+ re.compile(r"^(bash|sh|zsh|fish|dash|ksh|csh|tcsh)$"),
+ re.compile(r"^cargo$"),
+ re.compile(r"^(uv|uvx|mise|docker|podman|pipx|poetry|pdm|rye)$"),
+ re.compile(r"^dotnet$"),
+]
+
+
+def _is_code_launcher(command: str) -> bool:
+ """Return True if the resolved command is a known code-launcher binary."""
+ basename = os.path.basename(command)
+ return any(p.match(basename) for p in _CODE_LAUNCHER_PATTERNS)
+
 def check_server_signature(server: StdioServer) -> StdioServer:
 """Get detailed code signing information."""
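Review bot: `_is_code_launcher` in src/agent_scan/signed_binary.py is a basename denylist, so it fails open: a launcher that is not listed (for example `env`, `pnpm`, `yarn`, `go`, `osascript` or `pythonw`) is treated as an ordinary binary and still reaches the signature path in `check_server_signature`. The patterns are also case-sensitive while the default macOS filesystem is not, so `Python` or `NODE` names the same executable without matching; comparing a lower-cased name closes that, e.g. `return any(p.fullmatch(basename.lower()) for p in _CODE_LAUNCHER_PATTERNS)`. I would add a comment above the list saying it is best-effort and that absence from it is not a trust signal, something like `# Best-effort denylist: an unlisted launcher is handled like any other binary.` Whether `resolve_command_and_args` follows symlinks is not visible in this hunk; if it does not, a differently named link to an interpreter would not match either.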
@@ -16,12 +39,25 @@ def check_server_signature(server: StdioServer) -> StdioServer:
 return server
 try:
 command, _ = resolve_command_and_args(server)
+
+ if _is_code_launcher(command):
+ logger.info(
+ f"Binary {server.command} ({command}) is a code launcher — "
+ "signature does not imply trust in the executed code"
+ )
+ return server
+
 result = subprocess.run(["codesign", "-dvvv", command], capture_output=True, text=True, check=False)
 if result.returncode != 0:
 return server
 output = result.stderr
+ authorities = re.findall(r"Authority=(.+)", output)
+ if "Apple Root CA" not in authorities:
+ logger.info(f"Binary {server.command} is signed but not by Apple Root CA (authorities: {authorities})")
+ return server
+
 if match := re.search(r"Identifier=(.+)", output):
 binary_identifier = match.group(1)
 logger.info(f"Binary {server.command} is signed as {binary_identifier}")
From 393b1c85bd8266ee3eee5e9da3919345a4293240 Mon Sep 17 00:00:00 2001
From: mmilanta
Date: Fri, 13 Mar 2026 09:47:39 +0100
Subject: [PATCH 2/2] fix: add tests
---
 tests/unit/test_errors.py | 0
 tests/unit/test_signed_binary.py | 38 ++++++++++++++++++++++++++++++++
 2 files changed, 38 insertions(+)
 create mode 100644 tests/unit/test_errors.py
 create mode 100644 tests/unit/test_signed_binary.py
diff --git a/tests/unit/test_errors.py b/tests/unit/test_errors.py
new file mode 100644
index 0000000..e69de29
diff --git a/tests/unit/test_signed_binary.py b/tests/unit/test_signed_binary.py
new file mode 100644
index 0000000..6a2517e
--- /dev/null
+++ b/tests/unit/test_signed_binary.py
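Review bot: In `check_server_signature` (src/agent_scan/signed_binary.py), the new `"Apple Root CA" not in authorities` test reads the `Authority=` lines printed by `codesign -dvvv`, which is display mode: it reports what is embedded in the signature, and validating the seal and the chain's anchor is a separate `--verify` operation. The string match alone is therefore not evidence that the file is intact or that the chain is rooted in Apple's CA. Before using `Identifier=`, I would add a verification step and return on failure, e.g. `verify = subprocess.run(["codesign", "--verify", "--strict", "-R=anchor apple generic", command], capture_output=True, check=False)` followed by `if verify.returncode != 0: return server`. The new `logger.info` f-strings also interpolate `authorities` and `command`, which come from the binary and the config; formatting them with `%r` keeps embedded newlines out of the log. The function starts and ends outside this hunk, so verification elsewhere in it cannot be ruled out from here.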
@@ -0,0 +1,38 @@
+import pytest
+
+from agent_scan.models import StdioServer
+from agent_scan.signed_binary import _is_code_launcher, check_server_signature
+
+
+@pytest.mark.parametrize(
+ "command",
+ [
+ "uv",
+ "uvx",
+ "docker",
+ "bash",
+ ],
+)
+def test_check_server_signature(command: str):
+ server = check_server_signature(StdioServer(command=command, args=None))
+ assert server.binary_identifier is None
+
+
+@pytest.mark.parametrize(
+ "command,is_code_launcher",
+ [
+ ("python", True),
+ ("node", True),
+ ("npm", True),
+ ("uv", True),
+ ("uvx", True),
+ ("docker", True),
+ ("bash", True),
+ ("cargo", True),
+ ("snyk-macos-arm64", False),
+ ("github-mcp-server", False),
+ ("terraform-mcp-server", False),
+ ],
+)
+def test_is_code_launcher(command: str, is_code_launcher: bool):
+ assert _is_code_launcher(command) == is_code_launcher
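Review bot: `test_check_server_signature` never reaches the new authority check, because it only passes launcher names; it also depends on the host, since `check_server_signature` appears to return early when not on macOS, so `binary_identifier is None` would hold regardless of what the new code does. The security-relevant branches are untested: no `Authority=` lines (ad-hoc signature), a chain without `Apple Root CA`, and the accepted case. Those need a test that uses `monkeypatch` to replace `subprocess.run` and `resolve_command_and_args` and feeds constructed `codesign` stderr. For `_is_code_launcher`, path-form and near-miss inputs such as `("/usr/local/bin/python3.12", True)` and `("my-python-server", False)` would pin down the basename handling and the anchoring of the patterns.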