fix: binary signature check

src/agent_scan/signed_binary.py

@@ -1,4 +1,5 @@
 import logging
+import os
 import re
 import subprocess
 import sys
@@ -8,6 +9,28 @@
 
 logger = logging.getLogger(__name__)
 
+# Binaries that execute arbitrary user-supplied code. Even when properly signed,
+# they don't make the MCP server itself trustworthy — the real code being run
+# is whatever script/package the user pointed them at.
+_CODE_LAUNCHER_PATTERNS: list[re.Pattern[str]] = [
+    re.compile(r"^python\d?(\.\d+)*$"),
+    re.compile(r"^(node|nodejs|npx|npm|bun|deno)$"),
+    re.compile(r"^(ruby|irb)$"),
+    re.compile(r"^php$"),
+    re.compile(r"^perl$"),
+    re.compile(r"^(java|javaw)$"),
+    re.compile(r"^(bash|sh|zsh|fish|dash|ksh|csh|tcsh)$"),
+    re.compile(r"^cargo$"),
+    re.compile(r"^(uv|uvx|mise|docker|podman|pipx|poetry|pdm|rye)$"),
+    re.compile(r"^dotnet$"),
+]
+
+
+def _is_code_launcher(command: str) -> bool:
+    """Return True if the resolved command is a known code-launcher binary."""
+    basename = os.path.basename(command)
+    return any(p.match(basename) for p in _CODE_LAUNCHER_PATTERNS)
+
 
 def check_server_signature(server: StdioServer) -> StdioServer:
     """Get detailed code signing information."""
@@ -16,12 +39,25 @@ def check_server_signature(server: StdioServer) -> StdioServer:
         return server
     try:
         command, _ = resolve_command_and_args(server)
+
+        if _is_code_launcher(command):
+            logger.info(
+                f"Binary {server.command} ({command}) is a code launcher — "
+                "signature does not imply trust in the executed code"
+            )
+            return server
+
         result = subprocess.run(["codesign", "-dvvv", command], capture_output=True, text=True, check=False)
         if result.returncode != 0:
             return server
 
         output = result.stderr
 
+        authorities = re.findall(r"Authority=(.+)", output)
+        if "Apple Root CA" not in authorities:
+            logger.info(f"Binary {server.command} is signed but not by Apple Root CA (authorities: {authorities})")
+            return server
+
         if match := re.search(r"Identifier=(.+)", output):
             binary_identifier = match.group(1)
             logger.info(f"Binary {server.command} is signed as {binary_identifier}")

tests/unit/test_signed_binary.py

@@ -0,0 +1,38 @@
+import pytest
+
+from agent_scan.models import StdioServer
+from agent_scan.signed_binary import _is_code_launcher, check_server_signature
+
+
+@pytest.mark.parametrize(
+    "command",
+    [
+        "uv",
+        "uvx",
+        "docker",
+        "bash",
+    ],
+)
+def test_check_server_signature(command: str):
+    server = check_server_signature(StdioServer(command=command, args=None))
+    assert server.binary_identifier is None
+
+
+@pytest.mark.parametrize(
+    "command,is_code_launcher",
+    [
+        ("python", True),
+        ("node", True),
+        ("npm", True),
+        ("uv", True),
+        ("uvx", True),
+        ("docker", True),
+        ("bash", True),
+        ("cargo", True),
+        ("snyk-macos-arm64", False),
+        ("github-mcp-server", False),
+        ("terraform-mcp-server", False),
+    ],
+)
+def test_is_code_launcher(command: str, is_code_launcher: bool):
+    assert _is_code_launcher(command) == is_code_launcher