Weird remotedesktop folder in usr/local - safe?
To determine the origin you have several tools at hand:
-
Code signing. Check the code signing of the app/pkg:
codesign -dv --verbose=4 /usr/local/remotedesktop/RemoteDesktopChangeClientSettings.pkg
This yields the following:
Executable=/usr/local/remotedesktop/RemoteDesktopChangeClientSettings.pkg/Contents/Info.plist Identifier=com.apple.pkg.RemoteDesktopChangeClientSettings Format=installer package bundle CodeDirectory v=20100 size=176 flags=0x0(none) hashes=1+3 location=embedded Hash type=sha1 size=20 CandidateCDHash sha1=888c8c6a6abd2f544020594e7d6f4dc31a7e01b8 Hash choices=sha1 CDHash=888c8c6a6abd2f544020594e7d6f4dc31a7e01b8 Signature size=4072 Authority=Software Signing Authority=Apple Code Signing Certification Authority Authority=Apple Root CA Info.plist entries=24 TeamIdentifier=not set Sealed Resources version=2 rules=12 files=21 Internal requirements count=1 size=96
Seems legit and (comparing it to other apps) from Apple itself. If the app/pkg was signed by another company at least one of the Authority lines would show a different vendor/developer.
-
Check the receipt bom files:
grep --include=\*.bom -rnw '/System/Library/Receipts/' -e "RemoteDesktopChangeClientSettings"
which will probably yield:
Binary file /System/Library/Receipts//com.apple.pkg.RemoteDesktopClient.bom matches
Check the corresponding plist file and you will get the installer package: RemoteDesktopClient 3.9.2. Seems also legit Apple. Now you can
lsbom ...
the file. Seeman lsbom
.A second Receipts folder with non-Apple boms/plists is in the /Library folder!
There are probably some more methods to check if the file is legit or not which I'll try to add later.
I also see a /usr/local/remotedesktop/RemoteDesktopChangeClientSettings.pkg package on my MacBook Pro running macOS 10.13.1 (High Sierra).
$ sw_vers
ProductName: Mac OS X
ProductVersion: 10.13.1
BuildVersion: 17B1003
$ cd /usr/local/remotedesktop
$ /bin/ls -la
total 0
drwxr-xr-x 3 root wheel 96 Nov 14 10:34 .
drwxr-xr-x 11 root wheel 352 Dec 14 15:19 ..
drwxr-xr-x 3 root wheel 96 Feb 14 2017 RemoteDesktopChangeClientSettings.pkg
I upgraded to High Sierra on November 14th.
Checking the signature using pkgutil, I see that the package has been signed by an untrusted certificate:
$ pkgutil --check-signature RemoteDesktopChangeClientSettings.pkg
Package "RemoteDesktopChangeClientSettings.pkg":
Status: signed by untrusted certificate
Certificate Chain:
1. Software Signing
SHA1 fingerprint: 22 03 02 9E 85 EF B1 82 8B 92 8C 3B 65 45 F0 03 CC 0E 51 5C
-----------------------------------------------------------------------------
2. Apple Code Signing Certification Authority
SHA1 fingerprint: FA D8 1F 57 1D 72 D2 BA B0 BA B2 17 F9 80 DB 88 03 77 4B 85
-----------------------------------------------------------------------------
3. Apple Root CA
SHA1 fingerprint: 61 1E 5B 66 2C 59 3A 08 FF 58 D1 4A E2 24 52 D1 98 DF 6C 60
On trying to open the package, I see this warning:
When I click on the Show Certificate button, I see that the certificate has expired:
So, it's probably not advisable to install this version of the RemoteDesktopChangeClientSettings.pkg package :-)