Weird remotedesktop folder in usr/local - safe?

To determine the origin you have several tools at hand:

  • Code signing. Check the code signing of the app/pkg:

    codesign -dv --verbose=4 /usr/local/remotedesktop/RemoteDesktopChangeClientSettings.pkg 
    

    This yields the following:

    Executable=/usr/local/remotedesktop/RemoteDesktopChangeClientSettings.pkg/Contents/Info.plist
    Identifier=com.apple.pkg.RemoteDesktopChangeClientSettings
    Format=installer package bundle
    CodeDirectory v=20100 size=176 flags=0x0(none) hashes=1+3 location=embedded
    Hash type=sha1 size=20
    CandidateCDHash sha1=888c8c6a6abd2f544020594e7d6f4dc31a7e01b8
    Hash choices=sha1
    CDHash=888c8c6a6abd2f544020594e7d6f4dc31a7e01b8
    Signature size=4072
    Authority=Software Signing
    Authority=Apple Code Signing Certification Authority
    Authority=Apple Root CA
    Info.plist entries=24
    TeamIdentifier=not set
    Sealed Resources version=2 rules=12 files=21
    Internal requirements count=1 size=96
    

    Seems legit and (comparing it to other apps) from Apple itself. If the app/pkg was signed by another company at least one of the Authority lines would show a different vendor/developer.

  • Check the receipt bom files:

    grep --include=\*.bom -rnw '/System/Library/Receipts/' -e "RemoteDesktopChangeClientSettings"
    

    which will probably yield:

    Binary file /System/Library/Receipts//com.apple.pkg.RemoteDesktopClient.bom matches
    

    Check the corresponding plist file and you will get the installer package: RemoteDesktopClient 3.9.2. Seems also legit Apple. Now you can lsbom ... the file. See man lsbom.

    A second Receipts folder with non-Apple boms/plists is in the /Library folder!


There are probably some more methods to check if the file is legit or not which I'll try to add later.


I also see a /usr/local/remotedesktop/RemoteDesktopChangeClientSettings.pkg package on my MacBook Pro running macOS 10.13.1 (High Sierra).

$ sw_vers
ProductName:    Mac OS X
ProductVersion: 10.13.1
BuildVersion:   17B1003

$ cd /usr/local/remotedesktop

$ /bin/ls -la
total 0
drwxr-xr-x   3 root  wheel   96 Nov 14 10:34 .
drwxr-xr-x  11 root  wheel  352 Dec 14 15:19 ..
drwxr-xr-x   3 root  wheel   96 Feb 14  2017 RemoteDesktopChangeClientSettings.pkg

I upgraded to High Sierra on November 14th.

Checking the signature using pkgutil, I see that the package has been signed by an untrusted certificate:

$ pkgutil --check-signature RemoteDesktopChangeClientSettings.pkg
Package "RemoteDesktopChangeClientSettings.pkg":
   Status: signed by untrusted certificate
   Certificate Chain:
    1. Software Signing
       SHA1 fingerprint: 22 03 02 9E 85 EF B1 82 8B 92 8C 3B 65 45 F0 03 CC 0E 51 5C
       -----------------------------------------------------------------------------
    2. Apple Code Signing Certification Authority
       SHA1 fingerprint: FA D8 1F 57 1D 72 D2 BA B0 BA B2 17 F9 80 DB 88 03 77 4B 85
       -----------------------------------------------------------------------------
    3. Apple Root CA
       SHA1 fingerprint: 61 1E 5B 66 2C 59 3A 08 FF 58 D1 4A E2 24 52 D1 98 DF 6C 60

On trying to open the package, I see this warning: invalid certificate warning

When I click on the Show Certificate button, I see that the certificate has expired: expired certificate

So, it's probably not advisable to install this version of the RemoteDesktopChangeClientSettings.pkg package :-)