The codesign command is used to sign apps and check the signature of apps. Apps need to be signed more and more and more these days. So, you might need to loop through your apps and verify that they’re signed. You might also choose to stop trusting given signing authorities if one is compromised. To check signing authorities, you can use
codesign -dv --verbose=4 /Applications/Firefox.app/ 2>&1 | sed -n '/Authority/p'
The options in the above command:
Then we pipe the output into a simple sed and get the signing chain. Or don’t. For example, if you’re scripting don’t forget a sanity check for whether an object isn’t signed. For example, if we just run the following for a non-signed app:
codesign -dv --verbose=4 /Applications/Utilities/XQuartz.app/
The output would be as follows:
/Applications/Utilities/XQuartz.app/: code object is not signed at all
krypted January 12th, 2017