The codesign command is used to sign apps and check the signature of apps. Apps need to be signed more and more and more these days. So, you might need to loop through your apps and verify that they’re signed. You might also choose to stop trusting given signing authorities if one is compromised. To check signing authorities, you can use
codesign -dv --verbose=4 /Applications/Firefox.app/ 2>&1 | sed -n '/Authority/p'
The options in the above command:
Then we pipe the output into a simple sed and get the signing chain. Or don’t. For example, if you’re scripting don’t forget a sanity check for whether an object isn’t signed. For example, if we just run the following for a non-signed app:
codesign -dv --verbose=4 /Applications/Utilities/XQuartz.app/
The output would be as follows:
/Applications/Utilities/XQuartz.app/: code object is not signed at all
krypted January 12th, 2017
In OS X, installers are known as packages. The trend in OS X is to sign anything going onto a computer so that it can then be installed without concern that the product is not authentic. The productsign command provides the ability to sign packages in much the same way that the codesign command can be used on apps. For example, let’s say that we wanted to sign a package called Alpha.pkg in /tmp with Apple DeveloperID 31415926535897932384626 and have it result in a new package, Omega.pkg in the same directory. The command would be as follows:
productsign --sign 'Developer ID Installer: 31415926535897932384626'
You can also timestamp the signing by adding a –timestamp option or disable trusted timestamps with the –timestamp=none. You can also indicate a keychain using the –keychain option or –cert to indicate a certificate to embed in the archive. Once signed, you can then test the signing using the spctl command along with the –assess option. The –type option would also indicate a type of install, resulting in the following for Omega.pkg:
spctl --assess --type install /temp/Omega.pkg
krypted August 31st, 2012
Posted In: Mac OS X
I’ve mentioned the codesign tool in previous articles, but today let’s look at a specific use. I recently needed to generate a report of the executable for around 2000 app bundles. Luckily, codesign displays the executable for an app when run with the –display option:
codesign --display /Applications/Utilities/Terminal.app
The output looks as follows:
Another tool that I haven’t written much about is productsign (also in /usr/sbin of Mac OS X 10.8). I’ll look at that one next, as a means of signing packages.
krypted August 27th, 2012
Posted In: Mac OS X