The codesign command is used to sign apps and to check their signatures. More and more apps need to be signed these days, so you might need to loop through your apps and verify that they’re signed. You might also choose to stop trusting a given signing authority if it is compromised. To check signing authorities, you can use:
codesign -dv --verbose=4 /Applications/Firefox.app/ 2>&1 | sed -n '/Authority/p'
The options in the above command:
- -d is used to display information about the app (as opposed to a -s which would actually sign the app)
- -v increases the verbosity level (without the v’s we won’t see the signing “Authority”)
- --verbose=4 indicates the level of verbosity
- 2>&1 redirects stderr to stdout
- /Applications/Firefox.app/ – the path to the app we’re checking (or signing if you’re signing)
Then we pipe the output into a simple sed and get the signing chain. Or don’t. If you’re scripting, don’t forget a sanity check for whether an object is signed at all. For example, if we just run the following for a non-signed app:
codesign -dv --verbose=4 /Applications/Utilities/XQuartz.app/
The output would be as follows:
/Applications/Utilities/XQuartz.app/: code object is not signed at all
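As an added example (not from the original post), here is one way to script the loop and the sanity check described above. The function names and return codes are assumptions chosen for this sketch; the only codesign options used are the ones shown above.

```shell
#!/bin/sh
# Added example: list signing authorities per app and flag unsigned bundles.

# Print the Authority chain for one path, or "unsigned" / "no-authority".
# Return codes (chosen for this example): 0 signed, 1 unsigned, 2 no Authority lines.
signing_chain() {
    target="$1"
    # codesign -dv writes its report to stderr and may exit non-zero,
    # so capture both streams and keep going.
    out=$(codesign -dv --verbose=4 "$target" 2>&1) || true

    # The sanity check: unsigned objects produce this message, not Authority lines.
    case "$out" in
        *"code object is not signed at all"*)
            echo "unsigned"
            return 1
            ;;
    esac

    # Join the Authority= lines, in the order codesign prints them, into one line.
    chain=$(printf '%s\n' "$out" | awk '
        /^Authority=/ { sub(/^Authority=/, ""); s = s (s == "" ? "" : " > ") $0 }
        END { print s }')

    if [ -z "$chain" ]; then
        echo "no-authority"
        return 2
    fi
    echo "$chain"
}

# Print "path<TAB>result" for every .app bundle directly under a directory.
audit_apps() {
    dir="${1:-/Applications}"
    for bundle in "$dir"/*.app; do
        [ -e "$bundle" ] || continue
        result=$(signing_chain "$bundle") || true
        printf '%s\t%s\n' "$bundle" "$result"
    done
}

# Usage on a Mac: audit_apps /Applications
```

Filtering the output of audit_apps for "unsigned" gives the list of apps to follow up on, and searching it for a specific authority name shows which apps depend on that signer.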
krypted January 12th, 2017