Just some one-liners you may find useful… I’ve written about codesign a few times in the past. To see a detailed description of how an app was signed:
codesign -dvvvv /Applications/Firefox.app
This also gives you the bundleID for further inspection of an app. But there are a number of tools you can use to check out signing and go further into entitlements and sandboxing. You can check the
asctl sandbox check --bundle com.microsoft.outlook
The response would be similar to
/Applications/Microsoft Outlook.app:
signed with App Sandbox entitlements
In the above, we see that Outlook has entitlements to do some stuffs. But where do you see an indication of what it can do? There are a number of sandbox profiles located in /usr/share/sandbox and the more modern /System/Library/Sandbox/Profiles/ and Versions/A/Resources inside each framework should have a .sb file – but those are the Apple sandbox profiles. Additionally, you can see what each app has access to using the container_check.rb script:
/usr/libexec/AppSandbox/container_check.rb -c com.microsoft.outlook --for-user charles.edge --stdout
Simply strip the -c followed by the container and you’ll get a list of all apps. When you’re building and testing sandbox profiles for apps you plan to compile, you may want to test them. To do so, use sandbox
sandbox-exec -f /usr/share/sandbox/lockdown.sb /Applications/TextEdit.app/Contents/MacOS/TextEdit
As of 10.14, any app looking to access Location Services, Contacts, Calendars, Reminders, Photos, Camera, Microphone, Accessibility, the hard drive, Automation services, Analytics, or Advertising kit will prompt the user to accept that connection. This is TCC, or Privacy Preferences. You can programmatically remove items but not otherwise augment or view the data, via the tccutil command along with the only verb currently supported, reset:
tccutil reset SERVICE com.smileonmymac.textexpander