The codesign command is used to sign apps and check the signature of apps. Apps need to be signed more and more and more these days. So, you might need to loop through your apps and verify that they’re signed. You might also choose to stop trusting given signing authorities if one is compromised. To check signing authorities, you can use codesign -dv --verbose=4 /Applications/Firefox.app/ 2>&1 | sed -n '/Authority/p' The options in the above command: -d is used to display information about the app (as opposed to a -s which would actually sign the app) -v increases the verbosity level (without the v’s we won’t see the signing “Authority”) –verbose=4 indicates the level of verbosity…
-
-
Signing Installation Packages
In OS X, installers are known as packages. The trend in OS X is to sign anything going onto a computer so that it can then be installed without concern that the product is not authentic. The productsign command provides the ability to sign packages in much the same way that the codesign command can be used on apps. For example, let’s say that we wanted to sign a package called Alpha.pkg in /tmp with Apple DeveloperID 31415926535897932384626 and have it result in a new package, Omega.pkg in the same directory. The command would be as follows: productsign --sign 'Developer ID Installer: 31415926535897932384626' '/temp/Alpha.pkg' '/temp/Omega.pkg' You can also timestamp the…
-
Determining .app Executables From a Script
I’ve mentioned the codesign tool in previous articles, but today let’s look at a specific use. I recently needed to generate a report of the executable for around 2000 app bundles. Luckily, codesign displays the executable for an app when run with the –display option: codesign --display /Applications/Utilities/Terminal.app The output looks as follows: Executable=/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal Another tool that I haven’t written much about is productsign (also in /usr/sbin of Mac OS X 10.8). I’ll look at that one next, as a means of signing packages.