macOS Code Signing Validation

Code signing lets security-conscious users check whether an application comes from an authentic source and is unmodified, or whether it has been tampered with or corrupted.

Manually checking the authenticity of applications is typically not needed for the average Mac user, because most users obtain their software from the Mac App Store, where every app is signed by Apple.

macOS and some versions of OS X run Gatekeeper, which checks who created an application before it is installed: if the developer is unknown, Gatekeeper warns the user and rejects the app. Applications that are properly signed open without any warnings.

Everyone should be aware of the integrity of any app, from any source. It never hurts to validate outside of Apple's built-in security features.

Manual validation

Personally, when I manually check an app, I look at three things: the hash type, the hash checksum (the CDHash), and the signing authority.
All of these come from the codesign command in Terminal.

Display the signature details, including the authority chain:

codesign -dvvv /path/Foo.app

Note: Applications distributed on the Mac App Store are all signed by Apple’s certificate.

Gatekeeper-like verification:

codesign --verify --deep --strict --verbose=2 /path/Foo.app/
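The output of codesign -dvvv is a list of Key=value lines (written to stderr), and the three fields the post says to read are Hash type=, CDHash= and the Authority= chain, which lists the signing certificate first and Apple Root CA last. The script below is an added example and not part of the original post: it parses constructed sample output for a Developer ID app and for a Mac App Store app, classifies the signer from the leaf certificate, and flags any CodeDirectory hash that is not sha256. The bundle identifiers, team IDs and hash values in the samples are made-up placeholders. The two wrapper functions at the end only work on a Mac, since they call codesign and spctl (spctl --assess is the command-line front end to Gatekeeper's own policy and is added here as a complement to the codesign check).

```shell
#!/bin/sh
# Added example: read the fields that matter out of `codesign -dvvv` output.
# Field names are the ones codesign prints; all sample values are constructed.

# Constructed sample: a Developer ID-signed app (not real output from any product).
SAMPLE_DEVID='Executable=/Applications/Foo.app/Contents/MacOS/Foo
Identifier=com.example.Foo
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=0000000000000000000000000000000000000000
Hash choices=sha256
CDHash=0000000000000000000000000000000000000000
Signature size=9000
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=1 Jan 2020 at 00:00:00
TeamIdentifier=ABCDE12345
Sealed Resources version=2 rules=13 files=42'

# Constructed sample: a Mac App Store app. Same layout, different leaf certificate.
SAMPLE_MAS='Executable=/Applications/Bar.app/Contents/MacOS/Bar
Identifier=com.example.Bar
Hash type=sha256 size=32
CDHash=1111111111111111111111111111111111111111
Authority=Apple Mac OS Application Signing
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
TeamIdentifier=FGHIJ67890'

# Value of the first "Key=value" line matching key $2 in codesign output $1.
field() {
    printf '%s\n' "$1" | sed -n "s/^$2=//p" | head -n 1
}

# Digest algorithm of the CodeDirectory, e.g. "sha256" from "Hash type=sha256 size=32".
hash_type() {
    field "$1" 'Hash type' | cut -d ' ' -f 1
}

# The leaf (signing) certificate is the first Authority= line.
leaf_authority() {
    field "$1" 'Authority'
}

# The trust anchor is the last Authority= line (normally "Apple Root CA").
root_authority() {
    printf '%s\n' "$1" | sed -n 's/^Authority=//p' | tail -n 1
}

# Classify the signer from the leaf certificate:
#   mas       - signed by Apple for Mac App Store distribution
#   developer - Developer ID, i.e. distributed outside the store
#   other     - anything else, including ad-hoc signatures or no Authority= lines
signer_kind() {
    case "$(leaf_authority "$1")" in
        'Apple Mac OS Application Signing') echo mas ;;
        'Developer ID Application:'*)      echo developer ;;
        *)                                 echo other ;;
    esac
}

# Succeeds only when the CodeDirectory uses sha256; anything else deserves a look.
hash_ok() {
    [ "$(hash_type "$1")" = sha256 ]
}

# Live wrapper (macOS only): codesign writes -d output to stderr, hence 2>&1.
summarize_app() {
    out=$(codesign -dvvv "$1" 2>&1) || return 1
    printf 'signer=%s leaf=%s root=%s hash=%s cdhash=%s\n' \
        "$(signer_kind "$out")" "$(leaf_authority "$out")" \
        "$(root_authority "$out")" "$(hash_type "$out")" "$(field "$out" CDHash)"
}

# Live wrapper (macOS only): ask Gatekeeper's own policy engine about the app.
gatekeeper_assess() {
    spctl --assess --type execute -vv "$1"
}
```

On a Mac, summarize_app /path/Foo.app prints a one-line summary and gatekeeper_assess /path/Foo.app reports accepted or rejected together with the policy source, which is a closer match to what Gatekeeper itself decides than codesign --verify alone.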
