Checking apps for a "GateKeeper" Developer ID?

Is there any way for a Mac user currently running Snow Leopard or Lion to check, maybe from the Terminal command-line, whether some application downloaded from the net was digitally signed with an Apple issued Developer ID?

If so, what might be the benefits for a Mac user to do such checking now?

Apple has been encouraging Mac developers to digitally sign their Mac applications with an Apple issued Developer ID, which Apple announced will be used by the Mac OS at some point in the future.


Solution 1:

If you have the developer tools installed, you can view the signing information for a binary using this command:

codesign -dvvv <path to app.app>

The output looks like this:

Executable=/Volumes/Big Disk/F376/Projects/<My App>
Identifier=<My Bundle ID>
Format=bundle with Mach-O thin (x86_64)
CodeDirectory v=20100 size=3958 flags=0x0(none) hashes=189+5 location=embedded
Hash type=sha1 size=20
CDHash=761b0d1XXXXXXXXXX0dc8dd42e38eb445fb5341f
Signature size=8504
Authority=Developer ID Application: XXXXXX
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=May 7, 2013 3:07:59 PM
Info.plist entries=30
Sealed Resources rules=4 files=128
Internal requirements count=1 size=224
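
The Authority= lines in that listing are what tell you whether the signer is a Developer ID. As an added example (not part of this answer), here is a small shell function that reads `codesign -dvvv` output and classifies the signing chain, plus a wrapper that runs it against a real bundle on a Mac; the sample listing embedded below is constructed to mirror the output above, and the Team ID and bundle name in it are made up.

```bash
#!/bin/sh
# Constructed sample of `codesign -dvvv` output for a Developer ID signed app
# (names and Team ID are placeholders, not from a real bundle).
SAMPLE_DEVID='Identifier=com.example.app
Format=bundle with Mach-O thin (x86_64)
Authority=Developer ID Application: Example Corp (TEAMID1234)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=May 7, 2013 3:07:59 PM'

# classify_signer reads codesign -dvvv output on stdin and prints one word:
#   developer-id  leaf is "Developer ID Application: ..." and the chain
#                 terminates at Apple Root CA (what Gatekeeper is looking for)
#   apple-signed  chain terminates at Apple Root CA but the leaf is some other
#                 Apple-issued certificate type
#   other-signed  Authority lines exist but the chain does not end at Apple Root CA
#                 (self-signed or some other CA; Gatekeeper will not trust it)
#   unsigned      no Authority lines at all (unsigned or ad hoc signature)
# The first Authority= line is the leaf certificate, the last is the root.
classify_signer() {
    auth=$(grep '^Authority=' | sed 's/^Authority=//')
    if [ -z "$auth" ]; then
        echo unsigned
        return 0
    fi
    leaf=$(printf '%s\n' "$auth" | head -n 1)
    root=$(printf '%s\n' "$auth" | tail -n 1)
    if [ "$root" != "Apple Root CA" ]; then
        echo other-signed
        return 0
    fi
    case "$leaf" in
        "Developer ID Application:"*) echo developer-id ;;
        *) echo apple-signed ;;
    esac
}

# check_app runs codesign on a real bundle. codesign -d writes its description
# (and the "not signed at all" error) to stderr, hence the redirect.
# Usage on a Mac: check_app /Applications/SomeApp.app
check_app() {
    codesign -dvvv "$1" 2>&1 | classify_signer
}
```

This only shows what the signature claims; it does not validate the chain against the trust roots on your Mac the way Gatekeeper (`spctl`) does, so treat it as a quick look rather than a verdict.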

Solution 2:

Without getting too far off topic, you can check whether any binary has been signed in preparation for Gatekeeper by using the otool or pagestuff command line tools that Xcode will install as part of the optional downloads.

If you don't want to install these, you can also use xcode-select and xcrun to run these tools from where they sit within the Xcode app that is downloaded into /Applications.

Here is an app that appears to be signed and ready to go for Gatekeeper - MarsEdit

mac:Applications me$ xcrun otool -l /Applications/MarsEdit.app/Contents/MacOS/MarsEdit |grep LC_CODE_SIGNATURE
      cmd LC_CODE_SIGNATURE
mac:Applications me$ xcrun pagestuff /Applications/MarsEdit.app/Contents/MacOS/MarsEdit -a | grep signature
File Page 241 contains data of code signature (x86_64)
File Page 242 contains data of code signature (x86_64)
File Page 243 contains data of code signature (x86_64)
File Page 423 contains data of code signature (i386)
File Page 424 contains data of code signature (i386)
File Page 425 contains data of code signature (i386)
File Page 426 contains data of code signature (i386)

Now, this doesn't even start to tell you if the key is valid when checked against your keychain. That requires the developer to use a key that Apple has signed and Apple to have sent to your mac the appropriate signing key to verify that the developer key is "trusted".

Since this is quite complicated, you could just turn on the checking (please save all critical work and PLEASE BACK UP YOUR MAC BEFORE DOING THIS) on 10.7.3:

  • sudo spctl --enable #if you don't know what sudo is you should skip this until you understand the wrong command could erase your system or your files. All of them, totally gone.

It looks like spctl is enhanced for 10.7.4 but I haven't explored it more than reading the man page for the tool. It clearly will be the way to check if a specific app is cleared or not as well as to perform lower level enabling / disabling of various rules and checks that will support the marketing term of Gatekeeper.

As for why you might check, it would only be for idle curiosity or some sort of bragging rights if you are not actually a developer that needs to test this and be sure your code runs on both OS versions (Mountain Lion and Lion).

For most people, knowing what Gatekeeper is would be good enough. For the curious - here is a nice reading list:

  • About Gatekeeper - from the desk of Steven Frank at Panic
  • Turning on Gatekeeper in Lion 10.7.3
  • Detailed Gatekeeper engineering documentation - an ideal sleep aid, perhaps?