How to Show & Verify Code Signatures for Apps in Mac OS X

Code signed applications allow security conscious users to verify the creator and hash of a particular app to help confirm it has not been corrupted or tampered with. This is rarely necessary for average Mac users, particularly those who obtain their software from the Mac App Store or other trusted sources since the apps are certified, but verifying the digital signature of an app can be extremely helpful for users who get apps from third party sources.

Verifying a code signature is particularly important for those getting software and installers from p2p and distributed sources, perhaps a torrent site or newsgroups, IRC, public ftp, or another network resource. For a practical example, let’s say a user can’t access the Mac App Store for whatever reason, but needs to download a Mac OS X installer application and thus relies on a third party source. Such a situation is when it would be important to know and verify that the installer has not been tampered with and is legitimately coming from Apple, and aside from checking sha1 hash directly, the easiest way to do that is to check the code signature and cryptographic hash of the app in question.

How to Check Code Signature for Apps on Mac

To get started, launch Terminal, found in /Applications/Utilities/. We’ll be using the aptly named ‘codesign’ command, complete with the -dv and –verbose=4 flags to show identifying information about any application, including it’s hash type, hash checksum, and signing authority.

The basic syntax is as follows:

codesign -dv --verbose=4 /Path/To/Application.app

For example, let’s check the signature on Terminal.app, located in /Applications/Utilities/

codesign -dv --verbose=4 /Applications/Utilities/Terminal.app
Executable=/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal
Identifier=com.apple.Terminal
Format=bundle with Mach-O thin (x86_64)
CodeDirectory v=20100 size=5227 flags=0x0(none) hashes=255+3 location=embedded
Platform identifier=1
Hash type=sha1 size=20
CDHash=0941049019f9fa3499333fb5b52b53735b498aed6cde6a23
Signature size=4105
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA
Info.plist entries=34
TeamIdentifier=not set
Sealed Resources version=2 rules=13 files=996
Internal requirements count=1 size=68

What you’re looking for are the hash type, hash, and authority entries. In this case the hash type is sha1 and the signed authority is Apple, which is what you’d expect.

Yes, you can also use the command line to just check sha1 or md5 hashes of application installers and downloads and compare them to a legitimate source, but that won’t reveal the code signing and certificate details.

Keep in mind that most code signed software that has been modified by an unauthorized party will be rejected by Gatekeeper in Mac OS X, unless Gatekeeper has been disabled or otherwise circumvented, but even with Gatekeeper left on it’s theoretically possible for an enterprising goon to find a way around it, and of course software that hasn’t been certified by a identified developer can always be launched around Gatekeeper anyway.

You can read more about code signing on Wikipedia and on the Apple Developer guide to code signing here.

Do you ever check if apps are signed? It can be a valid way to determine what some processes and apps are, and also can be helpful for troubleshooting. Give it a try the next time you’re wondering what something is and if it’s signed or not!