How to Show & Verify Code Signatures for Apps in Mac OS X
Code signed applications allow security conscious users to verify the creator and hash of a particular app to help confirm it has not been corrupted or tampered with. This is rarely necessary for average Mac users, particularly those who obtain their software from the Mac App Store or other trusted sources since the apps are certified, but verifying the digital signature of an app can be extremely helpful for users who get apps from third party sources.
Verifying a code signature is particularly important for those getting software and installers from p2p and distributed sources, perhaps a torrent site or newsgroups, IRC, public FTP, or another network resource. For a practical example, let’s say a user can’t access the Mac App Store for whatever reason, but needs to download an OS X installer application and thus relies on a third party source. Such a situation is when it would be important to know and verify that the installer has not been tampered with and is legitimately coming from Apple, and aside from checking the SHA1 hash directly, the easiest way to do that is to check the code signature and cryptographic hash of the app in question.
To get started, launch Terminal, found in /Applications/Utilities/. We’ll be using the aptly named ‘codesign’ command, complete with the -dv and --verbose=4 flags to show identifying information about any application, including its hash type, hash checksum, and signing authority.
The basic syntax is as follows:
codesign -dv --verbose=4 /Path/To/Application.app
For example, let’s check the signature on Terminal.app, located in /Applications/Utilities/:
codesign -dv --verbose=4 /Applications/Utilities/Terminal.app
Format=bundle with Mach-O thin (x86_64)
CodeDirectory v=20100 size=5227 flags=0x0(none) hashes=255+3 location=embedded
Hash type=sha1 size=20
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA
Sealed Resources version=2 rules=13 files=996
Internal requirements count=1 size=68
What you’re looking for are the hash type, hash, and authority entries. In this case the hash type is sha1 and the signing authority is Apple, which is what you’d expect.
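The shell script below is an added example and is not code from the original post. It takes the kind of report shown above (which codesign writes to stderr, hence the 2>&1) and checks the two things the post says to look for: that a hash type is present at all, and that the Authority chain ends at Apple Root CA. The three sample reports are constructed from the Terminal.app output above plus an unsigned and a non-Apple case, so the checks run without a Mac; the check_app wrapper, and its use of codesign --verify --deep --strict to confirm the seal still matches the bundle contents (-dv alone only displays the signature, it does not verify it), assume a current macOS codesign. The Apple Root CA expectation is the post’s example; for a third party app you would compare the Authority lines against that developer’s identity instead.

```shell
#!/bin/sh
# Added example, not from the original post: parse the report printed by
# `codesign -dv --verbose=4` and decide whether it shows what we expect.
# codesign writes that report to stderr, hence the `2>&1` in check_app.

# Constructed sample: the Terminal.app report shown in the post, embedded so
# this script runs without a Mac.
SAMPLE_OUTPUT='Format=bundle with Mach-O thin (x86_64)
CodeDirectory v=20100 size=5227 flags=0x0(none) hashes=255+3 location=embedded
Hash type=sha1 size=20
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA
Sealed Resources version=2 rules=13 files=996
Internal requirements count=1 size=68'

# Constructed sample of what codesign prints for an unsigned bundle.
UNSIGNED_OUTPUT='/Applications/Example.app: code object is not signed at all'

# Constructed sample of a bundle signed under an unexpected certificate chain.
TAMPERED_OUTPUT='Format=bundle with Mach-O thin (x86_64)
Hash type=sha256 size=32
Authority=Someone Else
Authority=Some Other Root CA'

# Print the value of the first "Key=value" line in the report on stdin.
field() {
    sed -n "s/^$1=//p" | head -n 1
}

# Print the last Authority= entry (the root of the chain), or nothing.
root_authority() {
    grep '^Authority=' | tail -n 1 | sed 's/^Authority=//'
}

# check_report REPORT: return 0 (and print a summary) when the report names a
# hash type and the chain is anchored at Apple Root CA; return 1 otherwise.
check_report() {
    report="$1"
    hash_type=$(printf '%s\n' "$report" | field 'Hash type' | cut -d' ' -f1)
    root=$(printf '%s\n' "$report" | root_authority)
    if [ -z "$hash_type" ]; then
        echo "FAIL: no code signature found" >&2
        return 1
    fi
    if [ "$root" != "Apple Root CA" ]; then
        echo "FAIL: chain ends at '$root', not Apple Root CA" >&2
        return 1
    fi
    echo "OK: hash=$hash_type root=$root"
}

# check_app /Path/To/App.app: macOS only (assumes a current codesign). First ask
# codesign to verify that the seal still matches the bundle contents, since
# -dv alone only displays the signature, then inspect the displayed chain.
check_app() {
    codesign --verify --deep --strict "$1" 2>&1 || return 1
    report=$(codesign -dv --verbose=4 "$1" 2>&1) || return 1
    check_report "$report"
}

# Run stand-alone against the embedded samples.
check_report "$SAMPLE_OUTPUT"
check_report "$UNSIGNED_OUTPUT" || true
check_report "$TAMPERED_OUTPUT" || true
```

On a Mac, `check_app /Applications/Utilities/Terminal.app` runs the verification and the chain check in one go; the script prints OK only when both pass, so it can sit in a download-checking workflow as a single exit-status test.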
Yes, you can also use the command line to just check sha1 or md5 hashes of application installers and downloads and compare them to a legitimate source, but that won’t reveal the code signing and certificate details.
Keep in mind that most code signed software that has been modified by an unauthorized party will be rejected by Gatekeeper in OS X, unless Gatekeeper has been disabled or otherwise circumvented, but even with Gatekeeper left on it’s theoretically possible for an enterprising goon to find a way around it, and of course software that hasn’t been certified by an identified developer can always be launched around Gatekeeper anyway.