Archive

Archive for January 20, 2023

Verifying installer package signing and notarization using pkgutil

January 20, 2023 Leave a comment

Recently I needed a way to verify whether an installer package was signed and notarized. I’ve been using Apple’s stapler tool as my usual go-to for verifying notarization. However, the stapler tool needs for Xcode to to be installed and I needed a solution that worked regardless of Xcode or the Xcode Command Line Tools being installed on the Mac in question.

After some digging, I found that pkgutil‘s check-signature function on macOS Monterey and later works great for this and doesn’t have any dependencies on Xcode or the Xcode Command Line Tools. The pkgutil tool is installed as part of macOS and the check-signature function displays the following on Monterey and later:

If a package is not signed:

Screenshot 2023 01 20 at 10 25 38 AM

If a package is signed with a certificate:

Screenshot 2023 01 20 at 10 24 52 AM

If a package is signed with a certificate and trusted by Apple’s notarization service:

Screenshot 2023 01 20 at 10 23 29 AM

To use the check-signature function, you should be able to use the command shown below (substituting /path/to/installer.pkg with the actual directory path of the installer package you want to check.):


/usr/sbin/pkgutil –check-signature /path/to/installer.pkg

view raw

gistfile1.txt

hosted with ❤ by GitHub

%d bloggers like this: