How to check timestamp of code signature?

Hi,


how can I check if a code signature contains a signed timestamp?


$ codesign -s "Developer ID..." --options runtime -f --timestamp MyApp.app
MyApp.app: replacing existing signature
$ codesign --display -v MyApp.app 2>&1 | grep 2020
Timestamp=30. Apr 2020 at 14:25:45


Is this a secure timestamp? Or just a timestamp without signature?

In my understanding --timestamp=none should disable secure timestamping:


$ codesign -s "Developer ID..." --options runtime -f --timestamp=none MyApp.app
MyApp.app: replacing existing signature
$ codesign --display -v MyApp.app 2>&1 | grep 2020
Signed Time=30. Apr 2020 at 14:24:24


Why do I get a "Signed Time" here??

Accepted Reply

Timestamp indicates a secure timestamp from the Apple timestamp service. In contrast, Signed Time is an insecure timestamp, that is, it’s whatever value was returned by the clock on the Mac that did the signing.

For more details, see the doc comments for kSecCodeInfoTimestamp and kSecCodeInfoTime in <Security/SecCode.h>.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
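
The distinction described in the accepted reply can be checked without parsing `codesign` output. This is an added example, not part of the reply above or Apple's own code: it reads both keys through the SecCode API, and the names `SigningTime`, `signingTime(ofCodeAt:)` and `osError` are made up for illustration.

```swift
import Foundation
import Security

/// Which kind of signing time a code signature carries.
enum SigningTime {
    case secure(Date)    // kSecCodeInfoTimestamp: certified by a timestamp authority
    case insecure(Date)  // kSecCodeInfoTime: whatever the signing Mac's clock said
    case absent          // no signing time recorded in the signature
}

func osError(_ status: OSStatus) -> NSError {
    return NSError(domain: NSOSStatusErrorDomain, code: Int(status))
}

func signingTime(ofCodeAt url: URL) throws -> SigningTime {
    var staticCode: SecStaticCode?
    var status = SecStaticCodeCreateWithPath(url as CFURL, [], &staticCode)
    guard status == errSecSuccess, let code = staticCode else { throw osError(status) }

    // A time read from a broken signature proves nothing, so validate first.
    status = SecStaticCodeCheckValidity(code, [], nil)
    guard status == errSecSuccess else { throw osError(status) }

    var cfInfo: CFDictionary?
    status = SecCodeCopySigningInformation(
        code, SecCSFlags(rawValue: kSecCSSigningInformation), &cfInfo)
    guard status == errSecSuccess else { throw osError(status) }
    let info = (cfInfo as? [String: Any]) ?? [:]

    // Prefer the secure timestamp; fall back to the signer-claimed time.
    if let date = info[kSecCodeInfoTimestamp as String] as? Date { return .secure(date) }
    if let date = info[kSecCodeInfoTime as String] as? Date { return .insecure(date) }
    return .absent
}

// Usage: swift SigningTime.swift /path/to/MyApp.app
guard CommandLine.arguments.count == 2 else {
    print("usage: SigningTime <path to signed code>")
    exit(64)
}
do {
    let iso = ISO8601DateFormatter()  // fixed format, independent of the user's locale
    switch try signingTime(ofCodeAt: URL(fileURLWithPath: CommandLine.arguments[1])) {
    case .secure(let date):   print("secure timestamp: \(iso.string(from: date))")
    case .insecure(let date): print("insecure signed time: \(iso.string(from: date))")
    case .absent:             print("no signing time in signature")
    }
} catch {
    print("error: \(error)")
    exit(1)
}
```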

Replies

we've successfully created native code to parse the Timestamp from the binary. this is a few orders of magnitude faster than calling codesign (which also insists on returning localized date formats which is just *insanity* for parsing programmatically). the Timestamp is just yyyyMMddHHmmssZ0 somewhere at the end of the binary.


now we'd like to parse the 'Signed Time' (kSecCodeInfoTime) directly too (especially because this is often not even returned by 'codesign' unless you point it at some embedded framework on pre-Catalina systems!), but we didn't make headway there. it certainly doesn't seem to be stored in 'yyyyMMddHHmmss' format in the main executable.


mighty and wise eskimo, do you have any technical information here?

> we've successfully created native code to parse the Timestamp from the binary.

Using the SecCode API? Or grovelling through the binary itself?

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"