Check if App is notarized from app audit token or SecCode/SecStaticCode

First up, I recommend that you familiarise yourself with the code signing requirements language, as documented in the Code Signing Requirement Language. When we add notarisation to the system we extended that language to include a notarized constraint. Thus, you can check whether something is notarised by checking a requirement with that constraint.

You can prototype this from the command line by running codesign and passing it an explicit requirement. For example:

Code Block  
% codesign -v -v -R="notarized" /Applications/BBEdit.app
/Applications/BBEdit.app: valid on disk
/Applications/BBEdit.app: satisfies its Designated Requirement
/Applications/BBEdit.app: explicit requirement satisfied
% codesign -v -v -R="notarized" /Applications/DailyActivityApp.app 
/Applications/DailyActivityApp.app: valid on disk
/Applications/DailyActivityApp.app: satisfies its Designated Requirement
test-requirement: code failed to satisfy specified code requirement(s)

This shows that BBEdit is notarised but DailyActivityApp, a test app that I created myself, is not.

In a real product you wouldn’t run codesign but instead check the requirement using the SecCode API. Remember that SecCode lets your run its checks against a process.

As to whether this will meet your real time goal, I’ve no idea. Checking code signatures is generally quite expensive.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"