Check if App is notarized from app audit token or SecCode/SecStaticCode

Hi guys,

Is there a way of checking if an app is notarized from the app's audit token or SecCode/SecStaticCode? In a firewall app I need to check if an app is notarized.

I'm able to detect if an app comes from Apple or another developer, and the source of the app - macOS System, App Store, Developer - but I need to quickly check if an app that comes from a Developer is notarized. It shouldn't take more than a few milliseconds, ideally less than 1 ms.
From the terminal I tried spctl to see if an app is notarized, but that takes 5 - 7 seconds to get the result.
Is there any interface in SystemSecurity or another framework to get this info?

Thanks.
First up, I recommend that you familiarise yourself with the code signing requirements language, as documented in Code Signing Requirement Language. When we added notarisation to the system, we extended that language to include a notarized constraint. Thus, you can check whether something is notarised by checking a requirement with that constraint.

You can prototype this from the command line by running codesign and passing it an explicit requirement. For example:

```
% codesign -v -v -R="notarized" /Applications/BBEdit.app
/Applications/BBEdit.app: valid on disk
/Applications/BBEdit.app: satisfies its Designated Requirement
/Applications/BBEdit.app: explicit requirement satisfied
% codesign -v -v -R="notarized" /Applications/DailyActivityApp.app
/Applications/DailyActivityApp.app: valid on disk
/Applications/DailyActivityApp.app: satisfies its Designated Requirement
test-requirement: code failed to satisfy specified code requirement(s)
```

This shows that BBEdit is notarised but DailyActivityApp, a test app that I created myself, is not.

In a real product you wouldn't run codesign but instead check the requirement using the SecCode API. Remember that SecCode lets you run its checks against a process.

As to whether this will meet your real time goal, I’ve no idea. Checking code signatures is generally quite expensive.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
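The SecCode check described in the answer above, written out as an added Swift example (this is not Quinn's code and not part of the original thread). It assumes the Security framework, that the caller already has the peer process's audit token as Data (a network filter gets one per flow), and the function names `isNotarized(auditToken:)` and `isNotarized(bundleAt:)` are mine. The compiled requirement is cached because SecRequirementCreateWithString is the part worth paying for only once; the per-process check is what the answer warns may still be too slow for a sub-millisecond budget, so measure it.

```swift
import Foundation
import Security

// Compile the requirement once and reuse it; the string is exactly what was
// passed to `codesign -R="notarized"` in the transcript above.
let notarizedRequirement: SecRequirement = {
    var req: SecRequirement?
    let status = SecRequirementCreateWithString("notarized" as CFString, [], &req)
    precondition(status == errSecSuccess, "cannot compile requirement: \(status)")
    return req!
}()

/// Result of checking a running process (dynamic code) against the requirement.
enum NotarizationCheck {
    case notarized          // signature valid and `notarized` constraint satisfied
    case validButNotNotarized
    case invalidOrUnknown(OSStatus)
}

/// Check the process identified by `auditToken` (the raw bytes of an audit_token_t,
/// e.g. as handed to a firewall by the system for each flow) against `notarized`.
func isNotarized(auditToken: Data) -> NotarizationCheck {
    // kSecGuestAttributeAudit expects a CFData holding an audit_token_t.
    let attributes: [CFString: Any] = [kSecGuestAttributeAudit: auditToken as CFData]
    var code: SecCode?
    let lookup = SecCodeCopyGuestWithAttributes(nil, attributes as CFDictionary, [], &code)
    guard lookup == errSecSuccess, let code = code else {
        return .invalidOrUnknown(lookup)
    }
    // SecCodeCheckValidity validates the live signature AND the requirement in one call.
    let status = SecCodeCheckValidity(code, [], notarizedRequirement)
    switch status {
    case errSecSuccess:      return .notarized
    case errSecCSReqFailed:  return .validButNotNotarized   // "failed to satisfy ... requirement"
    default:                 return .invalidOrUnknown(status)
    }
}

/// Static (on-disk) variant, useful for prototyping against bundles such as
/// /Applications/BBEdit.app without a running process.
func isNotarized(bundleAt url: URL) -> NotarizationCheck {
    var staticCode: SecStaticCode?
    let create = SecStaticCodeCreateWithPath(url as CFURL, [], &staticCode)
    guard create == errSecSuccess, let staticCode = staticCode else {
        return .invalidOrUnknown(create)
    }
    let status = SecStaticCodeCheckValidity(staticCode, [], notarizedRequirement)
    switch status {
    case errSecSuccess:      return .notarized
    case errSecCSReqFailed:  return .validButNotNotarized
    default:                 return .invalidOrUnknown(status)
    }
}

// Usage: time the static check against an installed app while prototyping.
let start = Date()
let result = isNotarized(bundleAt: URL(fileURLWithPath: "/Applications/BBEdit.app"))
print(result, "in", Date().timeIntervalSince(start) * 1000, "ms")
```

Distinguishing errSecCSReqFailed from other failures matters for a firewall: the former is a validly signed app that simply is not notarised, whereas any other status means the signature itself could not be trusted, and a policy that treats "unknown" the same as "not notarised" is the safer default. If the full policy is "Apple-signed or notarised", fold it into the one requirement string (for example `anchor apple or notarized`) rather than issuing two checks per flow.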