Check App Code Signature on macOS
Learn how to verify application code signatures on Mac devices with codesign(1): first to confirm that a bundle has not been modified since it was signed, and second to see who signed it. Both questions matter for security auditing and compliance in enterprise environments, because a signature that verifies cleanly says nothing about the signer until you look at the certificate chain.
Basic Code Signature Check
Display detailed code signature information for an application:
#!/bin/bash
# Basic code signature verification
APP_PATH="/Applications/Safari.app"
echo "Checking code signature for: $APP_PATH"
codesign -dv --verbose=4 "$APP_PATH"
Quick Validity Check
Verify that a bundle still matches its signature. codesign exits 0 when the code is valid on disk and satisfies its designated requirement; any other status means the seal, the signature or a sealed resource failed verification. Note that this confirms integrity, not identity: an attacker who modifies an app and re-signs it ad hoc produces a bundle that passes this test too, so always pair it with a look at the Authority lines (see the enterprise audit script below).
#!/bin/bash
# Quick validity check: exit status 0 means the signature verifies.
# Apple's bundled apps live under /System/Applications since macOS 10.15.
APP_PATH="/System/Applications/Calendar.app"
echo "Validating: $APP_PATH"
if codesign -v --verbose "$APP_PATH"; then
    echo "✓ Application is valid and properly signed"
else
    echo "✗ Application signature is invalid or tampered"
fi
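The validity check above tells you the bundle is intact; it does not tell you who signed it. The following script is an added example (it is not part of the original page) that closes that gap: it tests the signature against an explicit requirement with codesign's -R option, translates the exit status, and finishes with a Gatekeeper assessment. The Team ID ABCDE12345 and the path /Applications/Example.app are placeholders for a real vendor and bundle.

```shell
#!/bin/bash
# Added example (not from the original page): check the signer, not just the seal.
# A bundle that has been modified and re-signed ad hoc still passes `codesign -v`;
# testing an explicit requirement with -R is what ties the signature to an identity.
# Assumptions: the vendor Team ID (ABCDE12345) and /Applications/Example.app are placeholders.

# Designated-requirement text for a Developer ID-signed app from a given team.
# The two OIDs are Apple's Developer ID intermediate and leaf certificate markers.
developer_id_requirement() {
    local team_id="$1"
    printf 'anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and certificate leaf[field.1.2.840.113635.100.6.1.13] exists and certificate leaf[subject.OU] = "%s"' "$team_id"
}

# Translate codesign's exit status (see EXIT STATUS in codesign(1)).
describe_codesign_status() {
    case "$1" in
        0) echo "VALID" ;;
        1) echo "INVALID: seal or signature failed verification" ;;
        2) echo "ERROR: invalid arguments or requirement syntax" ;;
        3) echo "UNTRUSTED: signed, but does not satisfy the expected requirement" ;;
        *) echo "UNKNOWN: codesign exit status $1" ;;
    esac
}

# Integrity + identity: deep, strict verification against an explicit requirement,
# then a Gatekeeper assessment (notarization and revocation are policy questions
# that codesign alone does not answer).
verify_app() {
    local app_path="$1" requirement="$2" status
    codesign --verify --deep --strict --verbose=2 -R="$requirement" "$app_path" 2>&1
    status=$?
    echo "codesign: $(describe_codesign_status "$status")"
    spctl --assess --type execute -vv "$app_path" 2>&1
    return "$status"
}

# Usage (macOS only). Apple-shipped apps chain to Apple's own root:
#   verify_app /Applications/Safari.app 'anchor apple'
# Third-party apps should match the vendor's Developer ID and Team ID:
#   verify_app /Applications/Example.app "$(developer_id_requirement ABCDE12345)"
```

Exit status 3 is the interesting one for an audit: the signature is cryptographically fine, but the certificate behind it is not the one you expected, which is exactly what a re-signed or look-alike bundle produces.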
Enhanced Code Signature Analyzer
Script with comprehensive signature analysis and error handling:
#!/bin/bash
# Function to check code signature
check_code_signature() {
    local app_path="$1"
    if [[ ! -d "$app_path" ]]; then
        echo "Error: Application not found at $app_path"
        return 1
    fi
    echo "=== Code Signature Analysis ==="
    echo "Application: $app_path"
    echo "Date: $(date)"
    echo "================================"
    # Detailed signature information (codesign writes it to stderr, hence 2>&1).
    # Verbosity 2 or higher is needed to see the Authority (certificate chain) lines.
    echo "📋 Detailed Signature Info:"
    codesign -d --verbose=4 "$app_path" 2>&1
    echo ""
    echo "🔍 Validation Check:"
    # --deep also verifies nested code (frameworks, helpers, XPC services);
    # --strict additionally rejects unsealed files placed in the bundle root,
    # which the default check ignores.
    if codesign -v --deep --strict --verbose "$app_path" 2>&1; then
        echo "✅ Status: VALID - Application is properly signed"
        return 0
    else
        echo "❌ Status: INVALID - Application signature compromised"
        return 1
    fi
}
# Example usage: pass a bundle path as the first argument, or default to Safari
APP_PATH="${1:-/Applications/Safari.app}"
check_code_signature "$APP_PATH"
Multiple Apps Security Scanner
Scan multiple applications for signature integrity:
#!/bin/bash
# Applications to scan. Since macOS 10.15 Apple's bundled apps live on the
# read-only system volume under /System/Applications; Safari stays in /Applications.
APPS_TO_SCAN=(
    "/Applications/Safari.app"
    "/System/Applications/Calendar.app"
    "/System/Applications/Mail.app"
    "/System/Applications/Calculator.app"
    "/System/Applications/TextEdit.app"
)
# Function to scan single app
scan_app() {
    local app_path="$1"
    local app_name
    app_name=$(basename "$app_path" .app)
    echo -n "Scanning $app_name... "
    if [[ ! -d "$app_path" ]]; then
        echo "❓ NOT FOUND"
        return 1
    fi
    if codesign -v "$app_path" 2>/dev/null; then
        echo "✅ VALID"
        return 0
    else
        echo "❌ INVALID"
        # Show details for invalid signatures (codesign reports them on stderr)
        echo " Details:"
        codesign -v --verbose "$app_path" 2>&1 | sed 's/^/ /'
        return 1
    fi
}
# Security scan report
echo "=== MacFleet Security Scan Report ==="
echo "Generated: $(date)"
echo "Device: $(hostname)"
echo "======================================"
valid_count=0
invalid_count=0
missing_count=0
for app_path in "${APPS_TO_SCAN[@]}"; do
    if scan_app "$app_path"; then
        ((valid_count++))
    elif [[ ! -d "$app_path" ]]; then
        ((missing_count++))
    else
        ((invalid_count++))
    fi
done
echo "======================================"
echo "📊 Summary:"
echo " Valid signatures: $valid_count"
echo " Invalid signatures: $invalid_count"
echo " Missing applications: $missing_count"
if [[ $invalid_count -gt 0 ]]; then
    echo ""
    echo "⚠️ WARNING: $invalid_count application(s) have invalid signatures"
    echo " Recommend investigating potentially tampered applications"
fi
Enterprise Code Signature Audit
Comprehensive audit script for enterprise environments:
#!/bin/bash
# Function to get signature details.
# codesign -d only prints the certificate chain (Authority=...), hash type and
# timestamp at verbosity 2 or higher, so -dvv is the minimum; with plain -dv the
# greps below always come up empty. Run codesign once and parse the captured output.
get_signature_details() {
    local app_path="$1"
    local info authority team_id hash_type timestamp
    info="$(codesign -dvv "$app_path" 2>&1)"
    # The first Authority line is the leaf (signing) certificate, the last is the root
    authority=$(printf '%s\n' "$info" | grep '^Authority=' | head -1 | cut -d'=' -f2-)
    team_id=$(printf '%s\n' "$info" | grep '^TeamIdentifier=' | cut -d'=' -f2-)
    # The line reads "Hash type=sha256 size=32"; keep only the algorithm name
    hash_type=$(printf '%s\n' "$info" | grep '^Hash type=' | cut -d'=' -f2- | cut -d' ' -f1)
    timestamp=$(printf '%s\n' "$info" | grep '^Timestamp=' | cut -d'=' -f2-)
    echo "Authority: ${authority:-Unknown}"
    echo "Team ID: ${team_id:-Unknown}"
    echo "Hash Type: ${hash_type:-Unknown}"
    echo "Timestamp: ${timestamp:-None}"
}
# Function for enterprise audit
enterprise_audit() {
    local app_path="$1"
    local app_name
    app_name=$(basename "$app_path" .app)
    echo "🔐 Auditing: $app_name"
    echo "Path: $app_path"
    if [[ ! -d "$app_path" ]]; then
        echo "Status: ❓ APPLICATION NOT FOUND"
        return 1
    fi
    # Perform validation
    if codesign -v "$app_path" 2>/dev/null; then
        echo "Status: ✅ VALID SIGNATURE"
        get_signature_details "$app_path"
    else
        echo "Status: ❌ INVALID SIGNATURE"
        echo "Security Risk: HIGH"
        # Show detailed error
        echo "Error Details:"
        codesign -v --verbose "$app_path" 2>&1 | sed 's/^/ /'
        # List sealed-resource violations: files added to, removed from or changed in the bundle
        echo "Checking for unauthorized modifications..."
        codesign -v --verbose "$app_path" 2>&1 | grep -E '^file (added|missing|modified):' | sed 's/^/ 🚨 /'
    fi
    echo "─────────────────────────────────────"
}
# Enterprise audit execution
echo "🏢 MacFleet Enterprise Security Audit"
echo "====================================="
# Audit critical system applications.
# Finder lives in /System/Library/CoreServices; other bundled apps in /System/Applications.
CRITICAL_APPS=(
    "/Applications/Safari.app"
    "/System/Library/CoreServices/Finder.app"
    "/System/Applications/Calendar.app"
    "/System/Applications/Mail.app"
)
for app in "${CRITICAL_APPS[@]}"; do
    enterprise_audit "$app"
done
echo "Audit completed: $(date)"
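For fleet-wide reporting it helps to turn each app's codesign -dvv output into one line that a console can sort and diff, and to classify the signer rather than just print the first Authority line. The script below is an added example, not part of the original page or of MacFleet's tooling. Its parsing is plain shell and awk so it can be exercised anywhere; only collect_record needs a Mac. The three sample outputs embedded at the bottom are constructed (and abridged) for the demonstration, not captured from a real machine, and com.example.app, Example Corp and Team ID ABCDE12345 are placeholders.

```shell
#!/bin/bash
# Added example (not from the original page): parse `codesign -dvv` output into
# one audit record per app and classify the signer. Parsing is plain shell/awk so
# it can be exercised offline; only collect_record() needs a Mac.

# Print the value of the first "Key=value" line whose key is $1 (stdin = codesign -dvv output).
cs_field() {
    awk -v key="$1" 'index($0, key "=") == 1 { print substr($0, length(key) + 2); exit }'
}

# Classify the signer from the leaf Authority line (codesign prints the leaf
# certificate first and the root last) and from the Signature field.
classify_signer() {
    local info leaf
    info="$(cat)"
    if printf '%s\n' "$info" | grep -q '^Signature=adhoc$'; then
        # No certificate chain at all: anyone can re-sign a tampered bundle this way,
        # and it still passes `codesign -v`.
        echo "adhoc"
        return
    fi
    leaf="$(printf '%s\n' "$info" | cs_field Authority)"
    case "$leaf" in
        "Software Signing")                 echo "apple-system" ;;
        "Apple Mac OS Application Signing") echo "mac-app-store" ;;
        "Developer ID Application: "*)      echo "developer-id" ;;
        "")                                 echo "unsigned" ;;
        *)                                  echo "other" ;;
    esac
}

# Emit one record: path|identifier|team|signer class|leaf authority|hardened runtime
build_record() {
    local app_path="$1" info id team leaf signer runtime
    info="$(cat)"
    id="$(printf '%s\n' "$info" | cs_field Identifier)"
    team="$(printf '%s\n' "$info" | cs_field TeamIdentifier)"
    leaf="$(printf '%s\n' "$info" | cs_field Authority)"
    signer="$(printf '%s\n' "$info" | classify_signer)"
    # Hardened runtime shows up in the CodeDirectory flags, e.g. flags=0x10000(runtime)
    if printf '%s\n' "$info" | grep -q 'flags=0x[0-9a-fA-F]*([^)]*runtime'; then
        runtime=yes
    else
        runtime=no
    fi
    printf '%s|%s|%s|%s|%s|%s\n' "$app_path" "${id:-?}" "${team:-none}" "$signer" "${leaf:-none}" "$runtime"
}

# macOS only: collect the record for a real bundle.
collect_record() {
    codesign -dvv "$1" 2>&1 | build_record "$1"
}

# Constructed sample outputs (abridged, not captured from a real machine).
SAMPLE_APPLE='Executable=/Applications/Safari.app/Contents/MacOS/Safari
Identifier=com.apple.Safari
CodeDirectory v=20400 size=2338 flags=0x0(none) hashes=63+7 location=embedded
Hash type=sha256 size=32
Signature size=4442
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA
TeamIdentifier=not set'

SAMPLE_DEVID='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
CodeDirectory v=20500 size=1024 flags=0x10000(runtime) hashes=24+7 location=embedded
Hash type=sha256 size=32
Signature size=8980
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Jan 1, 2024 at 12:00:00 PM
TeamIdentifier=ABCDE12345'

SAMPLE_ADHOC='Executable=/Applications/Tampered.app/Contents/MacOS/Tampered
Identifier=com.example.tampered
CodeDirectory v=20400 size=512 flags=0x2(adhoc) hashes=8+7 location=embedded
Hash type=sha256 size=32
Signature=adhoc
TeamIdentifier=not set'

# Offline demonstration on the constructed samples
printf '%s\n' "$SAMPLE_APPLE" | build_record /Applications/Safari.app
printf '%s\n' "$SAMPLE_DEVID" | build_record /Applications/Example.app
printf '%s\n' "$SAMPLE_ADHOC" | build_record /Applications/Tampered.app
```

On a real device, loop collect_record over your application list and ship the records to the console; an "adhoc" or "unsigned" class on an app that should carry an Apple or Developer ID signature is the finding to escalate, even when codesign -v reports the bundle as valid.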
Usage with MacFleet
- Specify the application path in the script
- Choose between detailed analysis or quick validation
- Deploy through MacFleet's remote script execution
- Review results in action history for security compliance
Common Application Paths
Application | Path
---|---
Safari | /Applications/Safari.app
Finder | /System/Library/CoreServices/Finder.app
Calendar | /System/Applications/Calendar.app
Mail | /System/Applications/Mail.app
Calculator | /System/Applications/Calculator.app
Since macOS 10.15 Apple's bundled apps live on the read-only system volume under /System/Applications (earlier releases kept them in /Applications); Safari remains in /Applications and Finder in /System/Library/CoreServices.
Interpreting Results
Valid Signature: the bundle's contents match the signature's seal and the code satisfies its designated requirement. This proves the app has not been modified since it was signed; it does not by itself prove who signed it, so check the Authority lines from codesign -dvv as well.
/Applications/Safari.app: valid on disk
/Applications/Safari.app: satisfies its Designated Requirement
Invalid Signature: the bundle has been modified after signing, or its signature is damaged. codesign names the first offending sealed resource: "file added" is the typical sign of a foreign file dropped into the bundle, while "file modified" and "file missing" indicate changed or removed sealed files.
/Applications/Safari.app: a sealed resource is missing or invalid
file added: /Applications/Safari.app/Contents/maliciousfile.sh
Security Considerations
- Regular audits: Schedule periodic signature checks for critical applications
- Check the signer, not just validity: Apple's own apps chain from a "Software Signing" leaf to "Apple Root CA"; third-party apps should show a "Developer ID Application" certificate with the expected Team ID. An ad-hoc signature (Signature=adhoc, no Authority lines) on an app that should carry a vendor signature passes codesign -v but is a red flag
- Investigate anomalies: Any invalid signatures require immediate investigation
- Quarantine suspicious apps: Isolate applications with compromised signatures
- Document findings: Maintain audit trails for compliance purposes
Troubleshooting
Permission denied: Ensure the script runs with the file system access it needs (run it as an administrator or through MacFleet's remote execution)
Application not found: Verify the correct application path; Apple's bundled apps moved to /System/Applications in macOS 10.15
Command not found: codesign ships with every macOS installation at /usr/bin/codesign and does not require Xcode; if it is missing, treat the system itself as suspect
Note: Invalid signatures indicate potential security risks. Investigate and remediate any applications with compromised signatures immediately.