How do I verify that a macOS installer pkg file has been notarized? Is there a command-line tool to do this?
2 Answers
Unfortunately, there's more than one right answer.
The notarization process works by uploading a package, app, or binary to Apple. Apple will then verify it. If the underlying format supports it, you may download that "ticket" and "staple" it. Notable here is that you do not need to staple the ticket for it to be notarized. Gatekeeper will look it up with Apple at runtime.
You can check whether there's a ticket stapled by using the staple command. But you can use spctl to get a broader answer about whether or not Gatekeeper will accept it.
There is an additional wrinkle -- Apple Developer accounts that predate 2019-August are exempt from the notarization requirements. (At least on Mojave.) This can make trying to tell what's going on very confusing.
Some examples on an unsigned, signed, and notarized binary. No staples here.
Using an Apple developer account that is several years old. Notarization is not required for a Gatekeeper check:
$ spctl -a -vvv -t install go-hello-unsigned
go-hello-unsigned: rejected
source=no usable signature
$ spctl -a -vvv -t install go-hello-signed-oldapple
go-hello-signed-oldapple: accepted
source=Developer ID
origin=Developer ID Application: Example Inc (oldapple)
$ spctl -a -vvv -t install go-hello-notarized-oldapple
go-hello-notarized-oldapple: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Inc (oldapple)
Using a newer Apple developer account. Subject to the notarization requirements:
$ spctl -a -vvv -t install go-hello-unsigned
go-hello-unsigned: rejected
source=no usable signature
$ spctl -a -vvv -t install go-hello-signed-newapple
go-hello-signed-newapple: rejected
source=Unnotarized Developer ID
origin=Developer ID Application: Kolide, Inc (newapple)
$ spctl -a -vvv -t install go-hello-notarized-newapple
go-hello-notarized-newapple: accepted
source=Notarized Developer ID
origin=Developer ID Application: Kolide, Inc (newapple)
Update
Now that Catalina has been released, this has changed slightly. The age of the signing key affects Mojave. Catalina now requires everything be notarized.
- Is this true for pkg files as well? – craig65535 Sep 13 '19 at 19:16
- It's documented that way, but I haven't tested it directly. – seph Sep 13 '19 at 19:37
- Yes, it is valid for pkg files as well, I have tested it right now with Notarized vs. Unnotarized .pkg installers and got the expected result for both – yfede Sep 23 '19 at 14:22
stapler validate will do this -
$ stapler validate myfile.pkg
Processing: myfile.pkg
The validate action worked!
If "The validate action worked!" is printed, the specified pkg file is notarized. If "does not have a ticket stapled to it." is printed, the specified pkg file is either not notarized, or the notarization was never followed up with the stapling step.
- it tells you if the notarization ticket is stapled to the package. Which is somewhat different. – seph Sep 13 '19 at 19:38
- True, but notarization is a requirement of stapling, so it's a good litmus test to rely on, even if it's not the exact answer the OP was looking for. Without stapling, a computer without an internet connection may show the package as untrusted. – tresf Jan 13 '20 at 18:21
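Since the two answers check different things (spctl reports Gatekeeper's verdict, stapler only reports whether a ticket is stapled), the added script below runs both on a pkg and reports them side by side; it is example code written for this page, not taken from either answer. It assumes macOS with Xcode's command-line tools so that `xcrun stapler` is available, parses the output shapes shown in the transcripts above, and falls back to constructed sample output when spctl is absent.

```shell
#!/bin/sh
# Added example: report Gatekeeper's assessment (spctl) and the stapled-ticket
# state (stapler validate) for one pkg. Not taken from the answers above.

# Map the "source=" line of `spctl -a -vvv -t install` output to a verdict.
classify_spctl() {
  case "$1" in
    *'source=Notarized Developer ID'*)   echo notarized ;;
    *'source=Unnotarized Developer ID'*) echo signed-not-notarized ;;
    *'source=Developer ID'*)             echo signed-legacy ;;  # older account, Mojave
    *'source=no usable signature'*)      echo unsigned ;;
    *)                                   echo unknown ;;
  esac
}

# Map `xcrun stapler validate` output to whether a ticket is stapled.
classify_stapler() {
  case "$1" in
    *'The validate action worked!'*)    echo stapled ;;
    *'does not have a ticket stapled'*) echo not-stapled ;;
    *)                                  echo unknown ;;
  esac
}

# Run both tools on a real pkg. spctl exits non-zero on rejection, so the
# output is captured regardless of exit status.
check_pkg() {
  pkg="$1"
  spctl_out=$(spctl -a -vvv -t install "$pkg" 2>&1 || true)
  stapler_out=$(xcrun stapler validate "$pkg" 2>&1 || true)
  printf '%s: gatekeeper=%s ticket=%s\n' "$pkg" \
    "$(classify_spctl "$spctl_out")" "$(classify_stapler "$stapler_out")"
}

if command -v spctl >/dev/null 2>&1 && [ -n "${1:-}" ]; then
  check_pkg "$1"
else
  # Constructed sample outputs (same shape as the transcripts) for an offline demo:
  # a signed but unnotarized pkg with no ticket stapled.
  sample_spctl='example.pkg: rejected
source=Unnotarized Developer ID
origin=Developer ID Application: Example Inc'
  sample_stapler='Processing: example.pkg
example.pkg does not have a ticket stapled to it.'
  printf 'example.pkg: gatekeeper=%s ticket=%s\n' \
    "$(classify_spctl "$sample_spctl")" "$(classify_stapler "$sample_stapler")"
fi
```

A pkg that reports gatekeeper=notarized but ticket=not-stapled is exactly the case the comments describe: it passes Gatekeeper online but carries no ticket for an offline check.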