I've encountered some applications that are validly signed (as reported by codesign -dvv / SecStaticCodeCheckValidity), but the notarization ticket has been revoked:
% codesign -v revoked.app
% stapler validate revoked.app
The ticket for revoked.app has been revoked. Gatekeeper will prevent it from running.
% spctl -a -vvv -t install revoked.app
revoked.app: notarization indicates this code has been revoked
What is the recommended / supported approach to perform this check programmatically (in other words, replicate stapler validate or spctl -a -vvv -t install, but with APIs)? Ideally an API that returns errSecCSRevokedNotarization.
I can extract the app's code signing information, cdhashes or notarization ticket (from Contents/CodeResources). Was toying with SecAssessmentTicketLookup and SecTrustEvaluateWithError, but so far, no luck.
And SecRequirementCreateWithString(CFSTR("notarized")...) and SecStaticCodeCheckValidity just return errSecCSReqFailed, which yes is correct, but doesn't tell us that the ticket was revoked.
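As an added example (not part of the original post, and not an answer to the API question it asks), the following shell script wraps the two command-line checks the post shows, spctl -a -vvv -t install and stapler validate, and normalises their output into a single verdict so a deployment or audit script can detect a revoked notarization ticket without parsing the messages ad hoc. It assumes a macOS host where spctl and stapler are on the PATH, and that spctl prints the "notarization indicates this code has been revoked", "accepted" and "rejected" verdicts in the form shown in the post; the classifier itself is pure text matching, so it can be exercised with constructed output on any system.

```shell
#!/bin/sh
# Added example: normalise the verdicts of `spctl` and `stapler` into one status word.
# Assumes macOS with `spctl` and `stapler` available (both used in the post above).

# classify_spctl_output <text printed by `spctl -a -vvv -t install`>
# Prints one of: revoked | accepted | rejected | unknown.
# The "revoked" message is the one quoted in the post; "accepted" / "rejected"
# are the normal Gatekeeper verdicts spctl prints as "<path>: accepted|rejected".
classify_spctl_output() {
    case "$1" in
        *"notarization indicates this code has been revoked"*) echo revoked ;;
        *": accepted"*)                                        echo accepted ;;
        *": rejected"*)                                        echo rejected ;;
        *)                                                     echo unknown ;;
    esac
}

# notarization_status <bundle path>
# Runs both checks from the post and prints a one-word verdict.
# Exit status: 0 = accepted, 2 = notarization ticket revoked, 1 = anything else,
# so the function can drive a deployment gate directly.
notarization_status() {
    bundle="$1"
    # spctl writes its verdict to stderr; capture both streams.
    out="$(spctl -a -vvv -t install "$bundle" 2>&1)"
    status="$(classify_spctl_output "$out")"
    # Cross-check against the stapled ticket itself; stapler prints
    # "The ticket for <bundle> has been revoked." in that case.
    if stapler validate "$bundle" 2>&1 | grep -q "has been revoked"; then
        status=revoked
    fi
    echo "$status"
    case "$status" in
        accepted) return 0 ;;
        revoked)  return 2 ;;
        *)        return 1 ;;
    esac
}

# Usage: sh notarization_status.sh /path/to/Some.app
if [ $# -gt 0 ]; then
    notarization_status "$1"
fi
```

Treating "unknown" as a failure (exit 1) is deliberate: an unrecognised message most likely means the tool output changed, and a gate should fail closed rather than silently pass such a bundle.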