A walk outside the sandbox

Home Blog Cheat Sheets MacOS Tips Area 51 About

Code Signing



  • Apple uses a special language to define code signing requirements. csreq (1) is a command-line tool to manipulate requirements directly.
  • codesign (1) command-line tool allows developers to sign their apps and to display existing signatures.
  • A valid, trusted certificate is needed to sign your app. This can be obtained by registering as a Developer with Appleā€™s Developer Program.

Work with signatures

Display app signature

$ codesign --display --verbose=4 /Applications/
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20100 size=264 flags=0x0(none) hashes=3+3 location=embedded
Platform identifier=2
Hash type=sha256 size=32
CandidateCDHash sha256=533c83f3ab50c68c8b3922c91d6e610433612bbf
Hash choices=sha256
Page size=4096
Signature size=4105
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA
Info.plist entries=24
TeamIdentifier=not set
Sealed Resources version=2 rules=12 files=2
Internal requirements count=1 size=72

Verify application soignature

$ codesign --verify --verbose=4 /Applications/
/Applications/ valid on disk
/Applications/ satisfies its Designated Requirement


Code Signing Requirement Language