Where does codesign store the signature for a signed text file on OSX?

Question

I have a simple app bundle with the following structure:

myapp.app/Contents/
myapp.app/Contents/MacOS/myapp
myapp.app/Contents/Resources/empty.lproj
myapp.app/Contents/Info.plist
myapp.app/Contents/PkgInfo

If I execute

codesign -s "Developer ID" myapp.app/Contents/Info.plist

I can check that the file got signed with

codesign -d -v myapp.app/Contents/Info.plist

which gives the following output

Executable=/pathToApp/quicknanobrowser.app/Contents/Info.plist
Identifier=Info
Format=generic
CodeDirectory v=20100 size=113 flags=0x0(none) hashes=1+2 location=embedded
Signature size=1278
Signed Time=26 Jan 2016 12:31:24
Info.plist=not bound
TeamIdentifier=not set
Sealed Resources=none
Internal requirements count=1 size=80

Where is the data that the file was signed stored? The folder structure did not change (no new files), the size of the file did not change. Is it stored in some filesystem specific metadata? Is it possible to access / read this metadata?

Rhythmic Fistman Rhythmic Fistman · Accepted Answer · 2016-01-26T11:46:34

For non mach-o binaries, codesign stores the signature in per-file metadata called HFS+ extended attributes:

ls -l@ Info.plist

com.apple.cs.CodeDirectory  142 
com.apple.cs.CodeRequirements   180 
com.apple.cs.CodeSignature  8551

You can peek at the contents of these attributes with xattr

xattr -p com.apple.cs.CodeSignature Info.plist

but the tool seems to like dumping in hexadecimal. There doesn't seem to be a shell shorthand for accessing the attributes, although you used to be able to get at the Resource Fork (also an extended attribute) by appending /rsrc to the filename (e.g. cat blah/rsrc).

Where does codesign store the signature for a signed text file on OSX?

1 Answers