How to check whether an app or dmg is signed or not?

Question

I have created app and dmg for a Java application. I am signing as well as verifying dmg and app via codesign.

codesign -s "mycomapany name" myproduct.dmg/myproduct.app

Verifying both using following command -

codesign -v myproduct.dmg/myproduct.app

On executing this command for app and dmg separately it is not giving any message to confirm whether they are signed or not?

Like executing command - jarsigner -verify -certs myproduct.jar returns that "jar verified."

How can I verify that dmg and app are signed properly.

Thanks

Answer 1

To get more output from the codesign command, add a second -v argument after the first one:

codesign -v -v myproduct.dmg/myproduct.app

This is equivalent to:

codesign --verify --verbose myproduct.dmg/myproduct.app

The codesign command also has an exit value that you can use to get its result:

Examples for signed app:

codesign -v myproduct.dmg/myproduct.app
echo $?
Output: 0

codesign -v myproduct.dmg/myproduct.app && echo SIGNED!
Output: SIGNED!

codesign -v myproduct.dmg/myproduct.app || echo UNSIGNED!
No output

Examples for unsigned app:

codesign -v myproduct.dmg/unsigned.app
echo $?
Output: 1

codesign -v myproduct.dmg/unsigned.app && echo SIGNED!
No output

codesign -v myproduct.dmg/unsigned.app || echo UNSIGNED!
Output: UNSIGNED!