Validating signatures isn’t straightforward. GUI apps are limited, and command tools are confusing and prone to user error.
codesign
An unexpected behaviour in the codesign command could cause the app to crash when examining certain apps. Now fixed, plus several new features.
It took 5 apps, 4 command tools in 6 commands, 2 developer certificates and an app-specific password for 260 lines of code.
Notarization is already required for some kernel extensions and apps, even in 10.14.5. So how do you tell whether an app or code bundle is notarized?
Testing at the command line, with What’s Your Sign?, and according to the requirements of the signature.
How to perform ad hoc signing, signing with a personal certificate, and set signing up in Xcode.
How can you create your own personal certificate suitable for signing your apps? Uses Certificate Assistant, and free of cost.
Should you use ad hoc signing, or make your own personal certificate? Why would you want to sign a script or app you have made?
How my apps were correctly signed, but using the wrong certificate. They passed all tests here, but would not come out of quarantine normally on other systems.