In order to verify the signature of an application on disk, we can use SecStaticCodeCheckValidityWithErrors, which works as expected.

However, if this is used on a signed package, the following error occurs:

    The operation couldn’t be completed. (OSStatus error -67062.)

Error 67062 also represents that an application is not signed.

It appears that SecStaticCodeCheckValidityWithErrors only works with binary code or application bundles. To confirm this, calling codesign also fails to verify the signature of a package:

    codesign -dvvv myPackage.pkg
    myPackage.pkg: code object is not signed at all

How can we programmatically verify the signature of a package (pkg), without resorting to calling an external process such as pkgutil?