How to verify signature of a package

In order to verify the signature of an application on disk, we can use SecStaticCodeCheckValidityWithErrors, which works as expected.


However, if this is used on a signed package, the following error occurs:

The operation couldn’t be completed. (OSStatus error -67062.)

Error 67062 also indicates that an application is not signed.

It appears that SecStaticCodeCheckValidityWithErrors only works with binary code or application bundles. To confirm this, calling codesign also fails to verify the signature of a package:

codesign -dvvv myPackage.pkg

myPackage.pkg: code object is not signed at all


How can we programmatically verify the signature of a package (pkg), without resorting to calling an external process such as pkgutil?

However, if this is used on a signed package, the following error occurs …

The code signing APIs work on code, not installer packages, so this failure is expected.

How can we programmatically verify the signature of a package (pkg), without resorting to calling an external process such as pkgutil?

[incorrect information removed; see rbrockerhoff’s answer below]

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

If the package is a flat XAR file (the first 4 bytes are 'xar!'), you can use the APIs in /usr/include/xar/xar.h.


Basically, open the file with xar_open(), call xar_signature_first(), and then iterate over the certificates with xar_signature_get_x509certificate_data(), building a SecCertificateRef for each. Then use the certificate array with SecTrustCreateWithCertificates() and check the resulting SecTrustRef with the X509 policy.


Fun! ;-)
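The steps in the answer above, written out as an added example (not code from the thread or from Apple): it opens the flat package with libxar, builds the signer's certificate chain and evaluates it with the basic X.509 policy. The xar calls beyond those named in the answer (xar_signature_next, xar_signature_get_x509certificate_count, xar_close) are assumed from xar.h, and the build assumes an SDK that still ships that header.

```objective-c
// Added example: verify a flat .pkg's signer certificate chain via libxar + Security.framework.
// Build: clang -fobjc-arc -Wno-deprecated-declarations verifypkg.m -lxar -framework Foundation -framework Security
// (xar_open is deprecated since macOS 12; the flag only silences that warning.)
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#include <xar/xar.h>

// Returns YES when at least one signature in the package carries a certificate chain
// that evaluates as trusted under the basic X.509 policy. Caveat: this proves the
// chain is valid, not that the signature bytes verify over the package TOC, nor that
// the leaf is an Apple "Developer ID Installer" certificate; both need further checks.
static BOOL PackageHasTrustedSignerChain(NSString *path, NSError **error) {
    xar_t archive = xar_open(path.fileSystemRepresentation, READ);   // not a xar/flat pkg -> NULL
    if (archive == NULL) {
        if (error) *error = [NSError errorWithDomain:NSPOSIXErrorDomain code:errno userInfo:nil];
        return NO;
    }
    BOOL trusted = NO;
    // A package may carry more than one signature; accept the first chain that is trusted.
    for (xar_signature_t sig = xar_signature_first(archive); sig != NULL && !trusted;
         sig = xar_signature_next(sig)) {
        int32_t count = xar_signature_get_x509certificate_count(sig);
        NSMutableArray *chain = [NSMutableArray array];   // leaf first, then intermediates
        for (int32_t i = 0; i < count; i++) {
            const uint8_t *der = NULL;
            uint32_t derLen = 0;
            if (xar_signature_get_x509certificate_data(sig, i, &der, &derLen) != 0) break;
            NSData *derData = [NSData dataWithBytes:der length:derLen];
            SecCertificateRef cert = SecCertificateCreateWithData(NULL, (__bridge CFDataRef)derData);
            if (cert != NULL) [chain addObject:(__bridge_transfer id)cert];
        }
        if (chain.count == 0) continue;   // signature without certificates: nothing to trust
        SecPolicyRef policy = SecPolicyCreateBasicX509();
        SecTrustRef trust = NULL;
        if (SecTrustCreateWithCertificates((__bridge CFArrayRef)chain, policy, &trust) == errSecSuccess) {
            CFErrorRef cfError = NULL;
            trusted = SecTrustEvaluateWithError(trust, &cfError);   // macOS 10.14 and later
            if (!trusted && error) *error = (__bridge_transfer NSError *)cfError;
            else if (cfError) CFRelease(cfError);
            CFRelease(trust);
        }
        CFRelease(policy);
    }
    xar_close(archive);
    return trusted;
}
```

Calling PackageHasTrustedSignerChain on an unsigned package returns NO because xar_signature_first() yields no signature; on a non-xar file it returns NO from xar_open() without touching the trust APIs.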

'xar_open' is deprecated: first deprecated in macOS 12.0 - xar is a deprecated file format and should not be used.

Any idea?
