How to get trusted timestamp value for pkg?

Hi,

For a signed .app/binary we can get the "signing-timestamp" (kSecCodeInfoTimestamp) using the SecCodeCopySigningInformation method with a SecStaticCodeRef in the Security framework.

But for pkg the SecCode APIs don't work, and we need to fetch information using the xar X.509 APIs. Using xar_signature_get_x509certificate_data, other information like issuer, serial number, validity time, etc. is available, but the signing timestamp (the time at which the pkg was signed) is not available in the dictionary created using xar_signature_get_x509certificate_data and x509_st.


How to get the signature timestamp for pkg?


e.g. pkgutil --check-signature zoomusInstallerFull.pkg

   Status: signed by a developer certificate issued by Apple for distribution
   Notarization: trusted by the Apple notary service
   Signed with a trusted timestamp on: 2022-06-27 01:26:22 +0000
   Certificate Chain:
    1. Developer ID Installer: Zoom Video Communications, Inc. (BJ4HAAB9B3)
       Expires: 2027-02-01 22:12:15 +0000
       SHA256 Fingerprint:
           6D 70 1A 84 F0 5A D4 C1 C1 B3 AE 01 C2 EF 1F 2E AE FB 9F 5C A6 80 48 A4 76 60 FF B5 F0 57 BB 8C
       ------------------------------------------------------------------------
    2. Developer ID Certification Authority
       Expires: 2027-02-01 22:12:15 +0000
       SHA256 Fingerprint:
           7A FC 9D 01 A6 2F 03 A2 DE 96 37 93 6D 4A FE 68 09 0D 2D E1 8D 03 F2 9C 88 CF B0 B1 BA 63 58 7F
       ------------------------------------------------------------------------
    3. Apple Root CA
       Expires: 2035-02-09 21:40:36 +0000
       SHA256 Fingerprint:
           B0 B1 73 0E CB C7 FF 45 05 14 2C 49 F1 29 5E 6E DA 6B CA ED 7E 2C 68 C5 BE 91 B5 A1 10 01 F0 24

But for pkg SecCode apis don't work

Correct. Installer packages aren’t code signed, they’re just signed. This is the reason why we have separate Developer ID Application and Developer ID Installer signing identities.

I don’t think there’s any supported way to get the secure timestamp from an installer package programmatically. The xar APIs only get you the certificate chain (xar_signature_get_x509certificate_count, xar_signature_get_x509certificate_data) and the signed data and its signature (xar_signature_copy_signed_data).

I suspect that your only option here is to:

  • Run pkgutil and parse the output (bletch!).

  • File a bug requesting a better way to do this.

If you do the latter, please post your bug number, just for the record.

However, I’m not 100% confident in that answer. There may be an option that I’ve overlooked. If you’d like me to dig deeper, open a DTS tech support incident and we can pick things up in that context.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
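Putting the two halves of this thread together, here is an added example in Swift (my own code, not from the original posts, from Apple, or from the xar project). For an app bundle or Mach-O it reads kSecCodeInfoTimestamp through SecStaticCode and SecCodeCopySigningInformation as the question describes; for a .pkg, where those APIs do not apply, it falls back to running pkgutil --check-signature and parsing the "Signed with a trusted timestamp on:" line, which is the first option Quinn suggests above. The function names, the /usr/sbin/pkgutil path and the date format used for parsing are my assumptions, not a documented API.

```swift
import Foundation
import Security

/// Signing timestamp of a code-signed bundle or Mach-O (not a .pkg), read from
/// kSecCodeInfoTimestamp via SecStaticCode + SecCodeCopySigningInformation.
func signingTimestamp(ofCodeAt path: String) -> Date? {
    let url = URL(fileURLWithPath: path) as CFURL
    var staticCode: SecStaticCode?
    guard SecStaticCodeCreateWithPath(url, [], &staticCode) == errSecSuccess,
          let code = staticCode else { return nil }
    var info: CFDictionary?
    // kSecCSSigningInformation must be requested or the timestamp key is absent.
    let flags = SecCSFlags(rawValue: kSecCSSigningInformation)
    guard SecCodeCopySigningInformation(code, flags, &info) == errSecSuccess,
          let dict = info as? [String: Any] else { return nil }
    // The dictionary value is a CFDate; it bridges to Date.
    return dict[kSecCodeInfoTimestamp as String] as? Date
}

/// Runs `pkgutil --check-signature <path>` and returns its combined output.
/// Assumption: pkgutil lives at /usr/sbin/pkgutil (true on stock macOS).
func runPkgutilCheckSignature(_ path: String) throws -> String {
    let proc = Process()
    proc.executableURL = URL(fileURLWithPath: "/usr/sbin/pkgutil")
    proc.arguments = ["--check-signature", path]
    let pipe = Pipe()
    proc.standardOutput = pipe
    proc.standardError = pipe
    try proc.run()
    // Drain the pipe before waiting, so a large output cannot deadlock us.
    let data = pipe.fileHandleForReading.readDataToEndOfFile()
    proc.waitUntilExit()
    return String(decoding: data, as: UTF8.self)
}

/// Parses the line "Signed with a trusted timestamp on: 2022-06-27 01:26:22 +0000"
/// (format as shown in the thread) into a Date. Returns nil if the package
/// carries no trusted timestamp or the line is missing.
func parseTrustedTimestamp(from output: String) -> Date? {
    let marker = "Signed with a trusted timestamp on:"
    for rawLine in output.split(separator: "\n") {
        guard let r = rawLine.range(of: marker) else { continue }
        let value = rawLine[r.upperBound...].trimmingCharacters(in: .whitespaces)
        let fmt = DateFormatter()
        fmt.locale = Locale(identifier: "en_US_POSIX")
        fmt.dateFormat = "yyyy-MM-dd HH:mm:ss Z"   // "+0000" is an RFC 822 zone
        return fmt.date(from: value)
    }
    return nil
}

/// Trusted timestamp of a flat installer package, via pkgutil (no public API).
func trustedTimestamp(ofPackageAt path: String) throws -> Date? {
    return parseTrustedTimestamp(from: try runPkgutilCheckSignature(path))
}

// Usage: swift thisfile.swift /Applications/Foo.app /path/to/Installer.pkg
for path in CommandLine.arguments.dropFirst() {
    if path.hasSuffix(".pkg") {
        print(path, "trusted timestamp:", try trustedTimestamp(ofPackageAt: path) as Any)
    } else {
        print(path, "signing timestamp:", signingTimestamp(ofCodeAt: path) as Any)
    }
}
```

Because pkgutil verifies the whole archive before printing, the .pkg path blocks for as long as that verification takes; call it off the main thread in an app, and treat a nil result as "no trusted timestamp present" rather than as an error.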

Hi @eskimo, using the Feedback Assistant app on Mac I have submitted feedback (a bug) for the issue. Ticket ID: FB13610634

I tried running pkgutil --check-signature from code and parsing its output. For a pkg of small size there is no issue. But if we have a huge file in the GBs, like the OS upgrade InstallAssistant.pkg which is 12.2 GB, on the terminal pkgutil --check-signature itself takes around 22 seconds to print the output.

We direly need an API to get the trusted timestamp for a pkg programmatically.
