In my application I validate the authenticity of my own binaries by checking that the Team Identifier in the code signature matches a predefined value.
Currently I do not perform a full signature validation that verifies the certificate chain up to Apple’s root CA. When attempting to do this using SecStaticCodeCheckValidityWithErrors (or validateWithRequirement), the operation sometimes takes several minutes. During that time the calling thread appears blocked, and the system logs show:
trustd: [com.apple.securityd:SecError] Malformed anchor records, not an array
Because of this delay, I decided to rely only on the Team Identifier. My question is:
Can it be assumed that if a Mach-O binary contains a Team Identifier in its code signature, then it must have been signed with a valid Apple Developer certificate? Or are there cases where a binary could contain a Team ID but still not be signed by Apple’s trust chain?
Thanks for the help !