@dreness
Last active May 7, 2020 22:48
Manually check #codesigning #certificate revocation status using OCSP
# Assumes an Apple-like layout: leaf --> issuer --> CA in exactly 3 certs
# The last arg to codesign specifies the code to check, by bundle or executable path, or process ID
# (the placeholder below stands in for that argument)
codesign -d -vv --extract-certificates=cert I-didnt-edit-my-config-file
# codesign writes DER files cert0 (leaf), cert1 (issuer), cert2 (root); convert each to PEM for openssl
for i in 0 1 2 ; do openssl x509 -inform der -in cert${i} -out cert${i}.pem ; done
# Query the leaf's OCSP responder (URL taken from the leaf's AIA extension), verifying the response against the root
openssl ocsp -CAfile cert2.pem -issuer cert1.pem -cert cert0.pem -url $(openssl x509 -in cert0.pem -ocsp_uri -noout)
Example:
╭─ andre@flux ~
╰─ $ codesign -d -vv --extract-certificates=cert `pgrep MetalTest`
Executable=/Users/andre/Library/Developer/Xcode/DerivedData/MetalTest-flrezvpoauyedtalewgrvnugjpen/Build/Products/Debug/MetalTest.app/Contents/MacOS/MetalTest
Identifier=com.EarthGov.MetalTest
Format=bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=1106 flags=0x0(none) hashes=48+3 location=embedded
Signature size=4257
Authority=Developer ID Application: Andre LaBranche (UNKTN53737)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Signed Time=Feb 22, 2016, 2:13:59 AM
Info.plist entries=22
TeamIdentifier=UNKTN53737
Sealed Resources version=2 rules=12 files=13
Internal requirements count=1 size=216
╭─ andre@flux ~
╰─ $ for i in 0 1 2 ; do openssl x509 -inform der -in cert${i} -out cert${i}.pem ; done
╭─ andre@flux ~
╰─ $ openssl ocsp -CAfile cert2.pem -issuer cert1.pem -cert cert0.pem -url $(openssl x509 -in cert0.pem -ocsp_uri -noout)
Response verify OK
cert0.pem: good
This Update: Feb 22 10:19:02 2016 GMT
Next Update: Feb 23 10:19:02 2016 GMT
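The same codesign -> openssl ocsp procedure as above, as an added example that is not part of the gist: it drops the "exactly 3 certs" assumption, walks a chain of any length, and turns the OCSP answer into an exit status. It assumes macOS with codesign and openssl on PATH; the function names and the 0/1/2 verdict codes are this example's own.

```shell
#!/bin/sh
# Added example, not part of the gist: the codesign -> openssl ocsp procedure
# for a chain of any length, with a usable exit status.
# Assumes macOS with codesign and openssl on PATH. Usage: sh ocsp_check.sh <bundle|executable|pid>

# Classify captured `openssl ocsp` output: 0 = good, 1 = unknown or response not verified, 2 = revoked.
ocsp_verdict() {
    printf '%s\n' "$1" | grep -q '^Response verify OK' || return 1
    printf '%s\n' "$1" | grep -q ': revoked$' && return 2
    printf '%s\n' "$1" | grep -q ': good$' && return 0
    return 1
}

# Extract the signing chain of $1, convert DER -> PEM, and query each cert's OCSP responder.
# Returns the worst verdict seen (0 only when every checked cert is reported good).
check_codesign_ocsp() {
    tmp=$(mktemp -d) || return 1
    # Files come out as cert0 (leaf), cert1, ... up to the root.
    codesign -d -vv --extract-certificates="$tmp/cert" "$1" 2>/dev/null || { rm -rf "$tmp"; return 1; }
    n=0
    while [ -f "$tmp/cert$n" ]; do
        openssl x509 -inform der -in "$tmp/cert$n" -out "$tmp/cert$n.pem" || { rm -rf "$tmp"; return 1; }
        n=$((n + 1))
    done
    if [ "$n" -lt 2 ]; then echo "chain too short ($n certs)" >&2; rm -rf "$tmp"; return 1; fi
    root=$((n - 1)); worst=0; i=0
    # Check every cert below the root, using the next cert up as its issuer and the root as trust anchor.
    while [ "$i" -lt "$root" ]; do
        url=$(openssl x509 -in "$tmp/cert$i.pem" -ocsp_uri -noout)
        if [ -z "$url" ]; then
            echo "cert$i: no OCSP URI in the certificate; skipped" >&2
        else
            out=$(openssl ocsp -CAfile "$tmp/cert$root.pem" -issuer "$tmp/cert$((i + 1)).pem" \
                  -cert "$tmp/cert$i.pem" -url "$url" 2>&1)
            rc=0; ocsp_verdict "$out" || rc=$?
            echo "cert$i: verdict $rc ($url)"
            [ "$rc" -gt "$worst" ] && worst=$rc
        fi
        i=$((i + 1))
    done
    rm -rf "$tmp"
    return "$worst"
}

# Only run the live check when a target was given, so the file can also be sourced.
if [ -n "${1:-}" ]; then check_codesign_ocsp "$1"; fi
```

A cert without an OCSP URI is reported and skipped rather than treated as revoked, so read stderr as well as the exit status.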
@lspiehler
https://certificatetools.com/ocsp_checker makes this extremely quick and simple. It does the check for you, but also provides the OpenSSL command with the certificate and CA chain download for you to run locally if you prefer.