Last active: May 7, 2020 22:48
Manually check #codesigning #certificate revocation status using OCSP
# Assumes an Apple-like layout: leaf --> issuer --> CA in exactly 3 certs
# The last arg to codesign specifies the code to check, by bundle or executable path, or process ID
# (the placeholder argument below stands in for it)
# Step 1: dump the signing chain as DER files cert0 (leaf), cert1 (issuer), cert2 (root)
codesign -d -vv --extract-certificates=cert I-didnt-edit-my-config-file
# Step 2: convert each DER certificate to PEM so openssl ocsp can read it
for i in 0 1 2 ; do openssl x509 -inform der -in cert${i} -out cert${i}.pem ; done
# Step 3: ask the responder named in the leaf's AIA extension about the leaf, trusting cert2 as the anchor
openssl ocsp -CAfile cert2.pem -issuer cert1.pem -cert cert0.pem -url $(openssl x509 -in cert0.pem -ocsp_uri -noout)
Example:
╭─ andre@flux ~
╰─ $ codesign -d -vv --extract-certificates=cert `pgrep MetalTest`
Executable=/Users/andre/Library/Developer/Xcode/DerivedData/MetalTest-flrezvpoauyedtalewgrvnugjpen/Build/Products/Debug/MetalTest.app/Contents/MacOS/MetalTest
Identifier=com.EarthGov.MetalTest
Format=bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=1106 flags=0x0(none) hashes=48+3 location=embedded
Signature size=4257
Authority=Developer ID Application: Andre LaBranche (UNKTN53737)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Signed Time=Feb 22, 2016, 2:13:59 AM
Info.plist entries=22
TeamIdentifier=UNKTN53737
Sealed Resources version=2 rules=12 files=13
Internal requirements count=1 size=216
╭─ andre@flux ~
╰─ $ for i in 0 1 2 ; do openssl x509 -inform der -in cert${i} -out cert${i}.pem ; done
╭─ andre@flux ~
╰─ $ openssl ocsp -CAfile cert2.pem -issuer cert1.pem -cert cert0.pem -url $(openssl x509 -in cert0.pem -ocsp_uri -noout)
Response verify OK
cert0.pem: good
This Update: Feb 22 10:19:02 2016 GMT
Next Update: Feb 23 10:19:02 2016 GMT
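The three commands above generalised into a script that walks a chain of any length, refuses to trust a status line unless the response signature verified ("Response verify OK"), and maps good/revoked/unknown to distinct exit codes. This is an added example, not part of the gist; it assumes macOS codesign(1) and OpenSSL on PATH, and the work-directory default is a constructed choice.

```shell
#!/bin/sh
# Classify raw `openssl ocsp` output for one leaf. $1 = the -cert argument as
# openssl echoes it back, $2 = captured output. Prints a verdict; exit 0 only for "good".
ocsp_verdict() {
  case "$2" in
    *"Response verify OK"*) ;;                 # responder signature checked out
    *) echo unverified; return 1 ;;            # unverified response: ignore any status it carries
  esac
  case "$2" in
    *"$1: good"*)    echo good;    return 0 ;;
    *"$1: revoked"*) echo revoked; return 2 ;;
    *"$1: unknown"*) echo unknown; return 3 ;;
    *)               echo error;   return 4 ;;
  esac
}

# Extract the signing chain from $1 (path or PID, as codesign accepts) into $2,
# convert every DER cert to PEM, then query the leaf's OCSP responder.
check_codesign_ocsp() {
  target=$1; dir=${2:-./ocsp-check}             # constructed default work directory
  mkdir -p "$dir" || { echo error; return 4; }
  codesign -d -vv --extract-certificates="$dir/cert" "$target" || { echo error; return 4; }
  n=0
  while [ -f "$dir/cert$n" ]; do               # cert0 = leaf, cert1 = issuer, ..., last = root
    openssl x509 -inform der -in "$dir/cert$n" -out "$dir/cert$n.pem" || { echo error; return 4; }
    n=$((n + 1))
  done
  [ "$n" -ge 2 ] || { echo error; return 4; }  # need at least leaf + issuer
  leaf="$dir/cert0.pem"; issuer="$dir/cert1.pem"; root="$dir/cert$((n - 1)).pem"
  uri=$(openssl x509 -in "$leaf" -ocsp_uri -noout)
  [ -n "$uri" ] || { echo error; return 4; }   # no OCSP URI in the leaf's AIA: nothing to ask
  out=$(openssl ocsp -CAfile "$root" -issuer "$issuer" -cert "$leaf" -url "$uri" 2>&1)
  ocsp_verdict "$leaf" "$out"
}

# Usage: sh ocsp-check.sh /path/to/Some.app   (or a process ID)
if [ "$#" -gt 0 ]; then check_codesign_ocsp "$1"; exit $?; fi
```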
https://certificatetools.com/ocsp_checker makes this extremely quick and simple. It does the check for you, but also provides the OpenSSL command with the certificate and CA chain download for you to run locally if you prefer.