Manually check #codesigning #certificate revocation status using OCSP
# Assumes an Apple-like layout: leaf --> issuer --> CA in exactly 3 certs (cert0, cert1, cert2)
# The last arg to codesign specifies the code to check: a bundle path, an executable path, or a process ID
codesign -d -vv --extract-certificates=cert <bundle-or-executable-path-or-pid>
# codesign writes the chain as DER files; openssl ocsp wants PEM
for i in 0 1 2 ; do openssl x509 -inform der -in cert${i} -out cert${i}.pem ; done
# -CAfile is the trust anchor used to verify the responder's signature; here it is the root embedded in the
# signature itself, which is fine for a revocation lookup but not a substitute for checking the chain against
# the system's trusted roots. The responder URL comes from the leaf's AIA extension.
openssl ocsp -CAfile cert2.pem -issuer cert1.pem -cert cert0.pem -url $(openssl x509 -in cert0.pem -ocsp_uri -noout)
Example:
╭─ andre@flux ~
╰─ $ codesign -d -vv --extract-certificates=cert `pgrep MetalTest`
Executable=/Users/andre/Library/Developer/Xcode/DerivedData/MetalTest-flrezvpoauyedtalewgrvnugjpen/Build/Products/Debug/MetalTest.app/Contents/MacOS/MetalTest
Identifier=com.EarthGov.MetalTest
Format=bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=1106 flags=0x0(none) hashes=48+3 location=embedded
Signature size=4257
Authority=Developer ID Application: Andre LaBranche (UNKTN53737)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Signed Time=Feb 22, 2016, 2:13:59 AM
Info.plist entries=22
TeamIdentifier=UNKTN53737
Sealed Resources version=2 rules=12 files=13
Internal requirements count=1 size=216
╭─ andre@flux ~
╰─ $ for i in 0 1 2 ; do openssl x509 -inform der -in cert${i} -out cert${i}.pem ; done
╭─ andre@flux ~
╰─ $ openssl ocsp -CAfile cert2.pem -issuer cert1.pem -cert cert0.pem -url $(openssl x509 -in cert0.pem -ocsp_uri -noout)
Response verify OK
cert0.pem: good
This Update: Feb 22 10:19:02 2016 GMT
Next Update: Feb 23 10:19:02 2016 GMT
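The gist hard-codes a three-certificate chain and leaves reading the responder's answer to the human. The script below is an added example, not part of the original gist: it walks whatever number of cert files codesign extracted, passes intermediates to openssl ocsp via -verify_other instead of assuming the root is cert2, and turns the response text into an exit status a script can act on. It assumes codesign(1) and openssl(1) are on PATH, that codesign accepts a directory prefix for --extract-certificates (it writes prefix0, prefix1, ... in leaf-to-root order), and that the message strings it matches ("Response verify OK", "WARNING: Status times invalid.", "Responder Error") are the ones openssl ocsp prints; note that "Response verify OK" goes to stderr, so stdout alone is not enough.

```shell
#!/bin/sh
# Added example (not the gist author's code): OCSP revocation check for a macOS
# code signature with a chain of any length, reported as an exit status.
# Assumes codesign(1) and openssl(1) on PATH and that codesign writes the chain as
# cert0 (leaf), cert1 (issuer), ... certN-1 (root) under the given prefix.

# Name the role of each extracted certificate.
# Prints: LEAF ISSUER ROOT INTERMEDIATES  (intermediates comma-separated, may be empty)
chain_roles() {
  prefix=$1
  n=$2
  [ "$n" -ge 2 ] || return 1          # need leaf + issuer to build an OCSP cert ID
  leaf="${prefix}0.pem"
  issuer="${prefix}1.pem"
  root="${prefix}$((n - 1)).pem"
  inter=""
  i=1
  while [ "$i" -le $((n - 2)) ]; do   # everything strictly between leaf and root
    inter="${inter:+$inter,}${prefix}${i}.pem"
    i=$((i + 1))
  done
  printf '%s %s %s %s\n' "$leaf" "$issuer" "$root" "$inter"
}

# Classify the merged stdout+stderr of openssl ocsp for the leaf file LEAF.
# Exit status: 0 good, 1 revoked, 2 unknown, 3 not usable (error, unverified, stale).
ocsp_status() {
  out=$1
  leaf=$2
  case $out in
    *"Responder Error"*) echo responder-error; return 3 ;;
  esac
  case $out in
    *"Response verify OK"*) ;;
    *) echo unverified; return 3 ;;   # a "good" without a verified signature is worthless
  esac
  case $out in
    *"WARNING: Status times invalid"*) echo stale; return 3 ;;
  esac
  case $out in
    *"${leaf}: good"*)    echo good;     return 0 ;;
    *"${leaf}: revoked"*) echo revoked;  return 1 ;;
    *"${leaf}: unknown"*) echo unknown;  return 2 ;;
    *)                    echo unparsed; return 3 ;;
  esac
}

# Full check. TARGET is a bundle path, executable path or PID, as codesign takes it.
check_revocation() {
  target=$1
  tmp=$(mktemp -d) || return 3
  codesign -d -vv --extract-certificates="$tmp/cert" "$target" 2>/dev/null \
    || { echo codesign-failed; return 3; }
  n=0
  while [ -f "$tmp/cert$n" ]; do      # convert every DER file codesign wrote to PEM
    openssl x509 -inform der -in "$tmp/cert$n" -out "$tmp/cert$n.pem" || return 3
    n=$((n + 1))
  done
  roles=$(chain_roles "$tmp/cert" "$n") || { echo "short-chain($n)"; return 3; }
  set -- $roles                        # mktemp paths contain no spaces
  leaf=$1 issuer=$2 root=$3 inter=$4
  url=$(openssl x509 -in "$leaf" -ocsp_uri -noout)
  [ -n "$url" ] || { echo no-ocsp-uri; return 3; }
  # -CAfile is the trust anchor for the responder's signature. As in the gist this is
  # the root embedded in the signature; for a trust decision use the system's copy of
  # Apple Root CA instead, since a signer can embed any root it likes.
  if [ -n "$inter" ]; then
    cat $(echo "$inter" | tr ',' ' ') > "$tmp/untrusted.pem"
    out=$(openssl ocsp -CAfile "$root" -verify_other "$tmp/untrusted.pem" \
            -issuer "$issuer" -cert "$leaf" -url "$url" 2>&1)
  else
    out=$(openssl ocsp -CAfile "$root" -issuer "$issuer" -cert "$leaf" -url "$url" 2>&1)
  fi
  ocsp_status "$out" "$leaf"
}

# Usage (needs a signed macOS binary and network access):
#   ./ocsp_check.sh "$(pgrep -n MetalTest)"; echo "status=$?"
if [ "$#" -gt 0 ]; then
  check_revocation "$1"
fi
```

The exit codes are deliberate: only 0 means "verified responder said good"; a good status that arrived with a verification failure or with expired status times maps to 3, so a caller that tests `-eq 0` cannot be fooled by an unsigned or replayed response.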
@lspiehler commented Jun 3, 2019

https://certificatetools.com/ocsp_checker makes this extremely quick and simple. It does the check for you, but also provides the OpenSSL command with the certificate and CA chain download for you to run locally if you prefer.
