- Super blob (embedded signature = 0xfade0cc0)
- Blob (code directory = 0xfade0c02)
- Code signature (DER encoded)
- Blob wrapper (fade0b01)
- Length [4]
- Offset [4]
- Type? [4] = 256? (signature?)
- Unknown [4] 239?
- Ticket
- Trailer length [4] = 66
- Certificate (DER encoded)
- Trailer
- Magic [4] ("g8tk" ? great ticket)
- Version [2] = 2
- Type [2] = 20
- Length/flags?? [4] = 512??
- Reserved [4] = zeros
- Crc32? [4]
- Reserved? [4] = zeros
- Contents code directory hash list
- Digest algorithm [1] = 2 (sha256)
- Code directory hash (sha256)
- Contents (DER encoded / sha256)
- Hash list for each code resource in submission?
- Blob (code directory = 0xfade0c02)
- Trailer magic of "t8lr" might be legacy or only be used for .pkg files
- The notarization service works like a timestamping service that is used in code signing; the notarization ticket ceritifcate can be used to validate the status of an app even if the system is offline
- cdTicketSlot = 0x10002 (virtual)