I have a simple app bundle with the following structure:
myapp.app/Contents/
myapp.app/Contents/MacOS/myapp
myapp.app/Contents/Resources/empty.lproj
myapp.app/Contents/Info.plist
myapp.app/Contents/PkgInfo
If I execute
codesign -s "Developer ID" myapp.app/Contents/Info.plist
I can check that the file got signed with
codesign -d -v myapp.app/Contents/Info.plist
which gives the following output
Executable=/pathToApp/quicknanobrowser.app/Contents/Info.plist
Identifier=Info
Format=generic
CodeDirectory v=20100 size=113 flags=0x0(none) hashes=1+2 location=embedded
Signature size=1278
Signed Time=26 Jan 2016 12:31:24
Info.plist=not bound
TeamIdentifier=not set
Sealed Resources=none
Internal requirements count=1 size=80
Where is the data that the file was signed stored? The folder structure did not change (no new files), the size of the file did not change. Is it stored in some filesystem specific metadata? Is it possible to access / read this metadata?
For non mach-o binaries, codesign stores the signature in per-file metadata called HFS+ extended attributes:
ls -l@ Info.plist
com.apple.cs.CodeDirectory 142
com.apple.cs.CodeRequirements 180
com.apple.cs.CodeSignature 8551
You can peek at the contents of these attributes with xattr
xattr -p com.apple.cs.CodeSignature Info.plist
but the tool seems to like dumping in hexadecimal. There doesn't seem to be a shell shorthand for accessing the attributes, although you used to be able to get at the Resource Fork (also an extended attribute) by appending /rsrc to the filename (e.g. cat blah/rsrc).