Signature Verification
Verify existing code signatures on any application. KestrelSign provides a detailed breakdown of the signature status, certificate chain, and notarization ticket.
Running a Verification
You can verify signatures from within a project or as a standalone operation. From the project dashboard, click Verify to check the current state of your application's signature.
KestrelSign runs platform-appropriate verification commands and presents the results in a clear, readable format rather than raw command output.
What Gets Checked
macOS
KestrelSign uses `codesign --verify --deep --strict` to validate the signature. The verification covers:
- Signature validity -- is the signature intact and unmodified
- Certificate chain -- does the signing certificate chain to Apple's root
- Hardened runtime -- is the hardened runtime flag present
- Deep verification -- are all nested components (frameworks, helpers) properly signed
- Notarization status -- has a notarization ticket been stapled
- Gatekeeper assessment -- will Gatekeeper allow this app to run
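A CI gate covering the macOS checks listed above, as an added example that is not KestrelSign's own code. It assumes the standard Apple tools `codesign -dvv`, `xcrun stapler validate` and `spctl --assess` for the checks the page names no command for; `SAMPLE_DISPLAY` and all function names are constructed for illustration.

```python
import re
import subprocess

# Constructed `codesign -dvv` output (codesign writes this to stderr); not from a real app.
SAMPLE_DISPLAY = """\
Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=28+7 location=embedded
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=1 Jan 2024 at 12:00:00
TeamIdentifier=ABCDE12345
"""

def parse_display(text):
    """Extract the displayed signing chain and code-directory flags."""
    authorities = re.findall(r"^Authority=(.+)$", text, re.M)
    m = re.search(r"^CodeDirectory .*\bflags=0x[0-9a-fA-F]+\(([^)]*)\)", text, re.M)
    flags = m.group(1).split(",") if m else []
    return {
        "authorities": authorities,  # empty for ad-hoc or unsigned code
        "hardened_runtime": "runtime" in flags,
    }

def run_tool(argv):
    """Default runner: returns (exit_code, combined stdout and stderr)."""
    p = subprocess.run(argv, capture_output=True, text=True)
    return p.returncode, p.stdout + p.stderr

def verify_macos(path, run=run_tool):
    """Run the macOS checks; `run` is injectable so the logic can be tested offline."""
    rc_verify, _ = run(["codesign", "--verify", "--deep", "--strict", path])
    _, display = run(["codesign", "-dvv", path])                      # assumed command
    rc_staple, _ = run(["xcrun", "stapler", "validate", path])        # assumed command
    rc_gk, _ = run(["spctl", "--assess", "--type", "execute", path])  # assumed command
    info = parse_display(display)
    return {
        # Trust decisions come from tool exit codes, never from parsed names.
        "signature_valid": rc_verify == 0,
        "hardened_runtime": info["hardened_runtime"],
        "ticket_stapled": rc_staple == 0,
        "gatekeeper_accepts": rc_gk == 0,
        "chain": info["authorities"],  # informational only
    }

def failed_checks(result):
    """Names of the boolean checks that did not pass, for failing a CI job."""
    return sorted(k for k, v in result.items() if v is False)
```

The parsed `chain` is for display and audit logs; a build should be rejected on the basis of `failed_checks`, which depends only on exit codes and the code-directory flags.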
Windows
KestrelSign uses `signtool verify /pa /v` to validate Authenticode signatures. The verification covers:
- Signature validity -- is the Authenticode signature valid
- Certificate details -- issuer, subject, expiry date
- Timestamp -- is the signature timestamped, and is the timestamp valid
- Certificate chain -- does the certificate chain to a trusted root
Verification Results
Results are displayed with clear pass/fail indicators for each check. If any check fails, KestrelSign provides an explanation of the issue and suggests remediation steps.
You can also generate an HTML report of the verification results for your records or for compliance documentation.
Verifying Third-Party Applications
You do not need a project to verify a signature. You can point KestrelSign at any application to check its signature status. This is useful for verifying builds from your CI/CD pipeline or checking third-party software before deployment.