Mac Application Penetration Test

MacOS

Trying to build a Mac Application Penetration Test Checklist…

How to Check if a macOS App is Notarized

Version: macOS 11.7.1

You can check whether a macOS application is notarized with the spctl command-line utility. spctl queries the system's security assessment policy (Gatekeeper) and reports whether the system allows a given file to be executed, installed or opened.

The first example is an app that is not notarized: spctl reports the status as rejected and the source as Unnotarized Developer ID. Run the check on every artefact you were given, since each is assessed separately: the application bundle itself, the installed copy under /Applications, and the installer file.

$ spctl -a -vvv -t install MacApp.app
MacApp.app: rejected
source=Unnotarized Developer ID
origin=Developer ID Application: <redacted developer account>

The second example is a notarized app: spctl reports the status as accepted and the source as Notarized Developer ID.

$ spctl -a -vvv -t install Project1.app
Project1.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: <redacted developer account>

The verdict reflects Gatekeeper policy on the machine where you run the check, and Gatekeeper can fetch notarization tickets from Apple on demand. To confirm that a ticket is stapled to the artefact itself (so the verdict also holds on an offline machine), run xcrun stapler validate on the bundle or package; codesign -dv --verbose=4 shows the signing identity and the code-signing flags the notarization service requires, such as the hardened runtime.

The table below describes the spctl options used above.

Option        Description
-a            Assess: ask spctl to perform a security assessment of the given file.
-vvv          Increase output verbosity; each additional v adds detail, and at this level the source and origin lines are shown.
-t install    Assessment type. install assesses installing a package; execute (the default) assesses launching an application; open assesses opening a document.
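The following shell functions wrap the spctl check so it can be run over several bundles and packages from a checklist script and give a parseable verdict. This is an added example, not code from the original post; it assumes spctl output has the shape shown above on macOS 11.7.1 (a "<path>: accepted" or "<path>: rejected" line followed by source= and origin= lines), and the function names parse_spctl, is_notarized_output and check_notarized are this example's own.

```shell
#!/bin/sh
# Added example for this checklist, not part of the original post. Wraps the
# spctl check so it can be run over several bundles and packages and gives a
# parseable verdict. Assumption: spctl output has the shape shown on this page
# (macOS 11.7.1): "<path>: accepted|rejected", then source=..., origin=...

# parse_spctl: read `spctl -a -vvv ...` output on stdin and print
# "<verdict>|<source>", e.g. "rejected|Unnotarized Developer ID".
# Fields that never appear become "unknown".
parse_spctl() {
    verdict=""; src=""
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            *": accepted"*) verdict=accepted ;;
            *": rejected"*) verdict=rejected ;;
            source=*)       src=${line#source=} ;;
        esac
    done
    printf '%s|%s\n' "${verdict:-unknown}" "${src:-unknown}"
}

# is_notarized_output <parsed>: true only for the accepted + notarized case.
# "accepted" alone is not enough: Apple-signed and App Store software is
# accepted with a different source, and a source of "Developer ID" without
# "Notarized" is a signed but unnotarized build.
is_notarized_output() {
    [ "$1" = "accepted|Notarized Developer ID" ]
}

# check_notarized <bundle-or-pkg> [type]: macOS only. Runs spctl with the
# assessment type used on this page (install) unless told otherwise. spctl
# writes its assessment to stderr, hence the 2>&1. Prints one PASS/FAIL line
# and returns 1 on FAIL so the script can stop or count findings.
check_notarized() {
    target=$1; kind=${2:-install}
    parsed=$(spctl -a -vvv -t "$kind" "$target" 2>&1 | parse_spctl)
    if is_notarized_output "$parsed"; then
        printf 'PASS %s (%s)\n' "$target" "$parsed"
    else
        printf 'FAIL %s (%s)\n' "$target" "$parsed"
        return 1
    fi
}

# Usage, one line per artefact from the checklist:
#   check_notarized MacApp.app
#   check_notarized /Applications/MacApp.app
#   check_notarized MacApp.pkg install
```

Only check_notarized touches spctl; parse_spctl and is_notarized_output work on captured text, so the parsing can be exercised on a non-Mac host with the two outputs shown above.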

SuspiciousPackage

SuspiciousPackage is a GUI tool for inspecting .pkg installer files before you install them: it shows the payload (which files land where), the installer scripts, and the package's signature status. Pay particular attention to the preinstall and postinstall scripts. The installer runs them during installation, typically with root privileges, and malware authors routinely use them to drop LaunchAgents or LaunchDaemons and otherwise persist. The same scripts can be read from the command line: pkgutil --expand-full unpacks a flat package (including its Scripts and Payload archives) into a directory, and pkgutil --check-signature reports whether and by whom the package is signed.
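A command-line pass over the same artefacts, as an added example that is not part of the original post and is not SuspiciousPackage's own code: expand a flat .pkg with pkgutil, then flag installer scripts that touch common persistence locations so they get read first. The pattern list in PERSISTENCE_RE and the sample postinstall script built by make_constructed_pkg_tree are this example's own assumptions and constructed data, not an exhaustive indicator set or a real installer.

```shell
#!/bin/sh
# Added example for this checklist; not part of the original post and not
# SuspiciousPackage's code. Expands a flat .pkg with pkgutil and flags
# installer scripts that touch common persistence locations. The pattern
# list and the sample script below are this example's own assumptions.

# Persistence and staging hints worth reading by hand when they appear in
# an installer script (a starting set; extend as needed).
PERSISTENCE_RE='LaunchAgents|LaunchDaemons|launchctl|crontab|/etc/periodic|StartupItems|emond|login item|\.zshrc|\.zprofile|\.bash_profile|curl |chmod \+x'

# expand_pkg <file.pkg> <outdir>: macOS only. --expand-full also unpacks the
# Payload and Scripts archives, so preinstall/postinstall appear as files.
expand_pkg() {
    pkgutil --expand-full "$1" "$2"
}

# scan_pkg_scripts <expanded-dir>: prints "<script>:<line>:<text>" for every
# matching line in preinstall, postinstall or anything under Scripts/.
# Exit status 0 when nothing was flagged, 1 when something was.
scan_pkg_scripts() {
    hits=$(find "$1" -type f \( -name preinstall -o -name postinstall -o -path '*/Scripts/*' \) -print |
        while IFS= read -r f; do
            grep -nE "$PERSISTENCE_RE" "$f" | sed "s|^|$f:|"
        done)
    [ -n "$hits" ] && printf '%s\n' "$hits"
    [ -z "$hits" ]
}

# make_constructed_pkg_tree: CONSTRUCTED sample data, not a real installer.
# Mimics the layout pkgutil produces, with a postinstall that installs a
# LaunchDaemon and a harmless preinstall. Prints the temp directory it made.
make_constructed_pkg_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/example.pkg/Scripts"
    cat > "$d/example.pkg/Scripts/postinstall" <<'EOF'
#!/bin/sh
cp "$2/Contents/Resources/com.example.helper.plist" /Library/LaunchDaemons/
launchctl load -w /Library/LaunchDaemons/com.example.helper.plist
exit 0
EOF
    printf '#!/bin/sh\nexit 0\n' > "$d/example.pkg/Scripts/preinstall"
    echo "$d"
}

# Real package:   expand_pkg Installer.pkg /tmp/expanded && scan_pkg_scripts /tmp/expanded
# Constructed demo:   sh scan_pkg.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tree=$(make_constructed_pkg_tree)
    scan_pkg_scripts "$tree"
    echo "exit status: $?"
fi
```

On the constructed tree the scan reports lines 2 and 3 of postinstall (the LaunchDaemons copy and the launchctl load) and nothing for preinstall; a hit is a prompt to read the script, not a verdict, since legitimate installers also register launchd jobs.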


3 thoughts on “Mac Application Penetration Test”

  1. It's like you read my thoughts! You appear to understand so much
    about this, such as you wrote the book in it or something.
    I believe that you simply could do with some percent to power the message house a little bit, but instead
    of that, that is an excellent blog. A fantastic read.
    I will definitely be back.
