I'm running macOS Catalina. How can I tell if a particular macOS app downloaded from the Internet is notarized and/or sandboxed?

2 Answers

I'm not sure if this helps, but if you open System Information and, in the sidebar, go down to Software > Applications, you should see all the applications installed on your Mac. Clicking on any app will show you its certificates, version, and where you obtained it (i.e. from Mac App Store, Apple, identified developer or unknown).

To access System Information, you can open it from a Spotlight search, or click on About This Mac in the Apple menu bar, and then click on System Report.

Hope this helps.

AVelj
  • That helps to some extent. I can see that applications are signed and obtained from an identified developer. I think that at least means it's notarized. – Darrell Root Mar 06 '20 at 04:46
  • @DarrellRoot Being from an identified developer doesn't imply notarization. I don't think it's possible for an app to be notarized unless it's signed, but it's entirely possible for a non-notarized app to be signed by an identified developer. – Gordon Davisson Mar 06 '20 at 05:54
  • In regards to sandboxing, perhaps this question may help https://apple.stackexchange.com/questions/52675/how-do-i-find-out-what-entitlements-an-app-has – AVelj Mar 06 '20 at 08:43
  • @AVelj Yes, the "codesign -d --entitlements :- /Applications/Whatever.app" answer from that question looks like the best answer for showing sandboxing. – Darrell Root Mar 07 '20 at 17:53

You can tell this with taccy from the Eclectic Light Company. It reports directly on whether an app is notarized (although I find its "Developer ID" checkbox behavior confusing -- it doesn't check it if the app is notarized, even though notarized apps are developer-ID signed).

taccy doesn't explicitly report whether the app is sandboxed, but you can tell from the detailed display. If the "Entitlements" section says "Property list incorrect format", that seems to indicate it's not sandboxed. Here's an example of its report on an old (pre-sandbox and notarization) version of Firefox:

(taccy showing Firefox 65.0.1 is not notarized, is signed by an identified developer, and has an "incorrect format" Entitlements list.)
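
A command-line version of both checks discussed in the answers and comments above, as an added example that is not part of either answer. It parses the output of the `codesign -d --entitlements :-` command quoted in the comments and looks for the App Sandbox entitlement. It also reads Gatekeeper's verdict from `spctl -a -vv`, which this page does not mention. The function names are hypothetical, and the script assumes Gatekeeper reports `source=Notarized Developer ID` for notarized apps.

```python
"""Report whether a macOS app bundle is sandboxed and notarized (added example)."""
import plistlib
import subprocess
import sys

SANDBOX_KEY = "com.apple.security.app-sandbox"


def is_sandboxed(entitlements_xml: bytes) -> bool:
    """True only if the entitlements plist sets the App Sandbox key to true."""
    if not entitlements_xml.strip():
        return False  # codesign printed nothing: no embedded entitlements
    try:
        ents = plistlib.loads(entitlements_xml)
    except Exception:
        return False  # output is not a valid plist: treat as not sandboxed
    return isinstance(ents, dict) and ents.get(SANDBOX_KEY) is True


def gatekeeper_source(spctl_output: str) -> str:
    """Return the 'source=' value from `spctl -a -vv` output, or '' if absent."""
    for line in spctl_output.splitlines():
        if line.startswith("source="):
            return line[len("source="):].strip()
    return ""


def is_notarized(spctl_output: str) -> bool:
    # Assumption: notarized apps are reported as "Notarized Developer ID";
    # a plain "Developer ID" source is signed by an identified developer only.
    return gatekeeper_source(spctl_output).startswith("Notarized")


def inspect(app_path: str) -> dict:
    """Run codesign and spctl against app_path (works on macOS only)."""
    ents = subprocess.run(
        ["codesign", "-d", "--entitlements", ":-", app_path],
        capture_output=True).stdout
    spctl = subprocess.run(["spctl", "-a", "-vv", app_path],
                           capture_output=True, text=True)
    report = spctl.stdout + spctl.stderr  # the assessment may be on stderr
    return {"sandboxed": is_sandboxed(ents),
            "source": gatekeeper_source(report),
            "notarized": is_notarized(report)}


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_app.py /Applications/Whatever.app")
    print(inspect(sys.argv[1]))
```

A signed app can come back with `notarized` false and a `source` of `Developer ID`, which is the case Gordon Davisson's comment describes.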