How do I verify that a macOS pkg is notarized

Unfortunately, there's more than one right answer.

The notarization process works by uploading a package, app, or binary to apple. Apple will then verify it. If the underlying format supports it, you may download that "ticket" and "staple" it. Notable here, is that you do not need to staple the ticket for it to be notarized. Gatekeeper will look it up with apple at runtime.

You can check whether there's a ticket stapled, by using the staple command. But you can use spctl to get a broader answer about whether or not gatekeeper will accept it.

There is an additional wrinkle -- Apple Developer accounts that predate 2019-August are exempt from the notarization requirements. (At least on Mojave.) This can make trying to tell what's going on very confusing.

Some examples on an unsigned, signed, and notarized binary. No staples here.

Using an apple developer account that is several old. Notarization not required for a gatekeeper check:

$ spctl -a -vvv -t install go-hello-unsigned
go-hello-unsigned: rejected
source=no usable signature

$ spctl -a -vvv -t install go-hello-signed-oldapple
go-hello-signed-oldapple: accepted
source=Developer ID
origin=Developer ID Application: Example Inc (oldapple)

$ spctl -a -vvv -t install go-hello-notarized-oldapple
go-hello-notarized-oldapple: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Inc (oldapple)

Using a newer apple developer account. Subject to the notarization requirements:

$ spctl -a -vvv -t install go-hello-unsigned
go-hello-unsigned: rejected
source=no usable signature

$ spctl -a -vvv -t install go-hello-signed-newapple 
go-hello-signed-newapple: rejected
source=Unnotarized Developer ID
origin=Developer ID Application: Kolide, Inc (newapple)

$ spctl -a -vvv -t install go-hello-notarized-newapple
go-hello-notarized-newapple: accepted
source=Notarized Developer ID
origin=Developer ID Application: Kolide, Inc (newapple)

Update

Now that catalina has been released, this has changed slightly. The age of the signing key effects Mojave. Catalina now requires everything be notarized.


stapler validate will do this -

$ stapler validate myfile.pkg 
Processing: myfile.pkg
The validate action worked!
  • If The validate action worked! is printed, the specified pkg file is notarized.

  • If does not have a ticket stapled to it. is printed, the specified pkg file is either not notarized, or the notarization was never followed up with the stapling step.