For a signed .app/binary we can get the "signing-timestamp" (kSecCodeInfoTimestamp) using the SecCodeCopySigningInformation method with a SecStaticCodeRef in the Security framework.
But for a pkg the SecCode APIs don't work & we need to fetch the information using the xar APIs. Using xar_signature_get_x509certificate_data, other information like issuer, serial number, validity time, etc. is available, but the signing timestamp, the time at which the pkg was signed, is not available in the dictionary created using xar_signature_get_x509certificate_data & x509_st. There is no API to get the trusted timestamp.
I tried running pkgutil --check-signature via code & parsing its output. For a pkg of small size there is no issue. But if we have a huge file in GBs, like the OS upgrade InstallAssistant.pkg which is 12.2 GB, pkgutil --check-signature itself takes around 22 sec on the terminal to print the output.
How do I get the timestamp, the value after "Signed with a trusted timestamp on:", for a pkg programmatically?
e.g. `pkgutil --check-signature zoomusInstallerFull.pkg` prints:

```
Status: signed by a developer certificate issued by Apple for distribution
Notarization: trusted by the Apple notary service
Signed with a trusted timestamp on: 2022-06-27 01:26:22 +0000
Certificate Chain:
    Developer ID Installer: Zoom Video Communications, Inc. (BJ4HAAB9B3)
    Expires: 2027-02-01 22:12:15 +0000
    SHA256 Fingerprint:
        6D 70 1A 84 F0 5A D4 C1 C1 B3 AE 01 C2 EF 1F 2E AE FB 9F 5C A6 80 48 A4 76 60 FF B5 F0 57 BB 8C
    ------------------------------------------------------------------------
    Developer ID Certification Authority
    Expires: 2027-02-01 22:12:15 +0000
    SHA256 Fingerprint:
        7A FC 9D 01 A6 2F 03 A2 DE 96 37 93 6D 4A FE 68 09 0D 2D E1 8D 03 F2 9C 88 CF B0 B1 BA 63 58 7F
    ------------------------------------------------------------------------
    Apple Root CA
    Expires: 2035-02-09 21:40:36 +0000
    SHA256 Fingerprint:
        B0 B1 73 0E CB C7 FF 45 05 14 2C 49 F1 29 5E 6E DA 6B CA ED 7E 2C 68 C5 BE 91 B5 A1 10 01 F0 24
```
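The following is an added example, not code from the post, showing the output-parsing route the question describes done robustly: it turns the text printed by `pkgutil --check-signature` into structured fields (status, notarization, the trusted timestamp as a timezone-aware datetime, and the certificate chain with expiry dates and SHA-256 fingerprints) and then applies the checks an inventory or install-policy tool would want, such as the timestamp preceding every certificate's expiry and the chain ending at Apple Root CA. The sample text is constructed from the output shown above; the parser assumes that line layout and also accepts the one-line-per-certificate form. It does not read the xar signature itself, so it does not address the slowness on multi-gigabyte packages.

```python
"""Parse `pkgutil --check-signature` output into structured signing data.

Added example, not from the original post. Assumes the line layout that
pkgutil prints (Status / Notarization / Signed with a trusted timestamp on /
Certificate Chain, each certificate separated by a row of dashes).
"""
import re
import subprocess
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional

STATUS_RE = re.compile(r"^Status:\s*(.+)$")
NOTARIZATION_RE = re.compile(r"^Notarization:\s*(.+)$")
TIMESTAMP_RE = re.compile(r"Signed with a trusted timestamp on:\s*(.+)$")
PKGUTIL_TIME_RE = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4}"
EXPIRES_RE = re.compile(r"Expires:\s*(" + PKGUTIL_TIME_RE + ")")
FINGERPRINT_RE = re.compile(r"SHA256 Fingerprint:\s*((?:[0-9A-Fa-f]{2}\s*)+)")
SEPARATOR_RE = re.compile(r"-{10,}")  # the dashed row between certificates


def parse_pkgutil_time(text: str) -> datetime:
    """pkgutil prints e.g. '2022-06-27 01:26:22 +0000'; %z keeps the offset."""
    return datetime.strptime(text.strip(), "%Y-%m-%d %H:%M:%S %z")


@dataclass
class Certificate:
    name: str
    expires: datetime
    sha256: str  # uppercase hex, no separators


@dataclass
class PkgSignature:
    status: str
    notarization: Optional[str]
    signed_at: Optional[datetime]  # None when no trusted timestamp line exists
    chain: List[Certificate] = field(default_factory=list)


def parse_check_signature(output: str) -> PkgSignature:
    """Turn the tool's text into a PkgSignature; tolerant of re-wrapped lines."""
    head, found_chain, chain_text = output.partition("Certificate Chain:")
    status, notarization, signed_at = "", None, None
    for raw in head.splitlines():
        line = raw.strip()
        m = STATUS_RE.match(line)
        if m:
            status = m.group(1).strip()
            continue
        m = NOTARIZATION_RE.match(line)
        if m:
            notarization = m.group(1).strip()
            continue
        m = TIMESTAMP_RE.search(line)
        if m:
            signed_at = parse_pkgutil_time(m.group(1))

    chain: List[Certificate] = []
    if found_chain:
        for chunk in SEPARATOR_RE.split(chain_text):
            # Flatten whitespace so one-line and multi-line layouts parse alike.
            flat = " ".join(chunk.split())
            m_exp, m_fp = EXPIRES_RE.search(flat), FINGERPRINT_RE.search(flat)
            if not (m_exp and m_fp):
                continue
            name = re.sub(r"^\d+\.\s*", "", flat[: m_exp.start()]).strip()
            sha256 = "".join(m_fp.group(1).split()).upper()
            chain.append(Certificate(name, parse_pkgutil_time(m_exp.group(1)), sha256))
    return PkgSignature(status, notarization, signed_at, chain)


def timestamp_within_validity(sig: PkgSignature) -> bool:
    """True only if a trusted timestamp exists and precedes every expiry."""
    if sig.signed_at is None or not sig.chain:
        return False
    return all(sig.signed_at < cert.expires for cert in sig.chain)


def anchored_at_apple_root(sig: PkgSignature) -> bool:
    """True when the last certificate in the printed chain is Apple Root CA."""
    return bool(sig.chain) and sig.chain[-1].name == "Apple Root CA"


def check_pkg(path: str) -> PkgSignature:
    """Run pkgutil on a real file (slow for multi-GB packages, as noted above)."""
    proc = subprocess.run(["pkgutil", "--check-signature", path],
                          capture_output=True, text=True, check=True)
    return parse_check_signature(proc.stdout)


# Constructed sample, reproducing the output quoted in the post.
SAMPLE_OUTPUT = """\
Status: signed by a developer certificate issued by Apple for distribution
Notarization: trusted by the Apple notary service
Signed with a trusted timestamp on: 2022-06-27 01:26:22 +0000
Certificate Chain:
    Developer ID Installer: Zoom Video Communications, Inc. (BJ4HAAB9B3)
    Expires: 2027-02-01 22:12:15 +0000
    SHA256 Fingerprint:
        6D 70 1A 84 F0 5A D4 C1 C1 B3 AE 01 C2 EF 1F 2E AE FB 9F 5C A6 80 48 A4 76 60 FF B5 F0 57 BB 8C
    ------------------------------------------------------------------------
    Developer ID Certification Authority
    Expires: 2027-02-01 22:12:15 +0000
    SHA256 Fingerprint:
        7A FC 9D 01 A6 2F 03 A2 DE 96 37 93 6D 4A FE 68 09 0D 2D E1 8D 03 F2 9C 88 CF B0 B1 BA 63 58 7F
    ------------------------------------------------------------------------
    Apple Root CA
    Expires: 2035-02-09 21:40:36 +0000
    SHA256 Fingerprint:
        B0 B1 73 0E CB C7 FF 45 05 14 2C 49 F1 29 5E 6E DA 6B CA ED 7E 2C 68 C5 BE 91 B5 A1 10 01 F0 24
"""

if __name__ == "__main__":
    sig = parse_check_signature(SAMPLE_OUTPUT)
    print("signed at:", sig.signed_at.isoformat() if sig.signed_at else None)
    for cert in sig.chain:
        print(f"  {cert.name} (expires {cert.expires.date()}) {cert.sha256}")
    print("timestamp within validity:", timestamp_within_validity(sig))
    print("anchored at Apple Root CA:", anchored_at_apple_root(sig))
```

Storing the parsed `signed_at` and fingerprints per package lets a fleet tool flag installers whose timestamp is missing or falls outside the chain's validity without re-running pkgutil on every host; `check_pkg` is the only function that touches a real file.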