What's Your Sign?

Verifying a file's cryptographic signature can deduce its origin or trustability. Unfortunately there's no simple way to view a file's signature via the UI.
"What's Your Sign" adds a menu item to Finder. Simply right-, or control-click on any file to display its cryptographic signing information!
Supported OS: OS X 10.13+
Current version: 3.0.1 (change log)
Zip's SHA-1: 3EACCAAA56C0E8782BBFB9AC44890B832DFC30F5
Source Code: WhatsYourSign



What's Your Sign is a utility with a straightforward goal: to make it easy to view any file's cryptographic signing information directly from the user interface. A file or binary's cryptographic signature is important because it can identify its creator (e.g., Apple, a third party, etc.). Moreover, it helps determine if a file can be trusted. For instance, binaries signed by Apple are generally trustworthy, while unsigned files may be untrusted or even malicious.

To install What's Your Sign, first download the zip archive containing the application installer. Depending on your browser, you may need to manually unzip the application by double-clicking on the zipped archive:

Then, simply double-click on 'WhatsYourSign Installer.app'. Click 'Install' (or 'Upgrade') to install the tool:
Double click on 'WhatsYourSign Installer.app' and click 'Install'

Once What's Your Sign is installed, you can control-click or right-click on any file and select the 'Signing Info' option from the menu to view details about the file's cryptographic signature.
Right-, or control-click on any file to display its signing information.
Clicking on the 'Signing Info' menu option will display an informative window that displays the selected file's cryptographic signing information (or lack thereof).

Files that are signed by Apple proper will contain a green lock icon:
Calculator is signed by Apple.
Files that are signed, but do not belong to Apple proper (i.e are from the Mac App Store, or simply signed with an Apple Developer ID) will contain a black lock icon:
What's Your Sign is signed by with Objective-See's Developer ID (and has been notarized by Apple).
Note:
Most legitimate 3rd-party apps should also be notarized.

Finally, files that are unsigned or whose signing certificate has been revoked, will contain a red unlock icon:
An application that is infected with the KeRanger ransomware has had its certificate revoked.
Note:
As the vast majority of legitimate applications are signed (and notarized) items that are signed with an ah-hoc signature, or wholly unsigned, should be treated with caution.

Items whose code signing certificate has been revoked by Apple, are almost always malicious.


What's Your Sign will also compute hashes for any item. Simply click on the 'View Hashes' text to view an item's MD5, SHA1, and SHA256 hashes:
Click 'View Hashes' to view an item's hashes.
Note:
For Application bundles the hash values represent the hash of application's executable binary.

For any item with entitlements, What's Your Sign will extract and display them. (For more information on entitlements, see Apple's documentation on the subject). Simply click on the 'View Entitlements' option to see an item's entitlements:
Click 'View Entitlements' to view an item's entitlements.
To uninstall What's Your Sign simply re-run the 'WhatsYourSign Installer.app' Clicking the 'Uninstall' button will fully remove What's Your Sign from your Mac: figure>
Double click on 'WhatsYourSign Installer.app' and click 'Uninstall'.
Frequently Asked Questions

Q: How can I tell if What's Your Sign is installed and running?
A: Simply right- or control- click on any file (in Finder, the desktop, etc). If a 'Signing Info' option is available in the dropdown menu, that means What's Your Sign is installed.

You can also check if the /Applications/WhatsYourSign.app directory exists and contains WhatsYourSign.appex bundle in the /Contents/Plugins directory.

Q: Why are there multiple What's Your Sign processes running?
A: What's Your Sign integrates with Finder as a ("Finder Sync") plugin. The operating system determines how and when to load the What's Your Sign plugin, and it may load multiple instances of it. Therefore, it is completely normal to see multiple instances of What's Your Sign running!

Q: Why does What's Your Sign access the network?
A: The system API's (e.g., SecAssessmentTicketLookup) used to check a file's notarization status may connect to Apple's notarization servers.
The application does not use the network for any other reason.