Validate code signature as well.

SecretAgentKit/SecretAgentKit.h

@@ -7,10 +7,13 @@
 //
 
 #import <Foundation/Foundation.h>
+#import <Security/Security.h>
 
 // Forward declaration of proc_pidpath from libproc.h
 int proc_pidpath(int pid, void * buffer, uint32_t  buffersize);
 
+OSStatus SecCodeCreateWithPID(int32_t, SecCSFlags, SecCodeRef *);
+
 //! Project version number for SecretAgentKit.
 FOUNDATION_EXPORT double SecretAgentKitVersionNumber;
 

SecretAgentKit/SigningRequestProvenance.swift

@@ -25,12 +25,14 @@ extension SigningRequestProvenance {
         public let pid: Int32
         public let name: String
         public let path: String
+        public let validSignature: Bool
         let parentPID: Int32?
 
-        init(pid: Int32, name: String, path: String, parentPID: Int32?) {
+        init(pid: Int32, name: String, path: String, validSignature: Bool, parentPID: Int32?) {
             self.pid = pid
             self.name = name
             self.path = path
+            self.validSignature = true
             self.parentPID = parentPID
         }
 

SecretAgentKit/SigningRequestTracer.swift

@@ -1,5 +1,6 @@
 import Foundation
 import AppKit
+import Security
 
 struct SigningRequestTracer {
 
@@ -32,7 +33,11 @@ struct SigningRequestTracer {
         let pathPointer = UnsafeMutablePointer<UInt8>.allocate(capacity: Int(MAXPATHLEN))
         _ = proc_pidpath(pid, pathPointer, UInt32(MAXPATHLEN))
         let path = String(cString: pathPointer)
-        return SigningRequestProvenance.Process(pid: pid, name: procName, path: path, parentPID: ppid)
+        var secCode: Unmanaged<SecCode>!
+        let flags: SecCSFlags = [SecCSFlags.considerExpiration, SecCSFlags.enforceRevocationChecks]
+        SecCodeCreateWithPID(pid, SecCSFlags(), &secCode)
+        let valid = SecCodeCheckValidity(secCode.takeRetainedValue(), flags, nil) == ERR_SUCCESS
+        return SigningRequestProvenance.Process(pid: pid, name: procName, path: path, validSignature: valid, parentPID: ppid)
     }
 
 }