As an add-on to ISC Handler Lenny Zeltser's earlier diary on extracting certificates from signed Windows binaries, here's how to do the same on a Mac. Given that today's blog over at F-Secure documents a screenshot-taking Mac spyware that is signed with a developer ID, signed bad .apps might actually be more prevalent than expected.
To verify and extract signatures and certificates on an Apple .app, you can do (example Mail.app)
codesign -dvvvv --extract-certificates /Applications/Mail.app
This will save the certificates in DER format, named codesign0, codesign1, etc. These can then be displayed as usual with OpenSSL
openssl x509 -inform DER -in codesign0 -text
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.