@ngoffee
Last active August 29, 2015 14:08
Extract the root certificates on a Mac and find the ones authorized for code signing
#!/bin/bash
# Directory to put results; will rm -f *.pem *.txt */*.pem */*.txt in it.
# Code signing certs will be put in "$RESULTS"/code-signing-certs
#
# On my Mac (10.9.5), I see 7 code signing certs, not all of them Apple's.
# I haven't dug in enough to know if these CAs can therefore issue
# code-signing certs that Gatekeeper will accept.
RESULTS=results
KEYCHAINS="/System/Library/Keychains/*.keychain /Library/Keychains/System.keychain"
set -e
mkdir -p "$RESULTS"
rm -f "$RESULTS"/*.pem "$RESULTS"/*.txt "$RESULTS"/*/*.pem "$RESULTS"/*/*.txt

echo "Getting certs ..."
# $KEYCHAINS is left unquoted on purpose so the shell expands the globs.
for kc in $KEYCHAINS; do
    [ -e "$kc" ] || continue
    echo "$kc"
    out="$RESULTS"/$(basename "${kc%.keychain}").pem
    # Dump every certificate in the keychain into one concatenated PEM file.
    security export -k "$kc" -t certs -o "$out"
done
echo

echo "Extracting certs to separate files ..."
for f in "$RESULTS"/*.pem; do
    echo -n "$(basename "$f"): "
    d="${f%.pem}"; mkdir -p "$d"
    # Split the concatenated PEM at each BEGIN line into $d/1.pem, $d/2.pem, ...
    i=0
    while IFS= read -r line; do
        case "$line" in
            -----BEGIN*)
                i=$((i+1)); echo -n "$i "
                out="$d/$i.pem"; echo "$line" > "$out" ;;
            *)
                echo "$line" >> "$out" ;;
        esac
    done < "$f"
    echo
done
echo

echo "Converting certs to human-readable text ..."
for f in "$RESULTS"/*/*.pem; do
    openssl x509 -in "$f" -inform pem -text -noout -out "${f%.pem}".txt
done

echo "Finding code-signing certs ..."
# Matches the "Code Signing" entry openssl prints for the Extended Key Usage
# extension; a subject name containing the same words would match as well.
mkdir -p "$RESULTS"/code-signing-certs
i=0
for f in "$RESULTS"/*/*.txt; do
    if grep -F 'Code Signing' "$f" >/dev/null; then
        i=$((i+1)); echo -n "$i "
        cp "$f" "$RESULTS"/code-signing-certs/$i.txt
    fi
done
echo
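An added example, not part of the gist: a stdlib-only Python check that decides "code signing" by the id-kp-codeSigning OID inside the Extended Key Usage extension instead of grepping the text dump (where "Code Signing" also matches a subject name). `is_code_signing` takes the contents of one of the N.pem files the script writes; all function names are mine, and `sample_pem` builds a constructed stand-in with the real Extension layout, not a real certificate.

```python
import base64
EKU_EXT_OID = "2.5.29.37"               # id-ce-extKeyUsage
CODE_SIGNING_OID = "1.3.6.1.5.5.7.3.3"  # id-kp-codeSigning

def _tlv(buf, pos):  # one DER TLV at pos -> (tag, value, next pos); handles long-form lengths
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):  # split a constructed element's contents into (tag, value) children
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = _tlv(value, pos)
        out.append((tag, v))
    return out

def _decode_oid(value):  # DER OID contents -> dotted string; the first octet packs two arcs
    arcs, n = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(n))
            n = 0
    return ".".join(arcs)

def extended_key_usage(der):
    # Depth-first walk: an Extension is SEQUENCE { OID, [critical], OCTET STRING }, and for
    # id-ce-extKeyUsage the OCTET STRING wraps SEQUENCE OF OID. Returns [] if absent.
    stack = [der]
    while stack:
        try:
            kids = _children(stack.pop())
            if kids and kids[0][0] == 0x06 and _decode_oid(kids[0][1]) == EKU_EXT_OID:
                inner = _children(kids[-1][1])[0][1]
                return [_decode_oid(v) for t, v in _children(inner) if t == 0x06]
        except IndexError:      # truncated or non-DER bytes: skip this node
            continue
        stack.extend(v for t, v in kids if t & 0x20)   # descend into constructed children only
    return []

def is_code_signing(pem_text):  # pem_text: contents of one N.pem file written by the script
    der = base64.b64decode("".join(l for l in pem_text.splitlines() if not l.startswith("-----")))
    return CODE_SIGNING_OID in extended_key_usage(der)

def _der(tag, content):  # short-form DER encoder, used only to build the constructed sample
    return bytes([tag, len(content)]) + content

def sample_pem(eku_oid_bytes):
    # CONSTRUCTED stand-in, not a real certificate: SEQUENCE { [3] { SEQUENCE { Extension } } }
    ext = _der(0x30, _der(0x06, b"\x55\x1d\x25") + _der(0x04, _der(0x30, _der(0x06, eku_oid_bytes))))
    body = base64.b64encode(_der(0x30, _der(0xA3, _der(0x30, ext)))).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body
```

To run it over the script's output, feed `open(path).read()` for each `results/*/N.pem` to `is_code_signing`.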