This sample code is associated with my blog post Practical CPU time performance tuning for security software: Part 1 and Part 2. It demonstrates how to check static code signing information using SecStaticCodeCheckValidityWithErrors API and then demonstrates it's impact on the CPU usage when it is used on a large bundle.
Note that the purpose of this sample is not to question Apple’s implementation of SecStaticCodeCheckValidity* on the performance side. Instead, I want to demonstrate that code signing validation is CPU intensive. We should carefully evaluate its impact on CPU/resource consumption and carefully choose when to use it and when not to use it.
git clone [email protected]:Trinity2019/macOSStaticCodeCheck.git
Open checkCSInfoObserveCPU.xcodeproj project and build with Xcode.
2021-06-01 20:38:29.230 checkCSInfoObserveCPU[51925:3972133] SecStaticCodeCheckValidityWithErrors returned err code = -67054
2021-06-01 20:38:29.230 checkCSInfoObserveCPU[51925:3972133] SecStaticCodeCheckValidityWithErrors took 134 seconds to finish.
2021-06-01 20:38:29.248 checkCSInfoObserveCPU[51925:3972133] Signature status: a sealed resource is missing or invalid
2021-06-01 20:38:29.248 checkCSInfoObserveCPU[51925:3972133] Team ID = 59GAB85EFG
2021-06-01 20:38:29.248 checkCSInfoObserveCPU[51925:3972133] Signing ID = com.apple.dt.Xcode
Note: For simplicity, the code assumes Xcode is installed at this path: /Applications/Xcode.app/Contents/MacOS/Xcode and hardcoded it in the main function. You can also change the hardcoded path to something else for testing purposes.
Test environment: Xcode Version 12.4 (12D4e), macOS Big Sur 11.3.1 (20E241), MacBook Pro 2.4 GHz 8-Core Intel Core i9
Note: Depending on the hardware spec, if you run the same program on different machines, %CPU consumption may differ. For example, I've also tested the same program on a virtual machine with 4 cores, and the %CPU consumption range was 100~200% but it took longer to finish.