PS for OSX:: Runs 'ps ax' and verify the code signature of every running proccess using apple's 'codesign' tool

ps_osx.sh

#!/bin/sh
IFS=$'\n'

#help text
usage="$(basename "$0") [-h or -?] [-i] [-a] [-s] [-d] [-u] [-s] [-b] 

Runs 'ps ax' and verify the code signature of every running proccess using apple's 'codesign' tool

-h/-? :: help for command
   -i :: dont show an inital count before analyzing each process
   -a :: dont log processes signed by apple directly
   -s :: dont log processes signed for the appstore
   -d :: dont log processes signed by a known developer
   -u :: dont log processes NOT signed at all
   -f :: dont show a final count after analyzing each process
   -b :: dont log the processes shortname (basename) only but include its full path"

#flags
logHeader=1
logApple=1
logStore=1
logDev=1
logUnknown=1
logSummary=1
useShortNames=1

#read args
while getopts "h?iasdufb" opt; do
	case "$opt" in
	h|\?)
		echo "$usage"
		exit 0
		;;
	i)  logHeader=0
		;;
	a)  logApple=0
		;;
	s)  logStore=0
		;;
	d)  logDev=0
		;;
	u)  logUnknown=0
		;;
	f)  logSummary=0
		;;
	b)  useShortNames=0
		;;
	esac
done

#gather all running
procs=()
ps=`ps ax -o command`
cProcesses=`echo "$ps" |wc -l | xargs`

for command in $ps 
do
	exec=`echo $command | cut -d " " -f 1`
	if [[ $exec == -* ]] 
	then
		exec=${exec:1}
	fi

	proc=`which $exec`
	procs+=($proc)
done

#unique it
uniques=(`for i in "${procs[@]}"; do echo $i; done | sort -u`)

if [ "$logHeader" -eq "1" ]; then
	echo "${#procs[@]} running processes"
	echo "${#uniques[@]} unique binaries"
fi

#check signatures
cApple=0
cStore=0
cDev=0
cUnknown=0
for proc in "${uniques[@]}"; do
	res=`codesign --display --verbose=4 $proc 2>&1`
	isApple=`echo "$res" | grep "Authority=Apple Code Signing Certification Authority"`
	isStore=`echo "$res" | grep "Authority=Apple Worldwide Developer Relations Certification Authority"`
	isDev=`echo "$res" | grep "Authority=Developer ID Application:"`
	
	if [ "$useShortNames" -eq "1" ]; then
		proc=`basename $proc`
	fi
	
	if [ -n "$isApple" ]; then
		if [ "$logApple" -eq "1" ]; then
			echo "* '$proc' is signed (Apple directly)"
		fi
		cApple=$((cApple+1))
	elif [ -n "$isDev" ]; then
		if [ "$logDev" -eq "1" ]; then
			isDev=${isDev:35}
			echo "? '$proc' is signed. (Known developer, $isDev)"
		fi
		cDev=$((cDev+1))
	elif [ -n "$isStore" ]; then
		if [ "$logStore" -eq "1" ]; then
			echo "* '$proc' is signed. (Software from Appstore)"
		fi
		cStore=$((cStore+1))
	else
		if [ "$logUnknown" -eq "1" ]; then
			echo "! '$proc' is unsigned. (Unknown identity)"
		fi
		cUnknown=$((cUnknown+1))
	fi
done

if [ "$logSummary" -eq "1" ]; then
	echo "$cApple apple processes
$cStore apps from the AppStore
$cDev developer signed programs
$cUnknown unknown processes found"
fi  

to install it:

1. download the raw code,
2. save it to a file (e.g. ps_osx.sh)
3. run chmod a+x ps_osx.sh in the terminal where you downloaded the file to

Sample output:

361 running processes
280 unique binaries
* 'AutoMute' is signed. (Software from Appstore)
? 'Dropbox' is signed. (Known developer,  Dropbox, Inc.)
? 'garcon' is signed. (Known developer,  Dropbox, Inc.)
? 'Fabric' is signed. (Known developer,  Crashlytics, Inc.)
? 'CSYMGenerator' is signed. (Known developer,  Crashlytics, Inc.)
? 'Flux' is signed. (Known developer,  Michael Herf)
* 'Magnet' is signed. (Software from Appstore)
* 'Mail' is signed (Apple directly)
....
269 apple processes
3 apps from the AppStore
6 developer signed programs
2 unknown processes found