A macOS menu bar utility that tells you whether a password prompt on your screen is from a real Apple system process — or something pretending to be one.
When macOS asks for your password (to install software, change a setting, etc.), there's no built-in way to confirm the dialog is genuine. A malicious app could display an identical-looking prompt and steal your credentials. AuthTrustIndicator solves this by monitoring the system for Apple's SecurityAgent process and providing a clear visual signal in your menu bar.
- Green lock in the menu bar — a trusted authentication process (
SecurityAgent) is active and its window is visible on screen. - Gray lock — idle, no authentication dialog detected.
- Green border around the auth dialog — optional overlay that highlights the real window so you can visually confirm it's the one being verified.
The app verifies trust by checking the process bundle identifier, name, and executable path (must be under /System/Library/ or /usr/libexec/). A process that merely names itself SecurityAgent but runs from an untrusted location will not trigger the green indicator.
git clone https://github.com/<your-org>/AuthTrustIndicator.git
cd AuthTrustIndicator
make runThis builds dist/AuthTrustIndicator.app and launches it.
The app uses Accessibility APIs to check whether auth windows are actually visible (not just running in the background). On first launch, macOS will prompt for permission in System Settings > Privacy & Security > Accessibility. If the app doesn't appear in the list automatically, add dist/AuthTrustIndicator.app manually with the + button.
The app still works without Accessibility permission (using CoreGraphics window list as a fallback), but visibility detection is more reliable with it.
| Option | Description |
|---|---|
| Accessibility permission | Shows whether the permission is granted. Click to open System Settings. |
| Show icon when idle | Keep the gray lock visible when no auth is happening. On by default. |
| Highlight auth window | Draw a green border around the detected auth dialog. On by default. |
| Launch at login | Start automatically via a user LaunchAgent in ~/Library/LaunchAgents. |
| Command | Description |
|---|---|
make run |
Build the app bundle and launch it |
make build-app |
Build the app bundle only |
make test |
Run unit tests |
make build-prod |
Build, sign with Developer ID, notarize, and staple |
make sign-check |
Show code signature details |
make clean |
Remove build artifacts |
make build-app uses ad-hoc signing, which is fine for local use.
For distribution, make build-prod requires a Developer ID certificate and a notarytool keychain profile:
# One-time setup
xcrun notarytool store-credentials "AUTH_TRUST_NOTARY" \
--apple-id "<apple-id>" \
--team-id "<team-id>" \
--password "<app-specific-password>"
# Build, sign, notarize, and staple
SIGNING_IDENTITY="Developer ID Application: Your Name (TEAMID)" \
NOTARY_KEYCHAIN_PROFILE="AUTH_TRUST_NOTARY" \
make build-prod# Enable
defaults write com.authtrustindicator.app debugLogging -bool YES
# Stream logs
/usr/bin/log stream --style compact --debug \
--predicate 'subsystem == "com.authtrustindicator.app" AND category == "AuthProcessMonitor"'
# Disable
defaults delete com.authtrustindicator.app debugLoggingSources/
AuthTrustCore/ # Pure logic, no UI dependencies
AuthState.swift # .idle / .authInProgress(pid:)
AuthProcessDetector.swift # Whitelist + path trust verification
AuthTrustIndicator/ # AppKit menu bar app
main.swift # Entry point, single-instance guard
AppDelegate.swift # Wires monitor -> UI
AuthProcessMonitor.swift # NSWorkspace + AX observer runtime
StatusItemController.swift # Menu bar icon and menu
AuthWindowHighlighter.swift# Green border overlay
LaunchAtLoginManager.swift # LaunchAgent plist management
Tests/
AuthTrustCoreTests/
AuthProcessDetectorTests.swift
open Package.swift