xcrun notarytool history --keychain-profile "notary-profile"
xcrun notarytool log <submission-id> --keychain-profile "notary-profile"
Look for "status": "Accepted".
Because anyone can re-sign an IPA, malicious actors inject spyware, adware, or credential stealers. Common payloads include: ams1gn ipa verified
Without source-code verification, trusting a tag like "ams1gn ipa verified" is a leap of faith. Always download from established, long-standing repos. Look for "status": "Accepted"
The format is too long to be a simple hash (e.g., MD5 is 32 hex chars). Could be a base64-encoded result of an integrity check: Without source-code verification
echo "ams1gn ipa verified" | base64
YW1zMWduIGlwYSB2ZXJpZmllZAo=
But that is reversible and not a secure hash. If it were a verification string, it might be a signed message from a secure enclave: ams1gn as identifier, ipa verified as claim.
Likelihood: 10%
If your iOS version is jailbreakable (check canijailbreak.com), you can install any IPA permanently with tweaks like Appsync Unified. This bypasses signature checks entirely but reduces device security.