Apple has added a new security database to Catalina, bringing 3 updates

Before macOS 10.15 Catalina, we knew of two Gatekeeper databases, both stored in /var/db:

  • gkopaque.bundle, which contains a substantial database, gkopaque.db, among its resources, and is usually updated quite frequently;
  • gke.bundle, which contains the single resource gke.auth, had in the past been presumed to be disk-related, and changed very seldom.

Since beta releases of Catalina, many have noticed the addition of a new database file gk.db to the resources in gke.bundle, which has already been updated twice since its appearance. It has gone from version 7.2, the same as in Mojave, to 7.6 in the release version of 10.15, and last week Apple pushed an update named Gatekeeper Compatibility Data 1.0 which brought it to version 8.0.

In contrast, the previously active gkopaque.bundle has remained at version 181 over the same period.

The presumption in the past has been that the gkopaque.db database in gkopaque.bundle contains a blacklist of developer certificate information, including revocations, used when Gatekeeper performs its first run checks on executable software.

If that’s the role of gkopaque.bundle, the new role of gke.bundle might relate to notarization tickets, but at the moment that is pure speculation. It’s also unclear at present whether Apple intends to update gke.bundle as seldom as in the past, or as frequently as it has gkopaque.bundle. These pushed updates are relatively hard to track, as they have recently consisted only of the resource files gk.db and gkopaque.db, and therefore lack any BOM (‘bill of materials’) listing contents and install paths.

To help Catalina users keep track of these new Gatekeeper data updates, I have now added them fully to my free apps SilentKnight, LockRattler, and the silnite command tool.

SilentKnight 1.3

Previously, because gke.bundle had changed so infrequently, SilentKnight didn’t check its installed version. In this new release, when run on Catalina, SilentKnight reports and checks both gkopaque.bundle (as before) and gke.bundle (new).

(Screenshot silentknight131: SilentKnight 1.3 running on Catalina)

In Catalina only, it now gives Gatekeeper versions for gkopaque.bundle followed by gke.bundle, both in the small boxes at the top and in the fuller report below. If either of those is out of date with the version expected from the database, they are flagged with a warning. Future pushed updates will continue to be listed and installed as with other updates.
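To show what such a version check involves, here is an added example (not SilentKnight’s or LockRattler’s own code) that reads the installed versions of the two Gatekeeper data bundles and flags any that are out of date against the versions quoted above. It assumes that each bundle under /var/db is a standard bundle whose Contents/Info.plist carries the version in CFBundleShortVersionString.

```python
"""Check installed Gatekeeper data-bundle versions against expected ones.

Added example, not code from SilentKnight or LockRattler. Assumption: each
bundle in /var/db is a normal bundle whose Contents/Info.plist holds its
version in CFBundleShortVersionString.
"""
import plistlib
from pathlib import Path

# Versions an up-to-date Catalina 10.15 install should have, as stated in the post.
EXPECTED = {"gkopaque.bundle": "181", "gke.bundle": "8.0"}
GK_DB_DIR = Path("/var/db")

# Constructed sample Info.plist (not copied from a real bundle), carrying the
# pre-update gke.bundle version 7.6 so the out-of-date path can be exercised.
SAMPLE_INFO_PLIST = plistlib.dumps({"CFBundleShortVersionString": "7.6"})


def version_tuple(version):
    """'7.6' -> (7, 6); '181' -> (181,). Non-numeric components compare as 0,
    so '7.10' correctly sorts after '7.6' (a plain string compare would not)."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def version_from_plist(plist_bytes):
    """Return CFBundleShortVersionString from raw Info.plist bytes, or None."""
    return plistlib.loads(plist_bytes).get("CFBundleShortVersionString")


def installed_version(bundle_dir):
    """Read the version of an installed bundle; None if it is not present."""
    plist = Path(bundle_dir) / "Contents" / "Info.plist"
    return version_from_plist(plist.read_bytes()) if plist.is_file() else None


def status(installed, expected):
    """Classify an installed version against the expected one."""
    if installed is None:
        return "MISSING"
    have, want = version_tuple(installed), version_tuple(expected)
    if have < want:
        return "OUT OF DATE"
    return "newer than expected" if have > want else "ok"


def check_bundles(base=GK_DB_DIR, expected=EXPECTED):
    """Map bundle name -> (installed version, status) for every expected bundle."""
    result = {}
    for name, want in expected.items():
        have = installed_version(Path(base) / name)
        result[name] = (have, status(have, want))
    return result


if __name__ == "__main__":
    for name, (have, state) in check_bundles().items():
        print(f"{name}: {have or '-'} ({state})")
```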

This update is available from here (silentknight13), from Downloads above, from the Product Page, and through the app’s auto-update mechanism. Although it doesn’t alter behaviour on Mojave and earlier, I recommend it for all users.

LockRattler 4.23

Unlike SilentKnight, LockRattler has always reported both gkopaque.bundle and gke.bundle version numbers, the latter as the Disk version. This new release of LockRattler changes the term used when running in Catalina only to read GKE version. I have also updated its Help book to explain these issues.

Here’s LockRattler 4.23 in Mojave:

(Screenshot locrattler925: LockRattler 4.23 in Mojave)

and here it is in a fully updated version of Catalina:

(Screenshot locrattler926: LockRattler 4.23 in a fully updated Catalina)

This update is available from here (lockrattler423), from Downloads above, from the Product Page, and through the app’s auto-update mechanism. Although it doesn’t alter behaviour much, I recommend it for all users.

silnite 2

silnite is the command tool equivalent of SilentKnight, intended mainly for use on networks of Macs, so that you can check for and install updates remotely. As with SilentKnight, its first version didn’t check or report the version of gke.bundle, but this new version does when running in Catalina.

This update is available from here (silnite2), from Downloads above, and from the Product Page. Although it doesn’t alter behaviour when running in Mojave and earlier, I recommend it for all users. It is properly notarized for installation and use in Catalina.

I suspect that this isn’t the last that we’ve heard of the gke.bundle in Catalina, and will keep you posted on developments.

Thanks to Al Varnell for generous help in deciphering what has been going on.