Security data files: how they’ve changed in Catalina

Each of the main security services in macOS, like Gatekeeper and XProtect, relies on data which is commonly stored in separate files so that it can be updated easily outside of full macOS system updates. Most of these updates are pushed silently by Apple, unannounced, and you aren’t even sent a notification when they’ve been updated.

macOS Catalina brings the greatest changes in security data files that I can recall: with the introduction of the read-only System volume, almost all of them have moved to new locations on the writeable Data volume, so that they can be updated more easily. Catalina also changes the behaviour of Gatekeeper, which now checks notarization when a quarantined app is first run, and XProtect, which runs its checks on every app when it is opened on every occasion.

This article details each of the main security data files found in macOS 10.15 Catalina, together with others involved in related system functions. As Apple doesn’t document any of them beyond mentioning their existence and simplified role, the information given is the best that I can find currently.

Main Security Data

Gatekeeper Configuration Data (GK Opaque)
Latest version: 181, not updated since 10.15 release.
This is an SQLite database which is placed on the Data volume in /private/var/db/gkopaque.bundle/Contents/Resources/gkopaque.db and is believed to provide blacklists for Gatekeeper’s security system, which checks the code signatures of apps.

Gatekeeper E Configuration Data (GKE)
Latest version: 8.0, 11 October 2019.
This is an SQLite database which is placed on the Data volume in /private/var/db/gke.bundle/Contents/Resources/gk.db with an additional file gke.auth, which are believed to provide blacklists for Gatekeeper’s security system, possibly relating to notarization tickets. gke.auth is believed to contain data for checking signed disk images, and seems to have remained largely unchanged since Sierra. gk.db is new with Catalina.

MRT Configuration Data
Latest version: 1.50, not updated since 10.15 release.
This is Apple’s Malware Removal Tool stored on the Data volume at Library/Apple/System/Library/CoreServices/MRT.app, so that it can remove any malware which macOS detects. It doesn’t use a separate data file, instead embedding its details with the executable code.

TCC Compatibility Bundle
Latest version: 150.18, not updated since 10.15 release.
This is a bundle on the Data volume at Library/Apple/Library/Bundles/TCC_Compatibility.bundle which contains AllowApplicationsList.plist, which appears to be a global whitelist pushed by Apple for privacy overrides whenever TCC starts up. This was essentially new for Mojave, and has changed substantially again in Catalina.

XProtectPlistConfigData
Latest version: 1.0 2107, 29 October 2019 with 10.15.1 update.
These are the whitelists and blacklists used by XProtect, as detailed here. They go into the bundle stored on the Data volume at Library/Apple/System/Library/CoreServices/XProtect.bundle, in the files Contents/Resources/XProtect.meta.plist, Contents/Resources/XProtect.plist and Contents/Resources/XProtect.yara. New with Catalina (introduced with beta releases) is the SQLite database file named gk.db in its resources, whose purpose is unknown. This is linked to from the System volume via a symbolic link at /System/Library/CoreServices.

XProtectPlistConfigData 1
Latest version: 1.0 2106, 15 October 2019 with Supplemental Update to 10.15.
This is a duplicate copy of the whitelists and blacklists used by XProtect, but lacks the gk.db database, and is stored on the System volume at /System/Library/CoreServices/XProtect.bundle 1. Currently, this appears to be a read-only backup copy, and was first installed with the 10.15 Supplemental Update.

KextExcludeList
Latest version: 15.1.1, 29 October 2019 with 10.15.1 update.
This is a list of kernel extensions which are to be treated as exceptions to Catalina’s new security rules, and is stored on the Data volume in Library/Apple/System/Library/Extensions/AppleKextExcludeList.kext, at Contents/Resources/ExceptionLists.plist. Its equivalent in previous versions of macOS has been static, but this is new with Catalina.

Others

CompatibilityNotificationData
Latest version: 1.0.8, not updated since 10.15 release
This is a bundle on the Data volume at Library/Apple/Library/Bundles/CompatibilityNotificationData.bundle which contains CompatibilityNotificationData.plist, listing version ranges of third-party products which will be notified as being (in)compatible.

CoreTypes
Latest version: no number, not updated since 10.15 release
This is a bundle on the Data volume at System/Library/CoreServices/CoreTypes.bundle, which contains a library of five further bundles including AppExceptions.bundle, iLifeMediaBrowserTypes.bundle, MachineTypes.bundle, MobileDevices.bundle, and RawCameraTypes.bundle. I have yet to examine these in detail, and will report on them in a future article.

EFI Allow List
Latest version: no number, 6 October 2019.
A bundle containing files listing all the allowed versions (and signatures?) of EFI firmware for Macs running Mojave. Stored in /usr/libexec/firmwarecheckers/eficheck/EFIAllowListShipping.bundle and used by the eficheck tool for its weekly EFI firmware checks. Introduced in High Sierra, as detailed here. Oddly, this currently appears to be on the System volume.

IncompatibleAppsList
Latest version: 15.178, not updated since 10.15 release
This is a bundle on the Data volume at Library/Apple/Library/Bundles/IncompatibleAppsList.bundle which contains IncompatibleAppsList.plist, listing over 200 known incompatible versions of third-party products.

Last updated: 29 October 2019.