App translocation, signature checks, XProtect and more explained, with key messages from the log to help you diagnose problems.
How have checks of notarization changed what happens when you open a quarantined app in Catalina? What does XProtect do?
How checks differ when an app is launched from a new path, and the effects of gross changes to the Resources folder, and small changes to code.
Why signature checks are so complex, and a walk through log entries of a notarized app launching normally in macOS 10.14.5.
Important changes for anyone distributing command tools in particular, and a good time to ensure you only ship signed and notarized apps if possible.
Has Gatekeeper been bypassed? Disclosed details of what is claimed to be a new vulnerability may not be all that they appear to be.
Look in Activity Monitor or the log, and you won’t find anything named Gatekeeper, as it’s a team of different systems, each of which can work on its own. Here’s the detail and a diagram.
App signatures are only checked on app first run – it may once have been true, but is no longer accurate. But can you bypass those additional checks? Is this a vulnerability?
Apple Mobile File Integrity is a combination of a KEXT and a LaunchDaemon which check app signatures, entitlements, and provisioning profiles.
The differences between a full Gatekeeper check, an AMFI check for integrity, and a normal app open, and why signature errors can be tolerated.