Stepping through the stages in security checks made on a notarized Mach-O binary command tool, in Ventura 13.4.1 two years ago, and now in Sequoia 15.4.1.
amfid
Most could live with slight delays when launching major apps. But when they’re as long as 30 seconds, and it’s an Apple silicon Mac, an explanation is required.
SHA-256 hashes are used in code signatures and security as a means of identification and verification. They bring a substantial computational burden, and can be very slow in some Intel Macs. Plus a new version of Dintch for integrity checks.
Why can apps take many seconds or even minutes to launch on some Macs? More results to puzzle and perplex, and a strategy to address the problem.
Opening Pages can take several seconds, and other apps can hang around for 30 seconds before they’re ready to use. Is it XProtect, online certificate checks, or what?
How checks differ when an app is launched from a new path, and the effects of gross changes to the Resources folder, and small changes to code.
Why signature checks are so complex, and a walk through log entries of a notarized app launching normally in macOS 10.14.5.
Look in Activity Monitor or the log, and you won’t find anything named Gatekeeper, as it’s a team of different systems, each of which can work on its own. Here’s the detail and a diagram.
App signatures are only checked on app first run – it may once have been true, but is no longer accurate. But can you bypass those additional checks? Is this a vulnerability?
Apple Mobile File Integrity is a combination of a KEXT and a LaunchDaemon which check app signatures, entitlements, and provisioning profiles.
