How deeply does macOS check a signature? What are all the static code validation flags? Should my app leave macOS to perform signature checks?
How checks differ when an app is launched from a new path, and the effects of gross changes to the Resources folder, and small changes to code.
Why signature checks are so complex, and a walk through log entries of a notarized app launching normally in macOS 10.14.5.
Signature checks are complex. On first run with a quarantine flag, they include the contents of the Resources folder, but seldom do after that.
With recent privacy protection, notarization requirements, and extended checking of executable code, it’s getting more common for an app not to launch. What can you do when that happens?
Important changes for anyone distributing command tools in particular, and a good time to ensure you only ship signed and notarized apps if possible.
Has Gatekeeper been bypassed? Disclosed details of what is claimed to be a new vulnerability may not be all that they appear to be.
Look in Activity Monitor or the log, and you won’t find anything named Gatekeeper, is its a team of different systems, each of which can work on its own. Here’s the detail and a diagram.
First full release version, which conforms to macOS clearance convention, and lets you know which flags it has changed.
How this occurs, why, and what to do to manage the problem when it affects you. Complete with a visual summary and references.