The Trust Chain
In the previous post, we looked at the foundation. Today, we look at the front door. How does macOS know if the app you just downloaded is safe to run? It uses a combination of Gatekeeper, Code Signing, and Notarization.
This is an implementation of the “Trust Chain” model. If every link in the chain verifies, the app is allowed to execute.
The Verification Flowchart
When a user double-clicks an app, the following checks occur in order:
        [ User Downloads App ]
                  |
                  v
      +--------------------------+
      | 1. Quarantine Check      |  (Is the file tagged as 'downloaded'?)
      +--------------------------+
                  |
                  v
      +--------------------------+
      | 2. Code Signature        |  (Is the binary signed? Is it intact?)
      +--------------------------+
                  |
                  v
      +--------------------------+
      | 3. Gatekeeper Check      |  (Is the Developer ID recognized by Apple?)
      +--------------------------+
                  |
                  v
      +--------------------------+
      | 4. Notarization Check    |  (Did Apple scan this for malware?)
      +--------------------------+
                  |
                  v
           [ App Launches ]
Deep Dive: Code Signing
Code signing uses public-key cryptography. The developer signs the app with a private key, and macOS verifies it using the public key stored in the app’s embedded certificate.
Anatomy of a Code Signature:
You can inspect the code signature of any app using the codesign tool. Let’s check the Terminal app itself:
codesign -dvvv /System/Applications/Utilities/Terminal.app
Output Analysis:
Identifier=com.apple.Terminal
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA
TeamIdentifier=not set
- Authority: Shows the certificate chain, listed from the signing (leaf) certificate up to the root. It must trace back to the Apple Root CA.
- Identifier: The unique bundle ID.
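As an added example (not part of the original post), here is a small Python parser for the key=value report that codesign -dvvv prints, which extracts the Authority chain and checks that it anchors at the Apple Root CA before classifying the signer. The Developer ID sample, its bundle ID and the team ID ABCDE12345 are constructed placeholders.

```python
from dataclasses import dataclass, field

APPLE_ROOT = "Apple Root CA"  # every trusted Authority chain must end here

# Constructed sample of `codesign -dvvv` output for a Developer ID app; the
# bundle id and the team id ABCDE12345 are placeholders, not real values.
SAMPLE_DEVELOPER_ID = """\
Identifier=com.example.Demo
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345
"""

@dataclass
class SignatureInfo:
    identifier: str = ""
    team_identifier: str = ""
    authorities: list = field(default_factory=list)  # leaf first, root last

def parse_codesign_output(text: str) -> SignatureInfo:
    """Pull Identifier, TeamIdentifier and the Authority chain from codesign's key=value lines."""
    info = SignatureInfo()
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue  # free-text lines (e.g. an error message) carry no "="
        key, value = key.strip(), value.strip()
        if key == "Identifier":
            info.identifier = value
        elif key == "TeamIdentifier":
            info.team_identifier = value
        elif key == "Authority":
            info.authorities.append(value)
    return info

def chain_verdict(info: SignatureInfo) -> str:
    """Classify the signer the way the Gatekeeper step reasons about the chain."""
    if not info.authorities:  # ad-hoc signatures print "Signature=adhoc" and no Authority lines
        return "no-certificate-chain"
    if info.authorities[-1] != APPLE_ROOT:
        return "untrusted-root"
    leaf = info.authorities[0]
    if leaf == "Software Signing":  # Apple's own platform binaries, e.g. Terminal.app
        return "apple-platform"
    if leaf.startswith("Developer ID Application:"):
        return "developer-id"  # the signer Gatekeeper expects for apps downloaded from the web
    return "other-apple-issued"  # e.g. an Apple Development certificate
```

On a Mac, feed the stderr of `codesign -dvvv -- /path/to/App.app` to parse_codesign_output (codesign writes its report to stderr, not stdout).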
The Notarization Requirement
Starting with macOS Catalina, simply signing an app isn’t enough. Apps must be Notarized. This means the developer uploads the app to Apple’s servers, where it is scanned for malware and known vulnerabilities. If it passes, Apple issues a “ticket” that is stapled to the app.
This prevents scenarios where a legitimate developer account is compromised to sign malware.
The spctl Tool
Gatekeeper is managed by spctl (SecPolicyAssessment). You can check whether Gatekeeper's policy is currently being enforced on the system:
spctl --status
- assessments enabled: Gatekeeper is active.
- assessments disabled: Gatekeeper is effectively turned off (Not recommended).