Re: Xcode-users Digest, Vol 13, Issue 148
- Subject: Re: Xcode-users Digest, Vol 13, Issue 148
- From: João Varela <email@hidden>
- Date: Thu, 09 Jun 2016 20:22:56 +0100
Hi Michael
Because an app being quarantined depends on which app you used to download the image file or whatever you download from the internet. If you use Safari or Chrome they will be good citizens and will set up a bit that marks that file as downloaded from the internet. It is because of this that Gatekeeper can intervene and block the execution of an unsigned app or an app that was modified after signing. However, there are many apps that do not do this (such as any Windows app, or even torrent / email clients that are common on the Mac) and Gatekeeper can be easily bypassed as you saw. That is why Apple implemented the SIP in the latest versions of the OS as well as rootless entitlements, etc., that are other security layers that try to prevent attackers from injecting malicious code into running apps, or to unload sensitive KEXT or to load malicious KEXT into the kernel, or to use the debugger against sensitive apps, etc. However, I’ve seen some security people saying that Apple must improve the security at the kernel level, because some installers and some parts of the file system which have the highest privileges a process can get may be vulnerable to attack, but that’s another kind of story.
HTH
João Varela
Hi all,
I have a signed app that had a flaw (something was changed after signing). When downloaded directly to a Mac from the server, the app was scanned on startup (the "Verifying" alert appears), the flaw was detected and the Gatekeeper assessment failed as damaged. However, when the same dmg is downloaded to a Windows system and then copied to the Mac, the app launches normally. The "Verifying" alert does not appear at all. So the questions are:
1. How can that happen?
2. Is that a security hole in the Gatekeeper system?
Thanks, Michael
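
Added example, not part of either message in the thread: a small audit helper that verifies an app's signature directly instead of depending on the download flag, and reports whether that flag is present. It assumes the "bit" described above is the `com.apple.quarantine` extended attribute and that the macOS `xattr` and `codesign` tools are on the path; the function names and the sample values in the test are constructed for illustration.

```python
import subprocess
import sys

QUARANTINE_ATTR = "com.apple.quarantine"  # assumed xattr behind the "bit" in the reply


def run(cmd):
    """Run a command and return (exit_code, stdout)."""
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.returncode, proc.stdout.strip()


def parse_quarantine(value):
    """Split 'flags;hex_timestamp;agent;uuid'; missing fields become empty."""
    flags, stamp, agent, uuid = (value.split(";") + [""] * 4)[:4]
    try:
        timestamp = int(stamp, 16)
    except ValueError:
        timestamp = None
    return {"flags": flags, "timestamp": timestamp, "agent": agent, "uuid": uuid}


def audit_app(path, runner=run):
    """Check the signature directly instead of relying on the quarantine flag."""
    rc, out = runner(["xattr", "-p", QUARANTINE_ATTR, path])
    quarantine = parse_quarantine(out) if rc == 0 else None  # non-zero: no attribute
    sig_rc, _ = runner(["codesign", "--verify", "--deep", "--strict", path])
    if sig_rc == 0:
        verdict = "valid"
    elif quarantine is not None:
        verdict = "invalid-quarantined"    # flagged download with a broken signature
    else:
        verdict = "invalid-unquarantined"  # the case in the original question
    return {"path": path, "quarantine": quarantine, "verdict": verdict}


if __name__ == "__main__":
    # Usage on a Mac: python3 audit.py /path/to/Some.app [...]
    for app in sys.argv[1:]:
        print(audit_app(app))
```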