diff options
| author | saturneric <[email protected]> | 2025-06-22 19:34:57 +0000 |
|---|---|---|
| committer | saturneric <[email protected]> | 2025-06-22 19:34:57 +0000 |
| commit | f87351e4eede29d1fcbb371ab3584a8fe9448307 (patch) | |
| tree | 4dee837156834a6ed11db3f58e403b09f16a90f9 | |
| parent | docs(memory-security): update securelevel names in documentation (diff) | |
| download | Manual-f87351e4eede29d1fcbb371ab3584a8fe9448307.tar.gz Manual-f87351e4eede29d1fcbb371ab3584a8fe9448307.zip | |
docs(advanced): update macos security details in app-self-check.md
- clarify use of developer id certificates and notarization
- add details about hardened runtime protections
- improve explanation of system-level security enforcement
| -rw-r--r-- | src/content/docs/advanced/app-self-check.md | 27 |
1 files changed, 19 insertions, 8 deletions
diff --git a/src/content/docs/advanced/app-self-check.md b/src/content/docs/advanced/app-self-check.md index 7cff0a1..f935d12 100644 --- a/src/content/docs/advanced/app-self-check.md +++ b/src/content/docs/advanced/app-self-check.md @@ -65,14 +65,25 @@ reliable digital signature verification for EXE/DLL files. ### macOS -On macOS, all application binaries are signed using Apple-recognized developer -certificates and go through Apple Notarization. The Gatekeeper security feature -verifies both the signature and the notarization status of your application -bundle upon installation and launch, ensuring integrity and authenticity. - -Thus, the application’s authenticity and integrity are protected at the system -level, although the internal self-check feature does not perform additional -runtime verification. +On macOS, all application binaries are signed with Apple‐recognized Developer ID +certificates and must pass Apple Notarization. In addition, the app is built +with the Hardened Runtime enabled, which enforces: + +- Library Validation: only loading code-signed system or same-team libraries. +- Code Signing Enforcement: rejecting any binary or plug-in that has been + tampered with. +- Debugging and Injection Prevention: blocking unauthorized debug attachments + and DYLD_INSERT_LIBRARIES-style code injections. +- Entitlements Enforcement: honoring only the explicitly granted entitlements + (e.g. JIT, network, file access). +- Memory Protection: preventing writable pages from being executable (and vice + versa) unless a JIT entitlement is granted. + +Together with Gatekeeper’s signature & notarization checks at install and +launch, Hardened Runtime ensures that your macOS application’s authenticity, +integrity, and runtime security are enforced at the system level, even though +the internal self-check feature does not perform additional runtime signature +validation. ### Linux |