From f87351e4eede29d1fcbb371ab3584a8fe9448307 Mon Sep 17 00:00:00 2001 From: saturneric Date: Sun, 22 Jun 2025 21:34:57 +0200 Subject: docs(advanced): update macos security details in app-self-check.md - clarify use of developer id certificates and notarization - add details about hardened runtime protections - improve explanation of system-level security enforcement --- src/content/docs/advanced/app-self-check.md | 27 +++++++++++++++++++-------- 1 file changed, 19 insertions(+), 8 deletions(-) diff --git a/src/content/docs/advanced/app-self-check.md b/src/content/docs/advanced/app-self-check.md index 7cff0a1..f935d12 100644 --- a/src/content/docs/advanced/app-self-check.md +++ b/src/content/docs/advanced/app-self-check.md 
@@ -65,14 +65,25 @@ reliable digital signature verification for EXE/DLL files. ### macOS -On macOS, all application binaries are signed using Apple-recognized developer -certificates and go through Apple Notarization. The Gatekeeper security feature -verifies both the signature and the notarization status of your application -bundle upon installation and launch, ensuring integrity and authenticity. - -Thus, the application’s authenticity and integrity are protected at the system -level, although the internal self-check feature does not perform additional -runtime verification. +On macOS, all application binaries are signed with Apple‐recognized Developer ID +certificates and must pass Apple Notarization. In addition, the app is built +with the Hardened Runtime enabled, which enforces: + +- Library Validation: only loading code-signed system or same-team libraries. +- Code Signing Enforcement: rejecting any binary or plug-in that has been + tampered with. +- Debugging and Injection Prevention: blocking unauthorized debug attachments + and DYLD_INSERT_LIBRARIES-style code injections. +- Entitlements Enforcement: honoring only the explicitly granted entitlements + (e.g. JIT, network, file access). +- Memory Protection: preventing writable pages from being executable (and vice + versa) unless a JIT entitlement is granted. + +Together with Gatekeeper’s signature & notarization checks at install and +launch, Hardened Runtime ensures that your macOS application’s authenticity, +integrity, and runtime security are enforced at the system level, even though +the internal self-check feature does not perform additional runtime signature +validation. ### Linux -- cgit v1.2.3
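Review bot: the "Entitlements Enforcement" bullet in this hunk cites "network, file access" as examples, but those are App Sandbox entitlements, not Hardened Runtime ones; the Hardened Runtime's entitlements are its exception flags (JIT, unsigned executable memory, disabling library validation, allowing DYLD environment variables, debugger attachment) plus resource-access grants. Since each of those exceptions, if claimed, weakens one of the protections listed in the preceding bullets, the section would be more accurate and more useful if it replaced the sandbox examples with the runtime's own exceptions and stated explicitly which ones this application actually claims (ideally "none") so a reader can tell which bullets really apply. Minor: in the "Memory Protection" bullet, "(and vice versa)" reads as though executable pages could otherwise become writable; consider dropping it or rephrasing as "writable memory is never executable and executable memory is never writable".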