timeline
    1999 : Mac OS 9
         : Code signing
    2012 : OS X 10.8
         : GateKeeper
    2015 : OS X 10.11
         : SIP
    2018 : macOS 10.14
         : AMFI
         : Harden Runtime
    2019 : macOS 10.15
         : Notarizing
    2020 : macOS 11.0
         : Pointer Authentication

Code signing

Wiki：en.wikipedia.org/wiki/Code_s…

en.wikipedia.org/wiki/Classi…

Mac OS 9: Other new features included its on-the-fly file encryption software with code signing and Keychain technologies, Remote Networking and File Server packages, and much improved list of USB drivers.

• Apple User Security Guide：support.apple.com/guide/secur…
• Developer Security Document：developer.apple.com/support/cod…
  • Code Signing Guide-archive
  • macOS Code Signing In Depth-archive

$ codesign

GateKeeper

Wiki：en.wikipedia.org/wiki/Gateke…

Gatekeeper builds upon File Quarantine, which was introduced in Mac OS X Leopard and expanded in Mac OS X Snow Leopard.

• Apple User Security Guide：Gatekeeper and runtime protection in macOS

timeline
    2012/01 : OS X 10.7.3
            : spctl命令行
    2012/07 : OS X 10.8/10.7.5
            : 新增GUI界面
    2014/09 : OS X 10.9.5
            : 使用v2 signature
    2016/09 : macOS 10.12
            : GUI隐藏allow any选项

# sudo xattr -r -d com.apple.quarantine /path/to/MyApp.app
$ spctl

System Integrity Protection（SIP）

Wiki：en.wikipedia.org/wiki/System…

• Apple User Support：About System Integrity Protection on your Mac
• Apple User Security Guide：System Integrity Protection
• Developer Security Document：Disabling and Enabling System Integrity Protection
  • System Integrity Protection Guide-archive

其他

• derflounder.wordpress.com/2015/10/01/…

Apple Mobile File Integrity（AMFI）

其他

• www.theiphonewiki.com/wiki/AppleM…
• developer.apple.com/forums/thre…
• eclecticlight.co/2018/12/29/…

amfid refers to related files /Library/Preferences/com.apple.security.coderequirements.plist and com.apple.security.libraryvalidation.plist, neither of which is normally present on standalone Macs, but may be related to provisioning on managed systems.

App Sandbox

• Developer Security Document：developer.apple.com/documentati…
• Developer Xcode Document：developer.apple.com/documentati…

其他

• en.wikipedia.org/wiki/Sandbo…
• www.theiphonewiki.com/wiki/Sandbo…
• apple.fandom.com/wiki/Sandbo…
• wiki.freepascal.org/Sandboxing_…

Entitlement

• developer.apple.com/documentati…

$ codesign

Hardened Runtime

• Developer Security Document：developer.apple.com/documentati…
  • Disable Library Validation Entitlement ：developer.apple.com/documentati…
• Developer Xcode Document：developer.apple.com/documentati…

其他

• wiki.freepascal.org/Hardened_ru…
• eclecticlight.co/2021/01/07/…

$ codesign

Notarizing

timeline
    2019/05 : macOS 10.14.5
            : 新开发者账号的APP
    2019/10 : macOS 10.15
            : 所有的APP

• Developer Security Document：developer.apple.com/documentati…

  If your app works with this kind of hardware, be sure to declare the Disable Library Validation Entitlement to load the corresponding plug-ins.

  • Resolving common notarization issues

  Because of significant differences in the way code signing works prior to macOS 10.9 (see Code Signing Changes in OS X Mavericks 10.9), notarization only works for binaries linked against macOS 10.9 or later

$ notarytool
$ stapler

Pointer Authentication

• Developer Security Document：developer.apple.com/documentati…
• Operating system integrity ：support.apple.com/guide/secur…

其他

• www.qualcomm.com/content/dam…
• lwn.net/Articles/71…