I’ve got a personal project compiler I built and it’s hit by this very hard. Testing involves (naturally) generating lots of executables. Running it in a Linux docker container takes around ~1s for all 500 tests. macOS by default takes around a _minute_, and even with the workarounds I’ve found (“allow untrusted software to be run by iterm2”) it takes 5-8 seconds.
It’s a pretty niche use case but it’s deeply frustrating
Related, I found that even after designating an application (iTerm2) as a "Developer Tool" in System Settings -> Privacy & Security, there were circumstances where notarisation checks were still carried out. Particularly, launching tmux then detaching and reattaching would cause the processes to no longer be exempt. This applies to any executable (+x), including shell scripts. I put together a test script that proves it at https://gist.github.com/davebarkerxyz/4111276ae1fb4a7566b271... (the second run is much quicker than the first one after a tmux reattach, but within applications marked as Developer Tools the times should be nearly identical).
Fortunately as of Sequoia (15.4.1), I'm no longer able to reproduce the issue.
> Macs have a cache of SHA-256 hashes of all bundled files of all apps that have been launched. But where exactly is this cache
I always assumed this had to be the case? When you first launch an application gatekeeper takes a long time verifying it, but on subsequent launches it's fast. So _some_ bit seems to be stored somewhere indicating whether or not this is "first launch" and whether full verification needs to be performed (maybe it's the launch services cache?)
As for whether the entire image is verified before _each_ launch, I'm not 100% familiar with the flow but I don't think that's correct, it can be done lazily on a page by page basis. https://developer.apple.com/documentation/endpointsecurity/e...
>In the specific case of process execution, this is after the exec completes in the kernel, but before any code in the process starts executing. At that point, XNU has validated the signature itself and has verified that the cdhash is correct. This second validation means that the hash of all individual page hashes in the Code Directory match the signed cdhash, essentially verifying the signature wasn’t tampered with. However, XNU doesn’t verify individual page hashes until the binary executes and pages in the corresponding pages. XNU doesn’t determine a binary shows signs of tampering until the individual pages page in, at which point XNU updates the code signing flags.
If you can replicate this on an Intel mac where code signature is optional, you could try more rigorous comparisons comparing an unsigned binary vs a signed one. In both cases I'd assume yara signature checks would apply.
> doubt that the built-in system libraries are scanned for malware, because they reside on a separate cryptographically-signed read-only disk volume.
Would be nice to be able to do the same for user apps and only scan on volume updates (when app update) instead of the current constant waste of time and energy
I wonder if this is why Fusion 360 is so slow to start. It's by far the slowest app on my relatively modern M1 MacBook Pro.
EVERYBODY: You can fix the Affinity slow start-up problem on MacOS in a simple step:
Go to your App folder and duplicate the "Affinity Photo 2" app. Then remove the original and use the duplicate.
Now Affinity starts in 2 seconds instead of in 30 seconds on my M3 machine.
TIL: MacOS ships with YARA.
Author here. It's unclear why HN is interested in this post, because it's just a response to another blogger's recent posts, which weren't even submitted to HN. Visitors aren't going to have the background context.
My original post "Mac app launches slowed by malware scan" was submitted to HN last year, though it received 0 comments at the time. https://lapcatsoftware.com/articles/2024/2/3.html
[flagged]