Skip to content

Tagged: #security

The gauntlet every newly-downloaded app passes through — quarantine xattr, signature check, notarization check, user prompt. Where each decision is made and how to debug it.
Every Mach-O on a Mac is signed; every signature chains to an Apple root cert. Here's what the kernel actually verifies, what notarization adds, and how the SEP roots it all.
A separate ARM core, its own OS, a hardware mailbox. Here's how the main CPU talks to the SEP, what operations cross the boundary, and why kernel exploits don't compromise FileVault.
Inside the macOS sandbox — a Scheme-derived policy language, a compiler in libsandbox, and a kernel evaluator that runs on every controlled syscall.
Six interlocking layers — code signing, AMFI, entitlements, sandbox profiles, SIP, TCC, and the SEP — that together decide what code is allowed to do on a Mac.