Skip to content

Glossary

Code signing

The cryptographic signature embedded in every Mach-O binary on a modern Mac. Validates the binary is unmodified and identifies its author.

Every Mach-O binary on a modern Mac is signed. The signature lives inside the binary itself in an LC_CODE_SIGNATURE load command and includes a SHA-256 hash of every code page, a certificate chain identifying the signer, an entitlements blob, and a timestamp.

apple-oss-distributions/SecurityOSX/libsecurity_codesigning/lib/SecCode.cppThe userspace side — what codesign(1) actually does.View on GitHub(line )

The kernel computes page hashes lazily as code pages fault in. A mismatch (someone modified the binary on disk) kills the page fault and the process. You can't run modified signed code without re-signing it with a valid identity.

Signing identities form tiers:

  • Apple-signed — every binary under /System.
  • App Store — Apple's own pipeline plus entitlement vetting.
  • Developer ID — third-party apps notarized after a malware scan.
  • Ad-hoc / self-signed — developer builds, software users compile.

See also: AMFI, Entitlement, SIP, and the security architecture article.