Gatekeeper

The macOS feature that gates first-launch of downloaded apps based on signature, notarization, and quarantine. Implemented by syspolicyd.

Gatekeeper is the macOS feature that decides whether a freshly downloaded binary is allowed to run on first launch. It's the layered front-line malware defense for novel binaries.

The decision logic:

  1. Does the binary have a quarantine xattr (was it downloaded)? If no, Gatekeeper doesn't apply.
  2. Is the binary code-signed by an Apple-trusted identity (App Store, Developer ID, Apple itself)?
  3. Is the binary notarized?
  4. Based on those answers, allow silently, prompt the user, or refuse outright.

Gatekeeper is implemented by syspolicyd — a userspace daemon. The command-line tool to interact with it is spctl:

spctl --assess --verbose /path/to/Foo.app

syspolicyd decisions are cached: once it says "yes" to a binary, future launches skip the check until the binary changes or quarantine is reset.
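An added example, not part of this glossary page, that walks step 1 of the decision logic and then hands the file to spctl as shown above: it reads the com.apple.quarantine xattr with the macOS xattr CLI, decodes it, and only then asks syspolicyd. The "flags;timestamp;agent;uuid" layout of the xattr value and the sample value are assumptions/constructed, not something the page states.

```python
"""Decode the quarantine xattr that Gatekeeper's first check depends on,
then run the spctl assessment. Added example, not the page's own code."""
import subprocess
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple

QUARANTINE_XATTR = "com.apple.quarantine"


@dataclass
class QuarantineInfo:
    flags: int            # hex bitfield set by the downloading app
    downloaded_at: datetime
    agent: str            # e.g. "Safari" or "Chrome"
    uuid: str             # key into the LaunchServices quarantine DB


def parse_quarantine(value: str) -> QuarantineInfo:
    """Decode 'flags;timestamp;agent;uuid' (assumed layout).
    Constructed sample: '0083;5f1c5b2a;Safari;F1E2...'."""
    parts = value.strip().split(";")
    if len(parts) < 4:
        raise ValueError(f"unexpected quarantine value: {value!r}")
    flags = int(parts[0], 16)
    stamp = datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc)
    return QuarantineInfo(flags, stamp, parts[2], parts[3])


def read_quarantine(path: str) -> Optional[QuarantineInfo]:
    """Step 1: no xattr means Gatekeeper does not apply (macOS only)."""
    proc = subprocess.run(["xattr", "-p", QUARANTINE_XATTR, path],
                          capture_output=True, text=True)
    if proc.returncode != 0 or not proc.stdout.strip():
        return None
    return parse_quarantine(proc.stdout)


def assess(path: str) -> Tuple[int, str]:
    """Steps 2-4 are syspolicyd's job; ask it through spctl (macOS only)."""
    proc = subprocess.run(["spctl", "--assess", "--verbose", path],
                          capture_output=True, text=True)
    return proc.returncode, (proc.stdout + proc.stderr).strip()


if __name__ == "__main__":
    import sys
    target = sys.argv[1]
    info = read_quarantine(target)
    print("quarantine:", info if info else "absent (Gatekeeper skipped)")
    if info:
        print("spctl:", assess(target))
```

Run it against a downloaded .app bundle on macOS; on a file that was never quarantined it reports that Gatekeeper is skipped without calling spctl.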

Gatekeeper only gates launch. Once launched, the sandbox and other runtime checks decide what the app can do.

See also: code signing, notarization, and the Gatekeeper article.