Go to your App folder and duplicate the "Affinity Photo 2" app. Then remove the original and use the duplicate.
Now Affinity starts in 2 seconds instead of in 30 seconds on my M3 machine.
The blog post doesn't mention this app - am I missing something?
It’s a pretty niche use case but it’s deeply frustrating
I always assumed this had to be the case? When you first launch an application gatekeeper takes a long time verifying it, but on subsequent launches it's fast. So _some_ bit seems to be stored somewhere indicating whether or not this is "first launch" and whether full verification needs to be performed (maybe it's the launch services cache?)
As for whether the entire image is verified before _each_ launch, I'm not 100% familiar with the flow but I don't think that's correct, it can be done lazily on a page by page basis. https://developer.apple.com/documentation/endpointsecurity/e...
>In the specific case of process execution, this is after the exec completes in the kernel, but before any code in the process starts executing. At that point, XNU has validated the signature itself and has verified that the cdhash is correct. This second validation means that the hash of all individual page hashes in the Code Directory match the signed cdhash, essentially verifying the signature wasn’t tampered with. However, XNU doesn’t verify individual page hashes until the binary executes and pages in the corresponding pages. XNU doesn’t determine a binary shows signs of tampering until the individual pages page in, at which point XNU updates the code signing flags.
If you can replicate this on an Intel mac where code signature is optional, you could try more rigorous comparisons comparing an unsigned binary vs a signed one. In both cases I'd assume yara signature checks would apply.
Yes, of course.
How do you go from that to "a cache of SHA-256 hashes of all bundled files of all apps that have been launched"?
>Specifically, the code signing information (code directory hash) is hung off the vnode within the kernel, and modifying the file behind that cache will cause problems. You need a new vnode, which means a new file, that is, a new inode. Documented in WWDC 2019 Session 703 All About Notarization - see slide 65 (PDF).
This seems to be described in https://eclecticlight.co/2024/04/29/apfs-beyond-to-vfs-and-v... but I'm just a layman here. I don't quite understand the benefits of this caching if you have to recompute them to detect mismatch anyway. [1]
And I realize now the initial gatekeeper scan is probably just controlled by presence of quarantine bit, the result themselves are probably not cached.
Edit: Now I'm not so sure, spctl has a --ignore-cache option. So the result of gatekeeper is indeed cached somehow. And presumably as you noted it's a cache miss for this which causes the long application launch delay.
[1] https://github.com/golang/go/issues/42684 has a bit more info on this, I'm happy to see that even seasoned experts are confused about these things.
It appears that Howard Oakley is once again very confused. Unfortunately, his blog is sometimes a foundation of misinformation, which drives me nuts. The Apple technical note that he links to is talking about a process updating itself at runtime while its code signing information is cached by the kernel in memory. Oakley has somehow warped that into a some kind of disk cache, using the odd phrasing "saved to the kernel's cache against the vnode".
> spctl has a --ignore-cache option. So the result of gatekeeper is indeed cached somehow.
Yes. I think it's in /var/db? But again, it's not a cache of the hashes of every file in the app bundle. What would the system even do with that? Not only is there no evidence for the existence of such a thing, but its existence would make no practical sense. Oakley is simply grasping for something that takes a significant amount of time computationally, without giving much consideration to what would be done with the products of that computation.
> And presumably as you noted it's a cache miss for this which causes the long application launch delay.
No, I've showed that it's a periodic malware scan.
11.012004 com.apple.syspolicy.exec Recording cache miss for <private>
20.898736 AppleSystemPolicy Waking up reference: 174
The first of the two messages is from `syspolicyd` and is reporting that it has no cached malware scan result for a file it was asked to scan. The malware scan is triggered by an up-call within the AppleSystemPolicy kernel extension during a MACF hook (`proc_notify_exec_complete`, `file_check_library_validation`, or `file_check_mmap`) if the kext doesn’t have a cached malware scan result for the vnode of the file in question.
The second log message is from the AppleSystemPolicy kernel extension when it receives the result of the malware scan and permits the process to resume execution.
It's a little puzzling that the original analysis is published based on speculation, without any real attempt at verifying that the data supports their hypothesis. Looking at `top` or Activity Monitor during the slow launch would show which process is performing work. A spindump captured during the slow launch would reveal what work it is doing. The system log store captures the process and subsystem that logged any given message. A few minutes in Binary Ninja or Hopper gives you a rough idea of what the code that emits the log is doing.
"The only feature in macOS that I know of that matches that description is what Apple terms XProtect, and there are only two (in Sequoia, previously one) sets of Yara rules in macOS. Now if I’m missing something, please tell me where those other Yara rules are." https://eclecticlight.co/2025/04/22/why-some-apps-launch-ver...
"Well, the only Yara rules that I know of in macOS are those in the XProtect bundle. Do you know of any others?" https://eclecticlight.co/2025/04/30/why-some-apps-sometimes-...
Fortunately as of Sequoia (15.4.1), I'm no longer able to reproduce the issue.
Would be nice to be able to do the same for user apps and only scan on volume updates (when app update) instead of the current constant waste of time and energy
lapcat•19h ago
My original post "Mac app launches slowed by malware scan" was submitted to HN last year, though it received 0 comments at the time. https://lapcatsoftware.com/articles/2024/2/3.html
username223•18h ago
lapcat•18h ago
Is that even possible?
Anyway, I just think my 2024 post is a better place to start, because it explains the issue directly, whereas this new post simply refutes another blogger and argues that there's nothing new beyond my 2024 post. That interpersonal drama/conflict probably isn't going to be understandable or useful to readers.
tough•17h ago
dang•16h ago