Check revocation of certificates
I have created and signed some binaries with Apple development certificates and then revoked the certificate from the developer account. After revocation of the certificate, Gatekeeper is not blocking the execution of the binaries. Even evaluating these revoked certificates in Keychain is showing valid certification and successful evaluation. The same applies to the Installer certificate. I tried checking the revocation status of the binary using the method "SecPolicyCreateRevocation(kSecRevocationUseAnyAvailableMethod)" but we are getting the trust result as 'kSecTrustResultUnspecified'. Please tell me how to check if a certificate is revoked using any utility. Also let me know if I am missing anything in the revocation check call.
Replies
11
Boosts
0
Views
3.2k
Activity
Sep ’22
Counter Signature and Detached Signature
@eskimo Does Mac support Counter Signature and Detached Signature? If yes, then which API call from the Security framework is used to get that signature information?
Replies
1
Boosts
0
Views
1.2k
Activity
Aug ’22
Processes which we can mute in a System Extension to avoid unnecessary events.
@eskimo What are the possible processes which we can mute in a System Extension so that we do not get unnecessary events? E.g. the MDS process, which runs for Spotlight indexing.
Replies
1
Boosts
0
Views
664
Activity
May ’22
File metadata changes when System Extension denies OPEN AUTH event.
When a user tries to edit a file on a local drive, my application denies that action in the OPEN AUTH event. I do not see any change in file access time. But when a user tries to edit a file on a pen drive, my application denies that action in the OPEN AUTH event. I do see a change in access time. Why is there such a difference?
Replies
3
Boosts
0
Views
1.1k
Activity
Feb ’22
Multiple "ES_EVENT_TYPE_AUTH_CLONE" events are created.
In case we copy a file to Finder using ctrl+c -> ctrl+v, we get an "ES_EVENT_TYPE_AUTH_CLONE" event. In case we block that event, we get the 'ES_EVENT_TYPE_AUTH_CLONE' event 2-3 times with the same destination file name. Any idea how to avoid those extra 2-3 'ES_EVENT_TYPE_AUTH_CLONE' events?
Replies
3
Boosts
0
Views
979
Activity
Dec ’21
Looking for Endpoint Security events for some System Calls
Please help me in finding Endpoint Security events for the system calls below: SYS_kdebug_trace, SYS_open_nocancel, SYS_posix_spawn, SYS_proc_info, SYS_rmdir, SYS_vfork, SYS_copyfile, SYS_mkdir, SYS_chmod, SYS_chown
Replies
1
Boosts
0
Views
689
Activity
May ’21