 

OS X badly codesigned app still launched without warnings

My OS X app has been cracked by modifying the main executable. It has been signed with a valid developer ID.

I was expecting some warnings when launching this cracked version on a default OS X install, as the codesign is not valid anymore. I'm surprised that it still launches without any problem with the GateKeeper default rule "App Store or validated dev only".

Why does OS X still launch this invalid app without any warning like "This app is damaged"? Is there any change I need to make in my codesign so that users at least have to change the GateKeeper rule to "Everywhere" when launching this crack?

$ spctl -a -t exec -vv CrackedApp.app/
CrackedApp.app/: invalid signature (code or signature have been modified)

$ codesign --verify --deep --verbose=4 CrackedApp.app/
CrackedApp.app/: invalid signature (code or signature have been modified)
In architecture: x86_64
Tom asked Dec 16 '14 16:12


1 Answer

Remember that GateKeeper takes effect only upon launching a file with the quarantine attribute set. Files directly downloaded through Safari, Mail, Messages, and other Apple software set the quarantine attribute automatically. Once you click through the "Are you sure you want to open it?" alert, the quarantine flag is cleared and GateKeeper is no longer consulted. If you want the equivalent of a GateKeeper check every time your application runs, then you'll need to implement your own static code signature check using an API such as SecStaticCodeCheckValidity. Of course, if people are already modifying your executable, then they could just as well modify it to bypass this additional code-signature check.

Draxillion answered Nov 15 '22 09:11
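The self-check the answer recommends, as an added example that is not part of the original question or answer: a Swift function for a macOS app that re-validates its own static code signature at launch through the Security framework (SecCodeCopySelf, SecCodeCopyStaticCode, SecStaticCodeCheckValidityWithErrors). The team identifier `TEAMID0000` and the function and type names are placeholders chosen for this example; the requirement string pins the signer to one Developer ID team so that a cracker cannot simply strip the signature and re-sign with another certificate. As the answer notes, the check itself lives in the binary and can be patched out; it raises the bar for casual tampering, it does not make the app tamper-proof.

```swift
import Foundation
import Security

/// Outcome of re-validating the running app's own on-disk signature.
enum SelfCheckResult {
    case valid
    case unsigned                 // no code signature at all
    case modified                 // errSecCSSignatureFailed: code or signature changed
    case wrongSigner              // signed, but not by the expected team
    case error(OSStatus)          // anything else (I/O error, malformed bundle, ...)
}

/// Placeholder: replace with the team ID of your own Developer ID certificate.
let expectedTeamID = "TEAMID0000"

func verifyOwnSignature(teamID: String = expectedTeamID) -> SelfCheckResult {
    // 1. SecCode for the running process, then its static (on-disk) counterpart.
    var selfCode: SecCode?
    var status = SecCodeCopySelf(SecCSFlags(), &selfCode)
    guard status == errSecSuccess, let dynamicCode = selfCode else { return .error(status) }

    var staticCodeRef: SecStaticCode?
    status = SecCodeCopyStaticCode(dynamicCode, SecCSFlags(), &staticCodeRef)
    guard status == errSecSuccess, let staticCode = staticCodeRef else { return .error(status) }

    // 2. Requirement: Apple-issued chain and a leaf certificate carrying our team ID.
    //    Validating without a requirement would accept any re-signed (even ad-hoc) copy.
    let requirementText =
        "anchor apple generic and certificate leaf[subject.OU] = \"\(teamID)\"" as CFString
    var requirement: SecRequirement?
    status = SecRequirementCreateWithString(requirementText, SecCSFlags(), &requirement)
    guard status == errSecSuccess, let req = requirement else { return .error(status) }

    // 3. Full static validation: every architecture slice and every nested
    //    framework, helper and plug-in, checked against the requirement.
    let flags = SecCSFlags(rawValue: kSecCSCheckAllArchitectures | kSecCSCheckNestedCode)
    var cfError: Unmanaged<CFError>?
    status = SecStaticCodeCheckValidityWithErrors(staticCode, flags, req, &cfError)
    if let err = cfError?.takeRetainedValue() {
        NSLog("codesign detail: %@", String(describing: err))
    }

    switch status {
    case errSecSuccess:            return .valid
    case errSecCSUnsigned:         return .unsigned
    case errSecCSSignatureFailed:  return .modified   // what `codesign --verify` reports above
    case errSecCSReqFailed:        return .wrongSigner
    default:                       return .error(status)
    }
}

// Run as early as possible (e.g. from applicationWillFinishLaunching) and
// refuse to continue when the binary no longer matches its signature.
switch verifyOwnSignature() {
case .valid:
    break
case .modified:
    NSLog("code or signature has been modified; refusing to run")
    exit(EXIT_FAILURE)
case .unsigned, .wrongSigner:
    NSLog("not signed by the expected Developer ID; refusing to run")
    exit(EXIT_FAILURE)
case .error(let status):
    NSLog("code signature check failed with OSStatus %d", status)
    exit(EXIT_FAILURE)
}
```

Link against the Security framework and test both the pristine bundle and a copy with a byte flipped in the main executable: the first should return `.valid`, the second `.modified`, matching the "invalid signature (code or signature have been modified)" that `codesign --verify` prints in the question. Unlike GateKeeper, which only runs on quarantined files, this check runs on every launch.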