According to this, in macOS Ventura, Gatekeeper should detect changes to signed & notarized applications not only before the first start of the downloaded application, but on every application start.
Our application is an Electron app, so it consists of a lot of *.js files. I tried changing one of the *.js files (I inserted a comment at the beginning of the file), and I also changed a *.json file which contains configurations.
Neither of the changes bothered Gatekeeper. I could happily start the tampered app without any warning. Is that an expected behaviour? I'm aware that *.js files are not directly executable by the OS, but they still contain executable code, and changing *.js files can of course seriously break the application.
UPDATE
When I execute Gatekeeper after editing my config.json file, by using the command spctl -a -vvv -t execute "/Applications/MyApp.app", the system responds with the message "a sealed resource is missing or invalid". If I revert the change, the message is "accepted". So Gatekeeper does notice the change. So how come the application can still be executed by the user?
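The "sealed resource" in that spctl message refers to the bundle's _CodeSignature/CodeResources plist, which records a hash for every sealed file under Contents/ (Electron's *.js and *.json resources included). The following is an added example, not code from the question or from Apple; it builds a constructed miniature app bundle in a temporary directory, writes a simplified seal (SHA-256 entries under files2/hash2, the layout real seals use alongside rules and SHA-1 entries that are omitted here), and then re-checks the hashes after the same two edits the question describes. seal_resources, verify_sealed_resources and the sample file contents are all constructed for this example.

```python
import hashlib
import plistlib
import tempfile
from pathlib import Path

# Constructed sample resources an Electron-style bundle might carry.
# Real apps usually pack these into app.asar; plain files keep the check readable.
SAMPLE_RESOURCES = {
    "Resources/app/main.js": b"console.log('hello');\n",
    "Resources/app/config.json": b'{"debug": false}\n',
}


def sha256_file(path: Path) -> bytes:
    return hashlib.sha256(path.read_bytes()).digest()


def seal_resources(contents: Path) -> None:
    """Write a minimal CodeResources plist sealing every file under Resources/.

    Hypothetical stand-in for the resource-sealing part of `codesign`: only the
    files2/hash2 (SHA-256) entries are produced, no rules or SHA-1 hashes.
    """
    files2 = {}
    for path in (contents / "Resources").rglob("*"):
        if path.is_file():
            rel = path.relative_to(contents).as_posix()
            files2[rel] = {"hash2": sha256_file(path)}
    seal = {"files2": files2, "rules2": {"^Resources/": True}}
    sig_dir = contents / "_CodeSignature"
    sig_dir.mkdir(parents=True, exist_ok=True)
    (sig_dir / "CodeResources").write_bytes(plistlib.dumps(seal))


def verify_sealed_resources(bundle: Path) -> list[str]:
    """Recompute SHA-256 for each sealed entry and report what no longer matches.

    Returns a sorted list of 'modified: <path>', 'missing: <path>' and
    'unsealed: <path>' findings; an empty list means the seal still holds.
    """
    contents = bundle / "Contents"
    seal = plistlib.loads((contents / "_CodeSignature" / "CodeResources").read_bytes())
    files2 = seal.get("files2", {})
    problems = []
    for rel, entry in files2.items():
        sealed = entry.get("hash2") if isinstance(entry, dict) else None
        if sealed is None:  # symlink or SHA-1-only entry; not covered here
            continue
        target = contents / rel
        if not target.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(target) != sealed:
            problems.append(f"modified: {rel}")
    # Files added after signing are also a seal violation.
    for path in (contents / "Resources").rglob("*"):
        if path.is_file() and path.relative_to(contents).as_posix() not in files2:
            problems.append(f"unsealed: {path.relative_to(contents).as_posix()}")
    return sorted(problems)


def demo() -> dict[str, list[str]]:
    """Build the constructed bundle, seal it, verify, apply the two edits, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        bundle = Path(tmp) / "MyApp.app"
        contents = bundle / "Contents"
        for rel, data in SAMPLE_RESOURCES.items():
            (contents / rel).parent.mkdir(parents=True, exist_ok=True)
            (contents / rel).write_bytes(data)
        seal_resources(contents)
        clean = verify_sealed_resources(bundle)

        # The edits from the question: change a config value, prepend a JS comment.
        (contents / "Resources/app/config.json").write_bytes(b'{"debug": true}\n')
        js = contents / "Resources/app/main.js"
        js.write_bytes(b"// inserted comment\n" + js.read_bytes())
        tampered = verify_sealed_resources(bundle)
        return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, findings or "seal intact")
```

On a real macOS system the equivalent check is codesign --verify --deep --strict --verbose=2 MyApp.app, which validates the resource seal against the signature as well; the script above only mirrors the hash comparison, which is enough to see that a one-line comment in a script or a changed JSON value breaks the seal just as a modified binary would.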