By creating a dylib without code, just redefining the signed code verification function with a "return ok" method from another signed library and using text relocation, the entire code signing requirement gets circumvented.
In p0sixspwn, the _.dylib redefines these functions:
- _kMISValidationOptionValidateSignatureOnly (_kCFUserNotificationTokenKey from CoreFoundation)
- _kMISValidationOptionExpectedHash (_kCFUserNotificationTimeoutKey from CoreFoundation)
- _MISValidateSignature (_CFEqual from CoreFoundation)
TODO: some more detailed description missing here.
- maybe others too