Could my binary contain a signature that asserted that it only uses Chrome API calls and never ventures further into a machine trespass?
Would this need some sort of blockchain service? Thoughts against my wild scrying would be appreciated.
At first this post seemed almost like trolling, but I guess you are asking seriously :D
As far as I know, there's no such thing, and due to how modern OSes work you can't really "prove" that your binary doesn't call OS APIs or anything like that.
It's certainly possible to verify and only allow specific API calls for non-native code (e.g. JS), but for native binaries there isn't such a thing.
Also, the "blockchain" term is orthogonal to this matter - it has nothing to do with verifying API calls.
you can't really "prove" that your binary doesn't call OS APIs
I'd love to understand why you can't do this. Could you not see whether a binary ever used a syscall instruction?
Because it is an undecidable problem.
The only universal way to know the result of an arbitrary program is to run it. And whenever you run a program (in a Turing-complete language), you have to face the non-halting problem. You will never know whether the program will end or at some point generate a syscall.
Sandboxing works by imposing limits on the API, not by deciding whether a program calls a certain API.
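The distinction drawn in the post above, as an added example that is not code from any poster in this thread: a Linux seccomp-BPF allow list does not predict what a child process will call, it has the kernel stop the process at the first system call outside the list. It assumes Linux on x86-64 or aarch64; `run_sandboxed`, `only_writes` and `calls_getpid` are hypothetical names.

```c
#define _GNU_SOURCE
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#ifdef __aarch64__
#define NATIVE_ARCH AUDIT_ARCH_AARCH64
#else
#define NATIVE_ARCH AUDIT_ARCH_X86_64  /* assumption: x86-64 Linux */
#endif

/* Allow list: write and exit on the native ABI; anything else is fatal. */
static struct sock_filter rules[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NATIVE_ARCH, 0, 3),  /* else kill */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_write, 2, 0),    /* allow */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_exit, 1, 0),     /* allow */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

/* Run fn() in a forked child under the filter. Returns the child's exit
 * status, -signal if the kernel killed it, 99 if the filter could not be
 * installed, or -1000 if fork/waitpid failed. */
static int run_sandboxed(void (*fn)(void)) {
    struct sock_fprog prog = { sizeof rules / sizeof rules[0], rules };
    pid_t pid = fork();
    if (pid < 0) return -1000;
    if (pid == 0) {
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||
            prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog))
            _exit(99);
        fn();
        syscall(SYS_exit, 0);          /* exit_group is not on the list */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1000;
    return WIFSIGNALED(status) ? -WTERMSIG(status) : WEXITSTATUS(status);
}
static void only_writes(void) { syscall(SYS_write, 1, "in sandbox\n", 11); }
static void calls_getpid(void) { syscall(SYS_getpid); }  /* not allowed */
int main(void) {
    return run_sandboxed(only_writes) == 0 &&
           run_sandboxed(calls_getpid) == -SIGSYS ? 0 : 1;
}
```

The parent learns that the second child left the allow list only because the kernel killed it with SIGSYS at the moment of the call; nothing about the child's code was analysed beforehand.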
For clarification: def. not trolling and would never do that on here, but as a philosophical temperament I am not unused to accidental annoying.
To explain the blockchain comment, I see Ethereum being used to make various economies, not just new art assets with NFT but to provide encryption services. Apple vets binaries, presumably by observing them with elaborate tooling. If it is not possible to provide automatic safeguards, I see two possibilities: more browser platform takeover, or a new economy that incentivises the certification of binaries, somehow. It may be that there just isn't enough market demand for assurances right now. But interesting to think about this.