by aequitas 2047 days ago
Apple doesn't check binary hashes but the developer certificates these binaries are signed with, of which there are a lot fewer (i.e. Firefox and Thunderbird share the same certificate).

From what I understood, Gatekeeper still sends an application specific hash/ticket when an application is opened, not just a dev certificate (e.g. https://lapcatsoftware.com/articles/catalina-executables.htm...). Did that change in Big Sur?
The notarization check is on first launch of an app, but it doesn't occur on subsequent launches, unlike the certificate revocation check.
But the first lookup would have to stay, with all the implications that the proposed alternative (download a list of all certs/tickets) was meant to overcome.