
I can be Apple, and so can you – Bypassing some macOS signature checks - eps
https://www.okta.com/security-blog/2018/06/issues-around-third-party-apple-code-signing-checks/
======
eps
From the Ars Technica article [1]:

 _According to the researchers, the mechanism many macOS security tools have
used since 2007 to check digital signatures has been trivial to bypass. As a
result, it has been possible for anyone to pass off malicious code as an app
that was signed with the key Apple uses to sign its apps._

...

 _"To be clear, this is not a vulnerability or bug in Apple’s code...
basically just unclear/confusing documentation that led to people using their
API incorrectly," Wardle told Ars. "Apple updated [its] documents to be more
clear, and third-party developers just have to invoke the API with a more
comprehensive flag (that was always available)."_

[1] https://arstechnica.com/information-technology/2018/06/simple-technique-bypassed-macos-signature-checks-by-third-party-tools/

