
Apple revoked longtime Mac developer's code signing certificate with no warning - lapcatsoftware
https://twitter.com/charlieMonroe/status/1290509083288764428
======
CubsFan1060
Perhaps we should wait to get the whole story to discuss. Didn't we just go
through this with the "Apple doesn't return 30% on refund" fiasco last week?

~~~
lapcatsoftware
Except that it's been verified by many people, and you can verify on your own
Mac, that the developer's certificate has indeed been revoked, and the apps
don't work. That part of the story is indisputable.

~~~
cdubzzz
Sure but the important part of the tweet is “with no warning”. That’s why it
is being posted here.

~~~
charliemil4
Apple sends out emails about a month before your certificate expires - I bet
they didn’t check it and/or thought the expiry would only apply to new builds

*replaced pronouns and specified

~~~
lapcatsoftware
The certificate was revoked, not expired. And expired code signing certs don't
prevent Mac apps from running, they just prevent new builds from being signed.

$ codesign --verify ~/Downloads/Eon_977.dmg

CSSMERR_TP_CERT_REVOKED

------
mkathuri
From the page:
https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution

> Notarization is not App Review. The Apple notary service is an automated
> system that scans your software for malicious content, checks for code-
> signing issues, and returns the results to you quickly. If there are no
> issues, the notary service generates a ticket for you to staple to your
> software; the notary service also publishes that ticket online where
> Gatekeeper can find it.

Perhaps the software connected to a website that was flagged as malicious by
Apple. That’s one way I could see it getting flagged.

~~~
Reason077
The developer's website (software.charliemonroe.net) is blocked by my ISP
(Vodafone UK)'s adult content filter. This is strange as it does not appear to
contain any adult content.

I don't think it's related to it being a "YouTube downloader" app either.
There are many apps with this functionality and, so far as I can tell, none of
the others are blocked.

~~~
blibble
most of the internet is blocked by those mobile carrier content filters

~~~
reaperducer
In 20ish years of using the mobile internet, going back to WAP days, I've
never visited a site that was blocked by a mobile carrier content filter.

~~~
Reason077
I've come across a few strange blocks. Recently when researching bread knives
I found that the website of the French knife company, Opinel, is blocked by at
least two UK mobile carriers' content filters. (www.opinel.com, blocked by
Three and Vodafone. Not blocked by O2.)

Their US site (www.opinel-usa.com) is not blocked, however, nor are the many
online retailers which sell their knives.

------
lqet
I suspect this is why:

> Ever wished you could save a video from the Internet? Search no more, Downie
> is what you're looking for. Easily download videos from thousands of
> different sites.

~~~
jtbayly
Is there something wrong with downloading videos to my computer?

~~~
CodeWriter23
> Is there something wrong with downloading videos to my computer?

Nope. Creating a tool perceived by those with enough lawyers to be a “copy
protection circumvention device” however does run afoul of the DMCA.

~~~
raxxorrax
And platforms doing standing back flips to appease stupid legislation.

Reminds me of YouTube blocking Blender videos... had other reasons though,
don't remember exactly, but it had to do with them not monetizing their videos
and really, really bad support.

~~~
caymanjim
If you think the legislation is stupid, blame the legislators. Companies have
to abide by laws, even stupid ones.

~~~
rbecker
They have to abide by them, not enforce them (unless a court order makes
them). There's no law against distributing operating systems that allow
running of programs that break the law.

------
planb
Another possible explanation: The developer‘s certificate leaked and was
really used to sign malware. Or his github repo was hacked and something evil
was added to his code without him noticing. Maybe I’m just rationalizing,
because if Apple is really going down the road that most commenters here
suspect, then there will be no arm macbook for me unfortunately... :(

~~~
ben509
So, that's plausible, and I'm trying to wrap my head around the operational
model of signed software. Apple has plenty of docs about it [1] [2] [3] but
never really gets into "how does this work in the long run when things fail"
beyond blithely noting that users won't be able to run your stuff and a host
of services will start to fail.

A CRL / OCSP makes sense, more or less, for websites as they can simply
abandon a cert.

If the cert leaks, is the remedy really to completely blacklist the
certificate? Because that means that anyone who is able to steal the cert can
effectively blackmail an author.

I'd definitely want to revoke it, but if there's a set of valid releases, it
seems like you'd want to do a partial revocation, e.g. "valid until YYMMDD."
Or have a blacklist / whitelist and mark known good releases.

I can't imagine how they don't have a separation of concerns given that app
certificates must expire.

[1]: https://developer.apple.com/support/certificates/

[2]: https://help.apple.com/developer-account/#/dev138c9fac7

[3]: https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/AboutCS/AboutCS.html

~~~
lapcatsoftware
> I'd definitely want to revoke it, but if there's a set of valid releases, it
> seems like you'd want to do a partial revocation, e.g. "valid until YYMMDD."
> Or have a blacklist / whitelist and mark known good releases.

Yes, this is definitely possible, and why Developer ID signing has a secure
timestamp, as specified by the --timestamp flag to the /usr/bin/codesign tool.

When Panic's code signing cert was stolen, they revoked it after a certain
date, but old versions of their apps continued to be valid and pass
Gatekeeper.
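
The dated revocation described in this sub-thread, as an added example that is not part of any comment here and is not Apple's implementation: a simplified model of how a verifier can combine a secure timestamp with a revocation date. All names, dates and the fallback rule for signatures without a timestamp are assumptions of this sketch.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timezone
from enum import Enum
from typing import Optional


def utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


class Verdict(Enum):
    ACCEPT = "accept"
    REVOKED = "reject: signed on or after the revocation date"
    UNPROVABLE = "reject: certificate revoked and no secure timestamp"
    OUTSIDE_VALIDITY = "reject: signing time outside certificate validity"


@dataclass(frozen=True)
class Certificate:
    not_before: datetime
    not_after: datetime
    revoked_from: Optional[datetime] = None  # None means not revoked


@dataclass(frozen=True)
class Signature:
    cert: Certificate
    secure_timestamp: Optional[datetime]  # time attested by a timestamp authority


def evaluate(sig: Signature, now: datetime) -> Verdict:
    """Decide whether a signature should still be trusted at time `now`."""
    cert = sig.cert
    if cert.revoked_from is not None:
        # Without a trusted signing time nobody can prove the signature
        # predates the compromise, so the whole release has to be rejected.
        if sig.secure_timestamp is None:
            return Verdict.UNPROVABLE
        if sig.secure_timestamp >= cert.revoked_from:
            return Verdict.REVOKED
    # Assumption of this model: with a secure timestamp, validity is judged at
    # signing time (so later expiry is harmless); without one, at `now`.
    signing_time = sig.secure_timestamp or now
    if not (cert.not_before <= signing_time <= cert.not_after):
        return Verdict.OUTSIDE_VALIDITY
    return Verdict.ACCEPT


def with_revocation(sig: Signature, revoked_from: datetime) -> Signature:
    """Return a copy of `sig` whose certificate is revoked from the given date."""
    return replace(sig, cert=replace(sig.cert, revoked_from=revoked_from))


# Constructed sample data: one certificate, two timestamped releases.
CERT = Certificate(not_before=utc(2016, 1, 1), not_after=utc(2021, 1, 1))
OLD_RELEASE = Signature(CERT, secure_timestamp=utc(2017, 3, 1))
NEW_RELEASE = Signature(CERT, secure_timestamp=utc(2020, 8, 1))

if __name__ == "__main__":
    now = utc(2022, 1, 1)
    scenarios = {"dated": utc(2020, 7, 1), "blanket": CERT.not_before}
    for label, revoked_from in scenarios.items():
        for name, sig in (("old", OLD_RELEASE), ("new", NEW_RELEASE)):
            print(label, name, evaluate(with_revocation(sig, revoked_from), now).value)
```

A revocation dated at the compromise keeps earlier timestamped releases valid, while one backdated to the certificate's issuance rejects every release at once.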

------
auganov
Original tweet:

> "Hello everyone, today I woke up to my developer account being suspended
> without a single letter why which is why the apps are crashing. Please bear
> with me while I try to get this fixed with Apple. Thank you for
> understanding."

Not being a Mac developer, the wording about revoking the certificate makes it
sound a little more unusual than just their account being banned. Although not
nice, I assume that's something that happens a lot.

~~~
simonh
The developer's account is linked to the certificates used to sign their app
binaries. If MacOS is set to only allow signed binaries to run, that means
this developer's app binaries won't run.

Their customers can work around this by disabling the requirement for signed
binaries, but of course that's not desirable and in corporate environments
might not be allowed.

~~~
auganov
I understand that. Just saying that when you word it as the certificate being
revoked it's not immediately obvious that's a consequence of the developer
account being banned. If the headline was "longtime Apple developer suspended"
quite frankly I'd be much less interested, thinking it's a common occurrence.

------
Reason077
The developer's website (software.charliemonroe.net) is also blocked by my ISP
(Vodafone UK)'s adult content filter. This is strange as it does not appear to
contain any adult content.

I wonder if these things are related?

~~~
dmix
It has an app for downloading videos off YouTube and other video sites. Not
sure how much influence media companies have in the UK but maybe that's why?

I know YouTube downloading services have struggled in the past to stay
operational.

~~~
Reason077
I don't think so. There are many "YouTube downloader" type apps, and none of
the others are blocked as far as I can tell.

~~~
dmix
I guess I'm too used to Android where you need to install a 3rd party APK.

------
lapcatsoftware
Update from the developer: https://blog.charliemonroe.net/a-day-without-business/

"after almost 24 hours after 10PM, I got my account re-instated. Apple has
called and apologized for the complications. The issue was caused by my
account being erroneously flagged by automated processes as malicious and was
put on hold."

------
swiley
In other words: you can’t depend on signed mac apps for anything important as
a user even if they keep everything local to your computer. The developer
could do something completely unrelated and your app will suddenly stop
working with no warning.

~~~
ben509
Which it should. If Apple detects that there's a problem with a cert, they
should revoke it.

Presumably, there's a known problem and something _isn't_ working, even if it
looks like it is.

Arguably, it'd be nice to have a facility (assuming it doesn't already exist)
to override the revocation list, but designing that it isn't bypassed by
social engineering is tough.

------
kenferry
This seems relevant.

“MPlayerX hasn’t been working for almost a year now. Also they still offer my
apps on the App Store, they revoked my (direct) distribution certificate...”

https://twitter.com/charliemonroe/status/1290629792430280704?s=21

~~~
HeavenFox
MPlayerX was caught bundling installer with malware:
https://www.reddit.com/r/apple/comments/3bhvh9/psa_do_not_install_mplayerx_the_official_site/

So this could be justified

~~~
floatingatoll
(5 years ago)

------
Tijdreiziger
A few tweets down that thread:

> Non-notarized versions will not work well on newer systems
> (https://appleinsider.com/articles/19/12/23/apple-will-enforce-app-notarization-for-macos-catalina-in-february)
> and mainly I can't
> currently even compile the application.

------
lapcatsoftware
"We’re a small family business making apps for iOS and macOS."
https://software.charliemonroe.net/

------
pearjuice
Sadly, this is what a walled garden results in. Please don't be surprised,
shocked or even remotely discontent because by signing the ToS you have waived
away any and all of your rights regarding the use and publishing of software
in this walled garden. The only reason an issue like this will get "fixed" is
when this (post/tweet) goes viral and the PR department will work extra hard
to correct this.

~~~
raxxorrax
Don't know why you are downvoted since you are completely correct. It is
unfair to the developer but we wouldn't even have this discussion if people
rejected app stores.

I like that more developers just reject software certification processes.
There is zero benefit aside from lock in.

~~~
coldcode
Other than open season on the users with malware out the wazoo. But who cares
about security. Do you buy healthcare from the back of a pickup truck?

~~~
the_af
I don't think it follows that malware is the only possible alternative to
walled gardens.

You could still have trust mechanisms while downloading from sites where the
_author_, not the walled garden, has the control.

~~~
zepto
A lot of _authors_ want to do things that violate the user’s trust, but are
hard to detect.

Wouldn’t it be better to have the _user_ have the control?

The walled garden does have problems, but I generally don’t see anyone adding
any value to our understanding of _how_ to replace it with something better.

~~~
the_af
> _Wouldn’t it be better to have the user have the control?_

It would, but the user has no control of the walled garden either. It's a
situation where both the user and the author have little to no control, as
well as poor feedback.

I'm not sure walled gardens, with their arbitrary rules, and opaque audit and
review processes (which include not knowing how detailed their reviews are),
are really a trusty safeguard against malicious authors. Whether you believe
walled gardens protect you from malware depends on your definition of
"malware".

It's not true that without the App Store there's a world of dangers out there.
Author reputation goes a long way.

~~~
zepto
If you don’t believe that there are dangers out there for general users
installing software from the internet, I don’t know what to tell you.

History certainly proves otherwise, as do the number of attempts at putting
malware _into_ app stores.

I’d go as far as to say that you are certainly wrong about this and you can
trivially verify this by even the most cursory examination of software threat
models.

Author reputation goes almost nowhere these days. It’s quite obvious why.
There are a huge number of authors producing software.

It’s impossible for more than a few authors to develop a reputation, and even
those that do face impersonation.

As to you not being sure how much protection ‘walled gardens’ give. They
aren’t perfect, but they clearly work, and you can trivially verify that.

If you think the author or the user can solve these problems without an
intermediary, it bears some explanation as to _how_ exactly this could work.

Can you explain?

~~~
the_af
Somehow the world outside walled gardens exists and it's not a danger-infested
world. What's worse, you can't really argue for the quality controls of walled
gardens such as the App Store because they are not transparent -- at most you
can guess with trial and error.

You haven't explained how the _user_ has more control with walled gardens, a
bold and unsupported assertion (I believe we both agree the author has _less_
control with walled garden, at least).

> _It’s impossible for more than a few authors to develop a reputation, and
> even those that do face impersonation._

The first part is a matter of opinion (and I disagree with you). As for the
latter: do you _really_ believe the only technical solution to author
impersonation is a walled garden? No other form of establishing trust is
possible to you? Interesting.

> _I’d go as far as to say that you are certainly wrong about this and you can
> trivially verify this by even the most cursory examination of software
> threat models._

That isn't an argument. That's just you saying "I'm right and you're wrong".

~~~
zepto
Can you say where I said a walled garden was the only way to solve any of the
problems?

In fact I have consistently agreed about the problems levied against the
walled garden model.

I haven’t asserted that the user has more control with a walled garden,
although I think they do in practice have more control with an App Store than
with nothing.

I’d be curious how you came to the impression that I did - can you explain
where I made that claim?

My claim is that walled gardens do introduce problems, but that they currently
solve much greater problems for both users and developers than the ones they
introduce.

The claim that it’s just safe for people to install software because it’s not
dangerous out there is obviously false.

You can say this is just me saying ‘I’m right and you are wrong’, or you can
do the most basic research on the amount of cybercrime and plain old scams and
how much of it involves malware or impersonation of one kind or another.

If you think this problem doesn’t exist, it would make sense that you don’t see
the benefit of App stores, however to deny that it exists in this way is quite
surprising, to say the very least.

The issue of reputation isn’t a matter of opinion. It’s a fact. How can I say
that? All industries with a significant number of creators and a significant
number of consumers have intermediaries. Only the most famous independent
producers are independent.

If you can find a counterexample, I would be interested to know about it.

As for believing that the only solution to the issue of impersonation is a
walled garden - I don’t know the answer to that.

Maybe some kind of distributed reputation and trust system that doesn’t
involve a powerful intermediary is possible.

Perhaps some kind of blockchain or web of trust can be developed.

I’m not at all sure that this is possible - Apple’s attestation mechanism uses
hardware keys to create signatures that join a device, a particular user
and an app binary.

Without the ability to link all three of these it’s hard to see how a software
only solution would work.

But even if an alternative is technically possible, it quite obviously doesn’t
exist today. If it did, you’d have just linked to it, and I’d have probably
ordered whatever device would allow me to participate.

If you want to continue to claim that App stores solve no real problems or that
the problems are trivial, there are no dangers out there etc, then be my
guest. I can’t change that belief in you.

If on the other hand, we have good solutions to those problems that don’t
require an App Store, then I would love to know about them and if it’s true,
I’ll happily concede that I’m wrong.

------
veidr
I feel bad for the developer. But every time I see stories like this, I also
feel a little jolt of validation regarding my choice as a developer to leave
the Apple ecosystem in 2008.

At the time, the App Store (iOS) was new, and I was working on porting our
SSH-based encrypted remote access tool[1] from Mac to iPhone. I had been doing
mainly Mac OS X development for almost 10 years.

I had the proof-of-concept port from Mac to iOS working, but the amount of
insane hoops I had to jump through (because it used "strong encryption" (we
forked PuTTY SSH)) seemed, initially, like a trip to the DMV. It gradually
started feeling more like the movie Brazil.

I remember going directly from WWDC to the local office of _(searches old
files)_ the "Bureau of Industry and Security" (wat) and talking to some guy
who had NO idea what I was talking about when I told him my company was trying
to make an iPhone app that used encryption and that Apple had told me I needed
to get his agency's approval. (Nice guy, though.)

Ultimately, working through the Apple documentation, I learned I had to do a
bunch of weird stuff, like sign up for antique government systems that only
worked on Windows XP, and provide personal info, and make a PIN, and submit an
application to SNAP-R, and submit a "BIS-748P supporting document: how the
Product meets the criteria of the Cryptography Note as mass market encryption
software" along with a "BIS-748P supporting document: additional information
to supplement our application for review and commodity classification request,
in accordance with Supplement No. 6 to Part 742 of the EAR" along with
"BIS-748P supporting document: sample marketing copy and brochure text" and a
"BIS-748P supporting document: illustrations depicting the software in
operation" and then finally a "BIS-748P supporting document: source code
listings for all encryption-related source code used in the product"... that
last was a ridiculous 500-page or so hard copy printout of the source code to
PuTTY with the few dozen places we'd changed it (to make it multithreaded to
fit better with our app architecture, haha, because I was young and dumb
then).

And, while I forget a lot of the details (I've just copy-pasted those now,
after finding the relevant old files), I remember _vividly_ the moment,
sitting there in a Tokyo hotel business center assembling this heavy paper
package to FedEx to BIS and just suddenly thinking... wait though — maybe this
isn't a game I want to play. We didn't have to do any of this to ship a Mac
app — any risk of legal noncompliance was ours, of course, but in reality
there was no actual risk. This was all for Apple to cover _their_ ass.

If some government bureaucrat didn't like my application, my app wouldn't ship
and the past year of work would be for nothing. And somehow that made me
acutely aware that the same thing would be true if _Apple_ for some reason
didn't like my app. Like... what if they were planning to roll out similar
rich, Mac-centric remote access features in the next OS update. Or, even if
they approved it, but later just didn't want to deal with some issue that arose
around it — they could just revoke my app any time they pleased.

(As seems to be the case with the app in this thread.)

I thought about this for a couple more weeks, and then I took a corporate job
doing internal systems development. The app was never finished.

The lack of my app obviously didn't hurt Apple. But looking back, I do feel
like the lack of having to deal with Apple — and that whole weird power imbalance,
of being a peasant plowing fields owned by Apple, hoping to receive some part
of the fruits of my labor — probably helped me live a more serene, untroubled
life.

[1]: iGet Touch (phone apps were still called "blah blah Touch" then, just
like many Mac apps from the early 2000s were idiotically prefixed with "i"
(^_^); back then) was never finished — but it was basically a native iOS
version of the Mac version, long dead but still archived here:
http://nakahara-informatics.com/iget

~~~
gowld
Big companies can't avoid following being caught violating the law as easily
as micro operations.

------
staplers
I suspect it has something to do with Apple wading into content publishing and
the alliances it would strengthen to suppress even suspected piracy.

------
sschueller
How long until you will no longer be able to install unsigned apps on your
mac?

------
kogir
Interesting that a few of the apps were also (voluntarily?) pulled from the
developer’s website, so we can’t inspect them.

