
> which was different from the developer ID used to sign previous versions of the Transmission installer

and that didn't ring any alarm bells?

For the end user? No, it wouldn’t. As thesimon and jakobegger, respectively, said:

And according to the analysis, this is exactly what they did. They used a different cert to sign their malware. I have to admit that Windows' UAC is better in that regard, as it shows the signee's name. But of course this is only useful if you know the "right" name.

Yeah, I think this is a major issue on OS X. For the average user it is impossible to tell who signed an app, if it is sandboxed, and what permissions it has. Hell, using the codesign command to extract entitlements from all binaries in a package is hard even for advanced users... (There is a third-party tool named RB App Checker which does make these tasks a bit easier, though.)

…in this comment thread: https://news.ycombinator.com/item?id=11234966
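As an added illustration (not written by anyone in this thread) of the signer check the quoted comments say end users cannot easily perform: a POSIX sh function that takes the verbose output of `codesign -dvvv` and compares the `TeamIdentifier=` field against a value pinned from a known-good copy, so a build signed with a different developer ID is flagged even though it still passes signature validation. The two sample outputs and the team IDs in them are constructed placeholders, not the real Transmission developer's identity.

```shell
#!/bin/sh
# Added example, not from the thread. On macOS the real input is produced by:
#   codesign -dvvv /Applications/SomeApp.app 2>&1 | check_team_id "PINNED_TEAM_ID"
# (codesign writes its verbose details to stderr, hence the 2>&1.)
# The samples below mimic that output format and are constructed for offline use.

# Read codesign verbose output from stdin, pull out the TeamIdentifier and the
# leaf "Authority=" line (the human-readable signer name UAC-style dialogs show),
# and compare the team ID with the expected one passed as $1.
# Returns 0 on match, 1 on mismatch, 2 if no TeamIdentifier is present.
check_team_id() {
    expected="$1"
    input=$(cat)
    actual=$(printf '%s\n' "$input" | sed -n 's/^TeamIdentifier=//p' | head -n 1)
    leaf=$(printf '%s\n' "$input" | sed -n 's/^Authority=//p' | head -n 1)

    if [ -z "$actual" ] || [ "$actual" = "not set" ]; then
        echo "no TeamIdentifier in codesign output (unsigned or ad-hoc signed?)"
        return 2
    fi
    if [ "$actual" = "$expected" ]; then
        echo "signer OK: $leaf [TeamIdentifier=$actual]"
        return 0
    fi
    echo "SIGNER MISMATCH: expected TeamIdentifier=$expected, got $actual ($leaf)"
    return 1
}

# Constructed sample: the build signed with the developer ID you pinned earlier.
SAMPLE_KNOWN_GOOD='Executable=/Applications/ExampleApp.app/Contents/MacOS/ExampleApp
Identifier=com.example.exampleapp
Format=app bundle with Mach-O thin (x86_64)
Authority=Developer ID Application: Example Developer (PLACEHOLDERTEAMA)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=PLACEHOLDERTEAMA'

# Constructed sample: a validly signed build, but under a different developer ID.
SAMPLE_OTHER_SIGNER='Executable=/Applications/ExampleApp.app/Contents/MacOS/ExampleApp
Identifier=com.example.exampleapp
Format=app bundle with Mach-O thin (x86_64)
Authority=Developer ID Application: Someone Else (PLACEHOLDERTEAMB)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=PLACEHOLDERTEAMB'

# Constructed sample: ad-hoc signature, no team at all.
SAMPLE_ADHOC='Executable=/Applications/ExampleApp.app/Contents/MacOS/ExampleApp
Identifier=com.example.exampleapp
Format=app bundle with Mach-O thin (x86_64)
Signature=adhoc
TeamIdentifier=not set'

PINNED_TEAM_ID="PLACEHOLDERTEAMA"

# Demo run; "|| :" keeps the script going so all three verdicts are printed.
printf '%s\n' "$SAMPLE_KNOWN_GOOD"   | check_team_id "$PINNED_TEAM_ID" || :
printf '%s\n' "$SAMPLE_OTHER_SIGNER" | check_team_id "$PINNED_TEAM_ID" || :
printf '%s\n' "$SAMPLE_ADHOC"        | check_team_id "$PINNED_TEAM_ID" || :
```

The point of pinning the team identifier rather than the display name is that the name in the `Authority=` line is whatever the certificate holder registered, whereas the team ID is tied to the Apple developer account; a validly signed update from a different account fails this check while `codesign --verify` alone would still pass it.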

It did actually, but only for in-app updates [0].

[0]: https://forum.transmissionbt.com/viewtopic.php?f=4&t=17835

It could cause a failure for updates but not fresh installs.

Many people would uninstall and download it over again when running into that kind of error message.
