
Mac OS calls home every time you execute an application. Apple is well on its way to ensure you can only run things they allow via app store, they would probably already be there if it wasn't for the pesky EU. If you send your computer/phone to Apple for repair you may get back different physical hardware. Those things very much highlight that "your" Apple hardware is not yours and that privacy on Apple hardware does not actually exist, sure they may not share that data with other parties but they definitely do not respect your privacy or act like you own the hardware you purchased. Apple marketing seems to have reached the level of indoctrination where everyone just keeps parroting what Apple says as an absolute truth.



They send a hash of the binaries/libraries, and generate a cache locally so it's not sent again. That helps stop you from running tampered-with binaries and frameworks. No user-personal data is sent.

There is no evidence at all that they are trying to ensure you can only run things from the App Store - I run a whole bunch of non-app-store binaries every single day. To make that claim is baseless and makes me de-rate the rest of what you write.

There is always a trade-off between privacy and security. This still falls well under the Google/Android/Chrome level, or indeed the Microsoft/Windows level with its targeted ads, IMHO.

Choose your poison, but this works for me.


> They send a hash

My understanding is that they keep a local file with known malware signatures, just like the malware scanners on every other platform.

> macOS includes built-in antivirus technology called XProtect for the signature-based detection and removal of malware. The system uses YARA signatures, a tool used to conduct signature-based detection of malware, which Apple updates regularly

https://support.apple.com/guide/security/protecting-against-...


XProtect is a blacklist that runs locally and is rarely used.

The phone home functionality is notarization, where Apple does a network call to check that the signature on an executable actually came from Apple’s notarization process. It is in essence a reputation system, where developers must be on good terms with Apple to have the ability to notarize and get a smooth install experience.


Are you sure about your point?

From what I had in mind, notarization is only done developer side before publishing. Client side it's just a check against Apple certificates to verify that the binary hasn't been tampered with since notarization, no phoning home should be involved. (Or maybe just to update Apple certificates).


According to this article macOS does do a network request to check the notarization ticket:

https://eclecticlight.co/2023/03/09/how-does-ventura-check-a...

They also check the developer certificate in the OCSP stage.

Both of these are mechanisms where Apple can effectively lock out developers from having a smooth install experience for their software at their discretion.


Isn’t this how certificate revocation flows work?


Doesn't Windows do the exact same thing?


I agree and want to emphasize a few things:

1. Most users are not capable of using general purpose computing technology in a wild, networked environment safely.

2. Too many people who matter to ignore insist, "something must be done."

3. And so something shall be done.

4. Apple is navigating difficult waters. As much as I disapprove of how they have chosen a path for iOS, the fact is many people find those choices are high value.

5. I do, for the most part, approve of their choices for Mac OS. I am not sure how they prevent malicious code without maintaining some sort of information for that purpose.

6. We are arriving at a crossroads many of us have been talking about for a long time. And that means we will have to make some hard choices going forward. And how we all navigate this will impact others in the future for a long time.

Look at Microsoft! They are collecting everything! And they absolutely will work with law enforcement anytime, any day, almost any way!

I sure as hell want nothing to do with Windows 11. Most technical people I know feel the same way.

Screenies every 3 to 5 seconds? Are they high? Good grief! Almost feels like raw rape. Metaphorically, of course.

Then we have Linux. Boy am I glad I took the time way back in the 90's to learn about OSS, Stallman, read words from interesting people, Raymond, Perkins, Searles, Lessig, Doctorow, many others!

Linus did all of tech one hell of a solid and here we are able to literally dumpster dive and build whatever we want just because we can. Awesome sauce in a jar right there, but!

(And this really matters)

...Linux just is not going to be the general answer for ordinary people. At least not yet. Maybe it will be soon.

It is an answer in the form of a crude check and balance against those in power. Remember the "something shall be done" people? Yeah, those guys.

And here we are back to Apple.

Now, given the context I put here, Apple has ended up really important. Working professionals stand something of a chance choosing Mac OS rather than be forced into Windows 11, transparent edition!

And Apple does not appear willing to work against their users' best interests, unless they are both compelled to by law, and have lost important challenges to said law.

If you want that, your choices are Apple and Linux!

7. Open, general purpose computing is under threat. Just watch what happens with Arm PC devices and the locked bootloaders to follow just like mobile devices.

Strangely, I find myself wanting to build a really nice Intel PC while I still can do that and actually own it and stand some basic chance of knowing most of what it is doing for me. Or TO ME.

No Joke!

As I move off Win 10, it will be onto Linux and Mac OS. Yeah, hardware costs a bit more, and yeah it needs to be further reverse engineered for Linux to run on it too, but Apple does not appear to get in the way of all that. They also do not need to help and generally don't. Otherwise, the Linux work is getting done by great people we all really should recognize and be thankful for.

That dynamic is OK with me too. It is a sort of harsh mutual respect. Apple gets to be Apple and we all get to be who we are and do what we all do with general purpose computers as originally envisioned long ago.

We all can live pretty easily with that.

So, onward we go! This interesting time will prove to be more dangerous than it needs to be.

If it were not for Apple carving out a clear alternative things would look considerably more draconian, I could and maybe almost should say fascist and to me completely unacceptable.


As someone who cut his teeth on computing in the era you refer to, I have a small disagreement about Linux (especially Ubuntu) in your statement.

Apple is priced beyond the reach of many "ordinary people" especially outside the western markets. A cheap (perhaps after market) laptop with Ubuntu on it (often installed by the seller) is something that has been getting a lot of traction among regular users. Most of the things they do are via a browser so as long as Chrome/FF works, they're good. They often install software that undermines the security that the platform natively offers but still, it's a pretty decent compromise.


Is it this part?

>Linux just is not going to be the general answer for ordinary people.

If so, I hear you. A decade or more ago, I had Ubuntu running as a general use machine for family and friends use.

It seemed almost there back then, and I saw some success.

Today it would be better, yes? I think so

Fact is, it often takes someone doing support to have it work well, and when that is gone, the software slips behind leaving users to get help.

Today, the numbers are much better. That happens less, but still does happen.

Your point on browser apps is solid. I agree, but those come with their own problems.

I see the most success when I set one up, including Void Tools, many visits to FossHUB...

When done, no network needed and one has a GREAT machine, ready for many tasks!

Both ways have merit and the more the merrier!


Yeah. It's a mixed bag for sure. However, the situation on the ground, where I am, looks like it's becoming a semi-mainstream platform.


Well, perhaps we are not so far apart on this.

Your news bolsters the "soon" in my comment above.

I am quite happy to be proven wrong.


> Apple is priced beyond the reach of many "ordinary people" especially outside the western markets.

Used, great condition M1 Airs go for ~$450 around here and will last longer than anything Intel or AMD-based for that price, whether new or used.


I was under the impression most of the “global poor” have a smart phone as their main computing device.


Indeed.

You know I decided to take my old note 8 for a test drive as a PC of sorts. Went ahead and purchased one of those USB 3 port bricks so I could hook up a nice display, keyboard, mouse, removable storage.

Samsung Dex popped up and it works mostly!

I found one could do quite a lot.

That is not the way I would go, but if I had to? Bring it! Plenty can be done, good skills learned.


I agree with you about Apple hardware, BTW.

Fact is, large numbers of people will just end up on Windows 11 :(


Cheap IBM compatibles and pirated DOS were the entry points to computing for many people back in the day. History repeats itself. :)


Thank you, this crystallized a lot for me.


It is nice when that happens. Of course, you are welcome.

If you don't mind sharing your take, what firmed up, I would read it with great interest!


>safely

There is that word again. Favorite tool of tyrants.


Yes. I agree with you, just so we are clear.


> I run a whole bunch of non-app-store binaries every single day

If you are in the US, you need to either register as a developer, or register an Apple ID and register your app to run it for a week. That's how you run non-app store code. Both of those require permission from Apple.

EDIT: Sorry, ios.


This is completely incorrect. You can download a random binary and execute it. You will get a warning dialog saying it’s not signed by a known developer. You are free to ignore that though.


I'm sorry, I was thinking phone in previous comment. Yes, you can run binaries on macos with fiddling (but my comment does apply to ios)


Not ‘with fiddling’ — you can run any software you want on MacOS without altering or adjusting anything.


Depends what you mean by fiddling. But I'm in the process of switching to mac from Linux because my new job has forced it upon me.

I tried installing "Flameshot" via homebrew and it wouldn't run until I went into Finder, right clicked it and clicked open. Luckily it's mentioned in their docs [0] or I would have never guessed to do this.

[0] https://flameshot.org/docs/installation/installation-osx/


I use homebrew every day and have never encountered this. Sounds like an issue with how the software has been packaged.

I also notice two other installation options in your link that do not come with those additional instructions — which to me suggests with whatever they’re doing on homebrew.


That is not the same thing

If I were you, I would relax. At least you are not being shoved onto Win 11.

And then think about that. Seriously. I did. Have a few times off and on over the years as we sink into this mess.

I bet you find an OS that does a bit more than you may otherwise prefer to prevent trouble. If so, fair call in my book.

Just how big of a deal is that?

Compared to Android, Windows 10 and tons of network services and such and what they do not do FOR you, and instead do TO you.

And you can run a respectable and useful installation of Linux on that spiffy Apple hardware when it gets old. So make sure it gets old, know what I mean?

It could all be way worse.


> At least you are not being shoved onto Win 11.

As someone that just got out of a gig where I had to run Docker on MacOS - for the love of god, I would have done almost anything to use Windows 11.

Look - if I'm going to be treated like garbage, advertised to and patronized, at least let me use the system that can run Linux shells without turning into a nuclear reactor.


Re nuclear reactor: higher tier virtualization products work flawlessly. It is a shame what a garbage VirtualBox turned into over the years.


Lol, nothing is ever easy, is it?

If I did not love computing, I would have bagged on all this long ago.


Nope. A user can just run them if they want to. It is not a big deal.


It’s not “a big deal” if the user knows about it, but the phrasing in macOS is maliciously bad - I sent a build from my machine to a coworker and when they “naively” ran it, the pop up that came up didn’t say “this program is unsigned” it said “this program is damaged and will now be deleted” (I don’t remember the exact phrasing but it made it sound like a virus or damaged download, not like an unsigned program).


I don't know about that. Or at least, I won't say they are bad

There are sets of deep roots in play here.

Phrasing struggles are rooted in the differences in these systems, and unless we have spent time in each, struggle seems likely.

That said, I spent time on the Apple side of the computing house early on... I know it helps.


> If you send your computer/phone to Apple for repair you may get back different physical hardware.

I happen to be in the midst of a repair with Apple right now. And for me, the idea that they might replace my aging phone with a newer unit, is a big plus. As I think it would be for almost everyone. Aside from the occasional sticker, I don't have any custom hardware mods to my phone or laptop, and nor do 99.99% of people.

Can Apple please every single tech nerd 100% of the time? No. Those people should stick to Linux, so that they can have a terrible usability experience ALL the time, but feel more "in control," or something.


Why not both? Why can’t we have a good usability experience AND control? In fact, we used to have that via the Mac hardware and software of the 1990s and 2000s, as well as NeXT’s software and hardware.

There was a time when Apple’s hardware was user-serviceable; I fondly remember my 2006 MacBook, with easily-upgradable RAM and storage. I also remember a time when Mac OS X didn’t have notarization and when the App Store didn’t exist. I would gladly use a patched version of Snow Leopard or even Tiger running on my Framework 13 if this were an option and if a modern web browser were available.


NeXT was great and Mac OS X was also nice and had a lovely indie and boutique app ecosystem during the mid-to-late 2000s. Sadly, iOS stole the focus. However, the OP argues Linux usability is bad, which I think is an outdated POV. It really depends on your setup and usecases. For many development usecases, Linux is superior to macOS.

I run NixOS on a plain X11 environment with a browser, an editor and a terminal. It's really boring. For my favorite development stacks, everything works. Flakes make workflow easy to reproduce, and it's also easy to make dramatic setup changes at OS level thanks to declarativeness and immutability.


If you're interacting with other humans, or with the consumer internet, you'll run into thousands of situations where my default setup (macOS, Chrome) "just works," and your setup will require some extra effort.

You may be smart enough to figure it out, but most people (even many smart tech people) get tired of these constant battles.

Here's an example from earlier this evening: I was buying a plane ticket from Japan Air Lines. Chrome automagically translates their website from Japanese to English. Other browsers, e.g. Firefox, and even Safari, do not - I checked. Is there a workaround or a fix? I'm sure you could find one, given time and effort. But who wants to constantly deal with these hassles?

Another very common example is communication apps. Or any time you're exchanging data in some proprietary format. Would it be great if no one used proprietary formats? Yes! Is that the world we live in? No. Can I force the rest of the world to adopt open standards, by refusing to communicate with them? No.


The world has moved on from desktop environments to multi-device integration like Watch, Phone, AirTags, Speakers, TV and in that way Linux usability is certainly worse than MacOS.


Oh sort of. That is for sure a thing, but not THE thing.

I would argue people are being tugged in that direction more than it being simply better.

You can bet when people start to get to work building things --all sorts of things, not just software, they find out pretty quickly just how important a simple desktop running on a general purpose computer really is!


It could help to compare to other makers for a minute: if you need to repair your Surface Pro, you can easily remove the SSD from the tray, send your machine and stick it back when it comes repaired (new or not)

And most laptops at this point have removable/exchangeable storage. Except for Apple.


> remove the SSD from the tray, send your machine and stick it back when it comes repaired

Apple has full-disk encryption backed by the secure enclave so it's not bypassable.

Sure their standard question-set asks you for your password when you submit it for repair.

But you don't have to give it to them. They will happily repair your machine without it because they can boot their hardware-test suite off an external device.


I get your point, but we can also agree "send us your data, we can't access it anyway, right?" is a completely different proposition from physically removing the data.

In particular if a flaw was to be revealed on the secure enclave or encryption, it would be too late to act on it after the machines have been sent in for years.

To be clear, I'm reacting on the "Apple is privacy focused" part. I wouldn't care if they snoop my bank statements on disk, but as a system I see them as behind what other players are doing in the market.


> if a flaw was ...

I hear the point you're making and I respect the angle, it's fair enough, but ...

The trouble with venturing into what-if territory is the same applies to you...

What if the disk you took out was subjected to an evil-maid attack?

What if the crypto implementation used on the disk you took out was poor?

What if someone had infiltrated your OS already and been quietly exfiltrating your data over the years?

The trouble with IT security is you have to trust someone and something because even with open-source, you're never going to sit and read the code (of the program AND its dependency tree), and even with open-hardware you still need to trust all those parts you bought that were made in China unless you're planning to open your own chip-fab and motherboard plant?

It's the same with Let's Encrypt certs, every man and his dog are happy to use them these days. But there's still a lot of underlying trust going on there, no?

So all things considered, if you did a risk-assessment, being able to trust Apple? Most people would say that's a reasonable assumption?


> even with open-source, you're never going to sit and read the code (of the program AND its dependency tree)

You don't have to. The fact that it's possible for you to do so, and the fact that there are many other people in the open source community able to do so and share their findings, already makes it much more trust-worthy than any closed apple product.


THIS!

Back when I was new to all of this, the idea of people evaluating their computing environment seemed crazy!

Who does that?

Almost nobody by percentage, but making sure any of us CAN is where the real value is.


Jia Tan has entered the chat.


I hope you bring that up as an example in favor of open-source, as an example that open-source works. In a closed-source situation it would either not be detected or reach the light of day.


In a closed source situation people using a pseudonym don't just randomly approach a company and say "hey can I help out with that?"

It was caught by sheer luck and chance, at the last minute - the project explicitly didn't have a bunch of eyeballs looking at it and providing a crowd-sourced verification of what it does.

I am all for open source - everything I produce through my company to make client work easier is open, and I've contributed to dozens of third party packages.

But let's not pretend that it's a magical wand which fixes all issues related to software development - open source means anyone could audit the code. Not that anyone necessarily does.


> What if the disk you took out was subjected to an evil-maid attack?

Well, have fun with my encrypted data. Then I get my laptop back, and it's either a) running the unmodified, signed and encrypted system I set before or b) obviously tampered with to a comical degree.

> What if the crypto implementation used on the disk you took out was poor?

I feel like that is 100x more likely to be a concern when you can't control disc cryptography in any meaningful way. The same question applies to literally all encryption schemes ever made, and if feds blow a zero day to crack my laptop that's a victory through attrition in anyone's book.

> What if someone had infiltrated your OS already and been quietly exfiltrating your data over the years?

What if aliens did it?

Openness is a response to a desire for accountability, not perfect security (because that's foolish to assume from anyone, Apple or otherwise). People promote Linux and BSD-like models not because they cherry-pick every exploit like Microsoft and Apple do but because deliberate backdoors must accept that they are being submitted to a hostile environment. Small patches will be scrutinized line-by-line - large patches will be delayed until they are tested and verified by maintainers. Maybe my trust is misplaced in the maintainers, but no serious exploit developer is foolish enough to assume they'll never be found. They are publishing themselves to the world, irrevocably.


What if the disk could be removed, put inside a thunderbolt enclosure, and worked on another machine while waiting for the other? That's what I did with my Framework.

Framework has demonstrated in more than one way that Apple's soldered/glued-in hardware strategy is not necessary.


> Apple has full-disk encryption backed by the secure enclave so its not by-passable.

Any claims about security of apple hardware or software are meaningless. If you actually need a secure device, apple is not an option.


> Any claims about security of apple hardware or software are meaningless. If you actually need a secure device, apple is not an option.

I don't think this is precise, but the constraints seem a bit vague to me. What do you consider to be in the list of secure devices?


I'm not even here to troll, if you can give details on the list and why that'd be awesome


Seconded


It's also possible to say "nothing" and just leave it at that. A lot of people are desperate to defend Apple by looking at security from a relative perspective, but today's threats are so widespread that arguably Apple is both accomplice and adversary to many of them. Additionally, their security stance relies on publishing Whitepapers that have never been independently verified to my knowledge, and perpetuating a lack of software transparency on every platform they manage. Apple has also attempted to sue security researchers for enabling novel investigation of iOS and iPadOS, something Google is radically comfortable with on Android.

The fact that Apple refuses to let users bring their own keys, choose their disc encryption, and verify that they are secure makes their platforms no more "safe" than Bitlocker, in a relative sense.


I do not believe I understand your comment.

Earlier, you mention people defending Apple security in a relative sense.

Later, you mentioned Apple refusing user actions to verify security makes them no more safe in a relative sense.

Are you just talking about Apple employing security by obscurity?

I just want to understand your point better, or confirm my take is reasonable.

And for anyone reading, for the record I suppose, I do not consider much of anything secure right now. And yes, there are degrees. Fair enough.

I take steps in my own life to manage risk and keep that which needs to be really secure and or private off electronics or at the least off networks.


Using fully open hardware and software I guess ?


So why the hell do they ask for it then.


> So why the hell do they ask for it then.

I suppose so they can do a boot test post-repair or something like that. I have only used their repair process like twice in my life and both times I've just automatically said "no" and didn't bother asking the question. :)

With Apple FDE, you get nowhere without the password. The boot process doesn't pass go. Which catches people out when they reboot a headless Mac, the password comes before, not after boot even if the GUI experience makes you feel otherwise.


The counterpoint is wiping the device and restoring from local backups when it is returned.


You need to trust the erasure system, which is software. This also requires you to have write access to the disk whatever the issues are, otherwise your trust is left in the encryption and nobody having the key.

That's good enough for most consumers, but a lot more sensitive for enterprises IMHO. It usually gets a pass by having the contractual relation with the repair shop cover the risks, but I know some roles that don't get macbooks for that reason alone.


>And for me, the idea that they might replace my aging phone with a newer unit, is a big plus. As I think it would be for almost everyone.

Except that isn't generally how factory repairs are handled.

I don't know about Apple specifically, but other groups (Samsung, Microsoft, Lenovo) will happily swap your unit with a factory refurbished or warranty-repaired unit as long as it was sufficiently qualified beforehand -- so the 'replaced with a newer unit' concept might be fantasy.


What makes you think it would be a new one as opposed to a refurbished used one.


If the parts show no signs of wear and tear, what is the difference? Theseus' iPhone.


I've seen a few Rossman streams with officially "refurbished" macbooks that were absolutely foul inside. Boards that looked like they had been left on a preheater over lunch, rubber wedges to "cure" a cracked joint, all sorts of awful shit. The leaked stories from the sweatshop that did the work were 100% consistent with the awful quality.

Admittedly this was a few years ago. Has Apple mended their ways or are they still on the "used car salesman" grindset?


Are these Apple refurbished, or bought from a third party like Best Buy or Amazon? I’ve bought plenty of Apple refurbished products (directly from Apple) over the years and they always look like new (including 100% battery health).

Third parties and resellers though I’m convinced just call their returns/open box units that appear to be in decent condition “refurbished.”


The problem is no-fault-found returns.

You have a phone with a real, but subtle fault. Something not caught by the normal set of tests. You return it for repair, get sent a new one, they replace the battery in your old one and put into stock as 'reconditioned'.

My phone is perfect, save for a worn out battery. I send it in for battery replacement, they send me yours. Now I've swapped my perfect phone for your faulty phone - and paid $70 to do so.


It makes me uncomfortable. No particular rational reason, I just don't like it.


Thanks. That is fair. Your truth, and I respect that.


> What makes you think it would be a new one

Did I say it would be a "new one"?


Yes, unless this was edited later on.

> 'might replace my aging phone with a newer unit, '

unless you just want to argue about the semantics and differences between 'aging', 'newer' , and 'new'.


You think the difference between "newer than ... aging phone" and "NEW" is "semantics"???

HN really has turned into reddit.


Reddit-style pedantry time!

Semantics is literally the meaning of things. So, yes the difference between those phrases is semantics.

But your use of 'semantics' meant something subtly different. Ain't language weird?


What makes you think it would be a new one as opposed to a refurbished used one.

Because Apple got sued for doing that once, and people including myself are in line to get checks from it.


It would depend on a country's consumer laws. I used to work for AASPs in Australia and they definitely used refurbished phones for replacements and refurbished parts for the Mac repairs. Not everyone who uses this site lives in America...


It's also the rule in the EU.


> And for me, the idea that they might replace my aging phone with a newer unit, is a big plus.

It's called a warranty and not at all exclusive to apple whatsoever?

> Those people should stick to Linux, so that they can have a terrible usability experience ALL the time, but feel more "in control," or something.

Maybe you should stick to reading and not commenting, if this is the best you can do.


> Mac OS calls home every time you execute an application

Consulting a certificate revocation list is a standard security feature, not a privacy issue.


Further, there is a CRL/OCSP cache — which means that if you're running a program frequently, Apple are not receiving a fine-grained log of your executions, just a coarse-grained log of the checks from the cache's TTL timeouts.

Also, a CRL/OCSP check isn't a gating check — i.e. it doesn't "fail safe" by disallowing execution if the check doesn't go through. (If it did, you wouldn't be able to run anything without an internet connection!) Instead, these checks can pass, fail, or error out; and erroring out is the same as passing. (Or rather, technically, erroring out falls back to the last cached verification state, even if it's expired; but if there is no previous verification state — e.g. if it's your first time running a third-party app and you're doing so offline — then the fallback-to-the-fallback is allowing the app to run.)

Remember that CRLs/OCSP function as blacklists, not whitelists — they don't ask the question "is this certificate still valid?", but rather "has anyone specifically invalidated this certificate?" It is by default assumed that no, nobody has invalidated the certificate.
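The decision procedure this comment describes, written out as an added example (my code, not Apple's trustd and not from anyone in the thread): a constructed stand-in plays the OCSP responder, and the certificate ids and one-hour TTL are assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, Optional


class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"


class ResponderError(Exception):
    """The revocation responder could not be reached (offline or outage)."""


@dataclass
class CacheEntry:
    status: Status
    fetched_at: float  # seconds on the caller-supplied clock


class FailSoftRevocationChecker:
    """Models the fail-soft OCSP/CRL behaviour described in the comment.

    Rules: a fresh cache entry answers without a network round trip; a stale
    or missing entry triggers a lookup; if the lookup errors out, fall back to
    the last cached state even if expired, and with no cached state allow.
    """

    def __init__(self, responder: Callable[[str], Status], ttl: float):
        self.responder = responder
        self.ttl = ttl
        self.cache: Dict[str, CacheEntry] = {}
        self.network_attempts = 0  # the coarse-grained "phone home" count

    def may_run(self, cert_id: str, now: float) -> bool:
        entry: Optional[CacheEntry] = self.cache.get(cert_id)
        if entry is not None and now - entry.fetched_at < self.ttl:
            return entry.status is Status.GOOD  # fresh cache, no network
        self.network_attempts += 1
        try:
            status = self.responder(cert_id)
        except ResponderError:
            if entry is not None:
                return entry.status is Status.GOOD  # stale state still used
            return True  # nothing cached: an error is treated as a pass
        self.cache[cert_id] = CacheEntry(status, now)
        return status is Status.GOOD


class FakeResponder:
    """Constructed stand-in for the responder; not Apple's service."""

    def __init__(self) -> None:
        self.online = True
        self.revoked: set = set()

    def __call__(self, cert_id: str) -> Status:
        if not self.online:
            raise ResponderError("responder unreachable")
        return Status.REVOKED if cert_id in self.revoked else Status.GOOD


def run_scenario(ttl: float = 3600.0) -> dict:
    """Walk through the cases the comment lists; cert ids are made up."""
    responder = FakeResponder()
    checker = FailSoftRevocationChecker(responder, ttl)
    r = {}
    # First launch of an app online: one lookup, result cached.
    r["first_launch_online"] = checker.may_run("dev-cert-A", now=0.0)
    # Five more launches inside the TTL: answered from cache.
    for minute in range(1, 6):
        checker.may_run("dev-cert-A", now=minute * 60.0)
    r["attempts_after_six_launches"] = checker.network_attempts
    # Responder unreachable, cache expired: the stale "good" state is reused.
    responder.online = False
    r["stale_cache_offline"] = checker.may_run("dev-cert-A", now=2 * ttl)
    # Never-seen cert while offline: the fallback-to-the-fallback allows it.
    r["unknown_cert_offline"] = checker.may_run("dev-cert-B", now=2 * ttl)
    # Back online, and that developer certificate has since been revoked.
    responder.online = True
    responder.revoked.add("dev-cert-B")
    r["revoked_online"] = checker.may_run("dev-cert-B", now=2 * ttl + 1)
    # Offline again: the cached revocation sticks even after the TTL lapses.
    responder.online = False
    r["revoked_offline_stale"] = checker.may_run("dev-cert-B", now=4 * ttl)
    r["total_attempts"] = checker.network_attempts
    return r


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The last two cases are the defender-relevant detail: a revocation that was fetched once keeps blocking the binary through later outages, while a never-checked certificate is allowed until the responder can be reached.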


> i.e. it doesn't "fail safe" by disallowing execution if the check doesn't go through. (If it did, you wouldn't be able to run anything without an internet connection!) Instead, these checks can pass, fail, or error out; and erroring out is the same as passing. (Or rather, technically, erroring out falls back to the last cached verification state, even if it's expired; but if there is no previous verification state — e.g. if it's your first time running third-party app and you're doing so offline — then the fallback-to-the-fallback is allowing the app to run.)

https://www.sentinelone.com/blog/what-happened-to-my-mac-app...

> Last week, just after we covered the release of Big Sur, many macOS users around the world experienced something unprecedented on the platform: a widespread outage of an obscure Apple service caused users worldwide to be unable to launch 3rd party applications.


Scroll down a little further on your link for confirmation of what the parent said:

> As was well-documented over the weekend, trustd employs a “fail-soft” call to Apple’s OCSP service: If the service is unavailable or the device itself is offline, trustd (to put it simply) goes ahead and “trusts” the app.

Even at the time people quickly figured out you could just disconnect from the internet as a workaround until the issue was fixed.


Why is it that non app store apps refuse to run until I explicitly allow it in settings then?


Presumably because you have Gatekeeper set to "Allow applications from: App Store" rather than "Allow applications from: App Store & Known Developers".

This is just Gatekeeper asking you which code-signing CA certs you want to mark as trusted in its kernel-internal trust store (which is, FYI, a separate thing from the OS trust store): do you want just the App Store CA to be trusted? Or do you also want the Apple Developer Program's "Self-Published App" Notarization CA to be trusted?

Choosing which code-signing CA-certs to trust will, obviously, determine which code-signed binaries pass certificate validation. Just like choosing which TLS CAs to trust, determines which websites pass certificate validation.

Code-signing certificate validation doesn't happen online, though. Just like TLS certificate validation doesn't happen online. It's just a check that the cert you have has a signing path back to some CA cert in the local trust store.
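The two checks discussed in this comment and in the CRL/OCSP comment above (an offline chain walk to a CA in the local trust store, followed by a fail-soft revocation lookup that falls back to the last cached verdict) can be written out as a small policy model. This is an added example, not Apple's code and not the thread's: the certificate names, the trust-store option sets and the responder functions are all constructed placeholders, and signature verification of each link is assumed to have already passed so that only the trust-path and fail-soft logic is shown.

```python
"""Policy model of Gatekeeper-style trust-path and fail-soft revocation checks.
All certificate names, anchor sets and responders below are constructed for
illustration; none of them are Apple's real CAs or services."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, Set


class Revocation(Enum):
    GOOD = "good"        # responder answered: not revoked
    REVOKED = "revoked"  # responder answered: revoked
    ERROR = "error"      # responder unreachable or reply unusable


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str  # equals subject for a self-signed root


@dataclass
class RevocationCache:
    """Last definite verdict per certificate; persists across launches."""
    verdicts: Dict[str, Revocation] = field(default_factory=dict)


def chain_to_anchor(cert: Cert, store: Dict[str, Cert], anchors: Set[str]) -> bool:
    """Offline check: walk issuer links until a trusted CA (anchor) is reached.
    Per-link signature verification is assumed; only the path question is modelled."""
    seen: Set[str] = set()
    cur = cert
    while cur.subject not in seen:
        seen.add(cur.subject)
        if cur.issuer in anchors:
            return True
        if cur.issuer == cur.subject:          # untrusted self-signed root
            return False
        nxt = store.get(cur.issuer)
        if nxt is None:                        # issuer certificate not available
            return False
        cur = nxt
    return False                               # cycle in the chain


def revocation_allows(cert: Cert, responder: Callable[[str], Revocation],
                      cache: RevocationCache) -> bool:
    """Fail-soft revocation check: a definite answer is used and cached; an error
    falls back to the cached verdict; with no cached verdict the app is allowed."""
    answer = responder(cert.subject)
    if answer is Revocation.ERROR:
        return cache.verdicts.get(cert.subject) is not Revocation.REVOKED
    cache.verdicts[cert.subject] = answer
    return answer is Revocation.GOOD


def gatekeeper_decision(cert: Cert, store: Dict[str, Cert], anchors: Set[str],
                        responder: Callable[[str], Revocation],
                        cache: RevocationCache) -> str:
    """Combine both checks into the verdict a launch would get."""
    if not chain_to_anchor(cert, store, anchors):
        return "blocked: no path to a trusted CA"
    if not revocation_allows(cert, responder, cache):
        return "blocked: certificate revoked"
    return "allowed"


# Constructed hierarchy: one root, two intermediate CAs, one leaf under each.
CERTS = {c.subject: c for c in [
    Cert("Root CA", "Root CA"),
    Cert("App Store CA", "Root CA"),
    Cert("Developer ID CA", "Root CA"),
    Cert("store-app leaf", "App Store CA"),
    Cert("team-ABC leaf", "Developer ID CA"),
]}
# The two Gatekeeper option sets from the comment, as sets of trusted CA names.
APP_STORE_ONLY = {"App Store CA"}
APP_STORE_AND_DEVELOPERS = {"App Store CA", "Developer ID CA"}


# Constructed responders standing in for the network lookup.
def responder_good(_subject: str) -> Revocation:
    return Revocation.GOOD


def responder_error(_subject: str) -> Revocation:
    return Revocation.ERROR


def responder_revokes_team_abc(subject: str) -> Revocation:
    return Revocation.REVOKED if subject == "team-ABC leaf" else Revocation.GOOD


if __name__ == "__main__":
    leaf = CERTS["team-ABC leaf"]
    print(gatekeeper_decision(leaf, CERTS, APP_STORE_ONLY, responder_good, RevocationCache()))
    print(gatekeeper_decision(leaf, CERTS, APP_STORE_AND_DEVELOPERS, responder_good, RevocationCache()))
    print(gatekeeper_decision(leaf, CERTS, APP_STORE_AND_DEVELOPERS, responder_error, RevocationCache()))
```

The interesting case is the last one in `__main__`: a responder error with an empty cache yields "allowed", which is the fallback-to-the-fallback described above, while a cached "revoked" verdict survives a later responder error and still blocks the launch.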


I have the latter Gatekeeper option, and I often have to click "Allow anyway". I don't see how being forced to click an extra button in a preference pane makes things more secure.


If you're getting the Gatekeeper dialog with the "Open anyway" button (the "Apple cannot verify that this app is free of malware" alert), then this is a specific case: you're on Catalina or later, and the app you're using has a valid code-signature but hasn't been notarized.

This warning only triggers for legacy releases of apps, published before notarization existed. Since Catalina, notarization has been part-and-parcel of the same flow that gets the self-published app bundle code-signed by Apple. AFAIK it is no longer possible to create a code-signed but non-notarized app bundle through Xcode. (It's probably still possible by invoking `codesign` directly, and third-party build systems might still be doing that... but they really shouldn't be! They've had years to change at this point! Catalina was 2019!)

Thus, the "Open anyway" option in this dialog is likely transitional. This warning is, for now, intended to not overly frighten regular users, while also indicating to developers (esp. the developer of the app) that they should really get out a new, notarized release of their app, because maybe, one day, this non-notarized release of the app won't be considered acceptable by Gatekeeper any more.

I'm guessing that once a sufficient percentage of apps have been notarized, such that macOS instrumentation reports this dialog being rarely triggered, the "Open anyway" option will be removed, and the dialog will merge back into the non-code-signed-app version of the dialog that only has "Cancel" and "Move to Trash" options. Though maybe in this instance, the dialog would have the additional text "Please contact the app developer for a newer release of this app" (because, unlike with an invalid digital signature, macOS wouldn't assume the app is infected with malware per se, but rather just that it might do low-level things [like calling private OS frameworks] that Apple doesn't permit notarized apps to do.)


Both Windows and MacOS require that developers digitally sign their software, if you want users to be able to run that software without jumping through additional hoops on their computer.

You can't distribute software through the Apple or Microsoft app stores without the software being signed.

You can sign and distribute software yourself without having anything to do with the app stores of either platform, although getting a signing certificate that Windows will accept is more expensive for the little guys than getting a signing certificate that Macs will accept.

On Windows, allowing users to run your software without jumping through additional hoops requires you to purchase an Extended Validation Code Signing Certificate from a third party. Prices vary, but it's going to be at least several hundred dollars a year.

https://www.reddit.com/r/electronjs/comments/17sizjf/a_guide...

Apple includes a software signing certificate with a basic developer account, which runs $100 a year.

You can ignore that on either platform, but users will have to take additional actions before they can run your unsigned software.


I have literally never experienced that and I use homebrew apps a lot

Perhaps you turned some "make things ultra-secure" setting on at some point ?


I suspect they're referring to changes to Gatekeeper in recent macOS versions: https://arstechnica.com/gadgets/2024/08/macos-15-sequoia-mak...

It used to be that you could run any third-party application you downloaded. And then for a while you'd have to right-click and select Open the first time you ran an application you'd downloaded, and then click through a confirmation prompt. And macOS 15, you have to attempt to open the application, be told it is unsafe, and then manually approve it via system settings.


Looks like a clear trend then.


That's just your extremely limited experience (2 stores): homebrew runs a special command clearing up a bit so you don't get that notification, which does exist if you download apps directly


This reply is very informative and should be much more visible given the extent of general ignorance about the "zomg it phones home" feature.


There was a since fixed bug in a prior MacOS release that did fail to launch an app on the local machine if the CRL data was unreachable.


Huh? It hashes the binary and phones home doesn’t it? Go compile anything with gcc and watch that it takes one extra second for the first run of that executable. It’s not verifying any certificates


When I first run locally-built software I tend to notice XProtect scanning each binary when it is launched. I know that XProtect matches the executable against a pre-downloaded list of malware signatures rather than sending data to the internet, but I haven't monitored network traffic to be sure it is purely local. You can see the malware signatures it uses at /private/var/protected/xprotect/XProtect.bundle/Contents/Resources/XProtect.yara if you're curious.
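Signature-based scanning of the kind the comment describes is a local comparison of file bytes against a downloaded rule set. The following is an added example, not XProtect's engine and not the `yara` library: a minimal YARA-style matcher in Python that supports text strings, hex strings with `??` wildcard bytes, and "any of them" / "all of them" / "N of them" conditions. The rules and sample buffers are constructed for the example; the marker strings are made up and match nothing real.

```python
"""Minimal YARA-style signature matcher (constructed example, not libyara)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Pattern:
    name: str       # e.g. "$s1"
    kind: str       # "text" or "hex"
    value: str      # literal text, or space-separated hex bytes with "??" wildcards


@dataclass(frozen=True)
class Rule:
    name: str
    strings: List[Pattern]
    condition: str  # "any of them", "all of them" or "<n> of them"


def _hex_tokens(spec: str) -> List[Optional[int]]:
    """'DE AD ?? EF' -> [0xDE, 0xAD, None, 0xEF]; None is a wildcard byte."""
    return [None if tok == "??" else int(tok, 16) for tok in spec.split()]


def find_pattern(data: bytes, pat: Pattern) -> List[int]:
    """Return every offset at which the pattern occurs in data."""
    hits: List[int] = []
    if pat.kind == "text":
        needle = pat.value.encode()
        pos = data.find(needle)
        while pos != -1:
            hits.append(pos)
            pos = data.find(needle, pos + 1)
        return hits
    toks = _hex_tokens(pat.value)
    for off in range(len(data) - len(toks) + 1):
        if all(t is None or data[off + i] == t for i, t in enumerate(toks)):
            hits.append(off)
    return hits


def _required(condition: str, total: int) -> int:
    """Number of distinct strings that must match for the condition to hold."""
    head = condition.split()[0]
    if head == "any":
        return 1
    if head == "all":
        return total
    return int(head)


def rule_matches(data: bytes, rule: Rule) -> Dict[str, List[int]]:
    """Offsets per matched string if the rule's condition holds, else {}."""
    found = {p.name: hits for p in rule.strings if (hits := find_pattern(data, p))}
    return found if len(found) >= _required(rule.condition, len(rule.strings)) else {}


def scan(data: bytes, rules: List[Rule]) -> List[str]:
    """Names of all rules whose condition holds on the buffer."""
    return [r.name for r in rules if rule_matches(data, r)]


# Constructed rules; the marker strings are invented for this example.
RULES = [
    Rule("Constructed_Sample_A",
         [Pattern("$s1", "text", "SAMPLE-MARKER-ALPHA"),
          Pattern("$s2", "hex", "DE AD ?? EF")],
         "all of them"),
    Rule("Constructed_Sample_B",
         [Pattern("$t1", "text", "SAMPLE-MARKER-BETA"),
          Pattern("$t2", "text", "SAMPLE-MARKER-GAMMA")],
         "any of them"),
]
# Constructed sample buffers standing in for files being scanned.
CLEAN_SAMPLE = b"#!/bin/sh\necho hello\n"
FLAGGED_SAMPLE = b"\x7fELF..." + b"SAMPLE-MARKER-ALPHA" + b"\xde\xad\x42\xef" + b"tail"

if __name__ == "__main__":
    print(scan(CLEAN_SAMPLE, RULES))      # []
    print(scan(FLAGGED_SAMPLE, RULES))    # ['Constructed_Sample_A']
```

Nothing here leaves the machine: the rule set is the only external input, which is why a commenter above can point at the on-disk `XProtect.yara` file as the thing to inspect, and why keeping that file current matters more than any network call for this kind of detection.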


> phones home

Nope.

It has a built in malware scanner, but that just requires a downloaded list of known malware signatures.


With the sheer number of devs who use Macs, there is a 0% chance they’re going to outright prevent running arbitrary executables. Warn / make difficult, sure, but prevent? No.


The strategy is to funnel most users onto an iPad-like platform at most where they have basic productivity apps like Word or Excel but no ability to run general purpose programs.

Meanwhile you have a minimal set of developers with the ability to run arbitrary programs, and you can go from there with surveillance on MacOS like having every executable tagged with the developer's ID.

The greater the distance between the developer and the user, the more you can charge people to use programs instead of just copying them. But you can go much further under the guise of "quality control".


> The strategy is to funnel most users onto an ipad-like platform at most where they have basic productivity apps like word or excel but no ability to run general purpose programs.

And you know this how?

This reads like every macOS fan’s worst nightmare, but there’s zero actual evidence that Apple is going in this direction.

Please share sources if you disagree.


> The strategy is to funnel most users onto an ipad-like platform

They make the best selling laptop in the world, and other most-popular-in-class laptops. If their strategy is to have people not use laptops, they are going about it funny.


If so, they are executing it badly.

As for every executable being tagged, that is not required. People can build binaries with open tools and other people can run them.

A hash gets created for Apple to play same or different with binaries found to be nefarious somehow. Seems like a reasonable proposition.


> not share that data with other parties but they definitely do not respect your privacy

not sharing my data with other parties, or using it to sell me stuff or show me ads, is what I would define as respecting my privacy; Apple checks those boxes where few other tech companies do


Their repair policy, from what I can see, is a thinly veiled attempt to get you to either pay for Apple Care or to upgrade. I got a quote to repair a colleague's MacBook Pro, less than 2 years old, which has apparent 'water damage' and which they want AUD $2,500 to repair! Of course that makes no sense, so we're buying a new one ...


> to get you to either pay for Apple Care

The problem with many self-repair people is they effectively value their time at zero.

I value my time realistically, i.e. above zero and above minimum wage. It is therefore a no brainer for me to buy AppleCare every ... single ..time. It means I can just drop it off and let someone else deal with messing around.

I also know how much hassle it is. Like many techies, I spent part of my early career repairing people's PCs. Even in big PC tower cases with easy accessibility to all parts it's still a fucking horrific waste of time. Hence these days I'm very happy to let some junior at Apple do it for the cost of an AppleCare contract.


> The problem with many self-repair people is they effectively value their time at zero.

Back in 2010 Apple quoted me €700 for a topcase replacement because of shattered display glass. Instead I paid €50 for a third party replacement pane and did 15 minutes of work with a heat gun.

What's more, they fold most of the cost of the repair into the price of parts. So you can either get a replacement screen for €499 and install it yourself, or have it officially repaired for €559. This effectively subsidizes official repairs and makes DIY repairs more expensive.

Apple does extreme gouging with repairs, it's hogwash to claim anything else.


That is not why I didn’t buy Apple Care.

My hope is that the machine will work for a long while, like most of them do. In my case it’s a ~$1200 machine so I prefer to self-insure. I’m taking the chance that if it goes bad, I’ll pay to fix or replace it.

This makes sense, for me, when I do it on everything that I buy.


A big problem with Apple Care is here in Thailand anyway you need to give them your computer for a few weeks. You have to wait a week for them to look at it. They won't even allow you to use it and then bring it back in a week.


How often do you actually need a repair from Apple? I used to buy AppleCare but stopped in the last few years and have yet to need any repairs done except a battery replacement on a 14 Pro that I was giving to family.


There are three kinds of people

1. people who arguably fall under the definition of careless, or have small children, need repair plans

2. people who are fastidious and nothing ever breaks, don't need repair plans

3. people who are fastidious, have small children, need repair plans

I was a #2 and I'm slowly transitioning into a #3 for specific purchases.


Even with small children, I haven’t really found a need for AppleCare. They don’t touch my devices, and their devices are older iPads that aren’t worth that much to begin with, sheathed with big chonky cases that have survived a few trips down stairs unscathed.


Insurance is always a gamble. Up to you to do your own math on the risks..


Why not pay for apple care? In the US it covers water damage


Because it feels like extortion. There was almost certainly no water damage caused by external factors: the user didn't spill anything on it and has literally no idea where the so-called water damage could have come from. I have heard anecdotally that this is their go-to for denying claims and it is difficult to argue against.


Humidity in the air can eventually trigger whatever they use to report wet damage.


Yes, that's what I've heard, which seems crazy.


It’s a hygroscopic sticker made by 3M.


Agree. I recently went to an Apple store in Tokyo to buy an accessory. The Apple employee pulled up their store iPhone to take my payment (Apple Pay) and then asked me to fill out a form with my email address, and there was a message about how my info would be shared with some company. I thought about going back and pretending to buy something else so I could film it. I questioned the store person: "Isn't Apple supposed to be 'Privacy first'?" If it was privacy first they wouldn't have asked for the info in the first place and they certainly wouldn't be sharing it with a 3rd party.


At the very least Apple are better than Microsoft, Windows and the vendors that sell Windows laptops when it comes to respecting user experience and privacy.


I switched to iPhone after they added the tracker blocking to the OS.

Everything is a tradeoff.

I’d love to live in the F-Droid alt tech land, but everything really comes down to utility. Messaging my friends is more important than using the right IM protocol.

Much as I wish I could convince everyone I know and have yet to meet to message me on Signal or whatever, that simply isn’t possible. Try explaining that I am not on WhatsApp or Insta to a girl I’ve just met…

Also it is nice to spend basically no time maintaining the device, and have everything work together coherently. Time is ever more valuable past a certain point.


But why do we have to choose between convenient and open? Why are these companies allowed to continue having these protected "gardens"? I don't believe a free and truly open ecosystem for mobile devices would actually be less convenient than iOS or Android. If anything it would be vastly better.


Has it occurred to you that the stronger control of the ecosystem is a feature that supports the convenience and integration that's possible?

This is just the "Why not Linux desktop" argument from the past two decades. Sure, in theory it can be configured to do a lot of different things. But you're probably gonna have to work out the details yourself because the downside of theoretically supporting everything is that it's impossible to just have it work out of the box with every single scenario.


They have big numbers. Big numbers tell that 95% of people would need to be in closed protected gardens rather than getting slaughtered by open source wolves.


That's a low bar for girls IMO (not being able to grasp that someone might not want to use WhatsApp or Instagram).


> Apple is well on its way to ensure you can only run things they allow via app store, they would probably already be there if it wasn't for the pesky EU.

People have been saying this ever since Apple added the App Store to the Mac in 2010. It’s been 14 years. I wonder how much time has to go by for people to believe it’s not on Apple’s todo list.


If there was a time Apple was going to do it, it would have been when they switched to Apple Silicon. And they didn't.


Even if I have analytics disabled?

Genuinely asking: are there any specifics on this? I understand that blocking at the firewall level is an option, but I recall someone here mentioning an issue where certain local machine rules don’t work effectively. I believe this is the issue [1]. Has it been “fixed”?

[1] https://appleinsider.com/articles/21/01/14/apple-drops-exclu...


They're probably referring to the certificate verification that happens when you open any notarized application. Unless something changed recently, the system phones home to ensure its certificate wasn't revoked.


It doesn't do that on every app launch; there's a cache. It does it on the first launch of a binary from a new team.

(So multiple binaries with the same team don't check either.)

And I'd expect all logging is disabled on the CDN.


It does kind of suck if the binary is frequently updated, big and you have a slow internet connection. So some program which normally takes seconds to open can take 20 or more seconds to open after an update. Or if you don't use that program frequently, you always get a very slow start of a program.


I have no reason to expect that it is.


> Even if I have analytics disabled?

Yeah because what’s being sent is not analytics but related to notarization, verifying the app’s integrity (aka is it signed by a certificate known to Apple?)

This came to light a few years ago when the server went down and launching apps became impossible or slow…

https://www.macrumors.com/2020/11/12/mac-apps-not-opening/


> where everyone just keeps parroting what Apple says as an absolute truth.

You are free to verify.


> Apple is well on its way to ensure you can only run things they allow via app store

I don't think Apple's behavior actually reflects this if you look closely (although I can certainly see how someone could form that opinion):

As a counter example, Apple assisted with their own engineers to help port Blender to Metal (https://code.blender.org/2023/01/introducing-the-blender-met...):

> Around one year ago, after joining the Blender Development Fund and seeding hardware to Blender developers, Apple empowered a few of its developers to directly contribute to the Blender source code.

I'm assuming similar support goes to other key pieces of software, e.g., from Adobe, Maxon, etc... but they don't talk about it for obvious reasons.

The point being Apple considers these key applications to their ecosystem, and (in my estimation at least) these are applications that will probably never be included in the App Store. (The counterargument would be the Office Suite, which is in the App Store, but the key Office application, Excel, is a totally different beast than the flagship Windows version, that kind of split isn't possible with the Adobe suite for example.)

Now what I actually think is happening is the following:

1. Apple believes the architecture around security and process management that they developed for iOS is fundamentally superior to the architecture of the Mac. This is debatable, but personally I think it's true as well for every reason, except for what I'll go into in #2 below. E.g., a device like the Vision Pro would be impossible with macOS architecture (too much absolute total complete utter trash is allowed to run unfettered on a Mac for a size-constrained device like that to ever be practical, e.g., all that trash consumes too much battery).

2. The open computing model has been instrumental in driving computing forward. E.g., going back to the Adobe example, After Effects plugins are just dynamically linked right into the After Effects executable. Third party plugins for other categories often work similarly, e.g., check out this absolutely wild video on how you install X-Particles on Cinema 4D (https://insydium.ltd/support-home/manuals/x-particles-video-...).

I'm not sure if anyone on the planet even knows why, deep down, #2 is important, I've never seen anyone write about it. But all the boundary pushing computing fields I'm interested in, which is mainly around media creation (i.e., historically Apple's bread-and-butter), seems to depend on it (notably they are all also local first, i.e., can't really be handled by a cloud service that opens up other architecture options).

So the way I view it is that Apple would love to move macOS to the fundamentally superior architecture model from iOS, but it's just impossible to do so without hindering too many use cases that depend on that open architecture. Apple is willing to go as close to that line as they can (in making the uses cases more difficult, e.g., the X-Particles video above), but not actually willing to cross it.


> Apple is well on its way to ensure you can only run things they allow via app store, they would probably already be there if it wasn't for the pesky EU

What has the EU done to stop Apple doing this? Are Apple currently rolling it out to everywhere but the EU?


You’re way off base. Paranoid.


>Apple is well on its way to ensure you can only run things they allow via app store

that ship has well and truly sailed, this conspiracy might once have held water but Apple's machines are far too commercially ubiquitous for them to have any designs on ringfencing all the software used by all the industries that have taken a liking to the hardware.


> Apple is well on its way to ensure you can only run things they allow via app store,

What are you talking about? I don’t run a single app from the app store and have never felt a need to.


The EU is center-right-wing, and laughs all the way to the bank whenever someone like you falls for their "we externally pretend to be the good guys" trope. Leyen is pretty much the worst leadership ever, but they still manage to convince the politically naive that everything is fine, because of GDPR, AI laws and huge penalties for big tech. It's sad how simple it is to confuse people.


I mean, the security features are pretty well documented. The FBI can't crack a modern iPhone even with Apple's help. A lot of the lockdowns are in service of that.

I'm curious: what hardware and software stack do you use?


Cellebrite Premium 7.69.5 iOS Support Matrix from July 2024.

https://discuss.grapheneos.org/d/14344-cellebrite-premium-ju...


Doesn't AFU here mean the phone had to be already unlocked? Which is most of the entries?


AFU means the phone was unlocked and then relocked.


Right, so not the use case involving the police up thread.


Police do often want to get into phones in that state. This is why Cellebrite sells that product.


FBI and Apple "can't", but 3rd party do and they do it cheaper every day.


They do not.

Edit: I have not posted a source for this claim, because what sort of source would be acceptable for a claim of the form "X has not occurred"?

If you are going to claim Apple's security model has been compromised, you need not only evidence of such a compromise but also an explanation for why such an "obvious" and "cheap" vulnerability has not been disclosed by any number of white or grey-hat hackers.


Yes they do.


If you're going to claim that random hacking groups routinely do something the FBI and NSA claim to be unable to do... citation needed.


Ok [1]

"Since then, technologies like Grayshift’s GrayKey—a device capable of breaking into modern iPhones—have become staples in forensic investigations across federal, state, and local levels."

"In other cases where the FBI demanded access to data stored in a locked phone, like the San Bernardino and Pensacola shootings, the FBI unlocked devices without Apple’s help, often by purchasing hacking tools from foreign entities like Cellebrite."

1 - https://www.firstpost.com/tech/the-fbi-was-able-to-hack-into...


An issue with taking their claim at face value is they have no incentive to say they can:

- they can keep asking for backdoors to "stop terrorists"

- they're not on the hook if for whatever reason they can't access a particular phone in a very mediatized case

- most targets (the not so sophisticated ones at least) keep using a device the agencies have proper access to

Regardless of their actual technical means, I don't expect we ever get a "we sure can!" kind of public boasting any time soon.


Jesus, just post a source.


the burden of proof is not on him to prove a negative


Is there evidence of this. I’d be interested to know more.


> Apple is well on its way to ensure you can only run things they allow via app store

I'm very happy to only run stuff approved on Apple's app store... ESPECIALLY following their introduction of privacy labels for all apps so you know what shit the developer will try to collect from you without wasting your time downloading it.

Also have you seen the amount of dodgy shit on the more open app stores ?


It's a reasonable choice to do so and you can do it now. The problem starts when Apple forbid it for people who want to install on their computer what they want.


> Apple is well on its way to ensure you can only run things they allow via app store

I am totally ok with this. I have personally seen apple reject an app update and delist the app because a tiny library used within it had a recent security concerns. Forced the company to fix it.


No one is stopping you from using only the app store if you value its protection, so you need a more relevant justification to ok forcing everyone else to do so


If I had 1.4B active users I would want to mitigate the ability of almost all of them to accidentally fuck up their devices instead of worrying about irritating a few tech folk because they can’t load broken apps on it.


Your stat is an order of magnitude type of fantasy, the apps aren't broken, and the inability to install also affects everyone, not a few folks, so again you're left with nothing but your personal desire for controlling other people


> Your personal desire for controlling other people.

Well that’s just childish, pouty, and not a very well thought out train of thought on the subject.

The control isn’t over people, it’s about finding a solution to creating and preserving market share via device reliability on the platform. There are 1.4B iPhone users (and that’s a real number, not a fantasy), and not every one of those people is savvy enough to vet their applications before installation. If installation of any app was wide open you would have a large portion of those 1.4B accidentally installing crap. They may have 100 apps on their phone but if 1 is a piece of shit and broken (and yes conservatively at least 1% of apps out there probably have a bug bad enough to wreak some havoc) and it renders the reliability of the phone to shit that’s bad. If the market perceives that the reliability of the device is shit, Apple loses either in increasing or preserving market share for the device. Apple needs those devices to work reliably and it feels that one way to do that is vetting the apps that will be running on it. The hardware is great, the OS does its job making the hardware platform operational, but the one place where there is the opportunity to introduce instability is in the apps. So you do your best to control that area of instability opportunity on your platform.

Here is the beautiful thing for you…there plenty of other phones out there that will allow you to install whatever the hell you want. Apple only has 16% of the worldwide smartphone market share.

https://backlinko.com/iphone-users#iphone-key-stats


Man, talking about crashing trains of thought: you fail to grasp the fact that the conversation is about MacOS, not iOS, that there is no contradiction between "blah platform" and control over people, and even that the fact that other phones exist doesn't negate the deficiencies of this specific phone

> conservatively at least 1% of apps

That's another made up number of yours, with a similarly made up qualifier

> the market perceives that the reliability of the device is shit

Since the vast majority of devices aren't so locked down, isn't "the market" yelling at you that you're wrong?


I was talking about iOS so yes, I missed that the conversation was about Mac. Shame on me. In a sense the use case for a Mac is less ubiquitous than a smartphone, so the need for vetting may not be as great because users of the device don’t perceive the apps running on it as the device itself.

However, I stand firm in my argument about why the iPhone is locked down and why it’s a good thing. Even if you spread into other smartphone manufacturers like Samsung, you still find similar attempts to control the lay users ability to install unvetted apps on the devices. It may even be more important for them to do that too since they don’t fully control the OS on their devices.

> That's another made up number of yours, with a similarly made up qualifier

Obviously it was made up and obviously it was set as an intentionally low bar for software quality because who would argue (especially on HN) that 100% of available software out there is bug free, but if you want to believe that all available software is 100% safe to use, I encourage you to download and install everything you come across no matter whether the device is a smartphone, a Mac, or any other device you use and rely upon. I am sure you will be fine.


> you still find similar attempts to control

Sure, though it doesn't mean what you want it to mean since you just ignore the $$$ elephant in the room that explains the desire for more control. For the same reason, you "stand firm" in ignorance as to "why the iPhone is locked down"

> Obvious it was made up

Glad you realise that.

> intentionally low bar

Intentionally appearing like one

> if you want to believe ... software is 100% safe to use

Again with your fantasies. I believe the justification should be grounded in reality, both in terms of the % estimate as well as in terms of the severity (so no, "bug free" is irrelevant, you need severe billions-affecting bugs that can only be eliminated by hard-forcing the app store, which you can't have since the reality doesn't align with you).

And as to your standing firm in your argument "why it’s a good thing", well, you don't really have an argument, just a desire for one with made up stats and corporate motivations


Alrighty, so I guess what we have learned is that apparently some number at 100% or perhaps less of all software is apparently released bug free. However, we don’t know for sure “the perhaps less”, despite all of the numerous historical examples of shit software being released that has wreaked havoc that we or others have experienced. And since we don’t know that precise number we are not allowed to state any estimate no matter how modest that is below that 100% of software perfection. Therefore, a device manufacturer would never need or should do anything that attempts to protect the consumer and their market share by protecting the device’s perceived reliability by preventing buggy software from being installed, because buggy software doesn’t exist.

Thanks for the education in the importance of precision and the rejection of experience in determining reality. I’ll ignore my decades of having to clean up all the messes that apparently non-existent buggy shit software managed to do to novice and lay users who willy-nilly installed it…or maybe didn’t install it, since it was imaginary.

By the way…before you respond again you might read up a bit on situational irony. You seemed to have missed it on my prior comment…and this one is dripping with it.


Your drips don't land because you can't make up a valid argument, ignore what I said and resort back to your fantasy land again fighting your imaginary 100%s and do-nothings


Yeah that’s it. I am in awe of your reality.


What about all those libs and executables you likely install via brew, npm, cargo etc? Those are all applications


Sure – Apple are trying to stop people who don't know what they're doing from getting hurt. Hence the strong scrutiny on what is allowed on the App Store (whether it's reasonable to charge 30% of revenue is an entirely different question).

People who are installing things using a terminal are probably (a) slightly computer savvy and (b) therefore aware that this might not be a totally safe operation.


And, despite being an avid homebrew user, I've never had a problem there.


All of us having this discussion are outliers.

The things we talk about here which annoy us are for the much larger set of people who need them!

Put another way, it is all about the set of us who cannot really participate in this discussion.

