361 points robenkleene | 2 comments
londons_explore ◴[] No.23282990[source]
This must be a blacklist, since it doesn't block my own random scripts which it has never seen before.

If it's a global blacklist on apple servers, it should instead be downloaded to the client, and be a local blacklist.

Too big? Use a bloom filter. Now you only end up keeping less than one byte per blacklisted item. Update the bloom filter with an autoupdater. Any positive hit you can check against the server just in case it's a false positive.

replies(3): >>23283287 #>>23283550 #>>23283950 #
1. daneel_w ◴[] No.23283287[source]
Bloom filters are probability-based and come with inaccuracy problems. If you're going to double-check with Apple anyway, what does a bloom filter solve compared to the current response caching after querying Apple? How will you protect the locally cached blacklist from being tampered with?
replies(1): >>23283412 #
2. w-j-w ◴[] No.23283412[source]
Bloom filters have probabilistic false positives, making them perfect for blacklisting. A negative means that the program can be run immediately, because it is guaranteed to not be on the list. A positive needs to be double checked, though.
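
The lookup flow discussed in this thread, as an added example that is not part of any comment above and is not Apple's implementation: a local Bloom filter answers definite negatives offline, and only possible hits go to the authoritative list. The names `BloomFilter`, `check_binary` and `server_lookup`, the 3% false-positive target and all sample hashes are assumptions made for the illustration.

```python
import hashlib
import math

class BloomFilter:
    def __init__(self, capacity, fp_rate):
        # Standard sizing: m = -n ln p / (ln 2)^2 bits, k = (m / n) ln 2 hashes.
        self.m = max(8, math.ceil(-capacity * math.log(fp_rate) / math.log(2) ** 2))
        self.k = max(1, round(self.m / capacity * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item):
        # Double hashing: derive k bit indexes from two parts of one SHA-256 digest.
        d = hashlib.sha256(item).digest()
        h1 = int.from_bytes(d[:8], "big")
        h2 = int.from_bytes(d[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item):
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, item):
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))

def check_binary(digest, local_filter, server_lookup):
    """Return (verdict, contacted_server) for one executable hash."""
    if digest not in local_filter:
        return "allow", False  # definite negative: no network round trip
    # Possible hit: only the authoritative list separates a match from a false positive.
    return ("block" if server_lookup(digest) else "allow"), True

def demo():
    # Constructed data: 5000 fake "blocked" hashes and 20000 fake "benign" ones.
    blocked = {hashlib.sha256(b"bad-%d" % i).digest() for i in range(5000)}
    benign = [hashlib.sha256(b"ok-%d" % i).digest() for i in range(20000)]
    bf = BloomFilter(capacity=len(blocked), fp_rate=0.03)
    for h in blocked:
        bf.add(h)
    server = blocked.__contains__  # hypothetical stand-in for the server-side check
    results = [check_binary(h, bf, server) for h in benign]
    return {
        "bytes": len(bf.bits),  # filter size for 5000 entries
        "benign_lookups": sum(1 for _, contacted in results if contacted),
        "benign_blocked": sum(1 for verdict, _ in results if verdict == "block"),
        "blocked_missed": sum(1 for h in blocked
                              if check_binary(h, bf, server)[0] != "block"),
    }

if __name__ == "__main__":
    print(demo())
```

The example does not cover the tampering question raised in the thread; a downloaded filter would still need an integrity check, such as a signature verified before use.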