←back to thread

Catalina is checking notarization of unsigned executables

(lapcatsoftware.com)
361 points robenkleene | 9 comments | 23 May 20 09:42 UTC | HN request time: 1.229s | source | bottom
Show context
londons_explore ◴[23 May 20 14:03 UTC] No.23283004[source]
So you're telling me that every time I install a program in OSX, it pings apple to let them know what program I'm installing, my IP address, my location, and my OS version?

Sounds very Orwellian for a privacy focussed company...

replies(3): >>23283075 #>>23283270 #>>23283783 #
daneel_w ◴[23 May 20 14:36 UTC] No.23283270[source]
No, that's not what he's telling you. You're getting ahead of yourself with your question. He's telling us that macOS will consult with Apple regarding the "fingerprint" of an executable when you run it.
replies(1): >>23283313 #
1. londons_explore ◴[23 May 20 14:41 UTC] No.23283313[source]
But the fingerprint of photoshop is the same for everyone. If apple knows what the fingerprint of photoshop is (which they could easily find out), now they have a giant list of who installed photoshop and when, and from which IP address, and which IP location.

That data would be a wet dream for some IP lawyer looking for pirate copies of software...

replies(3): >>23283510 #>>23283999 #>>23288033 #
2. daneel_w ◴[23 May 20 15:05 UTC] No.23283510[source]
I understand the privacy concern. We don't know if they store/log anything from the request, or even what it contains in itself besides the "fingerprint". I'm personally certain that Apple is not in cahoots with Big Software to put a squeeze on users in exchange for small money. It's not their business, and it's not something they are required by law to make their business.
replies(1): >>23283585 #
3. ctrlcctrlv ◴[23 May 20 15:14 UTC] No.23283585[source]
> I'm personally certain that Apple is not in cahoots with Big Software to put a squeeze on users in exchange for small money

Well, this is the problem people have I think - that it comes down good intentions on Apple's part, no matter how trustworthy they are deemed to be.

replies(1): >>23284105 #
4. microtherion ◴[23 May 20 16:01 UTC] No.23283999[source]
The Photoshop binary is signed (presumably; it's been years since I last ran it), so this check would NOT be conducted.

Edit: What I should have said is that the binary is signed, notarized, and the notarization stapled to it, as described here: https://developer.apple.com/documentation/xcode/notarizing_m...

replies(1): >>23284621 #
5. Operyl ◴[23 May 20 16:13 UTC] No.23284105{3}[source]
With this logic you might as well not try at all. You have to trust Intel, your bios/UEFI, Apple/Microsoft, all the various builds of software closed and open source alike .. at some point you need to trust someone.
replies(1): >>23284147 #
6. throwaway2048 ◴[23 May 20 16:17 UTC] No.23284147{4}[source]
how is that a justification to heap on more "required" trust into a system?

Feels like somebody could flesh out this argument in terms of accidental vs necessary complexity, but in terms of how much you need to trust the other party.

Few would accept the argument "This code is already very complex, why do you have a problem with doubling the complexity?" on its own merits, so why is it sensible in terms of trust?

7. lloeki ◴[23 May 20 17:13 UTC] No.23284621[source]
The author of the article mentioned explicitly that he signed a binary, and the check still occurred.
replies(1): >>23288230 #
8. rmrfrmrf ◴[24 May 20 00:39 UTC] No.23288033[source]
My personal wet dream is that I can download any shady Photoshop torrent and Apple will block the ones that have trojans baked in. Given that Apple won't even open up their infrastructure to US law enforcement, I can't see them teaming up with IP lawyers anytime soon.
9. tcoff91 ◴[24 May 20 01:20 UTC] No.23288230{3}[source]
Did he staple the notarization though? They are 2 separate steps.