Most active commenters
  • usmannk(6)
  • takeda(3)
  • _qulr(3)

←back to thread

Catalina is checking notarization of unsigned executables

(lapcatsoftware.com)
361 points robenkleene | 23 comments | 23 May 20 09:42 UTC | HN request time: 1.325s | source | bottom
1. usmannk ◴[23 May 20 16:27 UTC] No.23284235[source]
There is so much confusion here. The OP and most others are missing one of the biggest points: Look at the packet trace. There is _no data_, not even a hash, being sent. It's a TLS negotiation and then the connection ends. I have to suspect it's a bug...
replies(6): >>23284309 #>>23284481 #>>23284891 #>>23285137 #>>23285544 #>>23287368 #
2. takeda ◴[23 May 20 16:35 UTC] No.23284309[source]
In prior article "slow by design", this was reported to Apple and the bug was closed that it works like that by design.
replies(1): >>23284345 #
3. usmannk ◴[23 May 20 16:40 UTC] No.23284345[source]
I did see the previous article (another comment of mine should be easy to find on its HN post). Do you know how to find the issue that was referenced? There was an ID given but I have no clue what tracker that was on.
replies(4): >>23284431 #>>23284458 #>>23285071 #>>23285171 #
4. Gaelan ◴[23 May 20 16:50 UTC] No.23284431{3}[source]
It's probably Radar, which is Apple's internal issue tracker, which isn't public (you can see issues you submitted, but nothing else). Sometimes people cross-post issues they submit to http://openradar.appspot.com, so you might be able to find it there.
replies(2): >>23285134 #>>23286132 #
5. KenoFischer ◴[23 May 20 16:53 UTC] No.23284458{3}[source]
That ID was likely for feedbackassistant.apple.com. However, those reports are not public, so you can't see them unless you're the one that reported them though. Knowing the ID is still useful for things like emailing Apple people and complaining about their declining software quality ;).
6. 2OEH8eoCRo0 ◴[23 May 20 16:56 UTC] No.23284481[source]
Is the handshake all that is needed to verify? Is the data you're expecting sent during the authentication phase of the handshake?
7. the_imp ◴[23 May 20 17:47 UTC] No.23284891[source]
The Objective-C format strings in the URL would imply that the hash is sent as a path parameter.
replies(1): >>23284908 #
8. usmannk ◴[23 May 20 17:49 UTC] No.23284908[source]
That's a string found in the disassembly of syspolicyd (I've found it as well). However, the actual URL you see in the TCP logs has no path whatsoever.
9. ◴[23 May 20 18:15 UTC] No.23285071{3}[source]
10. takeda ◴[23 May 20 18:21 UTC] No.23285134{4}[source]
The issue is FB7674490 but it is not on the OpenRadar. Looks like OpenRadar is not Apple's services and issues appear there only if author (which has access to the issue in the Apple system) submits them there.
replies(1): >>23286127 #
11. _qulr ◴[23 May 20 18:21 UTC] No.23285137[source]
I'm not sure what you're seeing, but that's not what I'm seeing. When I Wireshark both app notarization and script notarization, I see 2 packets of encrypted Application Data sent to Apple (567 and 101 bytes), and 1 packet of Application Data (varying length) returned from Apple, in each case. What do you see when you trace a regular app notarization check?
replies(1): >>23285209 #
12. takeda ◴[23 May 20 18:24 UTC] No.23285171{3}[source]
Looks like these issues are only visible to originator, so we have to trust the author about it. Perhaps the author could post it on the OpenRadar.
13. usmannk ◴[23 May 20 18:29 UTC] No.23285209[source]
This is odd, my proxy doesn't seem to show this. I will try to load my root cert into Wireshark and check.

Edit: Checked and double checked: When I run a new shell script, syspolicyd just makes a connection with no application data

replies(2): >>23285662 #>>23287587 #
14. fierarul ◴[23 May 20 19:12 UTC] No.23285544[source]
Any communication is data! There are tracking pixels that return 404! Why? Because once you've hit their endpoint, it did the job.

The TLS negotiation is enough to send quite enough info.

15. _qulr ◴[23 May 20 19:28 UTC] No.23285662{3}[source]
I'd recommend trying this: Download a notarized Mac app, delete any stapled notarization ticket (.app/Contents/CodeResources), and then trace the launch. What do you see, and does the system let you open the app? Does it say it checked for malware?
replies(1): >>23286014 #
16. usmannk ◴[23 May 20 20:18 UTC] No.23286014{4}[source]
Ah I see, looks like we're not running quite the same experiment. I suspect that anything including an app bundle ID is going to see some more interesting traffic.
replies(1): >>23286085 #
17. _qulr ◴[23 May 20 20:25 UTC] No.23286085{5}[source]
Don't suspect, test. ;-)

I'm running both experiments. I've tested and compared script notarization to app notarization.

You're getting apparently unusual results with script notarization. So the natural next step would be to compare against app notarization.

replies(1): >>23286350 #
18. saagarjha ◴[23 May 20 20:30 UTC] No.23286127{5}[source]
Open Radar is community maintained and fairly poorly at that these days :(
19. saagarjha ◴[23 May 20 20:30 UTC] No.23286132{4}[source]
FB numbers come from Feedback Assistant, which are similarly non-public and feed into Radar through a convoluted process.
20. usmannk ◴[23 May 20 20:55 UTC] No.23286350{6}[source]
Agh, I think it was cert pinning. Looks like the connection is terminated if you're snooping. I see the same results as you now. Thanks!
21. cryptonector ◴[23 May 20 22:59 UTC] No.23287368[source]
"no data", just a TLS handshake. Of course information can flow! You could put a hash of the executable in a ClientHello extension, and if the server says "i don't know it to be malware" it can finalize the TLS connection normally.
replies(1): >>23288635 #
22. ◴[23 May 20 23:30 UTC] No.23287587{3}[source]
23. userbinator ◴[24 May 20 02:37 UTC] No.23288635[source]
I have a feeling that there is already a system out there which does something like that.