
361 points robenkleene | 6 comments

usmannk No.23284235
There is so much confusion here. The OP and most others are missing one of the biggest points: Look at the packet trace. There is _no data_, not even a hash, being sent. It's a TLS negotiation and then the connection ends. I have to suspect it's a bug...
replies(6): >>23284309 #>>23284481 #>>23284891 #>>23285137 #>>23285544 #>>23287368 #
_qulr No.23285137
I'm not sure what you're seeing, but that's not what I'm seeing. When I Wireshark both app notarization and script notarization, I see 2 packets of encrypted Application Data sent to Apple (567 and 101 bytes), and 1 packet of Application Data (varying length) returned from Apple, in each case. What do you see when you trace a regular app notarization check?
replies(1): >>23285209 #
1. usmannk No.23285209
This is odd, my proxy doesn't seem to show this. I will try to load my root cert into Wireshark and check.

Edit: Checked and double checked: When I run a new shell script, syspolicyd just makes a connection with no application data

replies(2): >>23285662 #>>23287587 #
2. _qulr No.23285662
I'd recommend trying this: Download a notarized Mac app, delete any stapled notarization ticket (.app/Contents/CodeResources), and then trace the launch. What do you see, and does the system let you open the app? Does it say it checked for malware?
replies(1): >>23286014 #
3. usmannk No.23286014
Ah I see, looks like we're not running quite the same experiment. I suspect that anything including an app bundle ID is going to see some more interesting traffic.
replies(1): >>23286085 #
4. _qulr No.23286085
Don't suspect, test. ;-)

I'm running both experiments. I've tested and compared script notarization to app notarization.

You're getting apparently unusual results with script notarization. So the natural next step would be to compare against app notarization.

replies(1): >>23286350 #
5. usmannk No.23286350
Agh, I think it was cert pinning. Looks like the connection is terminated if you're snooping. I see the same results as you now. Thanks!
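The disagreement above comes down to what the record layer of the captured connection actually carried: a handshake followed by a close, a handshake aborted when the client rejects an interposed proxy's certificate, or a handshake followed by encrypted Application Data records. The script below is an added example, not code from the thread or from Apple; it parses both directions of a TLS 1.2 byte stream at the record layer (content type, version, length) and classifies the connection. The byte streams, record payload sizes (chosen to mirror the 567- and 101-byte packets _qulr mentions) and the fatal `unknown_ca` alert standing in for a pinning failure are all constructed inline, not taken from a real capture.

```python
"""Added example: classify a captured TLS connection by what its record
layer carried, to tell "handshake then close" from "handshake plus
application data".  Sample byte streams below are constructed inline."""
from dataclasses import dataclass, field

# TLS record-layer content types (RFC 5246, section 6.2.1).
CHANGE_CIPHER_SPEC, ALERT, HANDSHAKE, APPLICATION_DATA = 20, 21, 22, 23
CONTENT_TYPES = {
    CHANGE_CIPHER_SPEC: "change_cipher_spec",
    ALERT: "alert",
    HANDSHAKE: "handshake",
    APPLICATION_DATA: "application_data",
}


@dataclass
class RecordSummary:
    counts: dict = field(default_factory=dict)            # content type name -> records seen
    app_data_lengths: list = field(default_factory=list)  # payload length of each type-23 record
    trailing: int = 0                                     # bytes after the last complete record

    @property
    def app_data_bytes(self) -> int:
        return sum(self.app_data_lengths)


def parse_records(stream: bytes) -> RecordSummary:
    """Walk one direction of a TCP stream as TLS records: type(1) version(2) length(2) payload."""
    summary = RecordSummary()
    i = 0
    while i + 5 <= len(stream):
        ctype, major = stream[i], stream[i + 1]
        length = int.from_bytes(stream[i + 3:i + 5], "big")
        if ctype not in CONTENT_TYPES or major != 3:
            raise ValueError(f"not a TLS record header at offset {i}")
        if i + 5 + length > len(stream):
            break  # truncated capture: stop at the last complete record
        name = CONTENT_TYPES[ctype]
        summary.counts[name] = summary.counts.get(name, 0) + 1
        if ctype == APPLICATION_DATA:
            summary.app_data_lengths.append(length)
        i += 5 + length
    summary.trailing = len(stream) - i
    return summary


def classify(client_to_server: bytes, server_to_client: bytes) -> str:
    """Summarise a connection from both directions' record streams."""
    c, s = parse_records(client_to_server), parse_records(server_to_client)
    if c.app_data_bytes or s.app_data_bytes:
        return (f"application data exchanged: {c.app_data_lengths} sent, "
                f"{s.app_data_lengths} received")
    if "alert" in c.counts or "alert" in s.counts:
        return "handshake aborted by alert (no application data)"
    return "handshake only, no application data"


def record(ctype: int, payload: bytes) -> bytes:
    """Build one TLS 1.2 record (version bytes 3,3)."""
    return bytes([ctype, 3, 3]) + len(payload).to_bytes(2, "big") + payload


# Constructed sample streams (not real captures).  Handshake bodies are
# placeholder bytes; only the record headers matter to the parser.
CLIENT_HELLO = record(HANDSHAKE, b"\x01" + bytes(60))
SERVER_HELLO = record(HANDSHAKE, b"\x02" + bytes(80))
FINISHED = record(CHANGE_CIPHER_SPEC, b"\x01") + record(HANDSHAKE, bytes(40))

# Case 1: full handshake, then two client records and one server record of
# application data (payload sizes constructed to mirror the 567/101-byte
# packets mentioned in the thread; they are not measured values).
NORMAL_CLIENT = (CLIENT_HELLO + FINISHED
                 + record(APPLICATION_DATA, bytes(567))
                 + record(APPLICATION_DATA, bytes(101)))
NORMAL_SERVER = SERVER_HELLO + FINISHED + record(APPLICATION_DATA, bytes(300))

# Case 2: the client rejects the intercepting proxy's certificate and sends a
# fatal alert (level 2, unknown_ca = 48) instead of continuing.  This is the
# shape an interposed proxy sees when the client pins its certificates.
PINNED_CLIENT = CLIENT_HELLO + record(ALERT, bytes([2, 48]))
PINNED_SERVER = SERVER_HELLO

# Case 3: handshake completes, then the connection is simply closed.
HANDSHAKE_ONLY_CLIENT = CLIENT_HELLO + FINISHED
HANDSHAKE_ONLY_SERVER = SERVER_HELLO + FINISHED


if __name__ == "__main__":
    for label, c, s in [("normal", NORMAL_CLIENT, NORMAL_SERVER),
                        ("pinned", PINNED_CLIENT, PINNED_SERVER),
                        ("handshake-only", HANDSHAKE_ONLY_CLIENT, HANDSHAKE_ONLY_SERVER)]:
        print(f"{label}: {classify(c, s)}")
```

Two caveats when applying this to a real trace. First, a TLS-intercepting proxy is not a passive observer: if the client pins its certificates, the proxy's capture shows the abort (case 2), while a passive Wireshark capture of the unmodified connection shows whatever the client really sends. Second, this parser assumes TLS 1.2 framing; in TLS 1.3, everything after ServerHello is carried in records with content type 23, so the presence of "Application Data" records alone no longer proves that any application payload was exchanged, and record counts and sizes relative to a known-good connection are the better signal.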
6. No.23287587