2603 points mattsolle | 3 comments

submeta No.25075156
Unbelievable. When I read the tweet (tried to post here as well), I suddenly realized why my Mac was unresponsive an hour ago.

Here is another tweet that describes the problem in more detail:

https://mobile.twitter.com/llanga/status/1326989724704268289

> I am currently unable to work because macOS sends hashes of every opened executable to some server of theirs and when `trustd` and `syspolicyd` are unable to do so, the entire operating system grinds to a halt.

EDIT:

As others pointed out, I put this in my `/etc/hosts` file and refreshed it like so:

    sudo emacs /etc/hosts # add `0.0.0.0 ocsp.apple.com` 
    sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder # refresh hosts
vsskanth No.25075338
Can Apple not use security certificates to verify publishers? Why does it need to go to their servers?
loeg No.25075733
The URL mentioned in sibling comments suggests this has to do with certificate revocation (OCSP): https://en.wikipedia.org/wiki/Online_Certificate_Status_Prot...

I agree that breaking system availability when an OCSP server isn't available is user-hostile and unnecessary.

freeone3000 No.25075811
The alternative is OCSP being allowed if internet isn't available, which is a security risk for reasonable defense-in-depth strategies.
gruez No.25075905
Most OCSP implementations fail-open, not fail-closed. I get the benefits of having it fail-closed, but it should be opt in, because having an always-online requirement for using a mac is ridiculous.
closeparen No.25075954
If your Mac is unambiguously offline it fails open. What it's handling poorly is the fail-slow case.
bentcorner No.25076198
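An added example, not code from the thread or from Apple's trustd/syspolicyd, that models the distinction gruez and closeparen are drawing: a launcher that queries a revocation responder and treats "connection refused" (unambiguously offline) differently from "connected but no answer" (fail-slow). The responder, its one-line wire format and the function names are all made up for the illustration; the only thing it is meant to show is that a read deadline is what turns the fail-slow case into a bounded soft-fail instead of a hang.

```python
"""Toy model of an OCSP-style revocation check and the launch policy built on it.

Constructed example: the responder protocol ("STATUS?" -> "good"/"revoked")
is invented here and is not Apple's or the real OCSP wire format.
"""
import socket
import threading
import time
from enum import Enum


class Verdict(Enum):
    GOOD = "good"            # responder answered: not revoked
    REVOKED = "revoked"      # responder answered: revoked
    OFFLINE = "offline"      # connect failed outright: unambiguously offline
    SOFT_FAIL = "soft-fail"  # connected, but silent past the deadline (fail-slow)


def query_responder(host, port, connect_timeout=0.2, read_deadline=0.5):
    """Ask the (hypothetical) responder about one binary.

    Returns (verdict, elapsed_seconds). read_deadline is what bounds the
    fail-slow case; without it a reachable-but-silent responder blocks forever.
    """
    start = time.monotonic()
    try:
        sock = socket.create_connection((host, port), timeout=connect_timeout)
    except OSError:
        return Verdict.OFFLINE, time.monotonic() - start
    with sock:
        sock.settimeout(read_deadline)
        try:
            sock.sendall(b"STATUS?\n")
            answer = sock.recv(64).strip()
        except socket.timeout:
            return Verdict.SOFT_FAIL, time.monotonic() - start
    verdict = Verdict.REVOKED if answer == b"revoked" else Verdict.GOOD
    return verdict, time.monotonic() - start


def allow_launch(verdict, fail_closed=False):
    """Soft-fail policy: only a positive 'revoked' answer blocks the launch.
    A fail-closed policy additionally blocks whenever no answer was obtained."""
    if verdict is Verdict.REVOKED:
        return False
    if verdict in (Verdict.OFFLINE, Verdict.SOFT_FAIL):
        return not fail_closed
    return True


def start_responder(reply, hold_seconds=2.0):
    """Start a constructed local responder on an ephemeral port; returns the port.

    reply=b"good" or b"revoked": answers immediately.
    reply=None: accepts the connection and stays silent (an overloaded responder
    that is reachable but never answers), holding it open for hold_seconds.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                if reply is None:
                    time.sleep(hold_seconds)  # never answer; the client's deadline must save it
                else:
                    conn.recv(64)
                    conn.sendall(reply + b"\n")

    threading.Thread(target=serve, daemon=True).start()
    return port


def closed_port():
    """Pick a port nothing listens on, to simulate a refused connection."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo():
    """Run the four cases against constructed responders; returns name -> (verdict, elapsed)."""
    return {
        "good": query_responder("127.0.0.1", start_responder(b"good")),
        "revoked": query_responder("127.0.0.1", start_responder(b"revoked")),
        "offline": query_responder("127.0.0.1", closed_port()),
        "silent": query_responder("127.0.0.1", start_responder(None)),
    }


if __name__ == "__main__":
    for name, (verdict, elapsed) in demo().items():
        print(f"{name:8s} {verdict.value:10s} {elapsed:.3f}s launch={allow_launch(verdict)}")
```

The "offline" case returns in well under the connect timeout because the kernel refuses the connection at once, while the "silent" case costs the full read deadline per query. That per-query cost, multiplied by every executable launched, is the fail-slow behaviour described upthread; the deadline keeps it bounded, and the soft-fail policy keeps it from blocking launches.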
Ugh. IMO the network should not be on the critical path to running an executable.
Spivak No.25077905
Most browser vendors agree because they all stopped checking CRLs (like they technically should) when verifying certs.

I don’t think the design is wrong, I just think it’s tuned a little too cautious. If you’re going to verify certs then checking the CRL is something you really should do before approval. And you can’t sync the database entirely because it’s too big.

There really aren’t any good solutions to this unless you can solve the cache invalidation problem.