macOS unable to open any non-Apple application

(twitter.com)

2603 points mattsolle | 2 comments | 12 Nov 20 21:00 UTC | HN request time: 0s | source

Show context

submeta ◴[12 Nov 20 21:15 UTC] No.25075156[source]▶

Unbelievable. When I read the tweet (tried to post here as well), I suddenly realized why my Mac was unresponsive an hour ago.

Here is another tweet that describes the problem in more detail:

https://mobile.twitter.com/llanga/status/1326989724704268289

> I am currently unable to work because macOS sends hashes of every opened executable to some server of theirs and when `trustd` and `syspolicyd` are unable to do so, the entire operating system grinds to a halt.

EDIT:

As others pointed out, I put this to my `/etc/hosts` file and refreshed it like so:

    sudo emacs /etc/hosts # add `0.0.0.0 ocsp.apple.com` 
    sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder # refresh hosts

replies(26): >>25075338 #>>25075481 #>>25075547 #>>25075666 #>>25075887 #>>25076053 #>>25076387 #>>25076568 #>>25076811 #>>25077902 #>>25077923 #>>25077940 #>>25079234 #>>25079856 #>>25079879 #>>25080093 #>>25080357 #>>25080370 #>>25080849 #>>25081772 #>>25081989 #>>25083938 #>>25087820 #>>25090415 #>>25090991 #>>25095226 #

vsskanth ◴[12 Nov 20 21:30 UTC] No.25075338[source]▶

>>25075156 #

Can apple not use security certificates to verify publishers ? why does it need to go to their servers ?

replies(4): >>25075370 #>>25075733 #>>25076033 #>>25078236 #

loeg ◴[12 Nov 20 22:04 UTC] No.25075733[source]▶

>>25075338 #

The URL mentioned in sibling comments suggests this has to do with certificate revocation (OCSP): https://en.wikipedia.org/wiki/Online_Certificate_Status_Prot...

I agree that breaking system availability when an OCSP server isn't available is user-hostile and unnecessary.

replies(6): >>25075811 #>>25075817 #>>25076021 #>>25076039 #>>25076087 #>>25076418 #

valuearb ◴[12 Nov 20 22:10 UTC] No.25075817[source]▶

>>25075733 #

What’s the alternative tho?

replies(4): >>25075871 #>>25075879 #>>25076057 #>>25076167 #

1. loeg ◴[12 Nov 20 22:28 UTC] No.25076057[source]▶

>>25075817 #

A limited change would be to fail-open more of the time, e.g., if the OCSP server does not respond within a few milliseconds. (MacOS already fails-open in some internet scenarios.)

A better option is to asynchronously update a Certificate Revocation List ("CRL") and perform any check local to the machine. This avoids disclosing to Apple every single time you run a program, which program it is, and what network you're on. It could also emergency-revoke certificates just as quickly as the OCSP design by polling at the same frequency (every app startup).

replies(1): >>25076257 #

2. valuearb ◴[12 Nov 20 22:44 UTC] No.25076257[source]▶

>>25076057 (TP) #

This is exactly right, and given Apple’s privacy commitment should have been implemented already.

↑