2603 points mattsolle | 6 comments
submeta ◴[] No.25075156[source]
Unbelievable. When I read the tweet (tried to post here as well), I suddenly realized why my Mac was unresponsive an hour ago.

Here is another tweet that describes the problem in more detail:

https://mobile.twitter.com/llanga/status/1326989724704268289

> I am currently unable to work because macOS sends hashes of every opened executable to some server of theirs and when `trustd` and `syspolicyd` are unable to do so, the entire operating system grinds to a halt.

EDIT:

As others pointed out, I put this in my `/etc/hosts` file and refreshed it like so:

    sudo emacs /etc/hosts # add `0.0.0.0 ocsp.apple.com` 
    sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder # refresh hosts
1. antihero ◴[] No.25080849[source]
The server is called OCSP which suggests to me that if we look at Apple in the most positive light - they sign and certify binaries as safe. If an app gets later reported as malicious, they need to revoke the certificate that has been used to sign said binary.

So when you open an app, how else are they going to check whether the certificate is still valid or whether it has been revoked?

Can anyone confirm whether this lookup applies to unsigned as well as signed binaries? As far as I know if I build a brand new binary with cargo, and run it, it doesn't do any checks.

replies(2): >>25081147 #>>25081176 #
2. habosa ◴[] No.25081147[source]
Here's an idea: log all opened binaries somewhere and then every hour or so check them against the list.

Never block me from opening something, but warn me about bad stuff on a regular basis.

replies(2): >>25081969 #>>25129369 #
3. jojobas ◴[] No.25081176[source]
Here's a wild idea: don't block executables from running.

Or if you do, only do it for a set of known bad ones, as antivirus products do.

Do not put a cloud service (or anything for that matter) between the users and their ability to run what they want.

replies(1): >>25129345 #
4. WhiteWestie ◴[] No.25081969[source]
They could also keep the current solution and just use a CRL as a backup to OCSP to check the revoked certificates and update it every other hour...
5. antihero ◴[] No.25129345[source]
Sure but how does that work? If a cert-revoked app is allowed to run, the damage is already done.

I think perhaps a better tradeoff would be if a revocation list could be synced hourly or so and the app could be checked sync locally and then asynchronously on open. And of course, always give the power user an option to ignore things.

6. antihero ◴[] No.25129369[source]
Yes but with your solution if an app is malicious, and did malicious things, it now has a whole hour to fuck your shit up before being disabled.
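
As an added example (not part of the thread and not Apple's implementation), here is a sketch of the trade-off discussed in comments 4 to 6: a periodically synced local revocation list checked synchronously at launch, with the online lookup bounded by a deadline and failing open. `RevocationChecker`, `sample_lookup` and the serial strings are hypothetical and constructed for illustration.

```python
import concurrent.futures
import time

def sample_lookup(serial):
    """Constructed stand-in for an online revocation responder."""
    if serial.startswith("slow"):
        time.sleep(0.5)                          # reachable but slow
    if serial.startswith("down"):
        raise OSError("responder unreachable")   # network failure
    return serial.endswith("revoked")            # True means revoked

class RevocationChecker:
    def __init__(self, online_lookup, timeout_s=0.1):
        self.revoked = set()        # locally cached revoked serials
        self.online_lookup = online_lookup
        self.timeout_s = timeout_s  # longest a launch may wait on the network
        self.pending = []           # lookups that missed the deadline
        self._pool = concurrent.futures.ThreadPoolExecutor(max_workers=4)

    def sync(self, serials):
        """Replace the local list; meant to run on a timer (e.g. hourly)."""
        self.revoked = set(serials)

    def check_launch(self, serial):
        """Return (allow, reason) without blocking past timeout_s."""
        if serial in self.revoked:               # no network needed
            return False, "revoked-local"
        future = self._pool.submit(self.online_lookup, serial)
        try:
            if future.result(timeout=self.timeout_s):
                self.revoked.add(serial)
                return False, "revoked-online"
            return True, "good-online"
        except concurrent.futures.TimeoutError:  # slow responder: fail open
            self.pending.append((serial, future))
            return True, "soft-fail-timeout"
        except OSError:                          # unreachable: fail open
            return True, "soft-fail-error"

    def recheck_pending(self):
        """Collect late answers; return serials found revoked after launch."""
        late = [s for s, f in self.pending
                if f.done() and f.exception() is None and f.result()]
        self.pending = [(s, f) for s, f in self.pending if not f.done()]
        self.revoked.update(late)
        return late
```

The `soft-fail-timeout` path is the window comment 6 objects to: the launch is allowed and the revocation only becomes known when `recheck_pending` picks up the late answer.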