macOS unable to open any non-Apple application

(twitter.com)

2603 points mattsolle | 3 comments | 12 Nov 20 21:00 UTC | HN request time: 0.425s | source

Show context

submeta ◴[12 Nov 20 21:15 UTC] No.25075156[source]▶

Unbelievable. When I read the tweet (tried to post here as well), I suddenly realized why my Mac was unresponsive an hour ago.

Here is another tweet that describes the problem in more detail:

https://mobile.twitter.com/llanga/status/1326989724704268289

> I am currently unable to work because macOS sends hashes of every opened executable to some server of theirs and when `trustd` and `syspolicyd` are unable to do so, the entire operating system grinds to a halt.

EDIT:

As others pointed out, I put this to my `/etc/hosts` file and refreshed it like so:

    sudo emacs /etc/hosts # add `0.0.0.0 ocsp.apple.com` 
    sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder # refresh hosts

replies(26): >>25075338 #>>25075481 #>>25075547 #>>25075666 #>>25075887 #>>25076053 #>>25076387 #>>25076568 #>>25076811 #>>25077902 #>>25077923 #>>25077940 #>>25079234 #>>25079856 #>>25079879 #>>25080093 #>>25080357 #>>25080370 #>>25080849 #>>25081772 #>>25081989 #>>25083938 #>>25087820 #>>25090415 #>>25090991 #>>25095226 #

antihero ◴[13 Nov 20 10:14 UTC] No.25080849[source]▶

>>25075156 #

The server is called OSCP which suggests to me that if we look at Apple in the most positive light - they sign and certify binaries as safe. If an app gets later reported as malicious, they need to revoke the certificate that has been used to sign said binary.

So when you open an app, how else are they going to check whether the certificate is still valid or whether it has been revoked?

Can anyone confirm whether this lookup applies to unsigned as well as signed binaries? As far as I know if I build a brand new binary with cargo, and run it, it doesn't do any checks.

replies(2): >>25081147 #>>25081176 #

1. habosa ◴[13 Nov 20 11:15 UTC] No.25081147[source]▶

>>25080849 #

Here's an idea: log all opened binaries somewhere and then every hour or so check them against the list.

Never block me from opening something, but warn me about bad stuff on a regular basis.

replies(2): >>25081969 #>>25129369 #

2. WhiteWestie ◴[13 Nov 20 13:38 UTC] No.25081969[source]▶

>>25081147 (TP) #

They could also keep the current solution and just use a CRL as a backup to OCSP to check the revoked certificates and update it every other hour...

3. antihero ◴[17 Nov 20 20:29 UTC] No.25129369[source]▶

>>25081147 (TP) #

Yes but with your solution if an app is malicious, and did malicious things, it now has a whole hour to fuck your shit up before being disabled.

↑