←back to thread

macOS unable to open any non-Apple application

(twitter.com)
2603 points mattsolle | 2 comments | 12 Nov 20 21:00 UTC | HN request time: 0.001s | source
Show context
submeta ◴[12 Nov 20 21:15 UTC] No.25075156[source]
Unbelievable. When I read the tweet (tried to post here as well), I suddenly realized why my Mac was unresponsive an hour ago.

Here is another tweet that describes the problem in more detail:

https://mobile.twitter.com/llanga/status/1326989724704268289

> I am currently unable to work because macOS sends hashes of every opened executable to some server of theirs and when `trustd` and `syspolicyd` are unable to do so, the entire operating system grinds to a halt.

EDIT:

As others pointed out, I put this to my `/etc/hosts` file and refreshed it like so:

    sudo emacs /etc/hosts # add `0.0.0.0 ocsp.apple.com` 
    sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder # refresh hosts
replies(26): >>25075338 #>>25075481 #>>25075547 #>>25075666 #>>25075887 #>>25076053 #>>25076387 #>>25076568 #>>25076811 #>>25077902 #>>25077923 #>>25077940 #>>25079234 #>>25079856 #>>25079879 #>>25080093 #>>25080357 #>>25080370 #>>25080849 #>>25081772 #>>25081989 #>>25083938 #>>25087820 #>>25090415 #>>25090991 #>>25095226 #
passwordreset ◴[14 Nov 20 20:10 UTC] No.25095226[source]
ocsp.apple.com also has an IPv6 address. Firefox connects to it even with 0.0.0.0 in the hosts file and a flushed cache (you need to also clear firefox's internal cache if you're testing with it), so I'd assume that trustd could connect to the ocsp site as well. I don't think this will work without ensuring there is no IPv6 traffic on your network, or otherwise dumping both IPv4 and v6 packets to ocsp.apple.com.

Disable IPv6: sudo networksetup -setv6off Wi-Fi (where Wi-Fi is the name of the network service)

replies(1): >>25106853 #
1. hxtk ◴[16 Nov 20 01:16 UTC] No.25106853[source]
Can you not just add an IPv6 entry for it in your hosts file, e.g., ::1? That would work in Linux and seems like a much less nuclear option than disabling ipv6 all together, but admittedly I've never worked with ipv6 networking on Macs.

Last time I played with a Mac they also had the BSD `ipfw` command for kernel packet filtering [1]. Could try something there if it still exists.

[1]: https://www.unix.com/man-page/FreeBSD/8/ipfw/

replies(1): >>25126483 #
2. passwordreset ◴[17 Nov 20 17:24 UTC] No.25126483[source]
Just to confirm: Yes, that works fine. It's probably the better solution here.