←back to thread

macOS unable to open any non-Apple application

(twitter.com)
2603 points mattsolle | 1 comments | 12 Nov 20 21:00 UTC | HN request time: 0.213s | source
Show context
submeta ◴[12 Nov 20 21:15 UTC] No.25075156[source]
Unbelievable. When I read the tweet (tried to post here as well), I suddenly realized why my Mac was unresponsive an hour ago.

Here is another tweet that describes the problem in more detail:

https://mobile.twitter.com/llanga/status/1326989724704268289

> I am currently unable to work because macOS sends hashes of every opened executable to some server of theirs and when `trustd` and `syspolicyd` are unable to do so, the entire operating system grinds to a halt.

EDIT:

As others pointed out, I put this to my `/etc/hosts` file and refreshed it like so:

    sudo emacs /etc/hosts # add `0.0.0.0 ocsp.apple.com` 
    sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder # refresh hosts
replies(26): >>25075338 #>>25075481 #>>25075547 #>>25075666 #>>25075887 #>>25076053 #>>25076387 #>>25076568 #>>25076811 #>>25077902 #>>25077923 #>>25077940 #>>25079234 #>>25079856 #>>25079879 #>>25080093 #>>25080357 #>>25080370 #>>25080849 #>>25081772 #>>25081989 #>>25083938 #>>25087820 #>>25090415 #>>25090991 #>>25095226 #
antihero ◴[13 Nov 20 10:14 UTC] No.25080849[source]
The server is called OSCP which suggests to me that if we look at Apple in the most positive light - they sign and certify binaries as safe. If an app gets later reported as malicious, they need to revoke the certificate that has been used to sign said binary.

So when you open an app, how else are they going to check whether the certificate is still valid or whether it has been revoked?

Can anyone confirm whether this lookup applies to unsigned as well as signed binaries? As far as I know if I build a brand new binary with cargo, and run it, it doesn't do any checks.

replies(2): >>25081147 #>>25081176 #
jojobas ◴[13 Nov 20 11:20 UTC] No.25081176[source]
Here's a wild idea: don't block executables from running.

Or if you do, only do it for a set of known bad ones, as antivirus products do.

Do not put a cloud service (or anything for that matter) between the users and their ability to run what they want.

replies(1): >>25129345 #
1. antihero ◴[17 Nov 20 20:28 UTC] No.25129345[source]
Sure but how does that work? If a cert-revoked app is allowed to run, the damage is already done.

I think perhaps a better tradeoff would be if a revocation list could be synced hourly or so and the app could be checked sync locally and then asyncronously on open. And of course, always give the power user an option to ignore things.