[HN Gopher] Catalina is checking notarization of unsigned execut... ___________________________________________________________________ Catalina is checking notarization of unsigned executables Author : robenkleene Score : 271 points Date : 2020-05-23 09:42 UTC (13 hours ago) (HTM) web link (lapcatsoftware.com) (TXT) w3m dump (lapcatsoftware.com) | msie wrote: | I was watching a Linus YouTube video on the upgradeability of | Alienware Laptops. So envious! Now you can't upgrade anything on | the newest MacBook Pros. | | https://www.youtube.com/watch?v=J-RXqNafscs | | And if something breaks on your MacBook Pro, most likely you will | have to replace the entire motherboard or display. | | PS: I own lots of Macs but sad to see the direction Apple is | heading in. | usmannk wrote: | There is so much confusion here. The OP and most others are | missing one of the biggest points: Look at the packet trace. | There is _no data_, not even a hash, being sent. It's a TLS | negotiation and then the connection ends. I have to suspect it's | a bug... | 2OEH8eoCRo0 wrote: | Is the handshake all that is needed to verify? Is the data | you're expecting sent during the authentication phase of the | handshake? | fierarul wrote: | _Any_ communication is data! There are tracking pixels that | return 404! Why? Because once you 've hit their endpoint, it | did the job. | | The TLS negotiation is enough to send quite enough info. | cryptonector wrote: | "no data", just a TLS handshake. Of course information can | flow! You could put a hash of the executable in a ClientHello | extension, and if the server says "i don't know it to be | malware" it can finalize the TLS connection normally. | takeda wrote: | In prior article "slow by design", this was reported to Apple | and the bug was closed that it works like that by design. | usmannk wrote: | I did see the previous article (another comment of mine | should be easy to find on its HN post). Do you know how to | find the issue that was referenced? There was an ID given but | I have no clue what tracker that was on. | [deleted] | takeda wrote: | Looks like these issues are only visible to originator, so | we have to trust the author about it. Perhaps the author | could post it on the OpenRadar. | Gaelan wrote: | It's probably Radar, which is Apple's internal issue | tracker, which isn't public (you can see issues you | submitted, but nothing else). Sometimes people cross-post | issues they submit to http://openradar.appspot.com, so you | might be able to find it there. | saagarjha wrote: | FB numbers come from Feedback Assistant, which are | similarly non-public and feed into Radar through a | convoluted process. | takeda wrote: | The issue is FB7674490 but it is not on the OpenRadar. | Looks like OpenRadar is not Apple's services and issues | appear there only if author (which has access to the | issue in the Apple system) submits them there. | saagarjha wrote: | Open Radar is community maintained and fairly poorly at | that these days :( | KenoFischer wrote: | That ID was likely for feedbackassistant.apple.com. | However, those reports are not public, so you can't see | them unless you're the one that reported them though. | Knowing the ID is still useful for things like emailing | Apple people and complaining about their declining software | quality ;). | lapcatsoftware wrote: | I'm not sure what you're seeing, but that's not what I'm | seeing. When I Wireshark both app notarization and script | notarization, I see 2 packets of encrypted Application Data | sent to Apple (567 and 101 bytes), and 1 packet of Application | Data (varying length) returned from Apple, in each case. What | do you see when you trace a regular app notarization check? | usmannk wrote: | This is odd, my proxy doesn't seem to show this. I will try | to load my root cert into Wireshark and check. | | Edit: Checked and double checked: When I run a new shell | script, syspolicyd just makes a connection with no | application data | lapcatsoftware wrote: | I'd recommend trying this: Download a notarized Mac app, | delete any stapled notarization ticket | (.app/Contents/CodeResources), and then trace the launch. | What do you see, and does the system let you open the app? | Does it say it checked for malware? | usmannk wrote: | Ah I see, looks like we're not running quite the same | experiment. I suspect that anything including an app | bundle ID is going to see some more interesting traffic. | lapcatsoftware wrote: | Don't suspect, test. ;-) | | I'm running both experiments. I've tested and compared | script notarization to app notarization. | | You're getting apparently unusual results with script | notarization. So the natural next step would be to | compare against app notarization. | usmannk wrote: | Agh, I think it was cert pinning. Looks like the | connection is terminated if you're snooping. I see the | same results as you now. Thanks! | the_imp wrote: | The Objective-C format strings in the URL would imply that the | hash is sent as a path parameter. | usmannk wrote: | That's a string found in the disassembly of syspolicyd (I've | found it as well). However, the actual URL you see in the TCP | logs has no path whatsoever. | londons_explore wrote: | This must be a blacklist, since it doesn't block my own random | scripts which it has never seen before. | | If it's a global blacklist on apple servers, it should instead be | downloaded to the client, and be a local blacklist. | | Too big? Use a bloom filter. Now you only end up keeping less | than one byte per blacklisted item. Update the bloom filter with | an autoupdater. Any positive hit you can check against the server | just incase it's a false positive. | daneel_w wrote: | Bloom filters are probability-based and come with inaccuracy | problems. If you're going to double-check with Apple anyway | what does a bloom filter solve compared to the current response | caching after querying Apple? How will you protect the locally | cached blacklist from being tampered with? | w-j-w wrote: | Bloomington filters have probabilistic false positives, | making it perfect for blacklisting. A negative means that the | program can be run immediately, because it is guaranteed to | not be on the list. A positive needs to be double checked, | though. | JackC wrote: | The k-anonymity scheme used by the haveibeenpwned api seems | like a good fit here. | caf wrote: | Doesn't a blacklist also work only until the malware authors | figure out how to randomize 8 junk bytes every time they serve | an executable? | therein wrote: | Which they already do. | dimator wrote: | That's the crazy thing about this. There's already | obfuscation techniques against hash blacklists, so what is | this even for? There's no earthly way apple security | engineers didn't know that. So what is actually happening? | | My guess is that it's strictly for banning app store apps | that they pull from the app store, but would like also to | cripple retroactively on installed machines. But that doesn't | explain why it had to run against random shell scripts? This | is all still confusing. We don't have all the info. | kimi wrote: | I am not sure of what is the whole point of this notarization | thing. It would be great (ahem, let's say so) if there was a big | and closed list of executables, but every shell / ruby / perl / | python script can do many funny things, and you cannot notarize | them all. Often, as in bash, by design. So? | nojito wrote: | What's the exact data being sent? | | There is a lot of arguing going on here, but what is the data? | azinman2 wrote: | Seems to be a hash of the executable. | londons_explore wrote: | So you're telling me that every time I install a program in OSX, | it pings apple to let them know what program I'm installing, my | IP address, my location, and my OS version? | | Sounds very Orwellian for a privacy focussed company... | daneel_w wrote: | No, that's not what he's telling you. You're getting ahead of | yourself with your question. He's telling us that macOS will | consult with Apple regarding the "fingerprint" of an executable | when you run it. | londons_explore wrote: | But the fingerprint of photoshop is the same for everyone. If | apple knows what the fingerprint of photoshop is (which they | could easily find out), now they have a giant list of who | installed photoshop and when, and from which IP address, and | which IP location. | | That data would be a wet dream for some IP lawyer looking for | pirate copies of software... | microtherion wrote: | The Photoshop binary is signed (presumably; it's been years | since I last ran it), so this check would NOT be conducted. | | Edit: What I should have said is that the binary is signed, | notarized, and the notarization stapled to it, as described | here: https://developer.apple.com/documentation/xcode/notar | izing_m... | lloeki wrote: | The author of the article mentioned explicitly that he | signed a binary, and the check still occurred. | daneel_w wrote: | I understand the privacy concern. We don't know if they | store/log anything from the request, or even what it | contains in itself besides the "fingerprint". I'm | personally certain that Apple is not in cahoots with Big | Software to put a squeeze on users in exchange for small | money. It's not their business, and it's not something they | are required by law to make their business. | ctrlcctrlv wrote: | > I'm personally certain that Apple is not in cahoots | with Big Software to put a squeeze on users in exchange | for small money | | Well, this is the problem people have I think - that it | comes down good intentions on Apple's part, no matter how | trustworthy they are deemed to be. | Operyl wrote: | With this logic you might as well not try at all. You | have to trust Intel, your bios/UEFI, Apple/Microsoft, all | the various builds of software closed and open source | alike .. at some point you need to trust someone. | throwaway2048 wrote: | how is that a justification to heap on more "required" | trust into a system? | | Feels like somebody could flesh out this argument in | terms of accidental vs necessary complexity, but in terms | of how much you need to trust the other party. | | Few would accept the argument "This code is already very | complex, why do you have a problem with doubling the | complexity?" on its own merits, so why is it sensible in | terms of trust? | nitinreddy88 wrote: | This is valid question from someone. Why downvote? It's a | question and not a statement. | trashburger wrote: | Of course, if they say it's for your _privacy_ , it's fine, and | everything is all right. We have won the victory over | ourselves. We love Apple. | daneel_w wrote: | No, they say it's for your security, and we can surmise | that's the actual intention in Apple's case, but I definitely | understand the privacy concerns that come with this method. | crazygringo wrote: | I'm still trying to understand what the problem here is. | | Nobody seems to have an issue with checking this for apps -- it's | a good security feature to protect from malware, right? And which | everyone knows about? And it only happens the first time you run | something, so it's not a performance issue in everday usage. | | And the article even states that there seems to be a valid reason | for checking shell scripts, because they can be used to compile | malware. | | The original complaint was about slowness, but how often do you | run something for the first time? The only scenario in which I | can imagine this would become a practical peformance problem is | if, somehow, you have an app that spawns new shell scripts all | day long to execute, every few seconds, and a really flaky | internet connection. Or new shell scripts hundreds of times a | second, even with a good internet connection. | | Is that something anyone ever needs to do? Programs can run shell | commands directly, without a file, so it seems unlikely. Also, | another comment here suggests that even if a shell script is | modified, it isn't re-verified, so there would seem to be a | trivial workaround _anyways_. | | Or is the issue just that this is undocumented behavior? Or what | am I missing here? | thih9 wrote: | The article mentioned at the beginning is already discussed here: | https://news.ycombinator.com/item?id=23273247 | [deleted] | FriendlyNormie wrote: | Why? | LeoPanthera wrote: | I can't reproduce the exact test specified in the article: | $ echo $'#!/bin/sh\necho Hello' > /tmp/test.sh && chmod a+x | /tmp/test.sh $ time /tmp/test.sh && time /tmp/test.sh | Hello real 0m0.016s user 0m0.002s sys | 0m0.010s Hello real 0m0.006s user | 0m0.002s sys 0m0.004s | | I don't believe the 0.01s difference is long enough, and could | easily explained by filesystem caching. The article says: | | > Some people try to explain away the delay, e.g., "I would put | the 300 vs 5 ms down to filesystem caching", but such hand waving | doesn't stand up to further scrutiny. | | ...but does not provide any "further scrutiny", so for me, | occam's razor applies. | alexeldeib wrote: | > You can verify that there's an online check by taking packet | traces | abathur wrote: | A few ideas: | | 1. confirm the checks are enabled: spctl | --status | | 2. Make sure your terminal/shell/etc aren't already exempted | System Preferences > Security & Privacy > Developer Tools. | | 3. If you already ran something that could generate a check in | the last minute, the connection is still open. Most of the | overhead people are recording is negotiation/handshake. If | you're fairly close to the server, it seems plausible your | observed time could be enough for the communication minus the | negotiation. You can open Console.app and search | `process:syspolicyd` in the device log to see the entries for | the negotiation; wait for it to terminate. | | 4. Try removing and re-creating a new file as in the test you | did before and check it a little more directly: | spctl --assess -v --ignore-cache --no-cache /tmp/test.sh | | If it's working, you should see a log entry with the text | "summary for task success" in it with a detailed breakdown of | the request (times taken per phase, bytes sent/received, etc). | userbinator wrote: | I don't have a system to check this on, but Apple seriously | named an option "asses"? | abathur wrote: | Ha, no. I'm the ass, here. Fixed :) | lapcatsoftware wrote: | There's no such "filesystem caching" phenomenon on macOS Mojave | and earlier, so that theory falls apart rather quickly. There's | also the consistent difference between timing results with | internet connection enabled vs disabled. | | I'm not sure why you couldn't reproduce the delay. There are | several possibilities I can imagine, but these could only be | proved or disproved by more testing. In any case, many people | have reproduced the delay, on close to "factory default" Mac | installs. | boardwaalk wrote: | It is real; browse the previous thread on this topic: | https://news.ycombinator.com/item?id=23273247 | | It pushed me to buy Little Snitch to block it, so I guess | somebody won out. | MintelIE wrote: | Why don't companies come out and tell people what they're doing | these days? Telemetry is getting to the point where people such | as doctors and lawyers might be violating the law by using a | modern computer. And people in the defense industry? Doesn't | Apple employ thousands of forns? Who's audited their datasystems | and ensured that this stuff stays private? | | Much easier and better to just stop using it all and move to a | system like Linux or BSD. 99% of people do everything in a | browser these days anyhow. | userbinator wrote: | I don't know about BSD, but even "mainstream" Linux (i.e. | Ubuntu and the like) has telemetry now. This sort of spyware is | everywhere. I think Windows 10 was the first to really | normalise such behaviour on the desktop, and all the others | just followed along. | | _where people such as doctors and lawyers might be violating | the law by using a modern computer_ | | That reminds me of a story I heard not long ago --- a company | wanted to have more defense against malware, so signed up for a | "security solution" from one of the big vendors and got it | installed on all the company's machines. After a developer who | was doing network tracing discovered that it was phoning home | on every executable being run, and further digging discovered | that it was periodically uploading file hashes _and sometimes | actual files_ --- not just the executables being run but other | random files --- to the security vendor 's servers, the | reaction was "oh hell no!" and they immediately terminated the | service and removed the product from all their machines. | saagarjha wrote: | Sorry, what's a forn? | katmannthree wrote: | Foreign national, probably. | barsonme wrote: | Yep. | zionic wrote: | The acronym used on files is often NOFORN == no foreign | nationals. | FpUser wrote: | > _" 99% of people do everything in a browser these days | anyhow."_ | | This exaggeration is clearly absurd. | ajkjk wrote: | Why do you think so? | FpUser wrote: | The ball is actually not in my court. The original claim | 99% should be somehow substantiated. It is not. On a | practical note desktop software is being used by countless | professionals. There is nearly infinite amount of those | tools in countless areas. Amount of small businesses is | insane as well and you can hardly find one without some old | PC/Laptop running some of their desktop software. None of | that would exist if there was no market. 99% claim does not | really fit into the picture. | MintelIE wrote: | Are you certain about this? I think I was being conservative. | | It's easy for us tech nerds in our little gadget bubbles to | suppose that everybody is like us. But most people are simple | browser users, and Office 365 and Google Docs have all but | killed off office software on the desktop for many users. | abjKT26nO8 wrote: | On the contrary, it's easy in our tech bubble to assume | that everybody else uses a computer just for mail, netflix | and spreadsheets, when in reality most people have niche | needs. It's just that there are many niches. E.g. I know | people from scientific circles who use CAS software I've | never even heard of, my sister is an architect and needs to | use CAD software. YouTube video authors often use advanced | video editing software. Musicians use audio editing | software. Publishers use Adobe InDesign. Then there are | gamers. This "not geek => mainly spreadsheet user" | stereotype is really strange. | | And basically everybody, whom I know personally, complains | about the UX of anything web-based, so don't even think | about putting CAD, CAS or InDesign into the browser. | jeremyjh wrote: | > Office 365 and Google Docs have all but killed off office | software on the desktop for many users. | | That hasn't been my experience at all. While those tools | are definitely used - especially for collaboration - most | people on my company's Office 365 subscription are | downloading and using the full products for their daily | work. This is true in both very large companies and the | (non-tech) startup I work at now. | dathinab wrote: | Honestly my experience with collaboration with Office 365 | last year was pretty beer bad. At least for sight | technical cases people they are many better solutions. | kgraves wrote: | > But most people are simple browser users, and Office 365 | and Google Docs have all but killed off office software on | the desktop for many users. | | In reality, I see most people use desktop software instead | of the browser (without using the internet in some cases) | to do their work. (Think CAD, Adobe, DAW software, Excel, | video production software) even on mobile/tablets Office | can be used where no internet connection is available. | | I seriously doubt that users would spend all their time in | a browser window other than for consumption purposes like | social media and video sites. The idea of 99% of people | doing everything in the browser seems questionable to me | and some data about this would be helpful here. | | Apart from the computer science department, I also doubt | that people would find it easier to go to Linux, BSD or the | other galaxy of distros. | perl4ever wrote: | I work in an office that mostly uses Office, but doesn't | use the web version for everything. Microsoft never fully | implements everything when they make a substitute, so | you're always faced with a case-by-case choice as to which | one. And the software people use includes things that | aren't part of the basic apps, like Project, PowerPoint, | Visio, I don't know what else. | ancarda wrote: | If only moving to Linux were an option for everyone. | | The other day I tried for the 100th time to move to Linux. I | installed a recent build of a maintained, popular distribution | (no it doesn't matter which one - I have tried them all), on | hardware that is famous for it's Linux support. | | Everything worked for a day and a half, then the sound just | fucking died. No input or output. | | I get millions of people use Linux daily, and are happy with it | -- I'm genuinely grateful that's a thing. I would love to also | use Linux, but I really don't have the time to diagnose why it | broke yet again. | | Any suggestions for people stuck on macOS? I guess I could | block all Apple domains in my DNS resolver? Other than app | updates, I can't think of anything that would stop working. | That still sounds less painful than trying to deal with Linux's | atrocious UX. | nightowl_games wrote: | Yeah I have a reload_alsa.sh script which reboots my audio. | Basically the only problem I have. It's a shame, I know, but | I still love my linux box. | kgraves wrote: | > Everything worked for a day and a half, then the sound just | fucking died. No input or output. | | my condolences. | gorgoiler wrote: | Vagrant. | | https://www.vagrantup.com/downloads.html | | Spin up a Linux box in macOS and ssh into it directly. It is | a true joy if you are comfortable working with text files | (programming, admin, focused writing, etc.) | | It will default to using VirtualBox as the underlying | virtualization. That works a treat and hides all the GUI | madness of VirtualBox. | | However, if you open up VirtualBox then you can interact with | the host you just created with "vagrant up" just fine, | including using a graphical environment. | ancarda wrote: | I've never used that before, but it sounds a bit like | Docker? As in, it's got a VM in the background and I can | interact with it? | gorgoiler wrote: | Technology aside, I would describe as being a bit more | like an AWS instance, except it is running on your local | machine. | nojito wrote: | "Telmetry" has been co-opted by the tin foil hat wearing | privacy keyboard warriors. | | It's akin to the people spending tens of thousands of dollars | on disaster prep. | | The only people who lose are the end-users of software. Who are | forced to use crappy software. | salawat wrote: | You mean, like all the software that has been written since | companies got into the habit of embedding telemetry in | everything? That crappy software? | | Telemetry has a specific use-case. Taking measurements in a | place you can't go. What industry employs it for nowadays is | much closer to spyware in the sense you can get so much more | of it done without it producing a noticeable effect for the | user in terms of how much work their computer is actually | doing. So what if you spin through a couple rounds of | telemetry gathering while the user's process is blocked, am I | right? Not like they're using it. /s | NikolaeVarius wrote: | It would be nice if my laptops bluetooth and audio would work > | 99% of the time. Right now its a crapshoot | huslage wrote: | This is a specious problem _at best_. We have a very secure | operating system doing things that others don't even try to do | (notary) and we are complaining because our shell scripts take | _n_ seconds to run? Really people? If you are running signed and | notarized (stapled) binaries, the system never even reports them | to Apple in the first place. | | This is the height of insanity to think that Apple or anyone else | would want this data or use it for some nefarious | purposes...anonymous hashes of junk data are essentially useless | outside of this purpose. It's fine to claim not to trust anyone | for anything, but most of us aren't willing or able to build our | own hardware, write our own operating system, and write our own | applications. We have asked our vendors for devices and code that | are more trustworthy, and when they give them to us we COMPLAIN | about it incessantly. This makes no sense to me. | saagarjha wrote: | > We have a very secure operating system doing things that | others don't even try to do | | Perhaps because such a system is extremely centralized? | | > we are complaining because our shell scripts take n seconds | to run? | | Yes? If I buy a computer and it spends time doing stupid stuff, | then I think I am fairly justified in being angry. | | > If you are running signed and notarized (stapled) binaries, | the system never even reports them to Apple in the first place. | | Great, let's notarize and staple tickets to every little piece | of software you write... | | > This is the height of insanity to think that Apple or anyone | else would want this data or use it for some nefarious | purposes...anonymous hashes of junk data are essentially | useless outside of this purpose. | | Executable hashes tell you if someone is running a specific | piece of code. | | > It's fine to claim not to trust anyone for anything, but most | of us aren't willing or able to build our own hardware, write | our own operating system, and write our own applications. | | That's why I buy them from other people and would desire them | to be good. | | > We have asked our vendors for devices and code that are more | trustworthy, and when they give them to us we COMPLAIN about it | incessantly. | | How exactly does this make the device more trustworthy? | frou_dh wrote: | Scripts becoming noticeably slow to start every time they're | edited is a notable regression for programmers. Simple as that. | abathur wrote: | late edit (2): added 3 notes including performance impact | observation | | I'm concerned about this behavior (both from privacy and | performance perspectives), but I'm also not (quite) convinced | this is working as described/implied here. | | Before I get started: If you poke at this, open Console.app | first. You can see recent logged "assessment" checks logged in | "Mac Analytics Data" with the search "process:syspolicyd". You | can use the same search to watch log messages (including all of | the TLS negotiation etc.) for the checks in the device log. | | The part that seems weird is that, if it is transmitting a hash | (which seems possible/logical) the caching behavior doesn't | appear to care or respect it? | | The article suggests the following test: echo | $'#!/bin/sh\necho Hello' > /tmp/test.sh && chmod a+x /tmp/test.sh | time /tmp/test.sh && time /tmp/test.sh | | I tried this test and got real runtimes of 0m0.289s and 0m0.006s. | Then, I changed the file: echo | $'#!/bin/sh\necho Hellok' > /tmp/test.sh && chmod a+x | /tmp/test.sh | | When I re-ran the script, both runs are under 10ms. The content | changed, but it didn't bother re-checking. I wrote the original | script to a new file path: echo | $'#!/bin/sh\necho Hello' > /tmp/test2.sh && chmod a+x | /tmp/test2.sh | | This ran with runtimes similar to the original (0m0.232s and | 0m0.006s). Same content, new path, new check. Here too, if it | cares about the hash, it either isn't bothering to use it for | caching decisions or the hash includes the path. | | Then I tried rming the file, writing it again, and running it. | Once again, it checks on the first request. I think this suggests | it may be caching the result by inode? The author said they saw | new checks after saving changes in TextEdit--I don't know much | about TextEdit, but I'd guess it is doing atomic write/rename | here. | | Other random details I noticed: | | 1. it holds the connection open for a minute, presumably to | minimize connection overhead for executions that'll generate many | checks. My first checks were all in the 280-300ms range, but I | tried one additional check within the minute and it only took | 72ms. Making multiple requests in less than a minute may make it | harder to notice | | 2. The device log has a "summary for task success" entry with | pretty precise timing details on all parts of the request. | | 3. On my system, each of these attempts produces a | "os_unix.c:43353: (2) open(/var/db/DetachedSignatures) - No such | file or directory" error in the log from the libsqlite3 subsystem | after the response comes back. | | 4. The "Mac Analytics Data" log entry for each request has a good | summary that looks like: assessment denied for | test.sh com.apple.message.domain: | com.apple.security.assessment.outcome2 | com.apple.message.signature2: bundle:UNBUNDLED | com.apple.message.signature3: test.sh | com.apple.message.signature5: UNKNOWN | com.apple.message.signature4: 1 | com.apple.message.signature: denied:no usable signature | SenderMachUUID: ...snip... | | 5. When I add Terminal to the Developer Tools exemption on the | privacy tab it does appear to kill the check. I'm not sure if | there's genuine protection this check provides at some level, but | I'll be considering adding either Terminal or at least some | specific build tools to the exemptions I add on a new system. | | 6. After adding the Developer Tools exemption, if you have the | app open, it'll ask if it can quit it for you. I took the hint | and restarted Terminal. It'll do the same thing when you remove | it from the list. But I didn't see the checks actually return | until I rebooted. Also, my system froze during reboot. Hopefully | a coincidence. :) | | 7. To put a better number on how this performance impact can | compound for the kinds of builds I do all of the time, I ran | `nix-build ci.nix` in the local directory for one of my projects | before and after enabling the Developer Tools exemption for | ~/.nix-profile/bin/nix. The run took 1m22s before, 45.5s after. | | 8. Looks like this is the same check as is run by `spctl --asses | -v <path>` (at least, per the Console.app logs). That may make it | easier to play with. | lapcatsoftware wrote: | > I think this suggests it may be caching the result by inode? | | You may very well be right. I used TextEdit simply because it | was easiest for me to guarantee a new notarization check every | time, but I don't know the exact criteria that macOS uses to | identify an executable as "the same". There's probably some | combination of path and/or inode in addition to the hash. | mthoms wrote: | Does anyone know if adding the Apple domain in question to piHole | (or your hosts file pointing to 0.0.0.0) will suppress these | checks? | TheRealPomax wrote: | If you're on MacOS, you want Little Snitch installed at all | times, even if you have a pihole: a process that is denied | network access is far stronger than juping DNS requests. | MintelIE wrote: | It appears as if OS X will revert to using an IP address if a | domain lookup fails according to the thread we had on this | issue yesterday. | verytrivial wrote: | #include "This is fine meme.h" | mokus wrote: | I guess the list of things keeping me off catalina (and, by | extension, new Mac hardware) just got one item longer. | | I recently bought a new System76 laptop as a stopgap, but it | might end up becoming permanent. Kind of a sad end for 25+ years | of Mac use. | vmception wrote: | One thing that always turned me off of Windows was that I would | be in the control panel or command line within 5 minutes of | using any system to fix a preference, and how with OSX it was | refreshing not to have to do the equivalent in System | Preferences or terminal. | | This is no longer true. It is a very similar and annoying | experience for me. | | I use OSX, Windows and various versions of Linux. | | The browser is the real platform at this point and is the | shared experience between all three. | digitaltrees wrote: | What are the other problems with Catalina for you? I ask | because every time there is an OS X update someone posts this | exact sentiment but then over a few months the issues get | resolved. Please don't interpret this as an attack; I am | genuinely curious and want to see if Apple ends up fixing | things. | | I my self have a maxed out 16 MacBook Pro and a for the first | few weeks after the upgrade it was literally in usable because | routine user input would result in the entire system locking | up. I suspect it was actually this issue but, thankfully, the | issue is now resolved. | mthoms wrote: | I'm in a similar boat. The first few weeks with my 16" MBP | was pretty bad. Everything seems resolved now, _except_ the | issue with the discreet GPU kicking in when an external | monitor is plugged in. This, in turn causes the fans to spin | up (which is annoying when trying to code). | | My 2017 13" MBP (without discreet GPU) was barely usable when | powering my 4K monitor but at least it was quiet. It makes me | think that the more modern integrated Intel GPU in the 16" | should be enough to power my monitor without fan noise. | Sadly, Apple has decided I can't have that option. | msie wrote: | I installed Catalina on my iMac several days ago and | ImageCapture still has bugs! Although I can now select | multiple photos to import from my iPhone 11, ImageCapture | will not delete the photos after import. Previous to that, | ImageCapture on Catalina would not import more than 10 photos | without reporting an error. At least they fixed that bug. | knolan wrote: | I'm curious, is there a reason to use image capture when | you can just AirDrop the images? Does Image Capture give | you the HEIC format file or something? | lisper wrote: | Not a Catalina issue per se, but the big problem with Apple | nowadays is: | | 1. Upgrades are not optional. The system will relentlessly | nag me until I upgrade even if I don't want to upgrade. | | 2. Upgrades are crap shoots. An Apple upgrade nowadays is as | likely to break things as it is to fix things. | | 3. Upgrades are difficult and sometimes impossible to revert. | If an upgrade breaks something, I'm just screwed. | | So I'm still running Mavericks. It works. It's reliable. It | does everything I need it to do. And I can count on that | still being the case tomorrow. If I upgrade, all bets are | off. | LeoPanthera wrote: | Although I sympathize, this is one issue, not three. And | hardly anything unique to Apple. | lisper wrote: | It seems pretty unique to Apple in my experience. I have | an ancient Android tablet. I don't even know how old the | OS is on it. It never nags me to upgrade. My Linux boxes | never nag me to upgrade. When I do upgrade, things mostly | keep working, and if they don't it's pretty easy to roll | things back. | LeoPanthera wrote: | Android never getting updates is not a feature! | lisper wrote: | I much prefer no updates over broken updates, especially | when they are forced on me. Stable bugs are better than a | never ending stream of new ones. | amelius wrote: | Don't worry, Apple will change this. Big companies always make | sure that customers just barely find their products acceptable. | This was just a test to see if they could get away with it. | wincent wrote: | I was gnashing my teeth over exactly this last night -- 26 | years on a Mac for me: | | https://wincent.com/blog/grieving-for-apple | mohdmasd wrote: | There's also the issue of losing all your data if you enabled | Secure-Boot (which is default) and the T2 chip failed. | | https://www.youtube.com/watch?v=6dwqxsDHkKQ | x3n0ph3n3 wrote: | How does the keyboard and trackpad for that System76 laptop | feel? I've been looking at those quite a bit and am seriously | considering one to replace my 2014 MacBook Air. | jmvoodoo wrote: | I've heard bad things about system76 laptop build quality | (desktop I think is top notch). Has this improved at all? | lern_too_spel wrote: | With issues like this and the 4000 series Ryzen mobile | processors, top specced MacBook Pros are very noticably slower | than $1k alternatives. | fierarul wrote: | I see the above comment heavily downvoted but I'm | specifically looking at 4000 series Ryzen laptops as my 1st | move away from MacBook Pros. Such incredible CPUs really make | the decision a bit more acceptable. The laptop I'm eyeing is | near $1000. | shade wrote: | Out of curiosity - what are you looking at? I'm also | starting to think about replacing my 2016 MBP and quite | honestly, the current MacBook Air/MacBook Pro line doesn't | really appeal to me. | | Lenovo has a couple of AMD-based ThinkPads that are looking | pretty appealing, although they come in around $1500 with | the configuration I'd want. | ChrisLTD wrote: | What are you eyeing? | rayiner wrote: | My 16" is a huge disappointment. After swearing off Intel PCs | after a disaster ours X1 Carbon, I switched back to a 2013 15" | until this month. Figured after six months bugs would be ironed | out. Wrong. I'm seeing two major glitches that have macrumors | threads dozens of pages long: 1) with an external display | connected, dGPU utilization shoots up to 20W at idle. (The rest | of machine draws well under 10W at idle.) That wouldn't be a | big deal if the CPU and GPU didn't share a tight 70W power | budget. 2) when connected to an external monitor or dock--I've | tried two different TB3 docks--the machine kernel panics | regularly, usually waking up from sleep. | | I'm torn. I don't want to return the machine because everything | else is crap. At least the 16" works well as a laptop so long | as you don't plug anything into the ports. But Apple's Q&A has | seriously gone down the toilet ever since Steve Jobs died. | Clearly him throwing staplers at people was the glue holding | Apple together. | Marsymars wrote: | I've had neverending problems with sleep mode on the Macs | I've owned (2012 Mac Mini, now 2016 MacBook usually docked) - | never really worked out the issue other than entirely | disabling sleep when connected to power. | thestephen wrote: | Since 10.15.4, my 16" started having kernel panics while | waking up from sleep. Disabling Power Nap seems to mitigate | this. | | While this is an awful stopgap solution, at least I can get | back to work. | nightowl_games wrote: | My partner is a graphic designer who loathed her 13" macbook | that her work got her. She finally got an upgrade to a 16", | i9, 64 gigs of ram. | | It runs adobe software like total shit. | | I think it's something to do with Catalina + accessing files | in Google Drive File Stream + Adobe. | | It runs illustrator horribly. | | It's basically the saddest thing I've ever seen. | | I think I'll get her a 17" XPS for christmas this year. | reaperducer wrote: | _when connected to an external monitor or dock--I've tried | two different TB3 docks--the machine kernel panics regularly, | usually waking up from sleep._ | | I had a similar problem, and it turned out that the dock | needed a driver. I don't think I've installed a driver for an | external device since I switched to Macs years ago, so it | never occurred to me that something like a dock would need a | driver. | | But it turns out that once I installed the vendor's driver, | the problems all went away. I'm not sure who's fault that is. | rimliu wrote: | I upgraded my 2015 MBP 13" to Catalina and happily continue to | Mac stint since 2006. | 72deluxe wrote: | What does df -h in the terminal say? | | It'll show the total of each partition (the normal, and the | new read-only system partition) on their own line, thereby | giving a false total. e.g. 1x 100GB disk, 50GB normal, 50GB | system partition will show as capacity 100GB for both | partitions which would mean a 200GB disk. | | Small things like this just make me completely lose faith in | Catalina. | | EDIT: Other "fun" things I noticed within half an hour: | | a. Text search in PDF no longer works | | b. I can't create anything under / | | c. I have to use synthetic.conf to map paths from / to my | real partition, but the parser of synthetic.conf is very | particular to tabs/spaces unlike any other /etc/ file format | | d. Xcode wants to ask for my password to debug every single | time I reboot and debug a C++ app. This is incredibly | incredibly incredibly incredibly annoying. | | Safari is faster in general use. But that's so far the only | good point. | | I'll keep it on a SSD for App Store submissions and keep my | machine on an older decent version thanks | Marsymars wrote: | > a. Text search in PDF no longer works | | Oh is this macOS? I'd just assumed all the PDFs I've tried | to search for the past while have been poorly formatted | with the text as images, but that makes more sense. | | > I'll keep it on a SSD for App Store submissions and keep | my machine on an older decent version thanks | | FYI it's pretty easy to integrate binary upload to App | Store Connect on the CLI of your CI system. | saagarjha wrote: | > Text search in PDF no longer works | | In Safari or in general? I have only noticed the former. | | > I have to use synthetic.conf to map paths from / to my | real partition, but the parser of synthetic.conf is very | particular to tabs/spaces unlike any other /etc/ file | format | | You may already know this, but man synthetic.conf will | explain that you must use tabs. | | > Xcode wants to ask for my password to debug every single | time I reboot and debug a C++ app. This is incredibly | incredibly incredibly incredibly annoying. | | I can only offer you my condolences as I cruise by with SIP | off. | cschep wrote: | Checkout `DevToolsSecurity` on the command line. Could help | with d. :) | HugoDaniel wrote: | Im running my dev environment in a OpenBSD vm. This makes me | wanna use it for more stuff besides dev. | rvnx wrote: | It's great tool for mass-surveillance. Since Apple has a database | of all the apps the user has run on their device (but no worries, | Google has the same). | | For your security ;) | tenebrisalietum wrote: | So why mass-surveil Apple computer users this way? | | My understanding is the only thing exclusive to Apple systems | is developing Apple apps. But anything related on a platform | like iOS is already going to be public knowledge. | | Also the latest Mac hardware seems to go through great pains to | make sure the primary storage device is both encrypted, | unrecoverable if keys are unknown (T2 security chip), and non- | removable (SSD soldered to board). So why would they make this | back door for surveillance? | dannyw wrote: | None of those measures you described counteract mass | surveillance. | jmull wrote: | > great tool for mass-surveillance | | It's not really that great for mass-surveillance. It "phone's | home" only on first run. And it doesn't look like it sends data | about your identity, device or location. They can have your IP | address but another mechanism would be needed to relate that to | you. (I doubt they are logging the IP address anyway. The only | purpose would be to surveil you, but if they wanted to do that | they would surely use a more capable mechanism . That makes | keeping the IP addresses a burden and risk.) | yyyk wrote: | >It "phone's home" only on first run. | | Do we know that? The cache may well have an expiration date. | Does the cache stay after an OS upgrade? I suspect further | research will discover it's not just 'first time'. | | >They can have your IP address but another mechanism would be | needed to relate that to you.... if they wanted to do that | they would surely use a more capable mechanism. | | The app profile would already tell a great deal. Once enough | of these 'non-capable' surveillance mechanisms add up, you | end up with a very capable surveillance mechanism. | TheRealPomax wrote: | Little Snitch is a god-send for users of MacOS, be they voluntary | users or forced into using it because their employer won't allow | them to use anything else. ___________________________________________________________________ (page generated 2020-05-23 23:00 UTC)