[HN Gopher] Catalina is checking notarization of unsigned execut...
___________________________________________________________________
Catalina is checking notarization of unsigned executables
Author : robenkleene
Score : 271 points
Date : 2020-05-23 09:42 UTC (13 hours ago)
(HTM) web link (lapcatsoftware.com)
(TXT) w3m dump (lapcatsoftware.com)
| msie wrote:
| I was watching a Linus YouTube video on the upgradeability of
| Alienware Laptops. So envious! Now you can't upgrade anything on
| the newest MacBook Pros.
|
| https://www.youtube.com/watch?v=J-RXqNafscs
|
| And if something breaks on your MacBook Pro, most likely you will
| have to replace the entire motherboard or display.
|
| PS: I own lots of Macs but sad to see the direction Apple is
| heading in.
| usmannk wrote:
| There is so much confusion here. The OP and most others are
| missing one of the biggest points: Look at the packet trace.
| There is _no data_, not even a hash, being sent. It's a TLS
| negotiation and then the connection ends. I have to suspect it's
| a bug...
| 2OEH8eoCRo0 wrote:
| Is the handshake all that is needed to verify? Is the data
| you're expecting sent during the authentication phase of the
| handshake?
| fierarul wrote:
| _Any_ communication is data! There are tracking pixels that
| return 404! Why? Because once you 've hit their endpoint, it
| did the job.
|
| The TLS negotiation is enough to send quite enough info.
| cryptonector wrote:
| "no data", just a TLS handshake. Of course information can
| flow! You could put a hash of the executable in a ClientHello
| extension, and if the server says "i don't know it to be
| malware" it can finalize the TLS connection normally.
| takeda wrote:
| In prior article "slow by design", this was reported to Apple
| and the bug was closed that it works like that by design.
| usmannk wrote:
| I did see the previous article (another comment of mine
| should be easy to find on its HN post). Do you know how to
| find the issue that was referenced? There was an ID given but
| I have no clue what tracker that was on.
| [deleted]
| takeda wrote:
| Looks like these issues are only visible to originator, so
| we have to trust the author about it. Perhaps the author
| could post it on the OpenRadar.
| Gaelan wrote:
| It's probably Radar, which is Apple's internal issue
| tracker, which isn't public (you can see issues you
| submitted, but nothing else). Sometimes people cross-post
| issues they submit to http://openradar.appspot.com, so you
| might be able to find it there.
| saagarjha wrote:
| FB numbers come from Feedback Assistant, which are
| similarly non-public and feed into Radar through a
| convoluted process.
| takeda wrote:
| The issue is FB7674490 but it is not on the OpenRadar.
| Looks like OpenRadar is not Apple's services and issues
| appear there only if author (which has access to the
| issue in the Apple system) submits them there.
| saagarjha wrote:
| Open Radar is community maintained and fairly poorly at
| that these days :(
| KenoFischer wrote:
| That ID was likely for feedbackassistant.apple.com.
| However, those reports are not public, so you can't see
| them unless you're the one that reported them though.
| Knowing the ID is still useful for things like emailing
| Apple people and complaining about their declining software
| quality ;).
| lapcatsoftware wrote:
| I'm not sure what you're seeing, but that's not what I'm
| seeing. When I Wireshark both app notarization and script
| notarization, I see 2 packets of encrypted Application Data
| sent to Apple (567 and 101 bytes), and 1 packet of Application
| Data (varying length) returned from Apple, in each case. What
| do you see when you trace a regular app notarization check?
| usmannk wrote:
| This is odd, my proxy doesn't seem to show this. I will try
| to load my root cert into Wireshark and check.
|
| Edit: Checked and double checked: When I run a new shell
| script, syspolicyd just makes a connection with no
| application data
| lapcatsoftware wrote:
| I'd recommend trying this: Download a notarized Mac app,
| delete any stapled notarization ticket
| (.app/Contents/CodeResources), and then trace the launch.
| What do you see, and does the system let you open the app?
| Does it say it checked for malware?
| usmannk wrote:
| Ah I see, looks like we're not running quite the same
| experiment. I suspect that anything including an app
| bundle ID is going to see some more interesting traffic.
| lapcatsoftware wrote:
| Don't suspect, test. ;-)
|
| I'm running both experiments. I've tested and compared
| script notarization to app notarization.
|
| You're getting apparently unusual results with script
| notarization. So the natural next step would be to
| compare against app notarization.
| usmannk wrote:
| Agh, I think it was cert pinning. Looks like the
| connection is terminated if you're snooping. I see the
| same results as you now. Thanks!
| the_imp wrote:
| The Objective-C format strings in the URL would imply that the
| hash is sent as a path parameter.
| usmannk wrote:
| That's a string found in the disassembly of syspolicyd (I've
| found it as well). However, the actual URL you see in the TCP
| logs has no path whatsoever.
| londons_explore wrote:
| This must be a blacklist, since it doesn't block my own random
| scripts which it has never seen before.
|
| If it's a global blacklist on apple servers, it should instead be
| downloaded to the client, and be a local blacklist.
|
| Too big? Use a bloom filter. Now you only end up keeping less
| than one byte per blacklisted item. Update the bloom filter with
| an autoupdater. Any positive hit you can check against the server
| just incase it's a false positive.
| daneel_w wrote:
| Bloom filters are probability-based and come with inaccuracy
| problems. If you're going to double-check with Apple anyway
| what does a bloom filter solve compared to the current response
| caching after querying Apple? How will you protect the locally
| cached blacklist from being tampered with?
| w-j-w wrote:
| Bloomington filters have probabilistic false positives,
| making it perfect for blacklisting. A negative means that the
| program can be run immediately, because it is guaranteed to
| not be on the list. A positive needs to be double checked,
| though.
| JackC wrote:
| The k-anonymity scheme used by the haveibeenpwned api seems
| like a good fit here.
| caf wrote:
| Doesn't a blacklist also work only until the malware authors
| figure out how to randomize 8 junk bytes every time they serve
| an executable?
| therein wrote:
| Which they already do.
| dimator wrote:
| That's the crazy thing about this. There's already
| obfuscation techniques against hash blacklists, so what is
| this even for? There's no earthly way apple security
| engineers didn't know that. So what is actually happening?
|
| My guess is that it's strictly for banning app store apps
| that they pull from the app store, but would like also to
| cripple retroactively on installed machines. But that doesn't
| explain why it had to run against random shell scripts? This
| is all still confusing. We don't have all the info.
| kimi wrote:
| I am not sure of what is the whole point of this notarization
| thing. It would be great (ahem, let's say so) if there was a big
| and closed list of executables, but every shell / ruby / perl /
| python script can do many funny things, and you cannot notarize
| them all. Often, as in bash, by design. So?
| nojito wrote:
| What's the exact data being sent?
|
| There is a lot of arguing going on here, but what is the data?
| azinman2 wrote:
| Seems to be a hash of the executable.
| londons_explore wrote:
| So you're telling me that every time I install a program in OSX,
| it pings apple to let them know what program I'm installing, my
| IP address, my location, and my OS version?
|
| Sounds very Orwellian for a privacy focussed company...
| daneel_w wrote:
| No, that's not what he's telling you. You're getting ahead of
| yourself with your question. He's telling us that macOS will
| consult with Apple regarding the "fingerprint" of an executable
| when you run it.
| londons_explore wrote:
| But the fingerprint of photoshop is the same for everyone. If
| apple knows what the fingerprint of photoshop is (which they
| could easily find out), now they have a giant list of who
| installed photoshop and when, and from which IP address, and
| which IP location.
|
| That data would be a wet dream for some IP lawyer looking for
| pirate copies of software...
| microtherion wrote:
| The Photoshop binary is signed (presumably; it's been years
| since I last ran it), so this check would NOT be conducted.
|
| Edit: What I should have said is that the binary is signed,
| notarized, and the notarization stapled to it, as described
| here: https://developer.apple.com/documentation/xcode/notar
| izing_m...
| lloeki wrote:
| The author of the article mentioned explicitly that he
| signed a binary, and the check still occurred.
| daneel_w wrote:
| I understand the privacy concern. We don't know if they
| store/log anything from the request, or even what it
| contains in itself besides the "fingerprint". I'm
| personally certain that Apple is not in cahoots with Big
| Software to put a squeeze on users in exchange for small
| money. It's not their business, and it's not something they
| are required by law to make their business.
| ctrlcctrlv wrote:
| > I'm personally certain that Apple is not in cahoots
| with Big Software to put a squeeze on users in exchange
| for small money
|
| Well, this is the problem people have I think - that it
| comes down good intentions on Apple's part, no matter how
| trustworthy they are deemed to be.
| Operyl wrote:
| With this logic you might as well not try at all. You
| have to trust Intel, your bios/UEFI, Apple/Microsoft, all
| the various builds of software closed and open source
| alike .. at some point you need to trust someone.
| throwaway2048 wrote:
| how is that a justification to heap on more "required"
| trust into a system?
|
| Feels like somebody could flesh out this argument in
| terms of accidental vs necessary complexity, but in terms
| of how much you need to trust the other party.
|
| Few would accept the argument "This code is already very
| complex, why do you have a problem with doubling the
| complexity?" on its own merits, so why is it sensible in
| terms of trust?
| nitinreddy88 wrote:
| This is valid question from someone. Why downvote? It's a
| question and not a statement.
| trashburger wrote:
| Of course, if they say it's for your _privacy_ , it's fine, and
| everything is all right. We have won the victory over
| ourselves. We love Apple.
| daneel_w wrote:
| No, they say it's for your security, and we can surmise
| that's the actual intention in Apple's case, but I definitely
| understand the privacy concerns that come with this method.
| crazygringo wrote:
| I'm still trying to understand what the problem here is.
|
| Nobody seems to have an issue with checking this for apps -- it's
| a good security feature to protect from malware, right? And which
| everyone knows about? And it only happens the first time you run
| something, so it's not a performance issue in everday usage.
|
| And the article even states that there seems to be a valid reason
| for checking shell scripts, because they can be used to compile
| malware.
|
| The original complaint was about slowness, but how often do you
| run something for the first time? The only scenario in which I
| can imagine this would become a practical peformance problem is
| if, somehow, you have an app that spawns new shell scripts all
| day long to execute, every few seconds, and a really flaky
| internet connection. Or new shell scripts hundreds of times a
| second, even with a good internet connection.
|
| Is that something anyone ever needs to do? Programs can run shell
| commands directly, without a file, so it seems unlikely. Also,
| another comment here suggests that even if a shell script is
| modified, it isn't re-verified, so there would seem to be a
| trivial workaround _anyways_.
|
| Or is the issue just that this is undocumented behavior? Or what
| am I missing here?
| thih9 wrote:
| The article mentioned at the beginning is already discussed here:
| https://news.ycombinator.com/item?id=23273247
| [deleted]
| FriendlyNormie wrote:
| Why?
| LeoPanthera wrote:
| I can't reproduce the exact test specified in the article:
| $ echo $'#!/bin/sh\necho Hello' > /tmp/test.sh && chmod a+x
| /tmp/test.sh $ time /tmp/test.sh && time /tmp/test.sh
| Hello real 0m0.016s user 0m0.002s sys
| 0m0.010s Hello real 0m0.006s user
| 0m0.002s sys 0m0.004s
|
| I don't believe the 0.01s difference is long enough, and could
| easily explained by filesystem caching. The article says:
|
| > Some people try to explain away the delay, e.g., "I would put
| the 300 vs 5 ms down to filesystem caching", but such hand waving
| doesn't stand up to further scrutiny.
|
| ...but does not provide any "further scrutiny", so for me,
| occam's razor applies.
| alexeldeib wrote:
| > You can verify that there's an online check by taking packet
| traces
| abathur wrote:
| A few ideas:
|
| 1. confirm the checks are enabled: spctl
| --status
|
| 2. Make sure your terminal/shell/etc aren't already exempted
| System Preferences > Security & Privacy > Developer Tools.
|
| 3. If you already ran something that could generate a check in
| the last minute, the connection is still open. Most of the
| overhead people are recording is negotiation/handshake. If
| you're fairly close to the server, it seems plausible your
| observed time could be enough for the communication minus the
| negotiation. You can open Console.app and search
| `process:syspolicyd` in the device log to see the entries for
| the negotiation; wait for it to terminate.
|
| 4. Try removing and re-creating a new file as in the test you
| did before and check it a little more directly:
| spctl --assess -v --ignore-cache --no-cache /tmp/test.sh
|
| If it's working, you should see a log entry with the text
| "summary for task success" in it with a detailed breakdown of
| the request (times taken per phase, bytes sent/received, etc).
| userbinator wrote:
| I don't have a system to check this on, but Apple seriously
| named an option "asses"?
| abathur wrote:
| Ha, no. I'm the ass, here. Fixed :)
| lapcatsoftware wrote:
| There's no such "filesystem caching" phenomenon on macOS Mojave
| and earlier, so that theory falls apart rather quickly. There's
| also the consistent difference between timing results with
| internet connection enabled vs disabled.
|
| I'm not sure why you couldn't reproduce the delay. There are
| several possibilities I can imagine, but these could only be
| proved or disproved by more testing. In any case, many people
| have reproduced the delay, on close to "factory default" Mac
| installs.
| boardwaalk wrote:
| It is real; browse the previous thread on this topic:
| https://news.ycombinator.com/item?id=23273247
|
| It pushed me to buy Little Snitch to block it, so I guess
| somebody won out.
| MintelIE wrote:
| Why don't companies come out and tell people what they're doing
| these days? Telemetry is getting to the point where people such
| as doctors and lawyers might be violating the law by using a
| modern computer. And people in the defense industry? Doesn't
| Apple employ thousands of forns? Who's audited their datasystems
| and ensured that this stuff stays private?
|
| Much easier and better to just stop using it all and move to a
| system like Linux or BSD. 99% of people do everything in a
| browser these days anyhow.
| userbinator wrote:
| I don't know about BSD, but even "mainstream" Linux (i.e.
| Ubuntu and the like) has telemetry now. This sort of spyware is
| everywhere. I think Windows 10 was the first to really
| normalise such behaviour on the desktop, and all the others
| just followed along.
|
| _where people such as doctors and lawyers might be violating
| the law by using a modern computer_
|
| That reminds me of a story I heard not long ago --- a company
| wanted to have more defense against malware, so signed up for a
| "security solution" from one of the big vendors and got it
| installed on all the company's machines. After a developer who
| was doing network tracing discovered that it was phoning home
| on every executable being run, and further digging discovered
| that it was periodically uploading file hashes _and sometimes
| actual files_ --- not just the executables being run but other
| random files --- to the security vendor 's servers, the
| reaction was "oh hell no!" and they immediately terminated the
| service and removed the product from all their machines.
| saagarjha wrote:
| Sorry, what's a forn?
| katmannthree wrote:
| Foreign national, probably.
| barsonme wrote:
| Yep.
| zionic wrote:
| The acronym used on files is often NOFORN == no foreign
| nationals.
| FpUser wrote:
| > _" 99% of people do everything in a browser these days
| anyhow."_
|
| This exaggeration is clearly absurd.
| ajkjk wrote:
| Why do you think so?
| FpUser wrote:
| The ball is actually not in my court. The original claim
| 99% should be somehow substantiated. It is not. On a
| practical note desktop software is being used by countless
| professionals. There is nearly infinite amount of those
| tools in countless areas. Amount of small businesses is
| insane as well and you can hardly find one without some old
| PC/Laptop running some of their desktop software. None of
| that would exist if there was no market. 99% claim does not
| really fit into the picture.
| MintelIE wrote:
| Are you certain about this? I think I was being conservative.
|
| It's easy for us tech nerds in our little gadget bubbles to
| suppose that everybody is like us. But most people are simple
| browser users, and Office 365 and Google Docs have all but
| killed off office software on the desktop for many users.
| abjKT26nO8 wrote:
| On the contrary, it's easy in our tech bubble to assume
| that everybody else uses a computer just for mail, netflix
| and spreadsheets, when in reality most people have niche
| needs. It's just that there are many niches. E.g. I know
| people from scientific circles who use CAS software I've
| never even heard of, my sister is an architect and needs to
| use CAD software. YouTube video authors often use advanced
| video editing software. Musicians use audio editing
| software. Publishers use Adobe InDesign. Then there are
| gamers. This "not geek => mainly spreadsheet user"
| stereotype is really strange.
|
| And basically everybody, whom I know personally, complains
| about the UX of anything web-based, so don't even think
| about putting CAD, CAS or InDesign into the browser.
| jeremyjh wrote:
| > Office 365 and Google Docs have all but killed off office
| software on the desktop for many users.
|
| That hasn't been my experience at all. While those tools
| are definitely used - especially for collaboration - most
| people on my company's Office 365 subscription are
| downloading and using the full products for their daily
| work. This is true in both very large companies and the
| (non-tech) startup I work at now.
| dathinab wrote:
| Honestly my experience with collaboration with Office 365
| last year was pretty beer bad. At least for sight
| technical cases people they are many better solutions.
| kgraves wrote:
| > But most people are simple browser users, and Office 365
| and Google Docs have all but killed off office software on
| the desktop for many users.
|
| In reality, I see most people use desktop software instead
| of the browser (without using the internet in some cases)
| to do their work. (Think CAD, Adobe, DAW software, Excel,
| video production software) even on mobile/tablets Office
| can be used where no internet connection is available.
|
| I seriously doubt that users would spend all their time in
| a browser window other than for consumption purposes like
| social media and video sites. The idea of 99% of people
| doing everything in the browser seems questionable to me
| and some data about this would be helpful here.
|
| Apart from the computer science department, I also doubt
| that people would find it easier to go to Linux, BSD or the
| other galaxy of distros.
| perl4ever wrote:
| I work in an office that mostly uses Office, but doesn't
| use the web version for everything. Microsoft never fully
| implements everything when they make a substitute, so
| you're always faced with a case-by-case choice as to which
| one. And the software people use includes things that
| aren't part of the basic apps, like Project, PowerPoint,
| Visio, I don't know what else.
| ancarda wrote:
| If only moving to Linux were an option for everyone.
|
| The other day I tried for the 100th time to move to Linux. I
| installed a recent build of a maintained, popular distribution
| (no it doesn't matter which one - I have tried them all), on
| hardware that is famous for it's Linux support.
|
| Everything worked for a day and a half, then the sound just
| fucking died. No input or output.
|
| I get millions of people use Linux daily, and are happy with it
| -- I'm genuinely grateful that's a thing. I would love to also
| use Linux, but I really don't have the time to diagnose why it
| broke yet again.
|
| Any suggestions for people stuck on macOS? I guess I could
| block all Apple domains in my DNS resolver? Other than app
| updates, I can't think of anything that would stop working.
| That still sounds less painful than trying to deal with Linux's
| atrocious UX.
| nightowl_games wrote:
| Yeah I have a reload_alsa.sh script which reboots my audio.
| Basically the only problem I have. It's a shame, I know, but
| I still love my linux box.
| kgraves wrote:
| > Everything worked for a day and a half, then the sound just
| fucking died. No input or output.
|
| my condolences.
| gorgoiler wrote:
| Vagrant.
|
| https://www.vagrantup.com/downloads.html
|
| Spin up a Linux box in macOS and ssh into it directly. It is
| a true joy if you are comfortable working with text files
| (programming, admin, focused writing, etc.)
|
| It will default to using VirtualBox as the underlying
| virtualization. That works a treat and hides all the GUI
| madness of VirtualBox.
|
| However, if you open up VirtualBox then you can interact with
| the host you just created with "vagrant up" just fine,
| including using a graphical environment.
| ancarda wrote:
| I've never used that before, but it sounds a bit like
| Docker? As in, it's got a VM in the background and I can
| interact with it?
| gorgoiler wrote:
| Technology aside, I would describe as being a bit more
| like an AWS instance, except it is running on your local
| machine.
| nojito wrote:
| "Telmetry" has been co-opted by the tin foil hat wearing
| privacy keyboard warriors.
|
| It's akin to the people spending tens of thousands of dollars
| on disaster prep.
|
| The only people who lose are the end-users of software. Who are
| forced to use crappy software.
| salawat wrote:
| You mean, like all the software that has been written since
| companies got into the habit of embedding telemetry in
| everything? That crappy software?
|
| Telemetry has a specific use-case. Taking measurements in a
| place you can't go. What industry employs it for nowadays is
| much closer to spyware in the sense you can get so much more
| of it done without it producing a noticeable effect for the
| user in terms of how much work their computer is actually
| doing. So what if you spin through a couple rounds of
| telemetry gathering while the user's process is blocked, am I
| right? Not like they're using it. /s
| NikolaeVarius wrote:
| It would be nice if my laptops bluetooth and audio would work >
| 99% of the time. Right now its a crapshoot
| huslage wrote:
| This is a specious problem _at best_. We have a very secure
| operating system doing things that others don't even try to do
| (notary) and we are complaining because our shell scripts take
| _n_ seconds to run? Really people? If you are running signed and
| notarized (stapled) binaries, the system never even reports them
| to Apple in the first place.
|
| This is the height of insanity to think that Apple or anyone else
| would want this data or use it for some nefarious
| purposes...anonymous hashes of junk data are essentially useless
| outside of this purpose. It's fine to claim not to trust anyone
| for anything, but most of us aren't willing or able to build our
| own hardware, write our own operating system, and write our own
| applications. We have asked our vendors for devices and code that
| are more trustworthy, and when they give them to us we COMPLAIN
| about it incessantly. This makes no sense to me.
| saagarjha wrote:
| > We have a very secure operating system doing things that
| others don't even try to do
|
| Perhaps because such a system is extremely centralized?
|
| > we are complaining because our shell scripts take n seconds
| to run?
|
| Yes? If I buy a computer and it spends time doing stupid stuff,
| then I think I am fairly justified in being angry.
|
| > If you are running signed and notarized (stapled) binaries,
| the system never even reports them to Apple in the first place.
|
| Great, let's notarize and staple tickets to every little piece
| of software you write...
|
| > This is the height of insanity to think that Apple or anyone
| else would want this data or use it for some nefarious
| purposes...anonymous hashes of junk data are essentially
| useless outside of this purpose.
|
| Executable hashes tell you if someone is running a specific
| piece of code.
|
| > It's fine to claim not to trust anyone for anything, but most
| of us aren't willing or able to build our own hardware, write
| our own operating system, and write our own applications.
|
| That's why I buy them from other people and would desire them
| to be good.
|
| > We have asked our vendors for devices and code that are more
| trustworthy, and when they give them to us we COMPLAIN about it
| incessantly.
|
| How exactly does this make the device more trustworthy?
| frou_dh wrote:
| Scripts becoming noticeably slow to start every time they're
| edited is a notable regression for programmers. Simple as that.
| abathur wrote:
| late edit (2): added 3 notes including performance impact
| observation
|
| I'm concerned about this behavior (both from privacy and
| performance perspectives), but I'm also not (quite) convinced
| this is working as described/implied here.
|
| Before I get started: If you poke at this, open Console.app
| first. You can see recent logged "assessment" checks logged in
| "Mac Analytics Data" with the search "process:syspolicyd". You
| can use the same search to watch log messages (including all of
| the TLS negotiation etc.) for the checks in the device log.
|
| The part that seems weird is that, if it is transmitting a hash
| (which seems possible/logical) the caching behavior doesn't
| appear to care or respect it?
|
| The article suggests the following test: echo
| $'#!/bin/sh\necho Hello' > /tmp/test.sh && chmod a+x /tmp/test.sh
| time /tmp/test.sh && time /tmp/test.sh
|
| I tried this test and got real runtimes of 0m0.289s and 0m0.006s.
| Then, I changed the file: echo
| $'#!/bin/sh\necho Hellok' > /tmp/test.sh && chmod a+x
| /tmp/test.sh
|
| When I re-ran the script, both runs are under 10ms. The content
| changed, but it didn't bother re-checking. I wrote the original
| script to a new file path: echo
| $'#!/bin/sh\necho Hello' > /tmp/test2.sh && chmod a+x
| /tmp/test2.sh
|
| This ran with runtimes similar to the original (0m0.232s and
| 0m0.006s). Same content, new path, new check. Here too, if it
| cares about the hash, it either isn't bothering to use it for
| caching decisions or the hash includes the path.
|
| Then I tried rming the file, writing it again, and running it.
| Once again, it checks on the first request. I think this suggests
| it may be caching the result by inode? The author said they saw
| new checks after saving changes in TextEdit--I don't know much
| about TextEdit, but I'd guess it is doing atomic write/rename
| here.
|
| Other random details I noticed:
|
| 1. it holds the connection open for a minute, presumably to
| minimize connection overhead for executions that'll generate many
| checks. My first checks were all in the 280-300ms range, but I
| tried one additional check within the minute and it only took
| 72ms. Making multiple requests in less than a minute may make it
| harder to notice
|
| 2. The device log has a "summary for task success" entry with
| pretty precise timing details on all parts of the request.
|
| 3. On my system, each of these attempts produces a
| "os_unix.c:43353: (2) open(/var/db/DetachedSignatures) - No such
| file or directory" error in the log from the libsqlite3 subsystem
| after the response comes back.
|
| 4. The "Mac Analytics Data" log entry for each request has a good
| summary that looks like: assessment denied for
| test.sh com.apple.message.domain:
| com.apple.security.assessment.outcome2
| com.apple.message.signature2: bundle:UNBUNDLED
| com.apple.message.signature3: test.sh
| com.apple.message.signature5: UNKNOWN
| com.apple.message.signature4: 1
| com.apple.message.signature: denied:no usable signature
| SenderMachUUID: ...snip...
|
| 5. When I add Terminal to the Developer Tools exemption on the
| privacy tab it does appear to kill the check. I'm not sure if
| there's genuine protection this check provides at some level, but
| I'll be considering adding either Terminal or at least some
| specific build tools to the exemptions I add on a new system.
|
| 6. After adding the Developer Tools exemption, if you have the
| app open, it'll ask if it can quit it for you. I took the hint
| and restarted Terminal. It'll do the same thing when you remove
| it from the list. But I didn't see the checks actually return
| until I rebooted. Also, my system froze during reboot. Hopefully
| a coincidence. :)
|
| 7. To put a better number on how this performance impact can
| compound for the kinds of builds I do all of the time, I ran
| `nix-build ci.nix` in the local directory for one of my projects
| before and after enabling the Developer Tools exemption for
| ~/.nix-profile/bin/nix. The run took 1m22s before, 45.5s after.
|
| 8. Looks like this is the same check as is run by `spctl --asses
| -v <path>` (at least, per the Console.app logs). That may make it
| easier to play with.
| lapcatsoftware wrote:
| > I think this suggests it may be caching the result by inode?
|
| You may very well be right. I used TextEdit simply because it
| was easiest for me to guarantee a new notarization check every
| time, but I don't know the exact criteria that macOS uses to
| identify an executable as "the same". There's probably some
| combination of path and/or inode in addition to the hash.
| mthoms wrote:
| Does anyone know if adding the Apple domain in question to piHole
| (or your hosts file pointing to 0.0.0.0) will suppress these
| checks?
| TheRealPomax wrote:
| If you're on MacOS, you want Little Snitch installed at all
| times, even if you have a pihole: a process that is denied
| network access is far stronger than juping DNS requests.
| MintelIE wrote:
| It appears as if OS X will revert to using an IP address if a
| domain lookup fails according to the thread we had on this
| issue yesterday.
| verytrivial wrote:
| #include "This is fine meme.h"
| mokus wrote:
| I guess the list of things keeping me off catalina (and, by
| extension, new Mac hardware) just got one item longer.
|
| I recently bought a new System76 laptop as a stopgap, but it
| might end up becoming permanent. Kind of a sad end for 25+ years
| of Mac use.
| vmception wrote:
| One thing that always turned me off of Windows was that I would
| be in the control panel or command line within 5 minutes of
| using any system to fix a preference, and how with OSX it was
| refreshing not to have to do the equivalent in System
| Preferences or terminal.
|
| This is no longer true. It is a very similar and annoying
| experience for me.
|
| I use OSX, Windows and various versions of Linux.
|
| The browser is the real platform at this point and is the
| shared experience between all three.
| digitaltrees wrote:
| What are the other problems with Catalina for you? I ask
| because every time there is an OS X update someone posts this
| exact sentiment but then over a few months the issues get
| resolved. Please don't interpret this as an attack; I am
| genuinely curious and want to see if Apple ends up fixing
| things.
|
| I my self have a maxed out 16 MacBook Pro and a for the first
| few weeks after the upgrade it was literally in usable because
| routine user input would result in the entire system locking
| up. I suspect it was actually this issue but, thankfully, the
| issue is now resolved.
| mthoms wrote:
| I'm in a similar boat. The first few weeks with my 16" MBP
| was pretty bad. Everything seems resolved now, _except_ the
| issue with the discreet GPU kicking in when an external
| monitor is plugged in. This, in turn causes the fans to spin
| up (which is annoying when trying to code).
|
| My 2017 13" MBP (without discreet GPU) was barely usable when
| powering my 4K monitor but at least it was quiet. It makes me
| think that the more modern integrated Intel GPU in the 16"
| should be enough to power my monitor without fan noise.
| Sadly, Apple has decided I can't have that option.
| msie wrote:
| I installed Catalina on my iMac several days ago and
| ImageCapture still has bugs! Although I can now select
| multiple photos to import from my iPhone 11, ImageCapture
| will not delete the photos after import. Previous to that,
| ImageCapture on Catalina would not import more than 10 photos
| without reporting an error. At least they fixed that bug.
| knolan wrote:
| I'm curious, is there a reason to use image capture when
| you can just AirDrop the images? Does Image Capture give
| you the HEIC format file or something?
| lisper wrote:
| Not a Catalina issue per se, but the big problem with Apple
| nowadays is:
|
| 1. Upgrades are not optional. The system will relentlessly
| nag me until I upgrade even if I don't want to upgrade.
|
| 2. Upgrades are crap shoots. An Apple upgrade nowadays is as
| likely to break things as it is to fix things.
|
| 3. Upgrades are difficult and sometimes impossible to revert.
| If an upgrade breaks something, I'm just screwed.
|
| So I'm still running Mavericks. It works. It's reliable. It
| does everything I need it to do. And I can count on that
| still being the case tomorrow. If I upgrade, all bets are
| off.
| LeoPanthera wrote:
| Although I sympathize, this is one issue, not three. And
| hardly anything unique to Apple.
| lisper wrote:
| It seems pretty unique to Apple in my experience. I have
| an ancient Android tablet. I don't even know how old the
| OS is on it. It never nags me to upgrade. My Linux boxes
| never nag me to upgrade. When I do upgrade, things mostly
| keep working, and if they don't it's pretty easy to roll
| things back.
| LeoPanthera wrote:
| Android never getting updates is not a feature!
| lisper wrote:
| I much prefer no updates over broken updates, especially
| when they are forced on me. Stable bugs are better than a
| never ending stream of new ones.
| amelius wrote:
| Don't worry, Apple will change this. Big companies always make
| sure that customers just barely find their products acceptable.
| This was just a test to see if they could get away with it.
| wincent wrote:
| I was gnashing my teeth over exactly this last night -- 26
| years on a Mac for me:
|
| https://wincent.com/blog/grieving-for-apple
| mohdmasd wrote:
| There's also the issue of losing all your data if you enabled
| Secure-Boot (which is default) and the T2 chip failed.
|
| https://www.youtube.com/watch?v=6dwqxsDHkKQ
| x3n0ph3n3 wrote:
| How does the keyboard and trackpad for that System76 laptop
| feel? I've been looking at those quite a bit and am seriously
| considering one to replace my 2014 MacBook Air.
| jmvoodoo wrote:
| I've heard bad things about system76 laptop build quality
| (desktop I think is top notch). Has this improved at all?
| lern_too_spel wrote:
| With issues like this and the 4000 series Ryzen mobile
| processors, top specced MacBook Pros are very noticably slower
| than $1k alternatives.
| fierarul wrote:
| I see the above comment heavily downvoted but I'm
| specifically looking at 4000 series Ryzen laptops as my 1st
| move away from MacBook Pros. Such incredible CPUs really make
| the decision a bit more acceptable. The laptop I'm eyeing is
| near $1000.
| shade wrote:
| Out of curiosity - what are you looking at? I'm also
| starting to think about replacing my 2016 MBP and quite
| honestly, the current MacBook Air/MacBook Pro line doesn't
| really appeal to me.
|
| Lenovo has a couple of AMD-based ThinkPads that are looking
| pretty appealing, although they come in around $1500 with
| the configuration I'd want.
| ChrisLTD wrote:
| What are you eyeing?
| rayiner wrote:
| My 16" is a huge disappointment. After swearing off Intel PCs
| after a disaster ours X1 Carbon, I switched back to a 2013 15"
| until this month. Figured after six months bugs would be ironed
| out. Wrong. I'm seeing two major glitches that have macrumors
| threads dozens of pages long: 1) with an external display
| connected, dGPU utilization shoots up to 20W at idle. (The rest
| of machine draws well under 10W at idle.) That wouldn't be a
| big deal if the CPU and GPU didn't share a tight 70W power
| budget. 2) when connected to an external monitor or dock--I've
| tried two different TB3 docks--the machine kernel panics
| regularly, usually waking up from sleep.
|
| I'm torn. I don't want to return the machine because everything
| else is crap. At least the 16" works well as a laptop so long
| as you don't plug anything into the ports. But Apple's Q&A has
| seriously gone down the toilet ever since Steve Jobs died.
| Clearly him throwing staplers at people was the glue holding
| Apple together.
| Marsymars wrote:
| I've had neverending problems with sleep mode on the Macs
| I've owned (2012 Mac Mini, now 2016 MacBook usually docked) -
| never really worked out the issue other than entirely
| disabling sleep when connected to power.
| thestephen wrote:
| Since 10.15.4, my 16" started having kernel panics while
| waking up from sleep. Disabling Power Nap seems to mitigate
| this.
|
| While this is an awful stopgap solution, at least I can get
| back to work.
| nightowl_games wrote:
| My partner is a graphic designer who loathed her 13" macbook
| that her work got her. She finally got an upgrade to a 16",
| i9, 64 gigs of ram.
|
| It runs adobe software like total shit.
|
| I think it's something to do with Catalina + accessing files
| in Google Drive File Stream + Adobe.
|
| It runs illustrator horribly.
|
| It's basically the saddest thing I've ever seen.
|
| I think I'll get her a 17" XPS for christmas this year.
| reaperducer wrote:
| _when connected to an external monitor or dock--I've tried
| two different TB3 docks--the machine kernel panics regularly,
| usually waking up from sleep._
|
| I had a similar problem, and it turned out that the dock
| needed a driver. I don't think I've installed a driver for an
| external device since I switched to Macs years ago, so it
| never occurred to me that something like a dock would need a
| driver.
|
| But it turns out that once I installed the vendor's driver,
| the problems all went away. I'm not sure who's fault that is.
| rimliu wrote:
| I upgraded my 2015 MBP 13" to Catalina and happily continue to
| Mac stint since 2006.
| 72deluxe wrote:
| What does df -h in the terminal say?
|
| It'll show the total of each partition (the normal, and the
| new read-only system partition) on their own line, thereby
| giving a false total. e.g. 1x 100GB disk, 50GB normal, 50GB
| system partition will show as capacity 100GB for both
| partitions which would mean a 200GB disk.
|
| Small things like this just make me completely lose faith in
| Catalina.
|
| EDIT: Other "fun" things I noticed within half an hour:
|
| a. Text search in PDF no longer works
|
| b. I can't create anything under /
|
| c. I have to use synthetic.conf to map paths from / to my
| real partition, but the parser of synthetic.conf is very
| particular to tabs/spaces unlike any other /etc/ file format
|
| d. Xcode wants to ask for my password to debug every single
| time I reboot and debug a C++ app. This is incredibly
| incredibly incredibly incredibly annoying.
|
| Safari is faster in general use. But that's so far the only
| good point.
|
| I'll keep it on a SSD for App Store submissions and keep my
| machine on an older decent version thanks
| Marsymars wrote:
| > a. Text search in PDF no longer works
|
| Oh is this macOS? I'd just assumed all the PDFs I've tried
| to search for the past while have been poorly formatted
| with the text as images, but that makes more sense.
|
| > I'll keep it on a SSD for App Store submissions and keep
| my machine on an older decent version thanks
|
| FYI it's pretty easy to integrate binary upload to App
| Store Connect on the CLI of your CI system.
| saagarjha wrote:
| > Text search in PDF no longer works
|
| In Safari or in general? I have only noticed the former.
|
| > I have to use synthetic.conf to map paths from / to my
| real partition, but the parser of synthetic.conf is very
| particular to tabs/spaces unlike any other /etc/ file
| format
|
| You may already know this, but man synthetic.conf will
| explain that you must use tabs.
|
| > Xcode wants to ask for my password to debug every single
| time I reboot and debug a C++ app. This is incredibly
| incredibly incredibly incredibly annoying.
|
| I can only offer you my condolences as I cruise by with SIP
| off.
| cschep wrote:
| Checkout `DevToolsSecurity` on the command line. Could help
| with d. :)
| HugoDaniel wrote:
| Im running my dev environment in a OpenBSD vm. This makes me
| wanna use it for more stuff besides dev.
| rvnx wrote:
| It's great tool for mass-surveillance. Since Apple has a database
| of all the apps the user has run on their device (but no worries,
| Google has the same).
|
| For your security ;)
| tenebrisalietum wrote:
| So why mass-surveil Apple computer users this way?
|
| My understanding is the only thing exclusive to Apple systems
| is developing Apple apps. But anything related on a platform
| like iOS is already going to be public knowledge.
|
| Also the latest Mac hardware seems to go through great pains to
| make sure the primary storage device is both encrypted,
| unrecoverable if keys are unknown (T2 security chip), and non-
| removable (SSD soldered to board). So why would they make this
| back door for surveillance?
| dannyw wrote:
| None of those measures you described counteract mass
| surveillance.
| jmull wrote:
| > great tool for mass-surveillance
|
| It's not really that great for mass-surveillance. It "phone's
| home" only on first run. And it doesn't look like it sends data
| about your identity, device or location. They can have your IP
| address but another mechanism would be needed to relate that to
| you. (I doubt they are logging the IP address anyway. The only
| purpose would be to surveil you, but if they wanted to do that
| they would surely use a more capable mechanism . That makes
| keeping the IP addresses a burden and risk.)
| yyyk wrote:
| >It "phone's home" only on first run.
|
| Do we know that? The cache may well have an expiration date.
| Does the cache stay after an OS upgrade? I suspect further
| research will discover it's not just 'first time'.
|
| >They can have your IP address but another mechanism would be
| needed to relate that to you.... if they wanted to do that
| they would surely use a more capable mechanism.
|
| The app profile would already tell a great deal. Once enough
| of these 'non-capable' surveillance mechanisms add up, you
| end up with a very capable surveillance mechanism.
| TheRealPomax wrote:
| Little Snitch is a god-send for users of MacOS, be they voluntary
| users or forced into using it because their employer won't allow
| them to use anything else.
___________________________________________________________________
(page generated 2020-05-23 23:00 UTC)