Hacker Neue

Preferences
invaliduser parent
The same thing exists on Windows, developers have to code sign their binaries. It's even worse in my experience because you have to use a token (usb key with cryptographic signing keys in it) and that's impractical if you want your ci/cd to run in a datacenter. At my company we had a mac mini with a windows VM and a code signing token plugged in just for the purpose of signing our macos and windows binaries.

Another solution that is not mentioned in the article is that users of both macos and windows should be able to easily integrate the certificate of a third-party editor, with a process integrated in their OS explaining the risks, but also making it a process that can be understood and trusted, so that editors can self-sign their own binaries at no cost without needing the approval of the OS editor. Such a tool should ideally be integrated in the OS, but ultimately it could also be provided by a trusted third-party.

Xiol
I struggled with a similar problem recently. You can use osslsigncode to sign Windows binaries from Linux. It is also possible, with some pissing about, to get everything to work hands off.

In the end we went with Digicert Keylocker to handle the signing, using their CLI tool which we can run on Linux. For our product we generate binaries on the fly when requested and then sign them, and it's all done automatically.

lapcat
> The same thing exists on Windows, developers have to code sign their binaries.

> Another solution that is not mentioned in the article is that users of both macos and windows

The article is actually about notarization on iOS, which is vastly different from notarization on macOS. On iOS, every app, whether in the App Store or outside the App Store, goes through manual Apple review. But apps distributed outside the App Store have fewer rules.

AzzyHN
If I try and run an unsigned program, the UAC window will be yellow, but I can run it with zero issue.

I cannot do the same thing on MacOS with the same ease, and that's the issue.

seec
Yes I don't understand what he means. On Windows you can basically tone down the security to the point you basically tell it to shut up and let you do anything you want, including shooting yourself in the foot (which is fine by me).

On macOS you have to resolved to various tricks to be able to run stuff you have decided you want to run, for whatever reason.

anang
Just FYI, you don’t have to use a USB stick, you can also use HSM like azure key vault and sign using azure signtool.
nickf
Azure Key Vault - even in the ‘premium’ HSM flavour can’t actually prove the HSM exists or is used, which doesn’t satisfy the requirements the CA has. In theory, it shouldn’t work - but some CAs choose to ignore the letter and the spirit of the rules. Even Azure’s $2400a month managed HSM isn’t acceptable, as they don’t run them in FIPS mode.
veeti (dead)
tumult
Nope. Notarization is not code signing. It’s an extra step, after code signing, where you upload your software to Apple’s servers and wait for their system to approve it. It’s more onerous than code signing alone and, with hindsight, doesn’t seem to have been offering any extra protection.
jeroenhd
It's not the same, but in practice it's also not so different. Microsoft keeps track of how many times a certain executable has been run and only after a certain threshold does the executable become openable without hunting for tiny buttons. The kicker: this also applies for signed binaries.

Microsoft will upload these executables to the cloud by default if you use their antivirus engine ("sample collection").

In a way, Microsoft is building the same "notarisarion database", but it's doing so after executables have been released rather than before it. Many vendors and developers will likely add their executables to that "database" by simply running it on a test system.

On the other hand, SmartScreen can be disabled pretty easily, whereas macOS doesn't offer a button to disable notarisarion.

makeitdouble
Microsoft's notorisation sounds fully automated and transparent, while Apple's is more political and hands on. Individual apps getting their notorisation slowed down to a glacier pace because the platform owner doesn't like them doesn't seem to happen in Microsoft land.
mort96
Wasn't there even a story some time ago about how some completely legit, legal, above-board app to virtualize old (pre OS X) versions of Mac OS got rejected by Apple's notarization process?
Earw0rm
The bigger difference is that Apple isn't just checking for malware, it's checking for conformance with various APIs, manifest requirements and so on. Not as strict as the iOS App Store, maybe, but it will refuse to notarize if it detects use of unsanctioned API calls.

You don't even need signing for Microsoft's system to do what it does - it can operate on unsigned code, it's all hash based.

makeitdouble
> it will refuse to notarize if it detects use of unsanctioned API calls.

Or really any reason. They're not supposed to exert editorial control but that's how it has been happening in practice.

robenkleene
> detects use of unsanctioned API calls

Is there a concrete example of this? We know this isn't blanket policy, because of a recent story (https://www.hackerneue.com/item?id=45376977) that contradicts it. I can't find a reference to any macOS app failing notarization due to API calls.

3 More Comments →
hkpack
I have the opposite experience - on macOS you can guarantee what users will see when you distribute your notarized app, while on Windows you cannot for undefined time.

How often do you notarize your apps? Why does the speed matter at all? In my cases it takes 2 seconds for the notarization to complete.

makeitdouble
The article is about iOS, and getting your notorization in 2 seconds or weeks is IMHO a big difference.

There's obviously simple cases where the iOS notorization also flies in 2 secs, but there seems to be enough tougher cases:

https://www.reddit.com/r/iOSProgramming/comments/1l9m7jd/how...

3 More Comments →
layer8
The important part is that once you have a code signing certificate, you can sign your executable independently, offline, without involvement from Microsoft, which isn’t possible with Apple’s notarization.
tonyedgecombe
>It’s more onerous than code signing alone and ...

I don't know, I sometimes contemplated sticking sharpened pencils in my eyes for light relief whilst trying to renew my code signing certificates.

Earw0rm
It's more akin to an enforced malware scanner, at least in principle, kind of mandatory VirusTotal with a stapled certificate.

In practice though they use it to turn the screws on various API compliance topics, and I'm not sure how effective it is realistically in terms of preventing malware exploits.

robenkleene
> In practice though they use it to turn the screws on various API compliance topics

Do you have an example of this on macOS?

robenkleene
> doesn’t seem to have been offering any extra protection.

How would this be measured?

Since no one has pointed it out here, it seems obvious to me that the purpose of the notarization system is mainly to have the code signatures of software so that Apple can remotely disable any malware from running. (Kind of unsavory to some, but probably important in today's world, e.g., with Apple's reach with non-technical users especially?)

Not sure how anyone external to Apple would measure the effectiveness of the system (i.e., without knowing what has been disabled and why).

There's a lot of unsubstantiated rumors in this comment thread, e.g., that notarization on macOS has been deliberately used to block software that isn't malware on macOS. I haven't seen a concrete example of that though?

tumult
Disabling malware via hash or signature doesn't require the Notarization step at all. Server can tell clients to not run anything with hash xxyyzz and delete it. I mean, just think about it. If disabling stuff required the Notarization step beforehand, no anti-malware would have existed before Notarization. Nonsense.
robenkleene
I think notarization is just a more automated way to do this approach, e.g., otherwise Apple has to hunt down all the permutations of the binary themselves. It seems like it just simplifies the process? (It makes it a white list not a black list, so it's certainly more aggressive.)
scosman
Highly suggest trying Azure Trusted Signing on a CI system with windows boxes (I use Github). Windows signing was an expensive nightmare before, but is now relatively painless and down to $10/mo (which isn't cheap but is cheaper than the alternatives).
drysart
Azure Trusted Signing is a crapshoot. If you can get running, it's easy and fast and great. But if you run into any problems at all during the setup process (and you very well might since their onboarding process is held together with duct tape and twine), you're basically left for dead and unless you're on an enterprise support plan, you're not going to get any help from them at all.
amaccuish
Last time I checked it's still US/Canada only. Luckily I only needed code-signing for an internal app, so we just used our own PKI and pushed the certs over MDM.
jtokoph
It’s also limited to companies that have a proven life span of at least 3 years IIRC (you have to provide a duns number). They may have reopened for individuals, but that means your personal name attached to every binary.
catlifeonmars
You can virtualize an HSM FWIW.

This item has no comments currently.

Keyboard Shortcuts

Story Lists

j
Next story
k
Previous story
Shift+j
Last story
Shift+k
First story
o Enter
Go to story URL
c
Go to comments
u
Go to author

Navigation

Shift+t
Go to top stories
Shift+n
Go to new stories
Shift+b
Go to best stories
Shift+a
Go to Ask HN
Shift+s
Go to Show HN

Miscellaneous

?
Show this modal