WingNews logo WingNews
top | item 45855056

(no title)

invaliduser | 3 months ago

The same thing exists on Windows, developers have to code sign their binaries. It's even worse in my experience because you have to use a token (usb key with cryptographic signing keys in it) and that's impractical if you want your ci/cd to run in a datacenter. At my company we had a mac mini with a windows VM and a code signing token plugged in just for the purpose of signing our macos and windows binaries.

Another solution that is not mentioned in the article is that users of both macos and windows should be able to easily integrate the certificate of a third-party editor, with a process integrated in their OS explaining the risks, but also making it a process that can be understood and trusted, so that editors can self-sign their own binaries at no cost without needing the approval of the OS editor. Such a tool should ideally be integrated in the OS, but ultimately it could also be provided by a trusted third-party.

discuss

order

Xiol|3 months ago

I struggled with a similar problem recently. You can use osslsigncode to sign Windows binaries from Linux. It is also possible, with some pissing about, to get everything to work hands off.

In the end we went with Digicert Keylocker to handle the signing, using their CLI tool which we can run on Linux. For our product we generate binaries on the fly when requested and then sign them, and it's all done automatically.

lapcat|3 months ago

> The same thing exists on Windows, developers have to code sign their binaries.

> Another solution that is not mentioned in the article is that users of both macos and windows

The article is actually about notarization on iOS, which is vastly different from notarization on macOS. On iOS, every app, whether in the App Store or outside the App Store, goes through manual Apple review. But apps distributed outside the App Store have fewer rules.

AzzyHN|3 months ago

If I try and run an unsigned program, the UAC window will be yellow, but I can run it with zero issue.

I cannot do the same thing on MacOS with the same ease, and that's the issue.

seec|3 months ago

Yes I don't understand what he means. On Windows you can basically tone down the security to the point you basically tell it to shut up and let you do anything you want, including shooting yourself in the foot (which is fine by me).

On macOS you have to resolved to various tricks to be able to run stuff you have decided you want to run, for whatever reason.

anang|3 months ago

Just FYI, you don’t have to use a USB stick, you can also use HSM like azure key vault and sign using azure signtool.

nickf|3 months ago

Azure Key Vault - even in the ‘premium’ HSM flavour can’t actually prove the HSM exists or is used, which doesn’t satisfy the requirements the CA has. In theory, it shouldn’t work - but some CAs choose to ignore the letter and the spirit of the rules. Even Azure’s $2400a month managed HSM isn’t acceptable, as they don’t run them in FIPS mode.

tumult|3 months ago

Nope. Notarization is not code signing. It’s an extra step, after code signing, where you upload your software to Apple’s servers and wait for their system to approve it. It’s more onerous than code signing alone and, with hindsight, doesn’t seem to have been offering any extra protection.

jeroenhd|3 months ago

It's not the same, but in practice it's also not so different. Microsoft keeps track of how many times a certain executable has been run and only after a certain threshold does the executable become openable without hunting for tiny buttons. The kicker: this also applies for signed binaries.

Microsoft will upload these executables to the cloud by default if you use their antivirus engine ("sample collection").

In a way, Microsoft is building the same "notarisarion database", but it's doing so after executables have been released rather than before it. Many vendors and developers will likely add their executables to that "database" by simply running it on a test system.

On the other hand, SmartScreen can be disabled pretty easily, whereas macOS doesn't offer a button to disable notarisarion.

tonyedgecombe|3 months ago

>It’s more onerous than code signing alone and ...

I don't know, I sometimes contemplated sticking sharpened pencils in my eyes for light relief whilst trying to renew my code signing certificates.

Earw0rm|3 months ago

It's more akin to an enforced malware scanner, at least in principle, kind of mandatory VirusTotal with a stapled certificate.

In practice though they use it to turn the screws on various API compliance topics, and I'm not sure how effective it is realistically in terms of preventing malware exploits.

robenkleene|3 months ago

> doesn’t seem to have been offering any extra protection.

How would this be measured?

Since no one has pointed it out here, it seems obvious to me that the purpose of the notarization system is mainly to have the code signatures of software so that Apple can remotely disable any malware from running. (Kind of unsavory to some, but probably important in today's world, e.g., with Apple's reach with non-technical users especially?)

Not sure how anyone external to Apple would measure the effectiveness of the system (i.e., without knowing what has been disabled and why).

There's a lot of unsubstantiated rumors in this comment thread, e.g., that notarization on macOS has been deliberately used to block software that isn't malware on macOS. I haven't seen a concrete example of that though?

scosman|3 months ago

Highly suggest trying Azure Trusted Signing on a CI system with windows boxes (I use Github). Windows signing was an expensive nightmare before, but is now relatively painless and down to $10/mo (which isn't cheap but is cheaper than the alternatives).

drysart|3 months ago

Azure Trusted Signing is a crapshoot. If you can get running, it's easy and fast and great. But if you run into any problems at all during the setup process (and you very well might since their onboarding process is held together with duct tape and twine), you're basically left for dead and unless you're on an enterprise support plan, you're not going to get any help from them at all.

amaccuish|3 months ago

Last time I checked it's still US/Canada only. Luckily I only needed code-signing for an internal app, so we just used our own PKI and pushed the certs over MDM.