Apple hashing applications and logging data remotely before starting applications on MacOS

That sounds utterly pointless when taken together.

Hypothetical: You are using an app that works well for your task and you are comfortable with it and can do your work very quickly. Apple decides this app has run afoul of whatever rules and removes the app. So you just go get the unsigned version and run that instead.

What problem does any of this solve other than looking shady?

If anything, it would make me want to avoid official Apple-approved apps and get my own, as there is no telling when they will just vanish, potentially with your integrated workflow and work, if it is tied to an app-specific file format they no longer allow you to use.

You can definitely break a lot of things with Little Snitch if you want to. By default it allows the normal Apple traffic, but you can change that if you want to. Not sure if they’re using pf under the hood or bundling their own solution though.

Yeah, it warns you, but I doubt it reports anything back about it. Or if it does, I can’t think of what the justification would be.

It’s any application that is signed with an Apple developer certificate, which is anything from the App Store, but also a lot of 3rd-party apps. Even I have a developer certificate. Had to get one to sign onboarding scripts to run automatically during OS installation as well as MDM profiles. Additionally, if you are distributing your application outside of the App Store, the installer needs to be signed as well as the actual application. So I guess in all of those instances, macOS is sending the cert to a server for verification. Although obviously, you can run apps when you’re not connected to the internet, so some sort of local verification takes place as well.
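The post above describes developer-signed apps being verified both locally and against an Apple server. As an added example (not code from the thread), here is a small shell script that performs the local part of that check with Apple's own tools: `codesign` prints the signing authority chain and Team ID and verifies the bundle's signature offline, and `spctl` asks Gatekeeper whether it would allow execution. The bundle path is an assumption, and the script returns 2 if the tools are not present (i.e. it is not running on macOS).

```shell
#!/bin/sh
# Added example, not from the thread: inspect a macOS app bundle's
# code signature locally. The default path below is an assumption.
# Return codes: 0 = signed and accepted by Gatekeeper,
#               1 = unsigned/rejected/missing bundle,
#               2 = codesign/spctl not available (not macOS).

check_app_signature() {
    app="$1"
    if ! command -v codesign >/dev/null 2>&1 || ! command -v spctl >/dev/null 2>&1; then
        echo "codesign/spctl not available (not macOS?)" >&2
        return 2
    fi
    if [ ! -d "$app" ]; then
        echo "no such bundle: $app" >&2
        return 1
    fi
    # Who signed it: Authority= lines are the certificate chain,
    # TeamIdentifier= is the developer account the cert belongs to.
    codesign -dv --verbose=4 "$app" 2>&1 \
        | grep -E '^(Identifier|TeamIdentifier|Authority)=' || true
    # Verify the signature against the bundle contents, fully offline.
    if ! codesign --verify --deep --strict "$app" 2>&1; then
        echo "signature verification FAILED for $app" >&2
        return 1
    fi
    # Gatekeeper assessment: this is the step that may consult Apple when
    # online; when offline it relies on what is cached locally.
    if spctl --assess --type execute --verbose=4 "$app" 2>&1; then
        echo "Gatekeeper: accepted $app"
        return 0
    fi
    echo "Gatekeeper: rejected $app" >&2
    return 1
}

# Usage: ./check_app_signature.sh /Applications/SomeApp.app
rc=0
check_app_signature "${1:-/Applications/Safari.app}" || rc=$?
echo "result code: $rc"
```

An unsigned binary from a Homebrew build-from-source formula will fail the `codesign --verify` step, which is exactly the condition the later posts in the thread are discussing.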

So if I just switch all my apps to be installed from Homebrew then I’m good right?


Some of the casks are signed since they’re just binaries, but for the normal packages or anything it’s building from source, I don’t think there’s any way to have those signed. Some projects refuse to sign their apps (Alacritty) which is cool, but also annoying because I can’t run them on my work computer which is forbidden from running anything that isn’t signed (unless IT whitelists it) :frowning:

Not necessarily, it would be good practice to enable OCSP Stapling on the webserver to actually remove the need to contact the CA regarding certificate validity.

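The post above suggests OCSP stapling on a web server so that clients never have to contact the CA to check certificate validity. As an added example (not from the thread), the following shell script checks whether a given TLS server actually staples an OCSP response, by classifying the output of `openssl s_client -status`. The classifier is exercised offline on two constructed samples that mirror the shape of real openssl output; the live check and its host argument are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: does a TLS server staple OCSP?
# Reads `openssl s_client -status` output from stdin and prints one of
# "stapled", "not-stapled" or "unknown" (return codes 0, 1, 2).
classify_ocsp_output() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
        echo stapled
        return 0
    elif printf '%s\n' "$out" | grep -q 'OCSP response: no response sent'; then
        echo not-stapled
        return 1
    fi
    echo unknown
    return 2
}

# Live check (needs network and openssl). Host and port are assumptions.
check_ocsp_stapling() {
    host="$1"
    port="${2:-443}"
    openssl s_client -connect "$host:$port" -servername "$host" -status \
        </dev/null 2>/dev/null | classify_ocsp_output
}

# Constructed, abridged samples of what openssl prints in each case.
SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
======================================
---
Certificate chain'

SAMPLE_NOT_STAPLED='CONNECTED(00000003)
OCSP response: no response sent
---
Certificate chain'

printf '%s\n' "$SAMPLE_STAPLED" | classify_ocsp_output || true        # stapled
printf '%s\n' "$SAMPLE_NOT_STAPLED" | classify_ocsp_output || true    # not-stapled
# Real server: check_ocsp_stapling example.com
```

On nginx the relevant directives are `ssl_stapling on;` and `ssl_stapling_verify on;`; a server that reports `not-stapled` here forces every client to query the CA's OCSP responder itself, which is the privacy leak the thread is circling around.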

Unsigned apps are a terrible idea. We really do need Apple to tell us what is good and bad. If it’s unsigned, it’s basically a guaranteed virus. It’s all about the greater good. What the individual wants is irrelevant.


Is there an OS that doesn’t use signed apps these days? I think Linux did it first.

Maybe BSD doesn’t?

If you were to use unsigned apps you shouldn’t be using Apple anyway.

I just assume these days I am being spied on all the time. I look at it like this. I watch Lock Picking Lawyer on YouTube. I have seen how easy it is for someone with his experience to pick many locks. If someone really wants to get into my stuff and they have the skill, what can I do? Not much. I read the entire article about Apple, but I don’t even know what a hash is. Jargon like OCSP doesn’t mean much to me, and the commands Jacopo Janone used to track whether there was a problem were impressive to me but likely obvious to someone who knows what to look for.