
Apple doesn't check binary hashes but developer certificates these binaries are signed with. Which there are a lot less of (i.e. Firefox and Thunderbird share the same certificate).


From what I understood, Gatekeeper still sends an application specific hash/ticket when an application is opened, not just a dev certificate (e.g. https://lapcatsoftware.com/articles/catalina-executables.htm...). Did that change in Big Sur?


The notarization check is on first launch of an app, but it doesn't occur on subsequent launches, unlike the certificate revocation check.


But the first lookup would have to stay, with all the implications that the proposed alternative (download a list of all certs/tickets) was meant to overcome.



