Codesigning everything and combatting malicious code
gerben.wierda at rna.nl
Fri Jan 13 15:37:49 UTC 2023
> On 24 Mar 2022, at 19:24, Joshua Root <jmr at macports.org> wrote:
> On 2022-3-23 08:19 , Ryan Schmidt wrote:
>> On Mar 21, 2022, at 23:02, Joshua Root wrote:
>> Are we sure that ad-hoc codesigning is enough to pacify GateKeeper? Since all binaries must be codesigned on Apple Silicon, does that mean that GateKeeper never has anything to complain about on Apple Silicon systems?
> No. As I said before, an ad-hoc signature does nothing to improve security, and the designers of GateKeeper are aware of that. Having a signature from someone you've never heard of doesn't help in deciding whether to trust the signed item.
> I think what it does do is prevent repeated authorisation prompts for the same program, as long as GateKeeper can see that its signature has not changed since last time the user said to trust it, and is still valid.
> - Josh
It's been a while, but this summer, after I moved from Mojave to Monterey, I started to experience serious problems with my macOS server (based on MacPorts builds of postfix, dovecot, etc.). Without clear proof, but on intuition, I have decided that the most likely reason is that Apple doesn't handle exceptions to signing very well (problems with alf, launchd, pf), but most seriously, the system doesn't handle many service requests (ports, sockets) very well and gets stuck regularly for 30 minutes to an hour. When it is stuck, it reacts to ping, but no other connection can be opened. Then, when it gets unstuck, apparently there has been some sort of garbage collection going on and there is again room. From 12.5.1 to 12.6.2 this has gotten worse: the system will not even react to ping, will not get unstuck by itself, and requires a hard reset (power). This is unacceptable for a server where I am not always around to do that (let alone the potential data corruption that follows).
For me, not having a system where I can reliably run my services as I have been doing during the NeXT days and then the Mac OS X Server days and then the macOS + MacPorts days is unacceptable. A system that is able to hang itself in such a way is not a serious production environment.
Forget security, macOS might become utterly unreliable because Apple writes buggy code that doesn't handle two different security models side by side very well.
So, I have been moving my stuff to Linux and I'm almost done. I will keep macOS + MacPorts as a second system so I can go into failover mode for some services.