Hacker News

3) is not a valid protection on macOS once the application is copied away from the signed DMG (which is then discarded).

macOS code signing does not extend to Contents/Resources/ which, unfortunately, is where — without exception — every application on my system stores 'electron.asar'.

    /Applications/VMware Fusion.app/Contents/Library/VMware Fusion Applications Menu.app/Contents/Resources/electron.asar
    /Applications/balenaEtcher.app/Contents/Resources/electron.asar
    /Applications/itch.app/Contents/Resources/electron.asar
    /Applications/lghub.app/Contents/Resources/electron.asar
    /Applications/Boxy SVG.app/Contents/Resources/electron.asar
    /Applications/Slack.app/Contents/Resources/electron.asar
    /Applications/Discord.app/Contents/Resources/electron.asar



This response from elsewhere [1] seems relevant:

> Here's the thing with how Gatekeeper works: that application had already passed Gatekeeper and will never be _fully_ validated ever again.

> If you zipped your modified Slack.app up, uploaded it to Google Drive, and downloaded it again, Gatekeeper would 100% reject that application; the ASAR file is included as part of the application signature. You can prove this by checking the "CodeResources" file in the app's signature.

> You can't redistribute the app without Gatekeeper completely shutting you down.

[1]: https://news.ycombinator.com/item?id=20637738


Hooray! I am glad to be wrong. For others looking to test this,

    $ codesign -dv /Applications/xyz.app
    ...
    Sealed Resources version=2 rules=13 files=122
    ...

For version=2, all resources are signed.
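As an added example, not code from the thread: a POSIX shell check that automates the `codesign -dv` test above and the CodeResources inspection mentioned in the quoted reply. It assumes macOS `codesign` and the standard `Contents/_CodeSignature/CodeResources` location; the parsing helpers themselves run on any system.

```shell
#!/bin/sh
# Added example (not from the thread): does a macOS app bundle's signature
# seal Contents/Resources (and therefore electron.asar)? Assumes `codesign`
# from macOS; the helper functions below run anywhere.

# Extract N from the "Sealed Resources version=N" line of `codesign -dv`
# output (read from stdin). Prints nothing if the app has no sealed resources.
sealed_resources_version() {
    sed -n 's/^Sealed Resources version=\([0-9]*\).*/\1/p' | head -n 1
}

# The thread's rule: only version=2 means all resources are signed; anything
# else (older seal or no seal) is flagged for manual review.
resources_are_sealed() {
    case "$1" in
        2) return 0 ;;
        *) return 1 ;;
    esac
}

# Count CodeResources entries for electron.asar. Keys in the CodeResources
# plist are paths relative to Contents/, e.g. "Resources/electron.asar".
asar_entries_in_coderesources() {
    if [ -r "$1" ]; then
        grep -c '<key>Resources/electron.asar</key>' "$1" || true
    else
        echo 0
    fi
}

# Full check for one .app path; only meaningful on macOS.
check_app() {
    app="$1"
    # codesign -dv writes its report to stderr, hence 2>&1.
    ver=$(codesign -dv "$app" 2>&1 | sealed_resources_version)
    if ! resources_are_sealed "$ver"; then
        echo "$app: sealed resources version '${ver:-none}': review manually"
        return 1
    fi
    # --deep --strict re-verifies every sealed file against the seal, i.e. the
    # full validation the quoted reply says Gatekeeper only does once.
    if ! codesign --verify --deep --strict "$app" 2>/dev/null; then
        echo "$app: signature or sealed resources do NOT match (tampered?)"
        return 1
    fi
    n=$(asar_entries_in_coderesources "$app/Contents/_CodeSignature/CodeResources")
    echo "$app: sealed v$ver, signature valid, electron.asar entries in CodeResources: $n"
}

# Usage on macOS: check_app "/Applications/Slack.app"
```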
