Email or username:

Password:

Forgot your password?
past oral no mad's posts Post Back to profile
Top-level
Zimmie

@ieure @chris @porglezomp I think it’s a pretty reasonable default to keep most users safe. It’s also super easy to disable the check:

bikeshed.party/objects/e9f4384

7 August at 20:49 | Wall-to-wall | Open on infosec.exchange
9 comments
Rich Felker

@bob_zim @ieure @chris @porglezomp Disallowing exec and telling you why is a reasonable default.

Lying that it's damaged to trick you into not trying to find a workaround to execute it is vile and user hostile.

7 August at 21:04 | Open on hachyderm.io
past oral no mad
Brendan B.

@dalias @bob_zim @ieure @chris @porglezomp pretty much any browser will throw up a warning if you make an HTTPS connection to a website with a self signed cert too.

7 August at 21:47 | Open on mastodon.social
past oral no mad
Brendan B.
past oral no mad replied to Brendan

@distinct @dalias @bob_zim @chris @porglezomp It's not the same, though: the browser explicitly tells you exactly what the problem is, and offers options for you to choose what to do (proceed or not).

macOS does not do this.

7 August at 21:52 | Open on retro.social
Chris Alemany🇺🇦🇨🇦🇪🇸 replied to past oral no mad

@ieure @distinct @dalias @bob_zim @porglezomp
Sorry, you lost me. There is a pretty clear explanation why this is happening. I am not going to get hung up on the word “Damaged” vs. Something else. It’s not a secret, including the workaround, all someone who really doesn’t want to sign their application has to do is inform their users of the workaround. As others have said, application signing is a pretty reasonable default behaviour to protect the millions of general users.

7 August at 22:02 | Open on mstdn.chrisalemany.ca
Rich Felker

@distinct @bob_zim @ieure @chris @porglezomp The browser doesn't lie and say the DNS lookup failed or the host is unreachable. It says the certificate is untrusted and asks you how to proceed.

7 August at 22:04 | Open on hachyderm.io
Zimmie

@dalias @ieure @chris @porglezomp I’m not sure I’d call the message a lie. An app bundle isn’t just a loose binary (this message doesn’t come up for loose binaries), and a signature has been an expected item in the bundle for over a decade. A bundle which is missing expected resources *is* damaged, just as much as if the bundle were missing the Info.plist or some framework it uses.

It should definitely provide a way to find out exactly what about the app bundle is weird. NSError even provides several fields like localizedFailureReason which could easily be used for this.

@dalias @ieure @chris @porglezomp I’m not sure I’d call the message a lie. An app bundle isn’t just a loose binary (this message doesn’t come up for loose binaries), and a signature has been an expected item in the bundle for over a decade. A bundle which is missing expected resources *is* damaged, just as much as if the bundle were missing the Info.plist or some framework it uses.

7 August at 22:29 | Open on infosec.exchange
Go Up