by kalleboo 3579 days ago
So what happened with the codesigning? That's pretty much the only viable line of defense for the average user (nobody is going to be verifying SHA signatures, or the site is going to be compromised along with the download)

Was the malware version also signed with an official Apple Developer ID? The same ID? Is a change of ID verified with the auto-updater?

If there was a malicious Developer ID, has it been revoked by Apple?


According to this article [1], the compromised app was indeed signed – but with a different Developer ID than usual.

Anyone with a credit card can sign up for Apple's developer program and start signing apps.

[1] http://www.welivesecurity.com/2016/08/30/osxkeydnap-spreads-...

> According to this article [1], the compromised app was indeed signed – but with a different Developer ID than usual.

That's the terrible part about all of this. Having signed applications without any verification of the signer is pointless.

A simplistic, yet more secure, approach would be to have domain-validated keys that could be used to sign applications. Browsers could then verify that the application downloaded from example.com was signed with a key for example.com. I think OSX already stores "This was downloaded from the scary internets!" in a separate resource fork, so this info could go there as well. Maybe even cut out the middle man and put them in DNS SRV records so you don't even need a central CA. If DNS gets compromised, the clients have bigger problems already.

Unfortunately, like all things like this, it'd be forever before it's widespread enough to be useful.

It's not completely pointless, as it allows Apple to (silently and quickly) release updates which distrust that Developer ID; however, a stronger protection would be to pin apps to a particular Developer ID.
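The check the two comments above are asking for (the ESET write-up says the compromised build was signed with a different Developer ID than usual, and the reply proposes pinning to a particular Developer ID) can be expressed with the tooling macOS already ships. The script below is an added example for this thread; it is not code from Transmission, Apple, or anyone in the discussion. It reads the `KEY=value` lines that `codesign -dv --verbose=4` prints on stderr, pulls out `TeamIdentifier=`, and compares it to a pinned value, so an updater or an admin script can refuse a validly signed bundle whose signer is not the one the app was installed from. The Team IDs `EXAMPLE123` and `OTHER45678`, the bundle `com.example.app`, and the two embedded codesign outputs are constructed placeholders; the last two functions need a real `.app` and only run on macOS.

```shell
#!/bin/sh
# Added example: pin an app to one Developer ID Team ID and reject an update
# that is validly signed but by a *different* Developer ID.
# EXAMPLE123 / OTHER45678 / com.example.app are placeholders, not real IDs.

# Team ID recorded from a known-good install (hypothetical value).
PINNED_TEAM_ID="EXAMPLE123"

# Read `codesign -dv --verbose=4` output on stdin, print the TeamIdentifier.
team_id_of() {
  sed -n 's/^TeamIdentifier=//p' | head -n 1
}

# Read codesign output on stdin; succeed only if the signer's Team ID equals $1.
# Unsigned/ad-hoc code prints "TeamIdentifier=not set" and is rejected too.
check_pinned_team() {
  pinned="$1"
  got="$(team_id_of)"
  if [ -z "$got" ] || [ "$got" = "not set" ]; then
    echo "REJECT: no Team ID in signature (unsigned or ad-hoc)" >&2
    return 1
  fi
  if [ "$got" != "$pinned" ]; then
    echo "REJECT: Team ID mismatch, expected $pinned but got $got" >&2
    return 1
  fi
  return 0
}

# Constructed sample: the known-good build. Line shape follows codesign's
# KEY=value output; certificate names and IDs are invented.
GOOD_SIG='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Format=app bundle with Mach-O thin (x86_64)
Authority=Developer ID Application: Example Corp (EXAMPLE123)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=EXAMPLE123'

# Constructed sample: same bundle identifier, chain still anchors at Apple,
# but signed by a different Developer ID (what a bare Gatekeeper check passes).
ROGUE_SIG='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Format=app bundle with Mach-O thin (x86_64)
Authority=Developer ID Application: Someone Else (OTHER45678)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=OTHER45678'

# Offline demonstration on the constructed samples.
printf '%s\n' "$GOOD_SIG"  | check_pinned_team "$PINNED_TEAM_ID" && echo "good build: accepted"
printf '%s\n' "$ROGUE_SIG" | check_pinned_team "$PINNED_TEAM_ID" || echo "rogue build: rejected"

# Live use on macOS: codesign writes the KEY=value lines to stderr.
check_app() {
  app="$1"; pinned="$2"
  codesign -dv --verbose=4 "$app" 2>&1 | check_pinned_team "$pinned"
}

# Same policy in codesign's requirement language (macOS only): a leading '='
# means the requirement text is given inline rather than read from a file.
# subject.OU of the leaf certificate is the Team ID for Developer ID certs.
require_team() {
  app="$1"; pinned="$2"
  codesign --verify --deep --strict \
    -R "=anchor apple generic and certificate leaf[subject.OU] = \"$pinned\"" "$app"
}
```

`check_app` is the form an updater would call before swapping in a downloaded bundle; `require_team` pushes the same pin into `codesign` itself, which also re-verifies the signature rather than trusting the `-dv` dump. Both only help if the pinned Team ID was captured from a copy obtained before the distribution point was compromised.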
So Apple/the bank/a warrant can return his name?
The credit card was most likely stolen. You can buy them in bulk from some websites.
US cards used to go for around $2.50 a pop several years back. Way cheaper in bulk. Not sure about now though.
Interesting question. According to https://developer.apple.com/support/certificates/:

>> If your membership expires, users can still download, install, and run your Developer ID–signed applications. However, once your Developer ID certificate expires, you must be an Apple Developer Program member to get new Developer ID certificates to sign updates and new applications.

What I understand is that codesigning costs $99 a year, which open-source projects may want to skip, but this harms their credibility if their downloads are compromised.

I really thought Apple had added a free option (maybe even specifically for open source projects?), but I can't find it anywhere. Can anyone else find that info, or am I misremembering?
I believe you are misremembering the details. There is a free account option, but code signing isn't available.

https://developer.apple.com/support/compare-memberships/

What's not clear to me, however, is if the educational option allows for free developer-level memberships.

Thank you! I'd confused it with recent changes to the iOS program allowing people to self-sign so they can test on their own iOS devices.

It looks like Educational memberships are Sign-In With Apple ID only, which doesn't provide a Developer ID (which is required for code signing, as far as I can tell).

I wonder if the checksum was changed on the website too.