[NelsonMinar]

I'm a little surprised they aren't signing their MacOS releases. It's even documented on the download page, "We are not currently able to sign the HandBrake downloads". I wonder if it's a philosophical choice or a legal one? It seems like a failure of Apple's Gatekeeper though: either because such a popular app is not able to be signed, or because it's not signed and yet so many people run it anyway.

[AnthonyMouse]

> I'm a little surprised they aren't signing their MacOS releases.

Do any small developers actually do this? It seems entirely useless from a security prospective. You go through an expensive process so that at the end it can "verify" that the binary was signed by an individual the user has never met who may not even live in the same country and for all anyone knows is perfectly willing to sign ransomware, or who has stolen some arbitrary third party's signing key.

If you don't actually know and trust the party who makes the software then the signature is worse than useless because it makes people think signed=trustworthy when in reality it only means signed=signed. And if you do know and trust the authors you don't need a CA to verify anything more, at great expense, when you can already just download via HTTPS from the domain you trust.

Apple should eliminate practice entirely, and in the meantime no one should use it.

[aianus]

> If you don't actually know and trust the party who makes the software then the signature is worse than useless

Not true. The signature only needs to mean "we've verified the author's ID and he lives in a country that enforces the law". Then if he ships and signs malware, he can be sued and/or charged criminally.

[AnthonyMouse]

> The signature only needs to mean "we've verified the author's ID and he lives in a country that enforces the law". Then if he ships and signs malware, he can be sued and/or charged criminally.

This is what I mean by worse than useless. Promoting reliance on the signature to mean something.

To pick a country, quite a lot of entirely legitimate software comes out of Russia. So does a lot of malware. Does Russia enforce the law? Sure, against people who aren't politically connected. Some of the malware authors are, so you're screwed. You can't just write off a country like that. There is still a baby in that bathwater. And that's not the only country with organized crime or corruption.

As soon as you have many small developers signing things you can't even really exclude by country at all because there are too many soft targets for malware authors to steal keys from. Some college student gets a signing key to sign his calculator app and then gets hacked, and now there is malware signed by John Smith of New Jersey. By the time anyone figures it out the attackers, now equipped with the false sense of security created by the signature, have hacked many other people and captured even more signing keys.

It's like security theater where the criminals pick your pocket while you're distracted watching the show.

[NelsonMinar]

Yes, a lot of developers sign their releases, I'd say it's about 50/50 of the things I use. There are some advantages to signing, but I'm not sure it's enough to outweigh the hassle.

It's hard to talk about Gatekeeper without also talking about the Mac App Store, which as far as I can tell is a fiasco in all ways.

[throwaway4891a]

Apple's codesign ensures end-to-end chain-of-custody integrity with nonrepudiation, tied to a specific, named signer and likely also a credit-card.

GPG signing and releasing fingerprints of all released artifacts on an https://-served release notice would accomplish nearly the same thing, but requires more steps and causes a confusing `“HandBrake” can’t be opened because it is from an unidentified developer.` dialog.

It is a best-practice to both GPG sign all release artifacts and use vendor-specific code-signing / app stores, otherwise conversion will suffer with each additional hoop multiplied by the N of the entire user-base resulting in much more time-wasting.

End-to-end integrity also prevents entire classes of attacks such as hacked CDNs, hacked networks and so on.

[AnthonyMouse]

Universalizing GPG would be an improvement.

The "end-to-end chain-of-custody" is actually the problem, because it does two bad things.

First it encourages people to give it more faith than is due. Having an ironclad guarantee that something is approved by a specific untrustworthy person can do more harm than good when people see the guarantee and not the guarantor.

Second, when the process has barriers (e.g. for poor students or foreign nationals), you get a lot of legitimate software that isn't signed, which means you're harmfully desensitizing users to security warnings. Or locking out legitimate software.

Suppose you replace that with automatic GPG signatures, where the software has to be signed by the author but the author doesn't have to be signed by anybody else. You still have something useful -- you can verify that two pieces of software are from the same author. And that updates are from the same author as the original. And the author can publish their public key to their website, allowing security-conscious users to link the software to the trusted website.

Meanwhile signing becomes only a checkbox with no gatekeeper deciding who can and can't sign, no one is excluded, so everything can be signed there are no spurious security warnings for legitimate software.

[seanalltogether]

There is no expense to have a developer account with Apple to sign releases. You have to pay to distribute on iOS or Mac App store. At this point so much of it is automated by xcode that there are no real extra steps to do simple developer signed release.

[AnthonyMouse]

The expense isn't so much money you pay to Apple, it's the typically multiple hours and hundreds of dollars necessary to get an EV certificate from a CA.

[realityking]

Code signing on macOS does not rely on CA certificates but you have to be a member of the paid Apple Developer program (99$/year)

[throwaway4891a]

I'm not using 1.0.0+ until it's codesigned and/or dmg gpg verifiable with a known-good signature.

Do not install untrusted, unverifiable apps is security 101.

[nradov]

Just download the source code, audit it, and built it yourself.

[jonnytran]

Who has the time to audit the source code of all the code they'd like to run on their computer? If you find them, I'd pay them to audit it for me, build it, and sign it so that I don't have to.