by fauigerzigerk 2677 days ago
I know. I've done that many times. But what the WireGuard guys are saying sounds like it's something very different:

"Because it uses these deep integration APIs, we're only allowed to distribute the application using the macOS App Store (whose rejections, appeals, and eventual acceptance made for quite the stressful saga over the last week and a half)"

1 comments

That's quite interesting - it's the first I've seen of a real world app being limited in this way and it is worrisome. I suspect if you disabled System Integrity Protection it would work, but not sure.

On iOS there have always been APIs like this - they only work via Apple approval and not dev or enterprise signatures.

I'm an iOS/Mac dev that's released a VPN app on both app stores.

The limiting factor is that the "Network Extension" framework is the way these apps work as VPNs, and currently Mac App Store distribution is the only supported method if you're using that framework (see #8) [1].

[1] https://forums.developer.apple.com/thread/67613

Macs are still macs. You can turn off SIP, disable AMFI & entitlement checks, then grant your app whatever entitlements you want and they won’t be verified.

I really really don’t recommend doing that; you’re giving up a lot of security.

A much easier alternative is to have a dev account, then you can just enable the entitlements in your provisioning profile for your dev devices (or personal devices). Most entitlements don’t require any approval for a dev profile.

Sure--I've no doubt there's some ugly workaround process to get around it, but I felt compelled to offer more information because it is usually the case that any Mac App Store app can be distributed outside the App Store relatively easily, except those that use the Network Extension framework.

I wanted to be sure the dev here is backed up that he's not making this up--this is Apple's restriction and not his.

> A much easier alternative is to have a dev account, then you can just enable the entitlements in your provisioning profile for your dev devices (or personal devices). Most entitlements don’t require any approval for a dev profile.

Yes, this is how we test on our own Macs before publishing to the app store. Although iirc those signatures have expiration timestamps, so you'll be re-signing and redistributing on some tedious interval (something like 30-90 days).