by floatingatoll
2512 days ago
3) is not a valid protection on macOS once the application is copied away from the signed DMG (which is then discarded). macOS code signing does not extend to Contents/Resources/ which, unfortunately, is where — without exception — every application on my system stores 'electron.asar'.
/Applications/VMware Fusion.app/Contents/Library/VMware Fusion Applications Menu.app/Contents/Resources/electron.asar
/Applications/balenaEtcher.app/Contents/Resources/electron.asar
/Applications/itch.app/Contents/Resources/electron.asar
/Applications/lghub.app/Contents/Resources/electron.asar
/Applications/Boxy SVG.app/Contents/Resources/electron.asar
/Applications/Slack.app/Contents/Resources/electron.asar
/Applications/Discord.app/Contents/Resources/electron.asar
> Here's the thing with how Gatekeeper works: that application had already passed Gatekeeper and will never be _fully_ validated ever again.
> If you zipped your modified Slack.app up, uploaded it to Google Drive, and downloaded it again, Gatekeeper would 100% reject that application; the ASAR file is included as part of the application signature. You can prove this by checking the "CodeResources" file in the app's signature.
> You can't re-distribute the app without Gatekeeper completely shutting you down.
[1]: https://news.ycombinator.com/item?id=20637738
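
As an added example (not from the thread and not Apple's own tooling), this Python script recomputes the SHA-256 of each file listed under `files2` in a bundle's `Contents/_CodeSignature/CodeResources` and compares it with the sealed `hash2` value, which is one way to detect on demand that `Resources/electron.asar` was changed after installation. The `Demo.app` bundle and its contents are constructed for the example, and the script does not validate the signature that covers `CodeResources` itself.

```python
import hashlib
import plistlib
import tempfile
from pathlib import Path


def check_sealed_resources(app: Path) -> dict:
    """Compare files under Contents/ with the hashes sealed in CodeResources."""
    contents = app / "Contents"
    with open(contents / "_CodeSignature" / "CodeResources", "rb") as f:
        sealed = plistlib.load(f).get("files2", {})
    report = {}
    for rel, entry in sealed.items():  # keys are paths relative to Contents/
        # Nested code and symlink entries carry no hash2; only plain files are checked.
        if not isinstance(entry, dict) or "hash2" not in entry:
            continue
        target = contents / rel
        if not target.is_file():
            report[rel] = "missing"
            continue
        digest = hashlib.sha256(target.read_bytes()).digest()
        report[rel] = "ok" if digest == entry["hash2"] else "modified"
    return report


def build_demo_bundle(root: Path) -> Path:
    """Constructed stand-in for an Electron app; not a real signed bundle."""
    app = root / "Demo.app"
    res = app / "Contents" / "Resources"
    res.mkdir(parents=True)
    payload = b"constructed asar payload"
    (res / "electron.asar").write_bytes(payload)
    sig = app / "Contents" / "_CodeSignature"
    sig.mkdir()
    seal = {"files2": {"Resources/electron.asar": {"hash2": hashlib.sha256(payload).digest()}}}
    with open(sig / "CodeResources", "wb") as f:
        plistlib.dump(seal, f)
    return app


def demo() -> tuple:
    """Check the constructed bundle before and after its asar file is overwritten."""
    with tempfile.TemporaryDirectory() as tmp:
        app = build_demo_bundle(Path(tmp))
        before = check_sealed_resources(app)
        (app / "Contents" / "Resources" / "electron.asar").write_bytes(b"changed")
        after = check_sealed_resources(app)
    return before, after
```

On a real Mac, `codesign --verify --deep --strict <path to .app>` performs the full check, including the signature over `CodeResources`.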