Hacker News new | ask | show | jobs
by comex 2129 days ago
That's not correct. To quote Apple:

> New in macOS 11 on Apple silicon Mac computers, and starting in the next macOS Big Sur 11 beta, the operating system will enforce that any executable must be signed with a valid signature before it’s allowed to run. There isn’t a specific identity requirement for this signature: a simple ad-hoc signature issued locally is sufficient, which includes signatures which are now generated automatically by the linker.

An "ad-hoc signature" is Apple jargon for a code signature without a certificate (so really just a set of hashes, no actual public-key signature); I called it self-signed since it's a more familiar term. By "there isn't a specific identity requirement" they mean it's not required to be Apple-signed.

Of course, macOS on Apple silicon will still require an Apple signature by default like it does on Intel, but you'll be able to disable that like you can on Intel.
1 comments
supermatt 2129 days ago
And, as a user, what is the mechanism for ad-hoc signing an unsigned binary on silicon? :)

You can’t distribute ad-hoc signed binaries. You can’t disable/bypass the gatekeeper on silicon.

If you have access to a transition kit you can see this for yourself.

link
comex 2129 days ago
> And, as a user, what is the mechanism for ad-hoc signing an unsigned binary on silicon? :)

`codesign -s - my_binary`, though that would rarely be necessary unless you patched it in a hex editor or something, since otherwise it would have been automatically ad-hoc signed when it was linked.

> You can’t distribute ad-hoc signed binaries.

They have the same distribution restrictions on Apple silicon as on Intel. You can, but it requires the person running the binary to either (a) run it in a terminal, (b) right-click Open, or (c) use spctl --master-disable to disable Gatekeeper entirely.

link
supermatt 2129 days ago
Good luck expecting a user to do that! As I already said, you cant distribute an ad-hoc app, so this is exactly what they would have to do - hence my smiley face!

You CANNOT bypass gatekeeper on silicon - that is the whole point - otherwise there is no difference to the current behaviour.

link
comex 2129 days ago
> You CANNOT bypass gatekeeper on silicon - that is the whole point, otherwise there would be no diffference!

Yes, you can. The only difference between Intel and Apple silicon in this regard is that binaries that literally have no code signature (as opposed to a self-signed one) will not run. It's a technical cleanup measure that removes a special case (executable with no associated signature blob), not a lockdown measure. It's not intended to make a difference from the user's point of view.

link
supermatt 2129 days ago
So its just the format of the executable that has changed? This certainly isn't what was discussed the other day - and seemingly confirmed by a user with a transition kit... :/

I see why you mentioned ELF, now.

Ill descend from my soapbox on that matter, then. Thank you for correcting me. :D

link