by fatratchet
2051 days ago
>This is what everyone misunderstands. The Developer ID code signing program is not analogous to web certs. The usage of these certs is entirely different. If a web cert gets revoked a browser won't accept it when making a connection to a domain/server anymore even if they previously did (unless you make it). If an app signing cert gets revoked the OS won't run a binary signed with it anymore even if it previously did (unless you make it). Sounds similar enough to me, minus expiry handling. Revocation is indeed extremely destructive and should only be used by Apple on their own accord against malware, but I don't see why a dev themselves shouldn't be able to revoke their own cert without having to go back and forth with the Apple security/support team to try to convince them that the issue is severe enough. The main and basically almost only reason where I see developer side revocation being used is if their keys or account have been (possibly) compromised and therefore there's a chance of it being used for malware. Time can be of big importance in a situation like that too. As a user I absolutely want Apple to revoke certs when requested by the dev themselves without triple verifying if they are really totally actually absolutely sure. I consider the upsides of that to outweigh the downsides. A binary from a dev that has been installed for a long time will be less likely to be malware, but not enough to be exempt from that. Users that dislike OCSP can disable it fully on their side if they want or locally sign anything specific they do trust. Devs didn't ask for it but having developer IDs and application signing seems like a pretty sensible thing to me in an end user OS used by the average consumer.
The difference is that you can just get a new web cert, install it on the server, and you're good to go for https. On the other hand, getting a new Developer ID cert doesn't help at all to make the app start running again. You can sign new versions of the app with the new cert, but the installed versions of the app signed with the revoked cert are still dead as a doornail, which is no good at all for your existing user base.
> The main and basically almost only reason where I see developer side revocation be used is if their keys or account have been (possibly) compromised and therefore there's a chance of it being used for malware.
It's not clear that this ever happens. I discussed the case of Panic in the blog post. Their private key was possibly compromised, but Apple did not revoke their cert! The old cert is still valid, and so are the old versions of their apps. Apple apparently has a more limited way of disabling apps, based on the secure timestamp of the code signature.
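The two posts above turn on what an installed binary's signature actually carries: the Developer ID leaf certificate (and its Team ID) and the secure timestamp that Apple can key a more limited disable on. The script below is an added example, not code from either commenter; it pulls those fields out of `codesign -dvv`-style output so an admin can see, per installed app, which Developer ID signed it and when. The sample output embedded in `SAMPLE` is constructed for illustration (the real `codesign` tool writes its details to stderr, which is why `inspect_app` redirects `2>&1`); `Example Corp` and the Team ID `ABCDE12345` are made-up placeholders.

```shell
#!/bin/sh
# Added example: extract the Developer ID leaf, Team ID and secure timestamp
# from codesign output. Constructed sample output, not captured from a real app.

SAMPLE='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Signature size=9000
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=3 Jan 2019 at 10:15:00
TeamIdentifier=ABCDE12345
Runtime Version=10.14.0
Sealed Resources version=2 rules=13 files=42'

# field NAME: print the value of the first "NAME=value" line on stdin
# (for Authority= that is the leaf certificate, listed before the CA chain)
field() { sed -n "s/^$1=//p" | head -n 1; }

leaf_authority() { printf '%s\n' "$1" | field Authority; }
team_id()        { printf '%s\n' "$1" | field TeamIdentifier; }
timestamp()      { printf '%s\n' "$1" | field Timestamp; }

# signed_by_team OUTPUT EXPECTED_TEAM_ID: succeed only when the Team ID in the
# signature matches the one the admin expects for that app
signed_by_team() {
    [ -n "$2" ] && [ "$(team_id "$1")" = "$2" ]
}

# inspect_app /path/To/App.app: run the real tools on macOS. codesign writes its
# report to stderr; spctl reports the Gatekeeper verdict (accepted/rejected),
# which is what flips when a Developer ID cert is revoked.
inspect_app() {
    out=$(codesign -dvv "$1" 2>&1)
    printf 'leaf:      %s\n' "$(leaf_authority "$out")"
    printf 'team id:   %s\n' "$(team_id "$out")"
    printf 'timestamp: %s\n' "$(timestamp "$out")"
    spctl --assess --type execute -v "$1" 2>&1
}

# Stand-alone demo on the constructed sample:
printf 'leaf:      %s\n' "$(leaf_authority "$SAMPLE")"
printf 'team id:   %s\n' "$(team_id "$SAMPLE")"
printf 'timestamp: %s\n' "$(timestamp "$SAMPLE")"
```

On a Mac, `inspect_app /Applications/SomeApp.app` prints the same three fields for a real bundle followed by the Gatekeeper verdict; a revoked Developer ID shows up as a `rejected` assessment even though the timestamp and Team ID are unchanged, which is the "still dead" state the reply describes.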