Hacker News
by deviantintegral 1043 days ago
It looks like Apple has revoked the developer certificate. Anyone know if there's a public log somewhere showing when it was revoked?

The app was blocked from loading, but I still saw the two dylibs running. I wondered if it was because the certificate was revoked after they had already started. However, logging out and back in still showed them running. Perhaps they're persisting through log outs?

As well, I got a prompt from the macOS firewall to allow the mentioned AutoUpdate binary to listen for connections. That makes me think all of this was deployed in the last few days.

Edit: A reboot gave me the `“NightOwl” will damage your computer. You should move it to the Trash.` dialog. Allowing that did not fully clean things up (leaving a non-functional `/Users/*/Library/LaunchAgents/NightOwlUpdater.plist` in place and the usual preference files). For me, Hazel cleans those up.

I think the approach for non-technical users who may not be familiar with the terminal would be to direct them to reboot.
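As an added example, not part of the thread and not NightOwl's own code: a small Python triage helper for a LaunchAgent plist like the `NightOwlUpdater.plist` mentioned above. It reports the job label, the program it launches, which keys make it persist, whether the program binary is still on disk, and the `launchctl bootout` and `codesign --verify` commands you would run to unload and check it. The sample plist, its label `com.example.NightOwlUpdater` and the program path are constructed assumptions, not the real file.

```python
"""Triage a macOS LaunchAgent plist: what it runs, how it persists, how to unload it."""
import os
import plistlib

# Constructed sample plist. The label, program path and keys are assumptions
# for illustration, not the contents of the real NightOwlUpdater.plist.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.NightOwlUpdater</string>
  <key>ProgramArguments</key>
  <array><string>/Users/example/Library/Application Support/NightOwl/AutoUpdate</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict>
</plist>
"""

# launchd keys that cause a job to start or be restarted without user action.
PERSISTENCE_KEYS = ("RunAtLoad", "KeepAlive", "StartInterval", "StartCalendarInterval", "WatchPaths")


def triage_launch_agent(plist_bytes, uid=501):
    """Parse a LaunchAgent plist and return the facts an incident responder wants.

    uid is the numeric user id of the login session the agent belongs to
    (501 is the usual first macOS user); it is only used to build the
    launchctl command, which targets the per-user 'gui' domain.
    """
    d = plistlib.loads(plist_bytes)
    label = d.get("Label")
    # A job may use 'Program' or the first element of 'ProgramArguments'.
    program = d.get("Program") or (d.get("ProgramArguments") or [None])[0]
    persistence = [k for k in PERSISTENCE_KEYS if k in d]
    return {
        "label": label,
        "program": program,
        # A plist whose binary is gone is the 'non-functional' leftover described above.
        "program_present": bool(program) and os.path.exists(program),
        "persistence_keys": persistence,
        # Unload the job from the user's GUI launchd domain (macOS 10.11+ syntax).
        "unload_cmd": f"launchctl bootout gui/{uid}/{label}" if label else None,
        # Verify the binary's signature; a revoked Developer ID cert fails here.
        "verify_cmd": f'codesign --verify --verbose=2 "{program}"' if program else None,
    }


def triage_launch_agent_file(path, uid=501):
    """Same as triage_launch_agent, but reads the plist from disk."""
    with open(path, "rb") as fh:
        return triage_launch_agent(fh.read(), uid=uid)


if __name__ == "__main__":
    # Typical use: triage_launch_agent_file(os.path.expanduser("~/Library/LaunchAgents/NightOwlUpdater.plist"))
    for key, value in triage_launch_agent(SAMPLE_PLIST).items():
        print(f"{key}: {value}")
```

After `launchctl bootout` the plist can be deleted; `RunAtLoad` plus `KeepAlive` is the combination that brings a job back every login and after every exit, which is why a leftover plist is worth removing even when its binary is already gone.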


> It looks like Apple has revoked the developer certificate. Anyone know if there's a public log somewhere showing when it was revoked?

No, Developer ID doesn't use a Certificate Revocation List:

https://lapcatsoftware.com/articles/revocation.html

Given https://eclecticlight.co/2023/08/08/apple-has-just-released-... it does look like it was revoked in response to the original article, and not the other way around.

> Given https://eclecticlight.co/2023/08/08/apple-has-just-released-...

XProtect is separate from Developer ID certificate revocation. In many cases, malware is not even code signed, so certificate revocation would do nothing.

> it does look like it was revoked in response to the original article, and not the other way around.

I'm not sure what you mean?

I was trying to figure out how long I had possibly been running the infected code. I was certainly in a state today where binaries were running with revoked signatures. What I couldn’t tell is if this state was only for a few minutes or hours, or if it was days or weeks.

If Apple only revoked the dev certificate (and possibly XProtect) today, that would make sense. But if it was revoked a ways back, then it would be concerning that it would require a reboot (with no prompting) for a regular user to fully kill the running background processes.

Actually, thinking about this further, if Apple had revoked the certificates before today, others would probably have noticed it and investigated given the “Move to trash” dialog and the strong assertion of “this is malware” in it.