[GeekyBear]

> They send a hash

My understanding is that they keep a local file with known malware signatures, just like the malware scanners on every other platform.

> macOS includes built-in antivirus technology called XProtect for the signature-based detection and removal of malware. The system uses YARA signatures, a tool used to conduct signature-based detection of malware, which Apple updates regularly

https://support.apple.com/guide/security/protecting-against-...

[Joeri]

Xprotect is a blacklist that runs locally and is rarely used.

The phone home functionality is notarization, where apple does a network call to check that the signature on an executable actually came from apple’s notarization process. It is in essence a reputation system, where developers must be on good terms with apple to have the ability to notarize and get a smooth install experience.

[Twisell]

Are you sure about your point?

From what I had in mind, notarization is only done developer side before publishing. Client side it's just a check against Apple certificates to verify that the binary haven't been tampered since notarization, no phoning home should be involved. (Or maybe just to update Apple certificates).

[Joeri]

According to this article macOS does do a network request to check the notarization ticket:

https://eclecticlight.co/2023/03/09/how-does-ventura-check-a...

They also check the developer certificate in the OCSP stage.

Both of these are mechanisms where apple can effectively lock out developers from having a smooth install experience for their software at their discretion.

[nudgeee]

Isn’t this how certificate revocation flows work?