1. 18
  1.  

  2. 2

    If a user inadvertently visited homebrew.sh, after various redirects an update for “Adobe Flash Player” would be aggressively recommended

    Heh. This must be a very effective way of convincing people to install your payload. I think I remember seeing this as early as the mid 2000s. And to think it’s still used!

    1. 2

      The notarization service isn’t about approving content - that’s an App Store thing. Notarization is the response to people not wanting a developer id and signing cert (there are sensible reasons this isn’t possible), while providing a central mechanism for revocation. Presumably it’s better than XProtect?

      1. 5

        According to Apple it is about approving content:

        Notarization gives users more confidence that the Developer ID-signed software you distribute has been checked by Apple for malicious components.

        https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution

        1. 2

          Are you sure that’s how it works? AFAIK you need an Apple Developer ID to be able to “notarize” apps and the steps to perform are completely insane. I gave up on signing my little Go binary for macOS.

          1. 1

            I guess [edit]? It sounds like my understanding of notarization is wrong, in which case what distinguishes it from old signing?