Wednesday, October 8, 2014

Gatekeeper’s CDHash Whitelist

Daniel Jalkut has solved the “accepted cdhash” mystery with Mac OS X 10.9.5’s Gatekeeper:

My suspicion is that in the run-up to the major changes Apple has made to Gatekeeper, they painstakingly accumulated a list of 36215 “trusted” hashes and deposited them on everybody’s Mac so that the effect of 10.9.5’s stricter code signing checks would be mitigated.

[…]

This whitelist offers a significant amount of explanation as to why some apps are allowed to launch without issue on 10.9.5 and 10.10.

Edward Marczak:

10.9.4 ran an agent that uploaded these to Apple. That’s where they get the mass hash list from.

Daniel Jalkut:

Everybody has to start signing with the modern code-signing infrastructure. In the interim, there’s a good chance your app has been whitelisted to operate as usual during the transition, but that courtesy will probably not extend to your next release.

Really poor communication from Apple here, but probably the right technical solution.
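A quick way to see which hash the whitelist would have to contain for a given app, and what Gatekeeper currently decides about it, is to read the `CDHash=` line that `codesign -dvvv` prints and then ask `spctl` for an assessment. This is an added example, not code from the post or from Apple; `codesign` and `spctl` are the real macOS tools, the parsing helpers and the sample `codesign` output (including its hash value) are constructed here, and the `bundle_cdhash`/`assess_bundle` wrappers only do anything on a Mac.

```shell
#!/bin/sh
# Added example (not from the original post): pull the CDHash that
# codesign reports for a bundle, so you can see which hash Gatekeeper's
# whitelist would have to contain for the app to be accepted as-is.

# Extract the CDHash value from `codesign -dvvv` style output on stdin.
# The "CDHash=" line is real codesign output; prints nothing if absent.
extract_cdhash() {
    sed -n 's/^CDHash=\([0-9a-f]*\)$/\1/p' | head -n 1
}

# Run codesign on a bundle (macOS only) and print its CDHash, or print
# nothing if the bundle is unsigned; fails if codesign is unavailable.
bundle_cdhash() {
    command -v codesign >/dev/null 2>&1 || return 1
    codesign -dvvv "$1" 2>&1 | extract_cdhash
}

# Ask Gatekeeper directly whether it would allow the bundle to execute;
# on 10.9.5 an older signature may pass only because its cdhash is on
# the shipped whitelist, so this is the decision that actually matters.
assess_bundle() {
    command -v spctl >/dev/null 2>&1 || return 1
    spctl --assess --verbose=4 --type execute "$1"
}

# Constructed sample of codesign -dvvv output; the hash value is made up.
SAMPLE_CODESIGN_OUTPUT='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.Example
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=1234 flags=0x0(none) hashes=30+3 location=embedded
Hash type=sha1 size=20
CDHash=0123456789abcdef0123456789abcdef01234567
Signature size=8534
Authority=Developer ID Application: Example Corp'

# Parse the constructed sample instead of a real bundle, so the helper
# can be exercised on any system.
sample_cdhash() {
    printf '%s\n' "$SAMPLE_CODESIGN_OUTPUT" | extract_cdhash
}
```

On a Mac, `bundle_cdhash /Applications/SomeApp.app` followed by `assess_bundle /Applications/SomeApp.app` shows the hash and Gatekeeper's verdict side by side; a rejection after re-signing with the modern infrastructure means the new build no longer benefits from the transitional whitelist and must satisfy the stricter checks on its own.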
