← Back to context

Comment by strogonoff

4 years ago

Phoning home in this case is done to check whether an app’s signed with a valid certificate. Not checking that opens user’s machine to attacks where malware successfully pretends to be an authentic trusted app, likely gaining access privileges (Keychain, etc.) granted to that app by the user previously.

Linux distros can arguably get away without these checks since their users are typically more aware of what they are launching, but importantly also because they are not as big a target due to smaller user bases.

Don't Linux distros accomplish these checks with GPG key signing, which don't need to phone home?

  • Does it ensure the executable you downloaded and granted access to is still the same and was not modified afterwards?

    Another reason is that if a cert (or a cert in the chain) is known to be compromised it can be revoked—would the mechanism used on Linux give some equivalent of that, or one has to be rely on bug trackers or apply updates to ensure trusted signatures are up-to-date?

  • The binary you get from your upstream repositories are signed but they aren't verified after that. On macOS if you download vagrant and grant it the ability to read your project directory I can't overwrite or modify your binary without it tripping the system and losing those privileges.