Comment by AnotherGoodName
8 days ago
>You cannot directly download or install High Sierra (the latest supported OS) for reasons I don't remember.
This one’s a doozy because i hit it last month.
The updates are over https. The default certificates are 10year expiry.
I had an elderly relative (who disabled updates because they were scared of the computer changing) really upset everything was broken. Gmail app gave obscure can’t connect messages, almost all websites failed to load. When i went there of course the os wouldn’t update as well. We use https for everything now.
The keychain system is so hidden from users it was hard to even get to for myself. Took a usb key of a set of certificate updates. Harder than you think because when you look in keychain you’re not sure of which certificate is used for which and it’s a pain to find what you need. In the end a transfer from a healthy mac worked enough to get a manually downloaded os update running and from there it was fine.
What a doozy though! If you know of people with old macs that stopped working at the start of this year this is why
How modern computing quietly depends on this constantly-maintained layer of trust infrastructure
Well, to be more specific, "modern internet/web". Most of the applications that ran on a Windows XP computers still run on a Windows XP computer without hiccups, unless they do a lot of network connectivity for the functionality.
And no one can even give a concrete answer why root certificates need expiration dates. It's just because reasons.
IMO the whole PKI thing is a terrible idea to begin with. It would make much more sense to tie the trust in TLS to DNS somehow, since the certificates themselves depend on domains anyway. Then you would only have a single root of trust, and that would be your DNS provider (or the root servers). And nothing will expire ever again.
Root certificates need expiration dates for the same reason that LetsEncrypt certs need an expiration date: risk of cert compromise and forgery increases over time.
Over a long enough timeline, there will be vulns discovered in so much of the software that guards the CA certs in RAM
5 replies →
The instant we bound encrypted connections with identity we failed. And decades later we're still living with the mistake.
I'm completely serious when we need to abandon the ID verification part of certificates. That's an entirely separate problem from encryption protocol. An encryption protocol needs absolutely no expiration date, it's useful until it's broken, and no one can predict that. Identity should be verified in a separate path.
Certificates need expiration dates to be able to garbage collect certificate revocation lists.
1 reply →
Right, because DNS entries never expire.
4 replies →
> The keychain system is so hidden from users it was hard to even get to for myself.
These days, keychain access is under /System/Library/Core Services/Applications/Keychain Access.app. That's not intuitive, but, once you know it's there, it's not hard to navigate to it. Was it different under older versions?
Apple moved it there in macOS Sequoia, from Utilities, because they were worried it would be confused with the Passwords app. Apple reminds you that you're actually looking for the Passwords app at every turn:
https://support.apple.com/guide/keychain-access/what-is-keyc...
command-space... type "keychain access"
command+shift+g
Then
s<tab>/l<tab>/cores<tab>/a<tab>
Simple!
However, while Spotlight works well when you know what you are looking for, it can still be useful to navigate the filesystem, and it's too bad that Apple hides tools in relatively obscure locations rather than somewhere like /Applications/Utilities.
> The updates are over https. The default certificates are 10year expiry.
I wish I knew this last week while trying to restore a 2010 21" iMac.
Apart from this, I encountered another annoyance mid-way; the official download urls for Sierra and High Sierra were nowhere to be found. I somewhat remember being able to download the official dmg/disk image from some official repository, probably some App store public url?
can look for macos downloader scripts in github. I noticed the readme here shares some URLs though I'm not sure if they still work https://github.com/Comp-Labs/Download-macOS
https://github.com/chris1111/Download_Install_macOS could also be another option.
I know I used one of the macos downloaders from github before, I just forget which one though.
Thanks!
If you have High Sierra on USB, it installs just fine. You need a High Sierra machine to make the USB stick, but once you have one, its simple to reinstall.