30 votes

Apple is currently having widespread server issues due to the macOS Big Sur update, which is also preventing users on Catalina from being able to open apps

10 comments

  1. [9]
    Deimos

    This is likely to bring far more attention to the fact that Apple is sending a request to their servers whenever you launch any unsigned program on a Mac, even a shell script.

    I see a ton of people on social media, chat (Slack, etc.) and other places that thought something was wrong with their Mac today because Apple's server issues effectively made their computer useless.

    29 votes
    1. [8]
      BlindCarpenter
      That is interesting, I've had trouble launching 3rd party apps with the wifi off and this explains it. Is there a way to disable it?

      6 votes
      1. [3]
        Deimos
        (edited)

        If you're having issues with the wifi already totally off, I'm not sure. My impression was that completely turning internet off would skip the check, and this was mostly an issue if the connection was unreliable/slow (with something like airplane wifi, or if, you know, Apple's server is failing).

        Some things you could try anyway:

        As the linked article mentions, one possibility is to disable it by using Little Snitch and preventing connections from syspolicyd or to the relevant domain. You can also edit your /etc/hosts file to block the domain, as this HN comment describes (quoting the relevant part here and fixing its typo, use something other than emacs if you prefer):

        sudo emacs /etc/hosts # add `0.0.0.0 ocsp.apple.com` 
        sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder # refresh hosts
        

        Or if you use a Pi-hole or some other type of DNS blocker that you can update easily, you can block ocsp.apple.com and that should disable it too.

        6 votes
        1. Shahriar
          > Or if you use a Pi-hole or some other type of DNS blocker that you can update easily, you can block ocsp.apple.com and that should disable it too.

          It's important to have this domain unblocked after Apple addresses the issue. OCSP is used to validate certificates and their thumbprints in case they've been revoked before the certificate reaches the expiration date. It can be revoked for any reasons, such as the private key of the certificate being compromised.

          7 votes
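          Putting the two replies above together (the /etc/hosts block, and the need to lift it again once Apple's servers recover), here is an added example that is not from the thread: POSIX shell helpers that add, detect and remove the null-route entry idempotently. Each helper takes a file path and a domain so it can be tried on a scratch copy first; the file path, the `tmp` scratch file and the comment text appended to the hosts line are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): idempotent helpers for the /etc/hosts
# recipe quoted above. Each takes FILE DOMAIN, so they can be exercised on a
# scratch copy before touching /etc/hosts (which needs sudo). Run flush_dns
# afterwards on macOS.

# Exit 0 if FILE has an active (uncommented) line null-routing DOMAIN.
is_blocked() {
    sed 's/#.*//' "$1" | awk -v d="$2" '
        ($1 == "0.0.0.0" || $1 == "127.0.0.1") {
            for (i = 2; i <= NF; i++) if ($i == d) found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# Append the block once; a second call is a no-op.
block_domain() {
    if is_blocked "$1" "$2"; then return 0; fi
    printf '0.0.0.0 %s # temporary: skips Gatekeeper OCSP lookup, remove later\n' \
        "$2" >> "$1"
}

# Remove only lines whose sole content is the null route for DOMAIN
# ("0.0.0.0 DOMAIN" plus optional comment); other hosts sharing a line are kept.
unblock_domain() {
    tmp=$(mktemp) || return 1
    awk -v d="$2" '
        { line = $0; sub(/#.*/, "", line); n = split(line, f, " ")
          if (n == 2 && (f[1] == "0.0.0.0" || f[1] == "127.0.0.1") && f[2] == d) next
          print }' "$1" > "$tmp" && cat "$tmp" > "$1"   # cat keeps ownership/mode
    rm -f "$tmp"
}

# macOS DNS cache refresh, the same commands as the quoted HN recipe.
flush_dns() {
    sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder
}
```

          Once the outage is over, `unblock_domain /etc/hosts ocsp.apple.com` followed by `flush_dns` restores the revocation check.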
        2. BlindCarpenter
          Have you ever used the lockdown app? I am wondering if I can type the domain in there and block it. I wouldn't know how to verify it though

      2. [4]
        teaearlgraycold
        I can’t imagine that’s how it works. Enough people work offline often enough that this would be a major issue.

        3 votes
        1. [3]
          tindall

          I'm going to test this right now.

          UPDATE: Yes, on Mac OS Catalina on my work MBP, I was unable to open a newly downloaded gedit 2.3.6 (unsigned) while offline - the dock icon just bounced indefinitely. Once I went online and relaunched it, I got the familiar "spooky scary unsigned software" warning. At least on Catalina, this appears to be how it works.

          11 votes
          1. [2]
            teaearlgraycold

            Thanks for testing that! Does that also apply to shell scripts as Deimos mentioned?

            I think it makes sense that a downloaded file might need to be checked before it's run. But what if you build/write something locally without internet? If it's different I'm curious how Apple tracks which files are downloaded and which are not.

            3 votes
            1. tindall

              From my experience, compiled executables are treated the same as downloaded ones. Because of this I have to have Gatekeeper entirely off during some parts of my working day. I'd keep it off but I work in healthcare so that's not an option.

              4 votes
  2. tindall
    (edited)

    It's really hard to avoid being snarky at everyone who was just yesterday going off on me for daring to suggest that Apple's hyper-centralized "our way or the highway" approach might have some negative consequences. But I will resist, and say only this: this is literally trivial to prevent if you want to. They clearly care more about that data collection and their control than about their users.

    Edit: see my other comment in this thread for some more disturbing info on this. I'm truly head-in-hands over the sheer shit-tier quality of engineering on display here.

    18 votes
    1. Removed by admin: 4 comments by 2 users