On 24 Apr 2020, at 9:57, Rob Petrovec wrote:
>> Also weird, why would it phone home for a shell script which has
>> neither been stapled nor even code-signed?
> I think you answered the question just then… a "shell script which
> has neither been stapled nor even code-signed". Google XProtect &
> Gatekeeper.
Gatekeeper is basically Safari adding a quarantine flag (via extended
attributes) to files downloaded from the internet, and then having
Finder check this flag, throwing up a dialog if the flag is set, and
recently, also checking if the code signature is from a verified
developer (possibly refusing to launch at all, if not).
XProtect is basically a blacklist that applications are checked against.
If an application matches, it’s considered malware. The blacklist is a
local file on your system but updated by Apple.
These things operate very differently than having low-level system calls
potentially contact Apple’s servers every time a process is launched
on your system (or, as it appears to be the case on my system, when
processes are accessing certain locations in the file system).
_______________________________________________
Cocoa-dev mailing list (Cocoa-dev@lists.apple.com)
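The quarantine flag discussed in the message above is the `com.apple.quarantine` extended attribute. The following is an added example, not code from the original thread or from Apple: it decodes that attribute's value into its four semicolon-separated fields (hex flag bits, download time as hex Unix seconds, the downloading agent, and the UUID that keys the quarantine-events database), and reads it from a real file with macOS's `xattr -p` when that tool is available. The sample value is constructed for illustration and its flag bits are treated as opaque; the function and class names are this example's own.

```python
"""Decode the com.apple.quarantine extended attribute that Gatekeeper consults."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional
import shutil
import subprocess
import sys

QUARANTINE_XATTR = "com.apple.quarantine"

# Constructed sample of the kind a browser writes on a download (assumption:
# flags 0x0083, timestamp 2020-04-24T00:00:00Z, made-up event UUID).
SAMPLE_VALUE = "0083;5ea22c00;Safari;0B6F4E2A-3C1D-4B8E-9F2A-7D5C1E3A9B04"


@dataclass(frozen=True)
class QuarantineInfo:
    flags: int                 # LaunchServices flag bits, left uninterpreted here
    downloaded_at: datetime    # when the agent stored the attribute (UTC)
    agent: str                 # application that quarantined the file, e.g. Safari
    event_uuid: Optional[str]  # key into the quarantine-events database, if present

    @property
    def flags_hex(self) -> str:
        return f"{self.flags:04x}"


def parse_quarantine(value: str) -> QuarantineInfo:
    """Split 'flags;hex-unix-time;agent[;uuid]' into typed fields."""
    parts = value.strip().split(";")
    if len(parts) < 3:
        raise ValueError(f"unexpected quarantine value: {value!r}")
    flags = int(parts[0], 16)
    downloaded_at = datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc)
    agent = parts[2]
    event_uuid = parts[3] if len(parts) > 3 and parts[3] else None
    return QuarantineInfo(flags, downloaded_at, agent, event_uuid)


def read_quarantine(path: str) -> Optional[QuarantineInfo]:
    """Read the attribute from a file via xattr(1); None if absent or not on macOS."""
    xattr = shutil.which("xattr")
    if xattr is None:
        return None  # not macOS (or no xattr tool); nothing to inspect
    proc = subprocess.run([xattr, "-p", QUARANTINE_XATTR, path],
                          capture_output=True, text=True)
    if proc.returncode != 0 or not proc.stdout.strip():
        return None  # no quarantine flag: Gatekeeper has nothing to prompt about
    return parse_quarantine(proc.stdout)


def describe(info: QuarantineInfo) -> str:
    """One-line human-readable summary of a parsed attribute."""
    uuid = info.event_uuid or "(no event uuid)"
    return (f"flags=0x{info.flags_hex} downloaded={info.downloaded_at.isoformat()} "
            f"agent={info.agent} event={uuid}")


if __name__ == "__main__":
    # Usage: python quarantine.py FILE...   (with no arguments, decode the sample)
    if len(sys.argv) == 1:
        print(describe(parse_quarantine(SAMPLE_VALUE)))
    for path in sys.argv[1:]:
        info = read_quarantine(path)
        print(f"{path}: {describe(info) if info else 'not quarantined'}")
```

Removing the attribute (`xattr -d com.apple.quarantine FILE`) is what makes Gatekeeper stop prompting for a file, which is why a missing flag, not a missing signature, is the first thing to check when a download opens without a dialog.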