More extortionate Apple Codesign dickery

Fun fact!

With the default security settings on MacOS 10.8, Apple refuses to launch apps that are signed with a signature that is validly signed by Apple's CA if that key is for the iOS store instead of the OSX store.

% codesign -dvv
Format=bundle with Mach-O universal (i386 x86_64)
CodeDirectory v=20100 size=7246 flags=0x0(none) hashes=356+3 location=embedded
Signature size=4334
Authority=iPhone Developer: Jamie Zawinski (Y5M82TL69N)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA

Signed Time=Aug 22, 2012 1:15:13 PM
Info.plist entries=23
Sealed Resources rules=4 files=3
Internal requirements count=1 size=184

That right there is a valid, paid-for and un-expired cert, issued by Apple's one-and-only CA. A cert is a cert and a CA is a CA, so the only justification for this behavior is that they want to extort an additional hundred bucks a year out of you if you develop apps for both iOS and OSX.


Previously, previously, previously.

Tags: , , , ,

75 Responses:

  1. Paul Toohey says:

    If you rightclick on the application icon, and then choose open, it will open after asking if you want to open a non-signed application.

    • jwz says:

      I can read manuals too. I also know how to change my preferences. That's not even remotely the point.

  2. Colin says:

    I was under the impression that signing up for a cert for non App Store distribution/signing was free.

    • Colin says:

      Not sure where I had read this but further research tells me I'm wrong.

      • James says:

        I could swear I read the same thing several times. But I don't remember where, and I certainly can't find any reference right now. Apple certainly isn't advertising anything.

    • A common mistake. It's free to people who are already members of the non-free Mac Developer Program. What jwz is pointing out and I hadn't realized is there's a Mac Developer Program and an iOS Developer Program and each costs $99/year. I concur that it's utter bullshit that they do that. But good news everybody! the Safari Developer Program (for making Safari browser extensions) is free.

      • jwz says:

        You have a funny definition of free, there. "The service is free after you've paid $99 for that service."

      • James says:

        No. There were articles about Gatekeeper pre release. Somebody would object - 'what about people slinging free software?'. Somebody else would mention a relatively obscure program by which a developer could request a signing key without being in the Mac dev program. But I read dozens out of the billions of articles about Mtn. Lion pre-release, so finding the reference would be a total pain.

  3. cryptomail says:

    Ok, excuse my ignorance...then why oh why do you vote with your dollars, for them? I know the answer partially, but want to confirm: You want shit to just work, and you're willing to pay. Here, you're just pointing out they're dicks. I find this a valid reason to stay, but I guess my real question what point does it get too dicky?

    • brianvan says:

      When they changed the security settings on the new OS that was JUST RELEASED, perhaps?

      Yeah, it's his fault for buying Apple products and expecting Apple to not put locks on things that have never had locks on them. Your car manufacturer is going to put a boot on your car right now and leave with the key... then why oh why do you drive?

    • I think the reason to stay with Apple is because dealing with PCs is a much bigger pain in the ass than dealing with Apple being a bag of dicks. At least so far.

  4. JJ says:

    Yes Jaimie. Extort. That's show they roll. Innovative extortionists.

  5. jwz says:

    Computer: "You have new mail!"
    Me: "Yay, mail!"
    Computer: "It's a blog comment!"
    Me: "Sigh. This is going to be stupid, isn't it?"
    Computer: "Click it! Click it!"
    Me: "Yes. Yes it was. Why do I allow comments at all?"
    Computer: "Because you're an idiot."
    Me: "Oh yeah, that's right."

    • Mark says:

      I was under the impression that you allowed comments for the entertainment of those of us who go running to make popcorn as soon as you write a post with "Apple" in the title.

      • jwz says:

        Half the time I can't even tell the comments here from the spambots that post shit like "I have found the informations here very valuables."

      • Edouard says:

        And bikes. Don't forget the bike posts!

        • Sheilagh says:

          THOSE are a laugh riot. The Apple ones are filled with bland "why bother?" quips.

    • Angel Ortega says:

      > "...but I repeat myself..."

      This is the most hilarious thread I've seen in years. Thanks and never die, jwz.

  6. Owen says:

    I get the idea that you don't like Apple? But you don't hate them enough to go somewhere else?

    This is sounding a lot like an bad marriage, where you're still in it for the children? I suppose Apple wasn't always like this? There was a time when you were really in love?

    • jwz says:

      Oh, fuck off.

      • chilly willy says:

        Apple only hits me when I deserve it!

      • Eric TF Bat says:

        I think Owen (and similar others) kind of have a point, seriously, though they should stop expressing it because it's redundant.

        My logic says: this is your blog. Which means: you can vent about how fucking stupid Apple are being, and that's perfectly fine because, after all, who are we to tell you what to do? But what Owen etc forget is something I figure you know already: not all venting was created equal. When you vent about the San Franciscan zoning laws that make your life hell, we read and enjoy your turn of phrase and we sympathise. When you vent about Apple, we read and enjoy your turn of phrase but we don't really sympathise, because this one is self-inflicted. That is, there's not much you can do about government interference in your legitimate business, but your choice of operating system (and of what you do in your spare time) is not subject to the same limitations. So yeah, you get people who are unsympathetic.

        But you're not here for sympathy. You do this stuff, I think, because you know you're smarter than 99% of the planet and you want to prove that the kind of adversity that would reduce demigods to quivering jelly is not enough to cow you. Hillary-style, you do it because it's there. Frankly, any clinical psychologist worth his salt would kill to have you as a patient. There's a wealth of research papers in your masochism.

        So yeah. No sympathy. It's self-inflicted. But we love reading about it, and that's all that matters.

        • jwz says:

          And your monumentally misguided and point-missing comment here is why I don't bother engaging with people like you. If you have been reading my blog for more than five minutes and still misunderstanding my goals so badly, I can't explain it to you. Which brings us to the only possible response:

          Oh, fuck off.

          This post makes a great honeypot for the killfile, though!

          • zaba says:

            Your problem is you are a hack. Everything you have ever done, you have stolen from others. Netscape Navigator would have been NOTHING if you didn't STEAL directly from Internet Explorer (the only true web browser!)

            I heard you even stole your idea of the camo office from that fine team in Redmond!

            What is your problem with paying less than 100 bucks... twice? Are you really that broke that you can't afford that small deposit to give your crappy program away for free?

            You, sir, should be ashamed of yourself.

            When you are done with the garbage that Apple puts out, I suggest pulling your head out of your nethers and moving back to MS products. If that it too big a transition, there is this new OS called Gentoo which might be more up your alley. As soon as it is done compiling, you might actually understand how it works.


            Honeypot Killfile

            • zaba says:

              P.S. Any plans on getting your POS app on Android?

              (This comment is for the humor-impaired and brought to you by the number Five and the letter U

        • tfb says:

          Also, yes Apple are scum, but may be the alternatives are even more crap.

        • Who would you consider better at coding than JWZ? Bill Joy when he was at UC Berkeley? Larry Page? Uhh...I forgot what else.

          • Eric TF Bat says:

            Well, yeah, that's my point. "This is Zaphod Beeblebrox, you know, not bloody Martin Smith from Croydon!" JWZ has the street cred to look at the Apple bullshit and decide he values the software and hardware enough that he's going to put up with the quasi-religious restrictions on his lifestyle. So when he rants about how insanely stupid it all is, there's no real point saying "why not pick a different system" because he's already chosen, and that's that. So the comments from Owen et al are just mammothly pointless.

            Now the fact that he doesn't see what I said that way might just indicate that I'm expressing myself poorly, or maybe he doesn't like the fact that I equate any use of Apple hardware and software at all with clinical masochism, but never mind that.

            • Lun Esex says:

              I equate any use of Apple hardware and software at all with clinical masochism

              Cool story, bro.


              "I've noticed you complain a lot about the enjoyment you get out of having your 'nads crushed in a vice. Have you tried having objects of improbable size shoved up your rectum, instead?"

              *Funny how the argument "but (x) doesn't make hardware!" isn't going to work, any more.

        • pavel_lishin says:

          Why would you sympathize with him for his SF problems? Just like he doesn't have to stick with Apple, he could migrate to any one of a number of alternative operating systems! Why, there's Windows, Linux... Ubuntu... um... anyway, just like his options of operating systems, he could just pick up his business and move it to another great city, like New York, or Austin, or, um, I think Portland isn't bad... um. I'll get back to you.

    • Ronald Pottol says:

      Just because apple sucks doesn't mean everything else doesn't suck worse.

      To quote from a certain FAQ:


      3.1) Are there any OSes that don't suck?


      3.2) How about any hardware?

      The PDP-100 was pretty nice. Pity they aren't made any more.

      • Mark says:

        Or to put it another way, just because everything else sucks worse doesn't mean Apple doesn't suck.

        • Lun Esex says:

          Hey, maybe what we need is a browser-based OS! Yeah, that'd be awesome!

          There's this programmer guy who worked for Netscape and Mozilla and now runs a bar and is always complaining about the computers and OS he uses who I bet would love to work on that!

    • LafinJack says:

      You can like parts of a thing and dislike other parts of a thing. It's not an either/or proposition.

  7. Kyzer says:

    If ALSA changing the sound config file was enough to make you say "Fuck Linux, I'm getting a Mac", what do Apple have to do to make you say "Fuck Apple, I'm getting a SomethingElse"?

    Are you waiting for someone to invent the SomethingElse first? I hear HP are considering re-starting WebOS development, maybe in 10 years it won't suck. I just hope that in the meantime, your heart doesn't lead you to sign an agreement with Apple promising to pay them $10 every time a customer runs DaliClock in order to allow Apple to generously discount it to just $5 per invocation for end-users.

  8. Jeremy Wilson says:

    Right now I'm battling with Apple Notification Service and how it has no feedback mechanism, nor any troubleshooting method (logs, etc.) to figure out why it doesn't work half the time.

    Apple doesn't give a shit about developers.

  9. Other than the fact that they are charging you for a product similar to one you already bought, what's your complaint?

    I buy a ticket for Death Guild each time I go, even though the experience is nearly identical every time. Granted, $99 worth of Death Guild is lots more fun than a year with Xcode.

    • Cow says:

      At the risk of feeding the troll...

      To extend your analogy: he didn't buy a ticket, he bought a season pass. (A certificate to sign apps with an expiry date sometime in the future for $99/year.) So, the venue owner sees a lot of people buying these season passes, and retroactively changes the terms and conditions so that the season pass is not valid on Saturday nights, when most people want to attend. (I suspect far, far more people use DaliClock on Mac than on iOS, at least at this point.) So he shows up to the show one Saturday night, shows his pass, and gets told, no, that pass isn't valid, and he has to buy a different season pass just for Saturday nights now.

      That'd be bullshit, and no venue owner would do that.

      • Ok, if that was true, I agree it'd be bullshit. But the iOS ticket was never offered as a way to get into the MacOS show. Hell, the Mountain Lion show wasn't even on the calendar yet when the iOS tickets went on sale.

        I've seen plenty of comments here jumping to conclusions about what exactly he's complaining about. If I read only what JWZ wrote, and nothing between the lines, it seems he's complaining that the ticket Apple is selling him for one show isn't good on two nights, even though they're printed on nearly identical paper.

        If he's complaining that the shows are pricy, well, it seems to be a popular show. The damn kids these days ruin everything!

        • Stephen Harris says:

          I think a better analogy might be the satellite/cable TV market.

          "Sign up for our Ultimate package; receive all of our channels (see list) for the low price of $x/month."
          Time passes.
          "The ultimate package has been closed to new customers; existing customers may maintain their existing package. NEW! Ultimate Plus! All the channels our Ultimate package had PLUS all these extras; all for the low price of $2x/month"
          Time passes.
          Rinse, repeat.

          Apple never _claimed_ the key would work for MacOS but... CableCo never _claimed_ you'd receive new channels, but... It's bait'n'switch.

          I consider it healthy that jwz has enough free vitriol to spend on crap like this; it means the DNA planning crap hasn't worn him down, yet!

          • Why would anyone ever have expected than an iOS developer membership offer Mac OS benefits? They didn't call it the "ultimate package", the "everything package", or even the "bunch of stuff package". It has always been called the iOS Developer Program. That's iOS, as in, NOT Mac OS. How is this unclear?

        • Jon says:

          The point of the certificate is to make the process of publishing the software cryptographically secure. The point of charging for the certificate is to cover the costs of administering the PKI infrastructure. JWZ has a pile of bytes which is sufficient, technically, to prove who he is when publishing Mac software, and he's paid for the admin costs of administering the PKI. He's now being asked to pay again, for a second pile of bytes to achieve the same thing.

          None of these analogies are precise enough.

        • Max says:

          The complaint is that Apple, instead of building their developer programs around a single Apple identity credential, is choosing to build their developer programs around program specific identity credentials. The technical particulars of a single program would probably even be simpler and cheaper to administrate.

          There are lots of hand wavy apologies to offer for the choice, but none of them make it particularly less arbitrary or byzantine.

    • Richard says:

      Just a quick plot summary for the reading comprehension impaired: he's paying $200/year (and rising, plus medical expenses) to a bunch of extortionate bastards (who incur $0 cost) for the privilege of giving stuff away for free.

      • Bzzt, wrong. There's no need to pay for the Mac OS certificate unless he wants the Mac app to run without an "unidentified developer" warning. It says that right in the dialog he put in the post.

        What I'm asking is, why should Apple offer that service for free? We could argue about what would be a fair price, but I think expecting things for free is unreasonable.

        And extortion? Really? I don't think that word means what you think it means.

        • Jon says:

          I don't recall anyone suggesting it should be for free. I believe the point is, he's already paid them money for his pile o' bytes.

  10. DaveL says:

    I want to buy/download that perfect computer/os/application that is so perfect I never have any reason to criticize that computer/os/application. Where is it for sale/download? Where did I sign away my right to complain about things I don't like?

    • I just wish people would complain about the right things. For example, the real bullshit move by Apple is that you can't use certain new APIs unless you offer your software via the App Store, which prohibits using a bunch of other APIs and requires you make Apple your legal agent. That is extortion.

  11. Khakionion says:

    You need a Developer ID, and those are free. The system isn't the best, but it certainly doesn't cost another $100.

    • donfabio says:

      Actually you need a Developer ID certificate signed by Apple if you enrolled for the Mac Developer Program which is 99$/year.
      "Only Mac Developer Program members are eligible to request Developer ID certificates and sign applications or installer packages using them." And this is for distributing outside the Mac App Store just to avoid the Gatekeeper message pictured above.

      I would like to know if you can use a certificate authority other than Apple to sign your code, because this guide hints it:
      "Note: Apple uses the industry-standard form and format of code signing certificates. Therefore, if your company already has a third-party signing identity that you use to sign code on other systems, you can use it with the OS X codesign command."

      • nooj says:

        This issue isn't about whether apps can be signed by non-Apple entities. It's about Apple putting big blinky signs that say, "Whoah, hang on! We didn't get paid $100 by this developer^A^K This app hasn't been signed by Apple. Do you really want to turn off our security and open yourself up to the big, bad world? We didn't think so."

        Apple is using its OS to draw a new line in the sand that says everything done in the Apple Way is okay; everything anyone else does is untrustworthy.

        • Apple is using its OS to draw a new line in the sand that says everything done in the Apple Way is okay; everything anyone else does is untrustworthy.

          Yup. You disagree, and believe that all software is trustworthy?

          • nooj says:

            No, I disagree, and believe Apple is deliberately stifling competition.

            (To everyone who says, "Stifling competition is perfectly normal in America!": it's still bullshit.)

  12. nooj says:

    Apple spends more money polishing gold toilets than they will ever make off those fees. Seriously, how many developers can there possibly be? 100,000? So the most they probably make on the extra license fee is about ten million dollars per year. This is the biggest company in the world, with more money than god. They blow off mistakes bigger than this all day long.

    This is what I don't understand: Why does Apple want to restrict entry into their world? Microsoft understood the value of what I have heard referred to as the "network effect"--the more people join, the more everyone involved benefits, and the more benefit new joiners see. It worked for .doc files, and it worked for The Facebook. Apple should be saying things like, "Hey, everyone! Websites are dead! Twitter is dead! Use our methods of distributing information to your people!" Instead they are saying things like, "This helps you more than it helps us, and frankly, we don't need you."

    • This is what I don't understand: Why does Apple want to restrict entry into their world?

      The certificate in question ties software to the identity of a specific organization. It gives Apple a mechanism for enforcing a killfile against malware developers. The $99 fee is there to raise the bar on the cost of entry for malware. (Possible unintended consequence: future malware will more aggressively pursue an economic return.)

      • nooj says:

        Okay, sure; $100 is the cost of doing business with Apple. Do you think a killfile against malware is worth it? And that there's no other way to disincentivize malware developers? And no one can address why the extra $100 fee is there instead of signing all certs as valid for both iOS and OSX.

        Also, back to the network effect, if Apple was more welcoming about 3rd party interoperability, I think they would benefit. For instance, cars don't come with builtin ipod/iphone connections (partly) because Apple is known for changing their connectors. What was the point of this latest iphone connector change? What, 30 pins is too many now, but was absolutely necessary a few years ago? So rather than have every new car in America for the past five years and the next five years come with an iPhone slot--and thus, people who end up with these cars being more likely to buy iPhones--we get whack-a-mole idiocy.

        • Ah, now we get into reasonable questions! Do you think Apple just didn't consider those questions? Or do you think your conclusions are superior? After all, you've probably spent at least the last few minutes considering how these actions could affect their $600B enterprise.

          • nooj says:

            I asked for speculation. Don't be an asshole.

            • Ok.

              Do you think a killfile against malware is worth it?
              Hell yes! Particularly if I can still choose to override it.

              no other way to disincentivize malware developers?
              I think this is just another tool in the box. Apple's trying just as hard as anyone else to find and prevent security compromising bugs, but there will always be bugs. It's also an effective barrier to trojan horses, which are becoming the typical sort of malware.

              why the extra $100 fee is there instead of signing all certs as valid for both iOS and OSX.
              My guess is that this has more to do with Apple's internal organizational structure than anything else. Should they reorganize departments or develop new processes and tools just to offer this product more efficiently? On the surface it seems foolish. Actually, maybe they should, because what they are risking here is habitually treating developers as if they aren't users too. Apple's greatness comes from their focus on ease of use, and cutting corners on the developer experience is a slippery slope.

              if Apple was more welcoming about 3rd party interoperability, I think they would benefit.
              I agree in general, but not in this specific case. All of the documentation and tools are available for free. The $99 registers an identity. That's not an unreasonable bar. I do agree that Apple should be making their developer tools and documentation much better. But I know that they are trying. I also know why they're struggling, and it has to do with the politics of a big organization, not any sort of machiavellian plan.

              What was the point of this latest iphone connector change?
              All of Apple's success in the last 15 years can be traced to their willingness to throw away the past. The iMac had only USB and no floppy drive. The iPod has no radio. The iPhone has no buttons or battery. The MacBook Air has no DVD. You can call it "whack-a-mole idiocy," but they call it "innovation," and to say that it's working for them is a massive understatement.

              And if their business plan still isn't convincing enough, consider that each year so far, Apple sells more iOS devices than all of the devices they've sold earlier, combined. So in 12 months, the new connector will be more common than the old one.

  13. JJ says:

    I have found the informations here very valuables.

  14. Stoffe says:

    It boggles the mind why you even want to have the stuff on their platform when so very clearly so many of your posts is about how it sucks. And also, they clearly do not want your kind of stuff on their platform. I mean I kind of enjoy reading these posts in a way, but if it's that terrible, why stay?

  15. Could be incompetence at play here, not necessarily malice. A clueless developer putting one check too many in the signature verification code. And QA not bothering to create a test case for that, because, as you said, they don't really give a fuck.

    Then again, it is Apple we are talking about here, so it could be them being evil on purpose. These days, even Microsoft are better the Apple when it comes to developer relations.

    • Dave Pease says:

      I don't see how this can be carelessness on Apple's part.

      I enjoy the people saying that they aren't making anything on these licenses. Apple takes making money seriously on the rest of their products, why wouldn't they be doing that carefully with this program? I'm sure they have their reasons for the policy being what it is, and I guarantee from lots of angles it looks like "fuck you, now pay up".

  16. gryazi says:

    All of this Internet point-and-laughery (while everyone continues being separate-but-equally fucked by different products, because, y'know, computers) is really a request for you to opine on how operating systems are supposed to work without stepping on your dick (useful stable APIs that aren't constantly ripped out from under good software for the Next Big Thing, etc.) so that the next time someone proposes a genius move like this people can point the Well-Meaning Youth of Today to it and go "b-but Netscape! jwz!"

    The merits of the exercise, when put that way, do seem somewhat debatable. (But I personally would enjoy reading some architecture-fantasy in between these 'AW SHIT I GOT MY HAND SLAMMED IN THE DOOR AGAIN AND YOU CAN TOO' wince-posts.)

  17. Revenue unit Y5M82TL69N, you are in breach of clause 371.23.g "revenue units shall not whine during the extraction process".

  18. Elbow Freemason says:

    Apple does not care about your $99. Put together, every $99 payment from every developer in every developer program at Apple accounts for less than 0.006% of Apple's revenue. "Extortionate" is the wrong word to use.

    Apple is trying to deter people from creating lots of certificates, probably because they plan to use revocation of those certificates to shut down scam developers.

    • So much apple genius bullshit you have there. That would already work with a $1 or worst-case-scenario a $10 certificate.

      The fact it's $99 and not $100 should be enough of a proof of that: that $1 is a concession to their sense of guilt. (no it isn't, it's a sales practice, but a sales practice that builds on the common sense feeling there SHOULD be some sense of guilt there)

      I will concede that maybe yes, Apple isn't satisfied enough with that $99 fee, after all the dollar lost so much value. In fact they are trying to make it $198.

  19. PSA: If you're still butthurt about something mean jwz said about your favourite OS the better part of a decade or so ago, and have an uncontrollable urge to make an allegedly witty comment when he finds dealing with his current OS painful: Don't. Just. Don't.

    It doesn't lead anywhere good.

  • Previously