Security breach may be reason for Gatekeeper app signing changes (Updated)
A discussion has been brewing on Twitter today regarding the recent app signing changes that could leave some apps blocked by Gatekeeper if developers don't re-sign the apps. Apple had let developers know that "With the release of OS X Mavericks 10.9.5, the way that OS X recognizes signed apps will change." According to Twitter user @SomebodySW, the change may actually be a response to a security breach in the Developer Portal, not just a change in the method of recognizing signed apps.
Update 11:54 AM 08/19/2014: TUAW received separate confirmation of the breach from a second source via IRC, stating that Apple's certificates may have been compromised and that the company's changes to Gatekeeper are in part intended to mitigate the risks of those breaches. We have still not received any confirmation or denial of the Dev Portal breaches from Apple.
How plausible is a security breach that resulted in the theft of not only Gatekeeper's keys but "many other keys for many other things"? Plausible enough that we reached out to Apple for confirmation. At this point, no response has been received. Ben Doernberg, a security and bitcoin expert, has also pinged Apple, saying in a recent tweet that:
Just talked with Ryan James at Apple, says he'll look look into if device signing keys were stolen last year, no confirm or deny @SomebodySW- Ben Doernberg (@BenDoernberg) August 18, 2014
According to @SomebodySW, "Other keys were stolen too: The Enterprise Signing Key, a key that could be used (and was) used to sign Activation Tickets (bypassing iCloud locks) and several developer ID related keys also some keys iPhone 4/4s/5 hardware 'knows', used to authenticate the OS installed as being from Apple/unmodified".
@SomebodySW notes that he received an offer to buy the device signing keys from the person who performed the breach of the Apple Dev Portal shortly after the theft occurred. While this still isn't definitive proof that the Gatekeeper and other security keys were stolen, TUAW received separate confirmation from a second source.
We'll keep on top of this story and let you know how it develops.
Subscribe to Newsletter
Software Updatesmore updates
- Vizzywig 8xHD price tag now a very affordable $49.99
- Automatic targets teen drivers with License+ service
- Dropbox adds support for TouchID
- YouTube for iOS gets updated with full support for iPhone 6 and 6 Plus
- iOS 8.0.1 update now available (Updated -- Don't update!)
- NFL Mobile updated for 2014 Season with new Fantasy Football features, NFL Now integration