Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Anybody know if they has code-signed their Windows and macOS binaries with 2.0?

It's a shame so many "core" developer tools are not code-signed. It makes life hard in companies where binary whitelisting is used.




> It makes life hard in companies where binary whitelisting is used.

The application would still have to be audited, signed or not, prior to whitelisting.


In practise it's much easier to just trust well-known developers by whitelisting their code-signing certificates.

You could still get owned, of course, but the benefit here is that you're excluding everything not explicitly whitelisted, including drive-by downloads, crap on portable devices or random programs downloaded off the internet that someone thinks will solve their problem of the day.

When people do not code-sign their software every software update is painful. At work, where we run https://github.com/google/santa, it frequently happens that companies with code-signed software forget to code-sign their auto-updater, or random binaries that run during installation. Most of the time the application crashes/hang during the update (because some piece weren't allowed to run), only to remind to you update the software again when you restart the application.


Does santa work with brew? If not, how do you even function?


Personally I've managaged to avoid using it so far. But yes, you can whitelist individual binaries or even directories. The lack of code-signing doesn't prevent whitelisting, it just makes your life harder than necessary.


It also creates an unnecessary attack surface against core infrastructure.




Consider applying for YC's Fall 2025 batch! Applications are open till Aug 4

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: