So I think, if I am reading this correctly, that the best way to get software at this point is through the store of whatever platform you are using.
That's one thing that scares me about Linux. Software is all developed by mostly single people or a couple of people. Who's to say there's not malicious code built in?
Yeah, that's the thing.
People whine and complain about “I paid for the computer, I should be able to run what I want! Gatekeeper bad!” etc.
BUT… It’s not just these big corps being bad. They do bad things too, but code signing, TPM, etc. are all a legit effort to at least attempt to mitigate malware damage/spread as much as possible.
The concept is:
* author makes software, signs it with their developer cert granted to them by the platform
* software reviewed by store to make sure it is clean, then added to store
* device only runs software signed with valid certificate from vendor
* if the vendor discovers the software is malware, they revoke the digital certificate and the OS no longer trusts it to be run, even if it was already downloaded, the virus scanner didn’t find anything in it because the malware was sneaky/unknown when it was scanned, etc.
Whether it's Apple, Google, or Microsoft, the tech is basically the same. This is the flip side to security vs. just fixing bugs… if the site hosting the software you download gets hacked and the hosted software gets compromised, that’s a “supply chain attack” and you inadvertently end up installing malicious software.
This is why almost all my Mac software is from the store if at all possible, and why I seriously recommend people stick to apps in the Apple/Play/MS store as much as they can, and leave things like Gatekeeper and System Integrity Protection TURNED ON. If you need something not in the store, so be it, just be aware that there may be some additional risks. Even if you’re a technical, competent user, supply chain attacks like the one currently in the news for CPU-Z are things you will never detect just by being competent. Getting things from the store at least gives you the chance that the vendor detects the issue before it hurts you too much and they revoke the software’s ability to run.
If you disable Gatekeeper on your machine, this process to save you doesn’t work because you told macOS to ignore security certificate requirements. Apple can disable the certificate but your Mac is configured to not check it.
This is a huge reason why all the mobile/tablet platforms are far more secure than Windows and macOS in general - they never ran unsigned software (well, Android did, but Google are trying to backtrack on that and push you to the store), whereas Mac and Windows have been doing it for years, and both vendors are gradually trying to wean people off that. At least if software is signed it can be “turned off” globally if it is found to be malicious by revoking its cert.
With Linux? Yeah, it’s a bit wild out there. In theory the same tech can be applied BUT… Linux is full of anti-authoritarian evangelists so trying to get digital signing implemented is… hard. In theory, it's all open source but yes - on Linux you have a choice to either get your software from random places on the internet, or get it from the distribution store/package repository and hope that the maintainers of the distribution audit it well enough.
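
The sign / verify / revoke flow from the list above, as an added example that is not part of the original post. It uses a Lamport one-time signature over SHA-256 as a standard-library stand-in for a platform's real signing scheme; the cert id, app bytes and all function names are constructed for illustration.

```python
import hashlib, secrets

def H(b):
    return hashlib.sha256(b).digest()

def digest_bits(data):
    d = H(data)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

# Lamport one-time signature: stdlib-only stand-in for the vendor's real scheme.
def keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def sign(sk, data):
    return [sk[i][bit] for i, bit in enumerate(digest_bits(data))]

def verify(pk, data, sig):
    return len(sig) == 256 and all(
        H(s) == pk[i][bit] for i, (s, bit) in enumerate(zip(sig, digest_bits(data))))

def may_launch(certs, revoked, binary, cert_id, sig, enforce=True):
    """Launch-time decision; enforce=False models signature checks switched off."""
    if not enforce:
        return False if False else True, "enforcement disabled: nothing checked"
    pk = certs.get(cert_id)
    if pk is None:
        return False, "unknown developer certificate"
    if cert_id in revoked:  # checked on every launch, not only at install time
        return False, "certificate revoked by vendor"
    if not verify(pk, binary, sig):
        return False, "signature does not match binary"
    return True, "signed by trusted, unrevoked certificate"

def demo():
    certs, revoked = {}, set()          # hypothetical vendor trust store and revocation list
    sk, pk = keygen()
    certs["dev-001"] = pk               # platform grants the developer a cert (constructed id)
    app = b"constructed app bytes v1.0"
    sig = sign(sk, app)
    out = {"fresh": may_launch(certs, revoked, app, "dev-001", sig)[0],
           "tampered": may_launch(certs, revoked, app + b"!", "dev-001", sig)[0]}
    revoked.add("dev-001")              # vendor learns the app is malicious
    out["after_revoke"] = may_launch(certs, revoked, app, "dev-001", sig)[0]
    out["after_revoke_unenforced"] = may_launch(
        certs, revoked, app, "dev-001", sig, enforce=False)[0]
    return out
```

The last two results are the point: the same already-downloaded binary stops launching once the cert is revoked, but still launches when enforcement is switched off.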