Who are the "Identified Developers"?

Brawdy14

macrumors member
Original poster
Feb 1, 2018
44
3
Devon, England
Hi

At this Apple Support link. https://support.apple.com/en-us/HT202491

Apple says ...

"When you run installer packages from outside the App Store, macOS
checks the Developer ID signature and notarization status to verify that
the software is from an identified developer and that it has not been
altered."


My friend has suggested to me that ClamXAV (an Anti-Virus software for the 'Mac' - totally unnecessary in the opinion of many) may well be a scam of some kind. The software is marketed by Canimaan Software Ltd in Edingurgh, Scotland. The Directors of the company are Mr & Mrs Allan.

Companies House information about the directors of this company can be found here:

https://beta.companieshouse.gov.uk/company/SC500971/officers

What I'd very much like to know is if Mr Mark Allan is an 'identified developer'?

How can one check? Is there a list of such "identified developers'?
 

aristobrat

macrumors G5
Oct 14, 2005
12,269
1,319
How can one check?
Here's a link that explains how to do that:
https://www.jamf.com/jamf-nation/articles/299/verifying-that-a-package-is-signed

This is what it looked like on my Mac:
Code:
pkgutil --check-signature ClamXAV_3.0.9_7713_Installer.pkg
Package "ClamXAV_3.0.9_7713_Installer.pkg":
   Status: signed by a certificate trusted by Mac OS X
   Certificate Chain:
    1. Developer ID Installer: Mark Allan (75FD6A6E5A)
       SHA1 fingerprint: BA 09 82 DA CD 50 6D ED 59 31 34 C1 04 6C 7E 85 30 AF 12 4F
       -----------------------------------------------------------------------------
    2. Developer ID Certification Authority
       SHA1 fingerprint: 3B 16 6C 3B 7D C4 B7 51 C9 FE 2A FA B9 13 56 41 E3 88 E1 86
       -----------------------------------------------------------------------------
    3. Apple Root CA
       SHA1 fingerprint: 61 1E 5B 66 2C 59 3A 08 FF 58 D1 4A E2 24 52 D1 98 DF 6C 60
5th line in mentions him by name, which surprised me. I thought it would have been in his company's name.
 
  • Like
Reactions: BasicGreatGuy

Brawdy14

macrumors member
Original poster
Feb 1, 2018
44
3
Devon, England
Here's a link that explains how to do that:
https://www.jamf.com/jamf-nation/articles/299/verifying-that-a-package-is-signed

This is what it looked like on my Mac:
Code:
pkgutil --check-signature ClamXAV_3.0.9_7713_Installer.pkg
Package "ClamXAV_3.0.9_7713_Installer.pkg":
   Status: signed by a certificate trusted by Mac OS X
   Certificate Chain:
    1. Developer ID Installer: Mark Allan (75FD6A6E5A)
       SHA1 fingerprint: BA 09 82 DA CD 50 6D ED 59 31 34 C1 04 6C 7E 85 30 AF 12 4F
       -----------------------------------------------------------------------------
    2. Developer ID Certification Authority
       SHA1 fingerprint: 3B 16 6C 3B 7D C4 B7 51 C9 FE 2A FA B9 13 56 41 E3 88 E1 86
       -----------------------------------------------------------------------------
    3. Apple Root CA
       SHA1 fingerprint: 61 1E 5B 66 2C 59 3A 08 FF 58 D1 4A E2 24 52 D1 98 DF 6C 60
5th line in mentions him by name, which surprised me. I thought it would have been in his company's name.
Many thanks for your very helpful response 'aristobrat'. It is very much appreciated.

Here's an extract from my recent exchange on Usenet (to save re-inventing the wheel!)

On 02/02/2019 00:15, André G. Isaak wrote:

If you'd followed my earlier advice and opened the ClamXAV in pacifist, you would have found out that he is a registered developer. You would also have discover exactly which files it installs thereby alleviating your need to investigate this great mystery.


André

I DID follow your advice! I thought I'd responded and posted a screenshot of what I had seen. LOTS of files and folders! There's no way in the world that anyone is going to sift through each and every item to discover exactly what each one contains.

What I fear is that it MIGHT be possible for someone really clever to 'outsmart' Apple's defences - so that if someone gullible DOES download a 'package' from the Internet and opens it, the inbuilt defences may NOT be triggered - allowing an UNIDENTIFIED developer to install malware along with the software programme.

Do you actually understand what Gatekeeper even does? If Mr. Allan were actually the nefarious person you seem to think -- absent any actual evidence -- he is, how would Gatekeeper interfere with his Evil Plan™?

I've been thinking deeply about this and have decided that Gatekeeper will be NO protection against any person who Apple has classified as an "Identifiable Developer" if that individual decides to 'go rogue' as it were.

I've not yet discovered a way to check that ClamXAV has NOT loaded something nefarious onto someone's Apple computer. Apart from me, who has even THOUGHT to check? Certainly not the folk who have downloaded and installed the software!

=

Further comments on this matter welcomed!

D.
 

aristobrat

macrumors G5
Oct 14, 2005
12,269
1,319
I've been thinking deeply about this and have decided that Gatekeeper will be NO protection against any person who Apple has classified as an "Identifiable Developer" if that individual decides to 'go rogue' as it were.
In a case where a developer "goes rogue" (or their certificate was used in a rouge way by someone else), Apple simply invalidates their developer certificate and their apps cease to run anymore.

Apple just did that this week with Facebook's enterprise developer certificate (which Facebook uses to make apps for their internal use). All of the apps stopped working:
https://appleinsider.com/articles/19/01/30/apple-has-revoked-facebooks-enterprise-developer-certificates-after-sideload-violations

Also back in 2016, Apple revoked the certificate of another developer that was used to sign a popular app that had been altered to include malware:
https://www.cso.com.au/article/595368/apple-shuts-down-first-ever-ransomware-attack-against-mac-users/
 

Brawdy14

macrumors member
Original poster
Feb 1, 2018
44
3
Devon, England
In a case where a developer "goes rogue" (or their certificate was used in a rouge way by someone else), Apple simply invalidates their developer certificate and their apps cease to run anymore.

Apple just did that this week with Facebook's enterprise developer certificate (which Facebook uses to make apps for their internal use). All of the apps stopped working:
https://appleinsider.com/articles/19/01/30/apple-has-revoked-facebooks-enterprise-developer-certificates-after-sideload-violations

Also back in 2016, Apple revoked the certificate of another developer that was used to sign a popular app that had been altered to include malware:
https://www.cso.com.au/article/595368/apple-shuts-down-first-ever-ransomware-attack-against-mac-users/
Thank you so much for those links. ;)

What they confirm is that it's highly likely that there are SOME bad apples in the Developer barrel!

How can one focus the attention of Apple itself to carry out a 'test' of ClamXAV to ensure that it is safe to use?

Any ideas?

D.
 

jtara

macrumors 68000
Mar 23, 2009
1,860
433
Identified developer: the developer registers with Apple. Apple issues a certificate. The developer signs the app using the certificate. It serves exactly the purpose it sounds like it serves: it IDENTIFIES the developer. No more or less. It prevents others from making apps that fraudulently claim they are from the IDENTIFIED developer. Apple does NOT vet the apps in any way.

Notarized app: I hate this term! In the U.S. there are "notary publics". Notary publics have a government charter that allows them to officially attest to signatures. "Notarized app" has nothing to do with this! Notarizing an app goes one step further than signing the app as an identified developer. Apple runs some automated tests on the app to see if they detect anything fishy. That is it. There is no human review of the app.

And that is the extent of Apple's involvement in apps that are installed outside of the Mac App Store. MacOS makes it relatively more difficult for you to install apps that aren't notarized or not from an identified developer. You can still install them. But it hopefully slows you down enough to stop and think.

If you want more certainty, only install apps that are downloaded from the Mac App Store. Of course, many apps are not available from the Mac App Store. It's still your choice.
[doublepost=1549149795][/doublepost]
How can one focus the attention of Apple itself to carry out a 'test' of ClamXAV to ensure that it is safe to use?
Apple doesn't do that. Why would you expect them to?

If the publisher wishes to publish their app in the Mac App Store, then Apple will vet it for safety and conformance with their guidelines, as they do every app in the Mac App Store.

----
As far as ClamXav goes: did you bother to search for information?

ClamXav is a GUI "wrapper" for ClamAV. ClamAV is an open source project with a very long history. Cisco Systems currently holds the copyright.

According to Wikipedia:

https://en.wikipedia.org/wiki/Clam_AntiVirus

  • ClamXav is a port which includes a graphical user interfaces and has a "sentry" service which can watch for changes or new files in many cases. There is also an update and scanning scheduler through a cron job facilitated by the graphical interface. ClamXav can detect malware specific to macOS, Unix, or Windows. The ClamXav application and the ClamAV engine are updated regularly.[24]ClamXav is written and sold by Canimaan Software Ltd.[15]
[doublepost=1549150518][/doublepost]
In a case where a developer "goes rogue" (or their certificate was used in a rouge way by someone else), Apple simply invalidates their developer certificate and their apps cease to run anymore.

Apple just did that this week with Facebook's enterprise developer certificate (which Facebook uses to make apps for their internal use).
Apples and oranges.

What Apple briefly revoked was a certificate meant to be used to distribute internal iOS (NOT MacOS) apps for Facebook's internal use. For ordering lunch, reserving a seat on a bus, reporting expenses, or scheduling a meeting, etc. Facebook was misusing it to distribute apps to the public, without first being vetted by Apple.

If an app is distributed through the Mac App Store, Apple could revoke their certificate if they find they have not been following the rules.

For "identified developer", I doubt Apple would go beyond revocation in case the publisher turns out to not be who they say they are. That's the IDENTIFIED part! (But I have not read the terms.)
 
Last edited:

patent10021

macrumors 68030
Apr 23, 2004
2,961
407
Even with a company the "developer" is a person. A company's registration is different than the registration of a developer.

Can anyone tell me if they have seen a developer which is actually a company? I would genuinely like to know. I guess if I legally changed my name to this it would work.

first name: ClamXAV
last name: Inc
 
Last edited:

jtara

macrumors 68000
Mar 23, 2009
1,860
433
I guess if I legally changed my name to this it would work.

first name: ClamXAV
last name: Inc
No, it would not "work". Do you really think that Apple is that stupid? As well, do you think that a court is that stupid to let you change your name to that?

You would have to join the Apple Developer Program as a corporation. First, you would have to have a DUNS number issued to ClamXAV Inc.

As well, Apple checks with government authorities. In the U.S., it is quick, generally only take a couple of days, since most states have their corporation, LLC, and non-profit organization records online for the public. I had a client in Argentina that took a couple months, because Apple had to exchange postal mail with a government office to verify them. They will verify that your postal address is the registered address of the corporation.

I've walked several companies through this, so I know from personal experience. Caveat is that I do iOS - not MacOS development. But apparently the way a MacOS app gets marked as from an "identified developer" is that it is signed by XCode with a distribution certificate, just like iOS apps.
 

Brawdy14

macrumors member
Original poster
Feb 1, 2018
44
3
Devon, England
Identified developer: the developer registers with Apple. Apple issues a certificate. The developer signs the app using the certificate. It serves exactly the purpose it sounds like it serves: it IDENTIFIES the developer. No more or less. It prevents others from making apps that fraudulently claim they are from the IDENTIFIED developer. Apple does NOT vet the apps in any way.

Notarized app: I hate this term! In the U.S. there are "notary publics". Notary publics have a government charter that allows them to officially attest to signatures. "Notarized app" has nothing to do with this! Notarizing an app goes one step further than signing the app as an identified developer. Apple runs some automated tests on the app to see if they detect anything fishy. That is it. There is no human review of the app.

And that is the extent of Apple's involvement in apps that are installed outside of the Mac App Store. MacOS makes it relatively more difficult for you to install apps that aren't notarized or not from an identified developer. You can still install them. But it hopefully slows you down enough to stop and think.

If you want more certainty, only install apps that are downloaded from the Mac App Store. Of course, many apps are not available from the Mac App Store. It's still your choice.
[doublepost=1549149795][/doublepost]

Apple doesn't do that. Why would you expect them to?

If the publisher wishes to publish their app in the Mac App Store, then Apple will vet it for safety and conformance with their guidelines, as they do every app in the Mac App Store.

----
As far as ClamXav goes: did you bother to search for information?

ClamXav is a GUI "wrapper" for ClamAV. ClamAV is an open source project with a very long history. Cisco Systems currently holds the copyright.

According to Wikipedia:

https://en.wikipedia.org/wiki/Clam_AntiVirus

  • ClamXav is a port which includes a graphical user interfaces and has a "sentry" service which can watch for changes or new files in many cases. There is also an update and scanning scheduler through a cron job facilitated by the graphical interface. ClamXav can detect malware specific to macOS, Unix, or Windows. The ClamXav application and the ClamAV engine are updated regularly.[24]ClamXav is written and sold by Canimaan Software Ltd.[15]
[doublepost=1549150518][/doublepost]

Apples and oranges.

What Apple briefly revoked was a certificate meant to be used to distribute internal iOS (NOT MacOS) apps for Facebook's internal use. For ordering lunch, reserving a seat on a bus, reporting expenses, or scheduling a meeting, etc. Facebook was misusing it to distribute apps to the public, without first being vetted by Apple.

If an app is distributed through the Mac App Store, Apple could revoke their certificate if they find they have not been following the rules.

For "identified developer", I doubt Apple would go beyond revocation in case the publisher turns out to not be who they say they are. That's the IDENTIFIED part! (But I have not read the terms.)
How can I determine whether ClamXAV has, or has not, been Notarized?

I did send a request to the company to ask, but they have so far failed to tell me.

D.