Who are the "Identified Developers"?

[Brawdy14]

Hi

At this Apple Support link. https://support.apple.com/en-us/HT202491

Apple says ...

"When you run installer packages from outside the App Store, macOS
checks the Developer ID signature and notarization status to verify that
the software is from an identified developer and that it has not been
altered."

My friend has suggested to me that ClamXAV (an Anti-Virus software for the 'Mac' - totally unnecessary in the opinion of many) may well be a scam of some kind. The software is marketed by Canimaan Software Ltd in Edingurgh, Scotland. The Directors of the company are Mr & Mrs Allan.

Companies House information about the directors of this company can be found here:

https://beta.companieshouse.gov.uk/company/SC500971/officers

What I'd very much like to know is if Mr Mark Allan is an 'identified developer'?

How can one check? Is there a list of such "identified developers'?

 

[Mr_Brightside_@]

ClamX is legit. Malwarebytes is a good alternative.

 

[aristobrat]

How can one check?

Here's a link that explains how to do that:
https://www.jamf.com/jamf-nation/articles/299/verifying-that-a-package-is-signed

This is what it looked like on my Mac:

pkgutil --check-signature ClamXAV_3.0.9_7713_Installer.pkg
Package "ClamXAV_3.0.9_7713_Installer.pkg":
   Status: signed by a certificate trusted by Mac OS X
   Certificate Chain:
    1. Developer ID Installer: Mark Allan (75FD6A6E5A)
       SHA1 fingerprint: BA 09 82 DA CD 50 6D ED 59 31 34 C1 04 6C 7E 85 30 AF 12 4F
       -----------------------------------------------------------------------------
    2. Developer ID Certification Authority
       SHA1 fingerprint: 3B 16 6C 3B 7D C4 B7 51 C9 FE 2A FA B9 13 56 41 E3 88 E1 86
       -----------------------------------------------------------------------------
    3. Apple Root CA
       SHA1 fingerprint: 61 1E 5B 66 2C 59 3A 08 FF 58 D1 4A E2 24 52 D1 98 DF 6C 60

5th line in mentions him by name, which surprised me. I thought it would have been in his company's name.

 

[Brawdy14]

Here's a link that explains how to do that:
https://www.jamf.com/jamf-nation/articles/299/verifying-that-a-package-is-signed

This is what it looked like on my Mac:

pkgutil --check-signature ClamXAV_3.0.9_7713_Installer.pkg
Package "ClamXAV_3.0.9_7713_Installer.pkg":
   Status: signed by a certificate trusted by Mac OS X
   Certificate Chain:
    1. Developer ID Installer: Mark Allan (75FD6A6E5A)
       SHA1 fingerprint: BA 09 82 DA CD 50 6D ED 59 31 34 C1 04 6C 7E 85 30 AF 12 4F
       -----------------------------------------------------------------------------
    2. Developer ID Certification Authority
       SHA1 fingerprint: 3B 16 6C 3B 7D C4 B7 51 C9 FE 2A FA B9 13 56 41 E3 88 E1 86
       -----------------------------------------------------------------------------
    3. Apple Root CA
       SHA1 fingerprint: 61 1E 5B 66 2C 59 3A 08 FF 58 D1 4A E2 24 52 D1 98 DF 6C 60

5th line in mentions him by name, which surprised me. I thought it would have been in his company's name.

Many thanks for your very helpful response 'aristobrat'. It is very much appreciated.

Here's an extract from my recent exchange on Usenet (to save re-inventing the wheel!)

On 02/02/2019 00:15, André G. Isaak wrote:

If you'd followed my earlier advice and opened the ClamXAV in pacifist, you would have found out that he is a registered developer. You would also have discover exactly which files it installs thereby alleviating your need to investigate this great mystery.

André

I DID follow your advice! I thought I'd responded and posted a screenshot of what I had seen. LOTS of files and folders! There's no way in the world that anyone is going to sift through each and every item to discover exactly what each one contains.

What I fear is that it MIGHT be possible for someone really clever to 'outsmart' Apple's defences - so that if someone gullible DOES download a 'package' from the Internet and opens it, the inbuilt defences may NOT be triggered - allowing an UNIDENTIFIED developer to install malware along with the software programme.

Do you actually understand what Gatekeeper even does? If Mr. Allan were actually the nefarious person you seem to think -- absent any actual evidence -- he is, how would Gatekeeper interfere with his Evil Plan™?

I've been thinking deeply about this and have decided that Gatekeeper will be NO protection against any person who Apple has classified as an "Identifiable Developer" if that individual decides to 'go rogue' as it were.

I've not yet discovered a way to check that ClamXAV has NOT loaded something nefarious onto someone's Apple computer. Apart from me, who has even THOUGHT to check? Certainly not the folk who have downloaded and installed the software!

=

Further comments on this matter welcomed!

D.

 

[aristobrat]

I've been thinking deeply about this and have decided that Gatekeeper will be NO protection against any person who Apple has classified as an "Identifiable Developer" if that individual decides to 'go rogue' as it were.

In a case where a developer "goes rogue" (or their certificate was used in a rouge way by someone else), Apple simply invalidates their developer certificate and their apps cease to run anymore.

Apple just did that this week with Facebook's enterprise developer certificate (which Facebook uses to make apps for their internal use). All of the apps stopped working:
https://appleinsider.com/articles/1...eloper-certificates-after-sideload-violations

Also back in 2016, Apple revoked the certificate of another developer that was used to sign a popular app that had been altered to include malware:
https://www.cso.com.au/article/5953...rst-ever-ransomware-attack-against-mac-users/

 

[Brawdy14]

In a case where a developer "goes rogue" (or their certificate was used in a rouge way by someone else), Apple simply invalidates their developer certificate and their apps cease to run anymore.

Apple just did that this week with Facebook's enterprise developer certificate (which Facebook uses to make apps for their internal use). All of the apps stopped working:
https://appleinsider.com/articles/1...eloper-certificates-after-sideload-violations

Also back in 2016, Apple revoked the certificate of another developer that was used to sign a popular app that had been altered to include malware:
https://www.cso.com.au/article/5953...rst-ever-ransomware-attack-against-mac-users/

Thank you so much for those links.

What they confirm is that it's highly likely that there are SOME bad apples in the Developer barrel!

How can one focus the attention of Apple itself to carry out a 'test' of ClamXAV to ensure that it is safe to use?

Any ideas?

D.

 

[jtara]

Identified developer: the developer registers with Apple. Apple issues a certificate. The developer signs the app using the certificate. It serves exactly the purpose it sounds like it serves: it IDENTIFIES the developer. No more or less. It prevents others from making apps that fraudulently claim they are from the IDENTIFIED developer. Apple does NOT vet the apps in any way.

Notarized app: I hate this term! In the U.S. there are "notary publics". Notary publics have a government charter that allows them to officially attest to signatures. "Notarized app" has nothing to do with this! Notarizing an app goes one step further than signing the app as an identified developer. Apple runs some automated tests on the app to see if they detect anything fishy. That is it. There is no human review of the app.

And that is the extent of Apple's involvement in apps that are installed outside of the Mac App Store. MacOS makes it relatively more difficult for you to install apps that aren't notarized or not from an identified developer. You can still install them. But it hopefully slows you down enough to stop and think.

If you want more certainty, only install apps that are downloaded from the Mac App Store. Of course, many apps are not available from the Mac App Store. It's still your choice.
[doublepost=1549149795][/doublepost]

How can one focus the attention of Apple itself to carry out a 'test' of ClamXAV to ensure that it is safe to use?

Apple doesn't do that. Why would you expect them to?

If the publisher wishes to publish their app in the Mac App Store, then Apple will vet it for safety and conformance with their guidelines, as they do every app in the Mac App Store.

----
As far as ClamXav goes: did you bother to search for information?

ClamXav is a GUI "wrapper" for ClamAV. ClamAV is an open source project with a very long history. Cisco Systems currently holds the copyright.

According to Wikipedia:

https://en.wikipedia.org/wiki/Clam_AntiVirus

• ClamXav is a port which includes a graphical user interfaces and has a "sentry" service which can watch for changes or new files in many cases. There is also an update and scanning scheduler through a cron job facilitated by the graphical interface. ClamXav can detect malware specific to macOS, Unix, or Windows. The ClamXav application and the ClamAV engine are updated regularly.[24]ClamXav is written and sold by Canimaan Software Ltd.[15]

[doublepost=1549150518][/doublepost]

In a case where a developer "goes rogue" (or their certificate was used in a rouge way by someone else), Apple simply invalidates their developer certificate and their apps cease to run anymore.

Apple just did that this week with Facebook's enterprise developer certificate (which Facebook uses to make apps for their internal use).

Apples and oranges.

What Apple briefly revoked was a certificate meant to be used to distribute internal iOS (NOT MacOS) apps for Facebook's internal use. For ordering lunch, reserving a seat on a bus, reporting expenses, or scheduling a meeting, etc. Facebook was misusing it to distribute apps to the public, without first being vetted by Apple.

If an app is distributed through the Mac App Store, Apple could revoke their certificate if they find they have not been following the rules.

For "identified developer", I doubt Apple would go beyond revocation in case the publisher turns out to not be who they say they are. That's the IDENTIFIED part! (But I have not read the terms.)

 

[patent10021]

Even with a company the "developer" is a person. A company's registration is different than the registration of a developer.

Can anyone tell me if they have seen a developer which is actually a company? I would genuinely like to know. I guess if I legally changed my name to this it would work.

first name: ClamXAV
last name: Inc

 

[jtara]

I guess if I legally changed my name to this it would work.

first name: ClamXAV
last name: Inc

No, it would not "work". Do you really think that Apple is that stupid? As well, do you think that a court is that stupid to let you change your name to that?

You would have to join the Apple Developer Program as a corporation. First, you would have to have a DUNS number issued to ClamXAV Inc.

As well, Apple checks with government authorities. In the U.S., it is quick, generally only take a couple of days, since most states have their corporation, LLC, and non-profit organization records online for the public. I had a client in Argentina that took a couple months, because Apple had to exchange postal mail with a government office to verify them. They will verify that your postal address is the registered address of the corporation.

I've walked several companies through this, so I know from personal experience. Caveat is that I do iOS - not MacOS development. But apparently the way a MacOS app gets marked as from an "identified developer" is that it is signed by XCode with a distribution certificate, just like iOS apps.

 

[Brawdy14]

Identified developer: the developer registers with Apple. Apple issues a certificate. The developer signs the app using the certificate. It serves exactly the purpose it sounds like it serves: it IDENTIFIES the developer. No more or less. It prevents others from making apps that fraudulently claim they are from the IDENTIFIED developer. Apple does NOT vet the apps in any way.

Notarized app: I hate this term! In the U.S. there are "notary publics". Notary publics have a government charter that allows them to officially attest to signatures. "Notarized app" has nothing to do with this! Notarizing an app goes one step further than signing the app as an identified developer. Apple runs some automated tests on the app to see if they detect anything fishy. That is it. There is no human review of the app.

And that is the extent of Apple's involvement in apps that are installed outside of the Mac App Store. MacOS makes it relatively more difficult for you to install apps that aren't notarized or not from an identified developer. You can still install them. But it hopefully slows you down enough to stop and think.

If you want more certainty, only install apps that are downloaded from the Mac App Store. Of course, many apps are not available from the Mac App Store. It's still your choice.
[doublepost=1549149795][/doublepost]

Apple doesn't do that. Why would you expect them to?

If the publisher wishes to publish their app in the Mac App Store, then Apple will vet it for safety and conformance with their guidelines, as they do every app in the Mac App Store.

----
As far as ClamXav goes: did you bother to search for information?

ClamXav is a GUI "wrapper" for ClamAV. ClamAV is an open source project with a very long history. Cisco Systems currently holds the copyright.

According to Wikipedia:

https://en.wikipedia.org/wiki/Clam_AntiVirus

• ClamXav is a port which includes a graphical user interfaces and has a "sentry" service which can watch for changes or new files in many cases. There is also an update and scanning scheduler through a cron job facilitated by the graphical interface. ClamXav can detect malware specific to macOS, Unix, or Windows. The ClamXav application and the ClamAV engine are updated regularly.[24]ClamXav is written and sold by Canimaan Software Ltd.[15]

[doublepost=1549150518][/doublepost]

Apples and oranges.

What Apple briefly revoked was a certificate meant to be used to distribute internal iOS (NOT MacOS) apps for Facebook's internal use. For ordering lunch, reserving a seat on a bus, reporting expenses, or scheduling a meeting, etc. Facebook was misusing it to distribute apps to the public, without first being vetted by Apple.

If an app is distributed through the Mac App Store, Apple could revoke their certificate if they find they have not been following the rules.

For "identified developer", I doubt Apple would go beyond revocation in case the publisher turns out to not be who they say they are. That's the IDENTIFIED part! (But I have not read the terms.)

How can I determine whether ClamXAV has, or has not, been Notarized?

I did send a request to the company to ask, but they have so far failed to tell me.

D.

 

[Lucas!]

ClamXAV is recommended in the recently updated book by Joe Kissell of 'Take Control Books'?

In his new edition of 'Take Control of Your Online Privacy' publication, on page 116, there is this statement:-

“So unless you’re a sophisticated user with a strong spider-sense about potential dangers (and good backups), a third-party anti-malware app is not a bad idea. Two such apps worth looking at are ClamXAV and Malwarebytes.”

I'm aware that Apple Support condones the use of Malwarebytes.

But install ClamXAV?

I wonder why he chose ClamXAV ....... above all other available options.

 

[ChrisA]

Hi



...My friend has suggested to me that ClamXAV (an Anti-Virus software for the 'Mac' - totally unnecessary in the opinion of many) may well be a scam of some kind....

How can one check? Is there a list of such "identified developers'?

Your friend is right in that this kind of software is not needed.

The only way you can find out who is on the list is to try and install the software. As it turns out almost none of the software I use is on Apple's list.

The software is only a scam in that they are using fear and ignorance to sell a product that is not needed. It does actualy do what it claims.

I like to use an analogy, there are companies that sell ultraviolet toothbrush lamps that "kill germs" on toothbrushes. They are not scams, they do create UV light, but you can live a normal and healthy life without owning an LED that shines UV light on your toothbrush. They are not needed.