Did we read the same article? Seems like Apple has been happy for this guy to have a signing certificate for his kernel extension for years. And he has been using it, and everything has been fine. Now the guy decides (not unreasonably, IMO, though it clearly impacts a lot of people who're used to getting the benefit of his efforts for free) that he wants to make some money... and the conclusion is "fuck Apple"?
Well, they allow one blessed developer to have a cert, only for historical reasons, leading to exactly this situation. That doesn’t seem like something to cheer about to me. Like it said in the article, a fork is impossible because they won’t get a cert.
Also, my complaint is mostly that Apple keeps changing their APIs, as you can also read in the article.
Altogether, this kind of stuff makes life needlessly hard on third-party developers, so yeah, fuck Apple.
Uh no. There’s nothing that says Apple only allows 1 kext developer. The article only says that getting the dev cert is such a significant pain in the ass that only one has ever gone through the effort. Anyone motivated enough to fork MacFuse can apply.
On a tangent: wouldn’t it be nice if all packages were signed? It would do the community a great service if an organization like Brew negotiated an agreement and implementation with Apple (and something that no one could unilaterally retract).
> The article only says that getting the dev cert is such a significant pain in the ass that only one has ever gone through the effort. Anyone motivated enough to fork MacFuse can apply.
I've been there. It's not just "a royal pain".
I implemented a clean-room Xbox One controller kext to expose it as an HID Class gamepad in macOS some years ago†. I paid the Apple dev license on my own dime, and applied multiple times for the dev cert to be upgraded to kext dev. I was rejected each time, the answers each time being entirely tone-deaf. Apparently I'm not notable enough, not commercial enough, not big company enough to get either a kext dev cert or an exception in the kext whitelist as others did.
The discussion on GitHub strongly implies that it's more than effort, and that random people don't just get certificates regardless of effort, because Apple is being cagey and reluctant to issue them even to large and prominent companies. I wonder what the specifics of that are...
Well, compromising a kext would be a significant 0wn and quite difficult to explain away.
I can see how Apple would be cagey and reluctant: although it’s technically feasible to revoke compromised publishers, imagine the hysteria: “OMG Apple kernel got 0wnd!”, “Apple kernel phones home to spy on your extensions!”, “Apple can remotely brick your Mac with key revocation!”
It’s bull, of course...
... I guess FUSE is one kernel service Apple should just provide out of the box.
It's far from impossible, or I wouldn't have to try to figure out which developer accounted for which kexts and whether I should just remove them instead of granting permissions for something like twenty developers when I upgraded to macOS Catalina.