Espionage 3.7.4 Released + Notarization-free Release

Espionage 3.7.4 introduces some minor (but necessary) updates as we migrate our mailing list.

We’re also doing something new for this release: we’re releasing two versions of this app, one that is “Apple approved (but messed with)” and another that comes directly from us.

You see, many years ago, Apple decided that Apple developers were no longer allowed to distribute apps directly to users. Instead, they require that, in addition to local code signing, apps be first uploaded to Apple’s servers to be messed with (for “notarization”), and then redownloaded before being distributed to users.

We think this is a terrible idea.

What’s stopping Apple’s servers from injecting some malware into our app to bypass our encryption and spy on our users?

It’s true, as developers we are already forced to trust both Apple’s operating system and developer tools, so technically there isn’t much of a difference in terms of trust assumptions here. Xcode’s compiler could already inject malicious code into our app. macOS could already come with built-in spyware.

But it’s the principle that matters here. Apple is reaching their tentacles even further and telling developers in a rather explicit way that not only are they not allowed to build software for the platform without Apple’s explicit permission, but they aren’t even really allowed to own their own software. Apple needs to **** in it first.

On Linux, it isn’t like this. Linus Torvalds doesn’t reach over the Internet and tell developers what apps they are and are not allowed to create. He’s not requiring his personal approval to distribute apps to users. Apple is doing this though. And although they haven’t abused this power too much, the system is in place for them to abuse this power even more than they already have.

If you think this is a terrible idea too, you can instead download the non-notarized version of our app here (and the signature file here).* And for those with the skills to compare binaries, we welcome and encourage you to compare the two versions to see if Apple (or someone who hacked Apple) has added anything shady to the notarized version. Let us know if you find anything.

*Note: macOS won’t let you run the non-notarized version, so you will have to right-click it and click “Open” in order to manually run it.

Changes

  • Improvements
    • Updated mailing list subscription.
  • Misc.
    • Removed support for all versions below macOS 11 (Xcode requirement).

The signature for Espionage.dmg is here and also here (pubkey here). The SHA256 of the main binary is also noted below.

Enjoy! 😀

$ openssl dgst -sha256 Espionage.app/Contents/MacOS/Espionage
SHA2-256(Espionage.app/Contents/MacOS/Espionage)= 09fe29511334787e30f7bf88f24043a306b47333bd04a06bca36a041288ff67
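
The comparison of the two builds invited above, and the SHA-256 check of the main binary, can both be scripted. This is an added example, not code from the Espionage developers: it hashes every file in two copies of an app bundle, lists what differs, and checks one file against a published digest. The function names and the two bundle paths given on the command line are assumptions.

```python
import hashlib
import os
import re


def sha256_file(path):
    """Stream a file through SHA-256 so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def bundle_manifest(root):
    """Map each relative path to a digest; symlinks are recorded by target, not followed."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if os.path.islink(full):
                manifest[rel] = "link:" + os.readlink(full)
            elif os.path.isfile(full):
                manifest[rel] = sha256_file(full)
    return manifest


def diff_bundles(root_a, root_b):
    """Return (only_in_a, only_in_b, changed) as sorted lists of relative paths."""
    a, b = bundle_manifest(root_a), bundle_manifest(root_b)
    only_a = sorted(set(a) - set(b))
    only_b = sorted(set(b) - set(a))
    changed = sorted(p for p in set(a) & set(b) if a[p] != b[p])
    return only_a, only_b, changed


def matches_published(path, published_hex):
    """Compare a file with a published SHA-256; a malformed digest is an error, not a mismatch."""
    published_hex = published_hex.strip().lower()
    if not re.fullmatch(r"[0-9a-f]{64}", published_hex):
        raise ValueError("published digest is not 64 hex characters")
    return sha256_file(path) == published_hex


if __name__ == "__main__":
    import sys
    # Hypothetical usage: pass the notarized bundle first, the non-notarized one second.
    results = diff_bundles(sys.argv[1], sys.argv[2])
    for label, paths in zip(("only in A", "only in B", "changed"), results):
        for p in paths:
            print(f"{label}: {p}")
```

Any path reported as changed, or present in only one bundle, is where a byte-level comparison should start.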
