[0]: https://ofek.dev/words/guides/2025-05-13-distributing-comman...
The author didn't mention Apple's contempt for backward compatibility. Apple like to regularly nuke their entire developer system from orbit. Try running an app developed 10 years ago on the latest version of macOS. It probably won't run.
Microsoft are much better at backward compatibility and they don't force you to join a developer program. But you get totally reamed every time you have to update your authenticode digital certificate for Windows. Just the digital certificate will cost you more than $99 per year. It is a total racket.
To be fair, compared to the prices of Certum and other providers if you ever want to sign something for Windows, perhaps Apple isn't uniquely overpriced (they all seem to be that way): https://www.certum.eu/en/code-signing-certificates/
Looking more into the Windows side of things, I also found Azure Artifact Signing which is supposedly affordable at 8.54 EUR per month, but unfortunately they don't actually support individual users in the EU (only in US & Canada, meanwhile EU only gets support for organizations). I'd probably have to set up a SIA (equivalent of Ltd.) here first - it was in the plans for later, but this is a bit of a roadblock for using Azure too: https://azure.microsoft.com/en-us/products/artifact-signing
My tone might have been frustrated, but I will absolutely say that the code signing industry needs to have a Let's Encrypt moment of some description - at least commoditize it like Azure Artifact Signing was trying to do, but also for individual developers, across all platforms! Sadly, that doesn't seem to be possible when the platforms are intentionally walled gardens.
I genuinely don't understand why so many developers are willing to compromise so much for a thin laptop.
laughs in Bundesdruckerei
sudo spctl --master-disable
People will say, no, that’s too big a hammer, it’s not safe… but then, like, what do you actually want? Either you keep Gatekeeper because you like the friction it introduces, or you don’t like that friction and you should go turn it off. Pick one, you obviously can’t have both!
Of course, you as the developer can’t make this choice for your users… but isn’t that as it should be? The user decides what code is allowed to run on their machines. And the default setting is restrictive because anyone who knows what they’re doing can easily change it.
P.S. Meanwhile, on iOS there’s no way to install unsigned software at all, and on Android (starting soon) the process takes 24 hours instead of ten seconds. That is actually ridiculous because it’s taking away user choice.
P.P.S. To be clear, modern macOS has plenty of other restrictions which can’t really be turned off and which I find super annoying. Gatekeeper just isn’t one of them.
Edit: I’ve just learned that as of Sequoia, you have to also tick a box in Settings after running the Terminal command. So maybe it takes 30 seconds instead of ten seconds. That’s mildly more annoying, but still doesn’t really seem like a big deal to me.
Free business idea: get an Apple developer account and then agree to sign code for other people in exchange for a small piece of their income. I'm surprised that doesn't exist yet (or does it?).
Serious question - Is it really true that Windows 11 will run an untrusted .exe without a warning?
Where do you have to show ID for that??
Annoying, but if you’re delivering your app to semi-technical users, not really a problem.
I agree that Apple is dumb of course.
On two occasions I've been completely dumbstruck when the software I was using was deleted out from under me. I'm not a fan of the overuse of "gaslight", but it sure felt like that when I had to restart Docker and the OS was like "what do you mean, Docker? You've never had Docker installed! What are you talking about? Are you feeling ok?"
If it is good for the end-user, it is usually also good for the ecosystem as a whole, trust is valuable.
But ffs, they are rich enough to make this a lot less painful and hostile for developers.
And this is not a new thing, I used to develop games for iOS, from the very beginning, and while the process somewhat simplified over time, it was a huge cortisol-inducing process, not to mention the regular forced OS+SDK updates where the procedures change almost every time and could fail in not-so-evident ways.
This has more to do with putting up a scary dialog for normies than it does protecting anyone. A non-technical user isn't going to go bypass this in the terminal, they're going to run back to the App Store where Apple can collect that sweet 30% and analytics.
Apparently Apple disagrees, Apple decides. Typical users aren’t going to find their hidden 5 step process to enable non-blessed apps and obviously they know that. Gatekeeper is an appropriate name considering the user themselves are on the outside of the gate. It’s the culmination of everything Stallman and the FSF warned everyone about for decades. By its logic we should install police officers in our living rooms for safety.
https://en.wikipedia.org/wiki/Age_restrictions_on_energy_dri...
Edit: currently a voluntary but widespread scheme by retailers, proposed to be law. TIL
The added friction feels more like a way to force developers to pay Apple an annual fee for distributing rather than for my safety. Not saying it doesn't help with safety, just that it's more weighed to the former.
macOS is slowly getting like Windows, where, on a fresh install you have to go through and turn off all sorts of unwanted software just to have a sane environment where you, the user, are actually controlling your computer.
And yes, you can turn all of that off.
I've run several PiHoles for several years, primarily on latest versions (up to v5; current is v6.4.x) – recently updating to v6 has been extremely frustrating [0], e.g: realizing that even when you tell the pi's/en0 ("internet") interface to use a specific DNS server (in GUI/network settings), it still uses the DNS-server recommended by your local DHCP server [1].
[0] I am aware that this is a joint-issue between RaspbianOS and Pi-Hole teams
[1] which requires TWO sudo nmcli which newbs have no business configuring – what happened to -simple- ?
----
If you ever want to consider how crazy DNS-capture is getting, realize that Firefox/&c are all dark-patterning the abilities to turn off "secure"-DNS. The latest Raspbian/Pi-Hole defaults are terrifying... [2]
[2] another example: why doesn't v6 enable HTTPS localhost web-access, by default (like all previous versions?!)? Do the developers really expect us commoners to know how to generate localhost certificates – this is obviously behavior due to how the pihole useraccount behaves differently than the previously-root-blessed v5-behavior
----
Thankfully, I've kept a local copy of my favorite distro of Pihole v5, and it is readily-cloneable.
When I attempted to pass a --version tag during a fresh install (requesting v5 from remote installer), it went ahead and installed latest v6 (so why even.?!).
People reflexively hit yes to these things.
With Gatekeeper turned off, you’ll still get a warning on first launch which you can easily click through. (Unless Apple changed something in the last few versions—let me know if that’s the case—but it would be out of character for them to remove a warning...)
The “security feature” you don’t want to disable is precisely the thing you are complaining about, so I don’t understand why you’d keep it around.
> The added friction feels more like a way to force developers to pay Apple an annual fee for distributing rather than for my safety.
I don’t imagine Apple makes a substantial amount of money from $99/year developer subscriptions. The App Store is another story of course.
“Press command space, no no hold down the command key - gosh it’s in the bottom left - okay, now type “privacy”, now scroll, no you scrolled too far …”
App certification doesn't solve that problem either.
2. The expected income is way less than the developer fee, much less the expensive hardware required.
Date: 2026-05-09
I'm creating a simple developer utility to make managing Claude Code profiles (e.g. running it with DeepSeek, or some OpenRouter models) a little bit easier.
Edit: I just did the first release, which you can check out on ccode.kronis.dev, or go directly to the Itch.io page to either download or buy the pre-built binaries or look at the source code. It's a simple utility and it's early on (consider getting it for free first and only paying later, if it feels useful), but currently the code is not signed.
The utility is written in the Go language, and the tooling there makes it really easy to compile for various platforms - I get a static executable that I can put anywhere I want. Even before the release, I wanted to see how easy it would be to ship it.
It works just fine for distributing Linux software (same deal, after chmod +x).
It works sort of fine for distributing Windows software (I get an .exe, SmartScreen might have a word or two, though you can click through it in the same pop-up).
It does not just work for macOS and my MacBook instead shows me this:

What you see is their quarantine kicking in for downloaded software, even if I share it with myself over Nextcloud.
Technically, you can ask your users to override it manually, in the terminal:

Most developers might be willing to do that. It is not, however, good user experience and might raise some eyebrows.
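One way a user can make that manual override less of a leap of faith, as an added example that is not from the original post: check the download against a SHA-256 that the developer published through a separate channel, and only then remove the `com.apple.quarantine` attribute with `xattr`. The function names and the existence of a published checksum are assumptions of this example.

```shell
#!/bin/sh
# Added example: verify an unsigned download before clearing macOS quarantine.
# Function names are hypothetical; the expected hash must come from the
# developer's release page or another channel than the download itself.

# Print the SHA-256 of a file with whichever tool the platform ships.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_then_unquarantine FILE EXPECTED_SHA256
# Returns 0 when the hash matches (quarantine cleared if it was set),
# 1 on a hash mismatch, 2 on a missing file or malformed expected hash.
verify_then_unquarantine() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    case $expected in
        ''|*[!0-9a-f]*) echo "expected hash is not hex" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "expected hash is not 64 hex chars" >&2; return 2; }

    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        # Leave the attribute in place so Gatekeeper keeps blocking the file.
        echo "MISMATCH: $file hashes to $actual" >&2
        return 1
    fi

    # The attribute only exists on macOS; elsewhere there is nothing to clear.
    if [ "$(uname -s)" = "Darwin" ] &&
       xattr -p com.apple.quarantine "$file" >/dev/null 2>&1; then
        xattr -d com.apple.quarantine "$file" || return 2
        echo "hash ok, quarantine cleared: $file"
    else
        echo "hash ok, no quarantine attribute on: $file"
    fi
    return 0
}
```

A mismatch leaves the file quarantined, so a corrupted or swapped download stays blocked instead of being waved through by habit.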
Doesn't seem like such a big deal, right? I'll just enroll in their Apple Developer Program, sign the executable and be on my way, right?

Wait, they want how much money for the account?

And it's a yearly subscription? My brother in Christ, I intend to release a utility maybe a dozen or two dozen people are going to download, tops, for like 7 USD on Itch.io with a pay-what-you-want model, meaning that most of those people will probably choose the price of 0 USD instead (since I don't intend to be like Apple, people have various circumstances).
That means that even if it works out that much, there's going to be VAT and Itch.io will also take a cut so out of those maybe 50 USD I'll get about 25 USD, which funds me about 3 months of that Apple Developer Program price. I guess the reason for it being priced like that lies somewhere between greed and wanting to gatekeep hobbyists out and only support Serious Users™, but it seems a bit stupid. Oh well, I already had to get the overpriced MacBook for another freelance thing, because they also won't let me compile macOS/iOS apps on Windows or Linux, so I guess this is just them spitting on me after slapping me in the face.
What I get from that is that articles like "An app can be a home-cooked meal" are cool but don't take the economics of wanting to release something publicly into account - unless you're developing something that you'll add a bunch of monetization to, you'll be losing money. For desktop software there is Homebrew but that also means that you couldn't charge a few bucks for it even if you wanted to (or that you'd need to add mac-homebrew-install-instructions.txt to the Itch.io downloads page when doing the pay-what-you-want approach, which would feel awkward).
I don't like that the economics are pushing software and app development in a direction where releasing a package (that might be non-open-source or just source-available, but you want to release binaries) costs money, though I also acknowledge that there would be other issues, like insane amounts of spam, with not doing that.
Then, we get to the actual verification process - it's understandable that they'd want to verify my ID. The problem is that on the MacBook they also expect me to use its webcam to take a picture. I will admit that my M1 MacBook Air is getting dated at this point, but regardless of what lighting I tried, I could just not get a good picture of the document. It's not like they were like "Oh hey, we've detected that your own iPhone is connected to the same local network as this MacBook, would you like to use it as a camera?", so for about 10 attempts, this is what I saw:

Eventually, I moved over to trying to use my main webcam for that, since their built in one just doesn't work:

Why they can't just let me upload a scan of the document eludes me. I mean, I guess I can imagine a few reasons why, but it'd probably be easier to forge my own ID so it's not as glossy rather than having to turn my small kitchen table into this. Pictured for maximum frustration, a dongle that I needed:

Even that wasn't good enough, because understandably it doesn't have autofocus for something that you hold close. Not only that, but every 2nd failure seemed to just give me a generic error and I'd have to start the whole enrollment process from the beginning again:

Luckily I realized that I can install the app on my iPhone directly. There, it worked on the first try. I guess it must really suck if you don't have an iPhone or a fancy webcam, better spend some more money so you can give them money! The payment went through okay, soon after I had an activated developer account.
Except of course I didn't, look, the app tells me to await an e-mail (which I seemingly already received?):

And the desktop app doesn't care at all either, it doesn't even know that I've tried the enrollment, and offers to let me start the whole thing over again, despite me being signed into the exact same account:

It's probably a case of eventual consistency and some background processes or whatever, but it's also quite frustrating and, in a word, stupid.
Apple, I think you make hardware with pretty good build quality and the M-series chips made for pretty much the perfect notebook for me - and I'm sure they're great main dev machines for those that can afford the higher spec versions.
I think that's nice and I genuinely enjoy having the iPhone SE 2022, at least before learning that you killed off the budget series altogether (your new e-series are more expensive) and removed the nice silent mode toggle on the side and removed TouchID. That's before we even start talking about the 3.5mm jack and frankly all of that makes me question whether my next phone shouldn't just be an Android again.
I can deal with needing software like AutoRaise and Rectangle and DiscreteScroll alongside others to customize your OS to my liking because you won't let me do that myself like most Linux distros do. I can even deal with your window focus needing an extra click across multiple monitors and AutoRaise being nice but perhaps too aggressive, since the developers are at least trying to make the experience nicer!
I can deal with your keyboard shortcuts being odd and not even having a "Cut" option in your Finder program.
I can deal with your weird Control/Command button setup which even breaks remote desktop software.
I can deal with your weird "programs you close aren't actually closed" approach even though you sold me a MacBook with 8 GB of RAM just so I could develop software in your walled garden ecosystem.
But to first vendor-lock me into your ecosystem for developing apps, then demand a whole bunch of money so I can sign my software and keep it from getting quarantined, all while I'm not too well off financially, then refuse to let me submit my documents to you because your hardware produces pictures that are not good enough, and make me install the app on a phone that's also expensive and that not everyone even has, then still make me wait and have your apps not even show that I've submitted my application?
You know what? Apple, fuck you and your forsaken ecosystem. This sucks.
I can use SmartID to verify my ID (and age) in about 20 seconds when buying an energy drink at the local grocery store.
I can use eParaksts to digitally sign documents in about a minute, from either my PC with a card reader (using my government issued ID card), or my phone with their app, ending up with a proper cryptographic signature either attached to the EDOC container (ASIC-E) or a PDF file directly.
I'm sure that other countries also have plenty of similar services for ID and age verification, signing documents, and other digital services. I acknowledge that that's not all of them, and that things are all over the place in this regard (alongside the credit card mafia holding a lot of the world's payment infrastructure hostage), but come on, surely it's possible to create something that works better than my experience did.
Having a bunch of scrappy Baltic software packages working better than those by a multi-billion dollar company feels silly.
You know what, Apple isn't the only company where things are somewhat messed up.
If you want to sign some code for Windows, you can find Certum offering code signing, but that also costs around 209 EUR per year, all while they're supposed to be one of the affordable options out there! I'm not singling them out as much as acknowledging that they're one of the cheaper options and that many others out there are worse. What the fuck?
And then you look at Azure Artifact Signing, notice that their basic tier only costs 8.54 EUR per month, and for a bit feel happy that someone has at least tried to disrupt the extortionate prices - until you set up your Azure account and notice that you cannot sign code as an individual if you're outside of the US & Canada; in the EU, only organizations can sign code through them.
This feels about as bad as getting TLS certs was before Let's Encrypt displaced most of that rent seeking behavior - the problem being that there aren't many alternatives or competitors to them, which on one hand means that we're moving towards a massive point of failure, and on the other hand means that if they ever decide to demand money, then a large part of the Internet will be straight up fucked.
I thought that maybe I'm overreacting a bit - since my previous issues were mostly about the Apple signup process being annoying and the way they've treated their users being worse than it could be, but no, I should be more angry - the whole code signing space is stupidly expensive for what it is. You have arguments in the opposite direction? Just know that they said the exact same kind of stuff about TLS before Let's Encrypt and how you have to pay 100 EUR a year for a cert that's not even a wildcard because of reasons™.
Just let me sign my code with my governmental ID card and be done with it, jeez.