Last week, Apple released the much-awaited macOS Big Sur update for everyone. While everyone rushed to get a new update, folks who didn’t update at that moment faced a peculiar problem: they couldn’t open their apps.
It’s a frustrating situation when you rely on your computer for work, but can’t do anything because a server is messed up. That’s right, as developer Jeff Johnson noted, the issue was caused by Apple’s Online Certificate Service Protocol (OCSP) server crashed — largely due to many users downloading the new update simultaneously.
The OCSP server is responsible for authenticating digital certificates of all apps — both Apple and third-party. Apple calls this feature Gatekeeper, and the company claims it helps to prevent apps without valid certificates from opening to maintain user security.
It doesn’t matter if you’ve downloaded your app from the App Store or not. So when users were trying to just open their apps, they had to wait for the OCSP server to authenticate the app for them, but they weren’t getting any response. The easiest solution was to turn off the internet to launch apps. Apple evidently fixed the problem in a few hours.
Hey Apple users:
If you're now experiencing hangs launching apps on the Mac, I figured out the problem using Little Snitch.
It's trustd connecting to https://t.co/FzIGwbGRan
Denying that connection fixes it, because OCSP is a soft failure.
(Disconnect internet also fixes.) pic.twitter.com/w9YciFltrb
— Jeff Johnson (@lapcatsoftware) November 12, 2020
After the incident, security researcher Jeffery Paul wrote a blog alleging that macOS sends app hashes to Apple every time you run them. He also accused the company of knowing your rough location. Later, developer Jacopo Jannone explained that the company doesn’t really send hashes to servers every time you launch apps.
In response, Apple has updated its support page called “Safely open your apps” by defending its Gatekeeper mechanism and said the company never collects users data for it:
Gatekeeper performs online checks to verify if an app contains known malware and whether the developer’s signing certificate is revoked. We have never combined data from these checks with information about Apple users or their devices. We do not use data from these checks to learn what individual users are launching or running on their devices.
Notarization checks if the app contains known malware using an encrypted connection that is resilient to server failures.
The Cupertino tech giant noted that next year it’ll launch a project to reduce server dependencies and even give its users an option to opt-out of these security measures. We’ll have to wait for the implementation to see how they act in real-life usage. Hopefully, we won’t have to face the frustration of waiting for a server to authenticate an app that you downloaded and used plenty of times.