
This is ridiculous. The macOS app is signed.

    codesign -dv /Applications/Obsidian.app
    Executable=/Applications/Obsidian.app/Contents/MacOS/Obsidian
    Identifier=md.obsidian
    Format=app bundle with Mach-O universal (x86_64 arm64)
    CodeDirectory v=20500 size=759 flags=0x10000(runtime) hashes=13+7 location=embedded
    Signature size=8975
    Timestamp=Sep 29, 2025 at 12:22:41 PM
    Info.plist entries=39
    TeamIdentifier=6JSW4SJWN9
    Runtime Version=15.4.0
    Sealed Resources version=2 rules=13 files=23
    Internal requirements count=1 size=172

Also, I love OSS as much as the next person, but not everything needs to be.


I'm not sure how this is relevant? The code is signed but that doesn't mean it doesn't contain backdoors. Without it being open source or at the very least source-available, we can't know.

This is of course true of many other apps we run on Mac (though I suspect a non-zero number of common apps have backdoors); Obsidian also runs without sandboxing though, is used by many to record their innermost thoughts, and as the author mentioned, there's also the potential for data to leak via compromised extensions.

Am I missing something, or does the fact that it's signed tell us nothing except that the Obsidian company signed off on it? If so, I'd really like to understand if you had a purpose of sharing this... is there a tacit implication that "surely a company can be trusted"?


Does the fact that the app is signed mean it must use sandboxing?

> it isn’t required to use sandboxing
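
An added example, not part of any comment in this thread: it separates the three properties being argued about (who signed the app, whether the hardened runtime flag is set, whether the App Sandbox entitlement is present). The `codesign -dv` text is the output quoted above; the entitlements plist is a constructed sample, not taken from the real bundle.

```python
import plistlib
import re

# `codesign -dv` output as quoted in the thread (only the fields used here).
CODESIGN_DV = """\
Executable=/Applications/Obsidian.app/Contents/MacOS/Obsidian
Identifier=md.obsidian
CodeDirectory v=20500 size=759 flags=0x10000(runtime) hashes=13+7 location=embedded
TeamIdentifier=6JSW4SJWN9
"""

# Constructed sample of an entitlements plist for a non-sandboxed app, in the
# XML form that `codesign -d --entitlements - --xml <app>` prints.
ENTITLEMENTS_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.cs.allow-jit</key><true/>
</dict></plist>
"""

CS_RUNTIME = 0x10000  # the "runtime" bit shown in the flags field above
SANDBOX_KEY = "com.apple.security.app-sandbox"


def parse_codesign(text):
    """Pull signer identity and the hardened-runtime flag out of codesign -dv text."""
    fields = dict(
        line.split("=", 1)
        for line in text.splitlines()
        if "=" in line and not line.startswith("CodeDirectory")
    )
    match = re.search(r"flags=(0x[0-9a-fA-F]+)", text)
    flags = int(match.group(1), 16) if match else 0
    return {
        "identifier": fields.get("Identifier"),
        "team_id": fields.get("TeamIdentifier"),
        "hardened_runtime": bool(flags & CS_RUNTIME),
    }


def is_sandboxed(entitlements_xml):
    """App Sandbox is opt-in via an entitlement; a signature alone never implies it."""
    if not entitlements_xml.strip():
        return False  # no entitlements at all means no sandbox
    return plistlib.loads(entitlements_xml).get(SANDBOX_KEY) is True


if __name__ == "__main__":
    print(parse_codesign(CODESIGN_DV), "sandboxed:", is_sandboxed(ENTITLEMENTS_XML))
```

None of these three checks says anything about what the signed code does, which is the point the replies make.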



