Notarization is mostly a glorified malware scan. There's no Apple engineer auditing what's being sent for notarization. Even clever malware can evade notarization scans and be distributed as a notarized binary, it has happened in the past [0]

There's no better way for auditing such an app than having the code easily available and looking through it, and compiling it yourself. Which is already the case here.

[0] https://thehackernews.com/2025/12/new-macsync-macos-stealer-...

Your link says that Apple revoked the certificate used to sign the malware by the time the story was published.

After a different company detected it, figured out what it did, and reported it to Apple. The app was notarized on November 17, screenshots in the researchers' post are from December 16. That's a month of fully notarized distribution.

It's literally a single .swift file. Ask your LLM to audit it.

Do you expect this programmer is in cahoots with Anthropic?

The opposite, actually: that the code tricks the LLM.

if you use code you can't trust to audit code you can't trust, you're not doing an audit at all

personally I do not implicitly trust Anthropic or any other company

ok but who will audit your compiler?

While I disagree with you, thank you for sharing your decision-making process: you're probably not the only one who thinks this way.

In general, would you pay for a notorised build of free software, if you had use for that software, even if an un-notorised build or the source code were available?

It depends: having it notarized is a way to show someone with a certain reputation of "Hey! This is my code, this is me, if something happens, you can kill the switch".

If notarisation requires you some kind of payment, I would be okay with you charging me some money, if I obviously find your code has a good value for me.

I read comments around here about "Well: you can compile it yourself" or "it's open source! You can check the code by yourself".

And, while all of those arguments are accurate and valid, the point is "I do not feel like it" or, a little reminder, "The Great Suspender" was an example of a beautiful open source little app to suspend tabs on Google Chrome that, one glorious day, switched hands and, suddenly, after some time, someone noticed the repository and the code from the add-in were different, and those changes were made with nefarious intent.

Luckily, somehow found out, but some people do not have the time or the will to be playing that game.

A piece of code that requires access to my camera, regardless of size (<1000 lines of code) or build, it's something I just don't put on my computer without thinking it twice.

Thank you for the tone: I hope I responded to your question :)

I seriously doubt that he actually would. And in that unlikely event he'd be in a miniscule minority. Not a good open source monetisation strategy.

You may be severely wrong: I like to pay and contribute to things I use, believe it or not.

I love to buy small apps from indie developers or donate some money to things I use and I love: when I was a student, of course, things were different.

Nowadays, luckily, I can contribute and I do it gladly.

Posturr is now notarized!

Are you serious? It's open source. And there's less than 1000 lines total. Get Codex or Claude to review it if you're paranoid.

Go easy on the guy. Mac users are so used to overpaying for trivial functionality.

The thing is that how do you know at the end of the day that the compiled binary hasn't been tampered with "extra code" besides what's in the repo?

I don't even think notarization gets rid of this problem neither, so the best you can do for this is compile it yourself. Maybe I'm wrong!

Compiling it yourself is the best/only thing you can do if you really want to know what code went into a binary.

What prevents you from compiling it if it is open-source?

That's what I do with every project delivered as docker image. I rebuild the app and the image.