What is trustd?

If you use a firewall like Little Snitch, you have probably seen trustd connecting to Apple servers. It can look worrying, especially when it happens every time you open an app.

What is trustd?

trustd checks whether certificates and code signatures are valid. Every time you open an app, macOS checks that the developer certificate has not been revoked. trustd does that check.

Why does it connect to the internet?

trustd contacts Apple OCSP (Online Certificate Status Protocol) servers to confirm a developer certificate is still valid. The request contains a hash of the certificate. It goes over the internet because revocation lists change all the time.

The server it reaches is usually ocsp.apple.com.

Does it leak which apps you use?

This became a big talking point in November 2020 when Apple OCSP servers went down and Macs became very slow to open apps. People noticed every app launch was waiting for a reply from Apple.

The OCSP request holds a certificate hash, not the app name. But since each developer has a unique certificate, someone could in theory match requests to apps. The requests also went over plain HTTP, not HTTPS, so anyone on the network path could read them.
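To make that privacy argument concrete, here is an added example (not from the original post) that builds the OCSP request such a check sends, using the CertID layout from RFC 6960 section 4.1.1: the request carries a SHA-1 hash of the issuer's name, a SHA-1 hash of the issuer's public key and the certificate's serial number, which together identify one developer certificate but never the app name. The issuer name, key bits, serial and app name below are constructed sample values, not Apple's, and the HTTP framing follows RFC 6960 Appendix A.

```python
import hashlib

# Minimal DER helpers, just enough for the OCSPRequest structure in RFC 6960 section 4.1.1.
def der(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(body)]) + body
    return bytes([tag]) + length + content

def der_seq(*items: bytes) -> bytes:
    return der(0x30, b"".join(items))

def der_int(n: int) -> bytes:
    # Non-negative INTEGER; the extra byte keeps the sign bit clear when the top bit of n is set.
    return der(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

# AlgorithmIdentifier for SHA-1 (OID 1.3.14.3.2.26 with NULL parameters), the hash OCSP clients commonly use.
SHA1_ALG_ID = der_seq(der(0x06, bytes.fromhex("2b0e03021a")), der(0x05, b""))

def cert_id_fields(issuer_name_der: bytes, issuer_key_bits: bytes, serial: int) -> dict:
    """The three values that actually identify the certificate on the wire."""
    return {
        "issuerNameHash": hashlib.sha1(issuer_name_der).digest(),  # hash of the issuer's DER-encoded Name
        "issuerKeyHash": hashlib.sha1(issuer_key_bits).digest(),   # hash of the issuer's subjectPublicKey bits
        "serialNumber": serial,                                     # serial of the certificate being checked
    }

def build_ocsp_request(issuer_name_der: bytes, issuer_key_bits: bytes, serial: int) -> bytes:
    """Unsigned OCSPRequest for a single certificate, with no requestor name and no extensions."""
    f = cert_id_fields(issuer_name_der, issuer_key_bits, serial)
    cert_id = der_seq(SHA1_ALG_ID, der(0x04, f["issuerNameHash"]), der(0x04, f["issuerKeyHash"]), der_int(serial))
    request = der_seq(cert_id)               # Request { reqCert CertID }
    tbs_request = der_seq(der_seq(request))  # TBSRequest { requestList SEQUENCE OF Request }
    return der_seq(tbs_request)              # OCSPRequest { tbsRequest }

def ocsp_http_post(ocsp_request: bytes, host: str) -> bytes:
    """Plain-HTTP framing from RFC 6960 Appendix A: every byte is readable to anyone on the network path."""
    headers = (f"POST / HTTP/1.1\r\nHost: {host}\r\nContent-Type: application/ocsp-request\r\n"
               f"Content-Length: {len(ocsp_request)}\r\n\r\n")
    return headers.encode("ascii") + ocsp_request

# Constructed sample inputs (not real Apple values): a fake issuer Name (CN only), fake key bits, fake serial.
FAKE_ISSUER_NAME = der_seq(der(0x31, der_seq(der(0x06, bytes.fromhex("550403")), der(0x0c, b"Example Developer CA"))))
FAKE_ISSUER_KEY_BITS = bytes(range(65))   # stands in for the issuer's subjectPublicKey BIT STRING contents
FAKE_SERIAL = 0x0123456789ABCDEF
APP_NAME = b"SomeApp.app"                 # the thing the request does NOT contain

if __name__ == "__main__":
    req = build_ocsp_request(FAKE_ISSUER_NAME, FAKE_ISSUER_KEY_BITS, FAKE_SERIAL)
    print(ocsp_http_post(req, "ocsp.apple.com"))
    print("app name in request:", APP_NAME in req, "| issuer name hash in request:",
          cert_id_fields(FAKE_ISSUER_NAME, FAKE_ISSUER_KEY_BITS, FAKE_SERIAL)["issuerNameHash"] in req)
```

Because the issuer hashes and serial are stable per developer certificate, an observer who has seen a certificate once can recognise every later check for it, which is the correlation concern the post describes.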

What did Apple do about it?

Apple made three changes:

  1. A new encrypted method for certificate checks, replacing plain HTTP.
  2. A promise to stop logging IP addresses tied to these checks.
  3. A fallback so Macs do not freeze when the check servers cannot be reached.

Can you block it?

You can block trustd in your firewall, but it is not a good idea. macOS will still try to check certificates, and if it cannot reach the server, apps will open slowly while the system waits for the connection to time out. In some cases, apps may not open at all.

Should you worry?

With the updated method, the privacy concern is much smaller. Certificate checks are now encrypted, and Apple says IP addresses are no longer logged. The check itself is a real security feature: it stops you from running apps whose certificates have been revoked.

