This was a bug exacerbated by a server-side misconfiguration.
GateKeeper notarization checks already "fail open" by allowing the launch if something goes wrong. Unfortunately a bug in certificate revocation checks caused excessive delays when the server fails to respond so unlike notarization checks this didn't "fail open" as intended.
GateKeeper notarization checks already "fail open" by allowing the launch if something goes wrong. Unfortunately a bug in certificate revocation checks caused excessive delays when the server fails to respond so unlike notarization checks this didn't "fail open" as intended.