Technical reference · for engineers

How a Macfax cert is bound to one specific Mac.

The five components that make a Macfax cert un-replayable across devices. Plain-English first; cryptographic depth as you scroll.

Step 01

Server-issued nonce

Every cert request begins with a server-issued nonce. The seller's app embeds it in the diagnostic payload. This prevents replay attacks where a seller would save an old cert and reuse it for a different device.

Step 02

Apple's Activation Lock attestation

Before any heavy diagnostic runs, we check Apple's Activation Lock and Find My state. A device with Activation Lock on cannot be transferred to a buyer; we surface that immediately rather than letting the seller waste 45 minutes on burn-in.

Step 03

Secure Enclave signature (App Attest)

The diagnostic payload is signed by the Mac's Secure Enclave key via Apple's App Attest API. The enclave key is fused to the logic board at manufacture and cannot be moved between devices. This is the load-bearing primitive; without it, the cert would be a glorified PDF.

Step 04

Hardware fingerprint hash

We hash the chassis serial, logic-board serial, and model identifier together. On a logic-board swap (a real Mac Studio attack vector), the chassis and logic-board serials disagree, and the hash changes. The cert records the hash; mismatch is detectable.

Step 05

Time-bounded validity (30 days)

Every cert expires 30 days from issuance. This forces fresh certs on listings that linger and prevents stale certs from being sold years later as 'still valid.' Re-issuance is free within 14 days for the same device.

Verification flow

How buyer-side re-attestation closes the loop.

Buyer's Mac (opens /verify/[id]) → Macfax verifier (re-attests enclave key) → Cert (match or mismatch)

JSON variant · machine-readable

Every cert URL has a .json twin.

Append .json to any cert URL to get the structured payload, useful for programmatic verification by escrow agents, marketplaces, or third-party tools.

# Request
$ curl https://macfax.com/r/k7m4q9xa.json
# Response (truncated)
{
  "cert_id": "k7m4q9xa",
  "display_id": "K7M4-Q9XA",
  "issued_at": "2026-05-04T14:22:00Z",
  "valid_through": "2026-06-03T14:22:00Z",
  "status": "active",
  "subject": { "model": "Mac Studio (2025)", ... },
  "checks": { "hardware_verified": true, ... },
  "signing": { "hardware_signature": "0x8f3c91…", ... }
}

JSON is unsigned at MVP; verify the source by trusting TLS to macfax.com. JWS-wrapped JSON is on the roadmap.
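A consumer-side check that an escrow agent or marketplace could run on the .json payload, as an added example that is not Macfax's own code. It uses only fields shown in the sample response and assumes the /r/<cert_id>.json URL shape, the timestamp format and the "active" status value seen there; because the JSON is unsigned, it also rejects any URL that is not https on macfax.com.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

MAX_VALIDITY = timedelta(days=30)  # Step 05: certs expire 30 days from issuance


def parse_ts(value):
    """Parse the UTC timestamp format seen in the sample payload (assumed fixed)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_cert(url, payload, now):
    """Return a list of reasons to reject; an empty list means the cert passes."""
    problems = []
    parts = urlsplit(url)
    # The JSON is unsigned, so the only origin proof is TLS to macfax.com.
    if parts.scheme != "https" or parts.hostname != "macfax.com":
        problems.append("not fetched over https from macfax.com")
    # The payload must describe the cert that was asked for.
    if parts.path != "/r/%s.json" % payload.get("cert_id"):
        problems.append("cert_id does not match URL")
    if payload.get("status") != "active":
        problems.append("status is not active")
    try:
        issued = parse_ts(payload["issued_at"])
        expires = parse_ts(payload["valid_through"])
    except (KeyError, TypeError, ValueError):
        problems.append("missing or malformed timestamps")
    else:
        if not issued <= now <= expires:
            problems.append("outside validity window")
        if expires - issued > MAX_VALIDITY:
            problems.append("validity window longer than 30 days")
    # Require the literal boolean true, not a truthy value such as "false".
    checks = payload.get("checks")
    if not isinstance(checks, dict) or checks.get("hardware_verified") is not True:
        problems.append("hardware_verified is not true")
    return problems

# Constructed sample: the page's example response without the elided fields.
SAMPLE_URL = "https://macfax.com/r/k7m4q9xa.json"
SAMPLE = {
    "cert_id": "k7m4q9xa",
    "issued_at": "2026-05-04T14:22:00Z",
    "valid_through": "2026-06-03T14:22:00Z",
    "status": "active",
    "checks": {"hardware_verified": True},
}
```

Pass `datetime.now(timezone.utc)` as `now` in production; the parameter exists so the expiry logic can be tested against fixed dates.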
