
About Gatekeeper - ssclafani
http://www.panic.com/blog/2012/02/about-gatekeeper/#
======
petercooper
_If my app were to do something nefarious, my developer ID would get revoked
and that would be the end of that._

Sure, but this strikes me as naïve. It can take less than being nefarious to
get booted off of a service (like having an Apple developer ID) like having a
corporation or government agency filing a potentially unfounded complaint
against you (as we've seen with YouTube videos and, this very week, Jotform's
Web site.)

The problem _I_ have with Gatekeeper isn't in the pleasant, straightforward
scenario Apple wraps into its copy. The problem is giving a corporation direct
control over whose apps can and cannot work on a computer by _default_ is a
setup for some depressing abuse stories that can only be rectified by turning
off security or performing UI acrobatics.

~~~
reidmain
The problem with your comparison is that the stakeholders of SOPA/PIPA are
people who want to screw you. They don't care about your experience they want
to make the most possible money off you.

I'd argue that to Apple the consumers are their stakeholders. They want to do
everything in their power to make the user's experience better.

If we see Apple pulling apps of honest hard working people then I'll eat crow
but in the five years of the iOS App Store how many horror stories do we have
(if any)?

I will continue to give Apple the benefit of the doubt until they do something
to make me question. So far I've never been inconvenienced and only had a better
computing experience since I got my Mac and my iPhone. That is why I, and many
other people, will continue to use their products.

~~~
petercooper
There are stories. Some of the recent ones:

<http://www.appleinsider.com/articles/12/01/03/ataris_legal_threats_prompt_apple_to_pull_some_games_from_ios_app_store.html>
<http://mashable.com/2011/12/12/apple-pulls-app/>
<http://www.iphonehacks.com/2012/01/process-killer-app-that-allowed-users-to-close-all-apps-running-in-the-background-was-briefly-available-in-the-app-store.html>
<http://www.neoos.ch/blog/30-quickpick-pulled-from-app-store-our-statement>
<http://lifehacker.com/5614752/grooveshark-iphone-app-pulled-from-app-store>
<http://www.joystiq.com/2011/12/28/imame-app-pulled-from-ios-app-store-after-a-few-short-days-of-fr/>
<http://techcrunch.com/2011/12/01/match-com-app-store/>

Most (but not all) orient around violations of Apple's developer TOS which are
famously fickle and changeable. No emulators? Can't use "private APIs"?
Microsoft was hauled in front of the DOJ for better. Could those using an
Apple account to sign their non App Store apps be subject to similar, shifting
rules about what's kosher and what's not?

And if Atari has _really_ had apps pulled for supposedly bearing a "passing
resemblance to an Atari classic", we're in weird territory. From my POV,
there's just a creepy potential for blacklist first, ask questions later style
arbitration on Apple's part.

As a once Apple fanboy who's still surrounded by Apple gear, this all seems a
bit weird to say, but as a developer I'm not keen on this move at all.

~~~
rimantas

> Can't use "private APIs"? Microsoft was hauled in front of the DOJ for better.

Utter bullshit.

~~~
tonyedgecombe
<http://www.crn.com/news/channel-programs/18821233/microsoft-to-publish-385-windows-apis-protocols-to-make-antitrust-case-go-away.htm>

------
ImprovedSilence
While I can't say much bad about Gatekeeper (yet), I can't help but feel this
article is a bit scare-mongery ("As Macs enjoy increased popularity, they
become a more attractive target to identity thieves and other criminals.
Sooner or later, bad people ruin every nice thing. It’s an immutable law of
humanity.") And I think the author takes a scary turn, in that he grows used
to the loving walls of the closed garden. Just the quote ("You can let anything
run on your system, whether or not it is signed. This is the Mac OS of today.
It’s like having a jailbroken iPhone.") makes it feel like a walled garden of
ios is the norm, not a computer where you have full root access, and
undoubtedly, that kind of sentence has the average computer user thinking
"omg!, you mean my computer is out in the wild, just like a jailbroken phone,
that sounds dangerous!". If this starts to become the prevailing viewpoint,
it's lights out, free and open world.

[Edit]: Obligatory Ben Franklin quote: "They who can give up essential liberty
to obtain a little temporary safety, deserve neither liberty nor safety."

~~~
lukifer
This feature isn't for us. Playing Captain Hindsight and telling a regular
user "you shouldn't have opened that suspicious attachment" doesn't get their
data back.

Put simply, a computer is a dangerous tool in inexperienced hands, no
different than a table saw or a gun. A user has the ability to do serious
damage to themselves, by destroying or leaking personal information; adding a
reasonable safety feature that is activated by default is not an infringement
of your freedom when you have the ability to disable it trivially.

Now, if we're talking the App Store, then I agree with you completely. iOS
should behave exactly like Mountain Lion, and if I had my druthers, the level
of vendor lock-in they employ on that platform would be considered anti-
competitive and illegal. If it turns out that Gatekeeper is merely a stepping
stone to similarly walling off the Mac ecosystem, then I suppose I will have
to eat my words.

~~~
astrodust
For anyone who manages "IT" for their relatives, I'm sure they'll upgrade to
Mountain Lion and lock down the application execution to "App Store and Signed
Only" right away.

Some people have a talent for getting malware on _anything_.

~~~
Tyrannosaurs
I'd actually like a setting that says "Install nothing, change nothing, bloody
leave it all alone" for my Dad's computer.

~~~
jonny_eh
That'd be nice but the "App Store Only" option should be pretty damn close.

------
AdrianRossouw
I have no issues with signing applications and I heartily support it.

I have many (so many) issues with trusting apple to tell the world which
applications are the 'trustworthy' ones, when they have proven time and time
again that they will purposefully hobble their software/devices in such a way
as suits their business models and bank balance.

As a life-long open source enthusiast who has been pragmatic around the
existence and use of proprietary systems, this entire situation is the straw
that broke the camel's back. I won't give them any more of my money,
regardless of how sexy the hardware is, because ultimately the Price is just
too high.

~~~
wtallis
_"As a life-long open source enthusiast who has been pragmatic around the
existence and use of proprietary systems"_

If you're boycotting Apple over this, you're no longer being pragmatic, you're
being fanatic. Yes, Apple has closed platforms (iOS, iTunes, Mac App Store),
but they aren't adding Macs to that list or doing anything else objectionable
_yet_. If you _were_ ok, you should still be. Macs are, and will continue to
be, awesome Unix workstations that you can run whatever you want on.

Apple also has nothing to gain from completely closing off OS X. It would
destroy their developer base and be really bad PR, with only potentially a bit
of added revenue (and Apple is anything but financially desperate).

If you're pissed that Apple is merely _capable_ of acting unethically, and
you're going to boycott them because of that, then don't call yourself
"pragmatic".

~~~
AdrianRossouw
I'm hardly being fanatic and I'm not "pissed at apple for being capable of
acting unethically". I simply don't trust them enough to act ethically, it's
more of a resignation to that fact.

I have just reached the limits of what freedoms I am comfortable with
relinquishing to Apple. Having to ask Apple for the permission to be able to
write and distribute software that can actually be used on the majority of
computers crosses that line for me.

I don't care if apple has anything to gain from closing OSX, because it has
become too closed for me to consider it a serious option anymore. That wasn't
always the case. I've loved all my Macs, including this Snow Leopard MBP I am
writing this on.

To boycott something would mean not buying something that you might have
bought otherwise, 'as punishment'. That's really not what is going on here.
OSX has changed in ways that make it no longer meet my requirements for what a
computing device needs to be, so I won't buy another one. That's all.

~~~
wtallis
OS X is _not_ becoming more closed in any real sense. As described so far,
launching an unsigned app (or even one signed with a blacklisted key),
regardless of system settings, will take at most _one_ extra click. If that's
your "pragmatic" definition of "too closed", then I can't imagine what you
must think of Windows these days, especially with what's on the menu for
Windows 8.

~~~
AdrianRossouw
You said before : "If you were ok, you should still be."

I wasn't OK with it when they introduced the mac app store, I got really
unhappy with it when random open source tools suddenly disappeared offline and
became $2 pay-to-play software on the mac store. Then the sandboxing
restrictions and now the signature things.

I never wanted to play in apple's walled garden. It was fine when it was all
the way over there on ios. But the walls are going up around OSX as we speak,
and someday they might even remove the back gate, but at that point it will be
too late.

Because you will already be living in a world where to get into the nickel-
and-dime scam that is the mac app store, you need to bow to apple's wishes,
which get even more erratic as it gets more powerful (see sandboxing).

For anyone who doesn't want to play on the app store, they now have to get
'certified' by apple that they are allowed to write software for the mac. If
you don't play by those rules, you can expect your software to be widely
ignored regardless of the quality or malware status.

And really, the operating system is so much less important than the browser
these days.

*edit: typo

~~~
alwillis
_I wasn't OK with it when they introduced the mac app store, I got really
unhappy with it when random open source tools suddenly disappeared offline and
became $2 pay-to-play software on the mac store._

So that's Apple's fault? You wouldn't be referring to Growl, would you?
They're complying with open source licenses; you can get the source code and
build it yourself: <http://growl.info/documentation/developer/growl-source-install.php>

~~~
wtallis
That's actually exceeding the requirements of the license, since Growl uses
the BSD license:
[http://code.google.com/p/growl/source/browse/License.txt?nam...](http://code.google.com/p/growl/source/browse/License.txt?name=Growl.app+1.3.3)

------
augustl
As pointed out in other Gatekeeper threads, it would be nice if users could
choose which signing authorities to trust. Signing is a good security model,
but a single authority sounds risky to me. Perhaps I feel that Signing
Authority Foo has a better definition of malware (read: which certificates to
reject) than Apple has.

~~~
jensnockert
It could be useful to be able to remove the Apple root from trust as well,
only running locally signed applications.

(Could be useful for public environments, schools, libraries, enterprise etc.)

~~~
duskwuff
I wouldn't be all that surprised if this were already possible through
Keychain Access.

------
CmdrKrool
Two concerns.

Say you've made a bunch of apps and you are signing them and one day Apple
judges that one of them is nefarious and revokes your developer key. Does that
mean that /all/ of your apps will now fail to run in the "signed apps only"
mode, rather than only the nefarious one? If so that's more punitive than the
iOS App Store, where I've heard of individual applications being taken down
but never of a developer itself being black-balled. (Will you be able to apply
for another key? Will you have to play identity games to try and pass yourself
off as another person?)

Secondly, I've said above that an unsigned app will no longer "run", which is
what the language on the Panic blog implies. Will it really check the validity
of the developer's certificate every time a program is /run/? Will you be
happily using someone's app one day, and then the next day find it doesn't
start up anymore because some other app from the same developer which you
might have no interest in or knowledge of has been judged to be bad? That
doesn't sound very user friendly. I mean, I would have assumed that such a
check would only apply at /install/ time, rather than run time, but everything
I've read so far seems to be leaning towards the latter.

(Sorry - doing a quick check before posting this of Gruber's article - which I
hadn't actually read yet - seems to confirm that both of my concerns are real.
Oh my.)

~~~
callahad
> _Does that mean that /all/ of your apps will now fail to run in the "signed
> apps only" mode, rather than only the nefarious one?_

Probably. From what I've read, it sounds like Apple's revocation mechanism
more or less involves simply pushing a blacklist of keys. Thus, if your key
appears on that list, none of your apps signed by that key will work.
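The two mechanisms argued over in this thread, a per-key blacklist for revocation (CmdrKrool's and callahad's exchange) and a user-chosen set of trusted signing authorities (augustl's and jensnockert's wish), can be modelled in a few lines. The following Python is an added illustration written for this page, not Apple's code and not a description of how Gatekeeper is actually implemented: real signature verification and revocation fetching are replaced by plain records, and every name (`Mode`, `Policy`, `AppleRoot`, `SchoolRoot`, `DEV-KEY-ACME`) is constructed for the example. What it shows is the consequence callahad describes: once a developer's key is on the blacklist, every app signed with that key stops launching, not only the offending one, and because the check runs at launch time an app that ran yesterday can fail today.

```python
"""Toy model of a Gatekeeper-style launch policy (added example, not Apple's code).

A "signature" here is only a record naming the developer's signing key and the
authority that issued it, so the policy decisions can be shown on their own.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional, Set, Tuple


class Mode(Enum):
    """The three settings the thread discusses (names are this example's own)."""
    APP_STORE_ONLY = "App Store only"
    IDENTIFIED_DEVELOPERS = "App Store and identified developers"
    ANYWHERE = "Anywhere"


@dataclass(frozen=True)
class Signature:
    developer_key: str      # identifier of the developer's signing key (constructed)
    authority: str          # root authority that issued the developer certificate
    from_app_store: bool = False


@dataclass
class App:
    name: str
    signature: Optional[Signature]   # None means the bundle is unsigned


@dataclass
class Policy:
    mode: Mode
    trusted_authorities: Set[str] = field(default_factory=set)
    revoked_keys: Set[str] = field(default_factory=set)   # blacklist pushed by the authority

    def assess(self, app: App) -> Tuple[bool, str]:
        """Decide whether `app` may launch. Evaluated at every launch, not once at
        install time, which is why a later revocation stops an app that ran yesterday."""
        if self.mode is Mode.ANYWHERE:
            return True, "policy allows any code"
        sig = app.signature
        if sig is None:
            return False, "unsigned"
        if sig.authority not in self.trusted_authorities:
            return False, "authority %r is not trusted" % sig.authority
        if sig.developer_key in self.revoked_keys:
            return False, "developer key %r has been revoked" % sig.developer_key
        if self.mode is Mode.APP_STORE_ONLY and not sig.from_app_store:
            return False, "not an App Store app"
        return True, "signed by a trusted developer"


def revocation_demo() -> Tuple[list, list]:
    """Two apps signed with one developer key. Revoking that key (the whole-key
    blacklist described in the thread) blocks both, not only the offending one."""
    dev_key = "DEV-KEY-ACME"                     # constructed identifier
    editor = App("Acme Editor", Signature(dev_key, "AppleRoot"))
    toolbar = App("Acme Toolbar", Signature(dev_key, "AppleRoot"))
    policy = Policy(Mode.IDENTIFIED_DEVELOPERS, trusted_authorities={"AppleRoot"})
    before = [policy.assess(a)[0] for a in (editor, toolbar)]
    policy.revoked_keys.add(dev_key)             # the authority pushes an updated blacklist
    after = [policy.assess(a)[0] for a in (editor, toolbar)]
    return before, after                          # ([True, True], [False, False])


def local_authority_demo() -> Tuple[bool, bool]:
    """Trust only a locally run signing authority (a school or enterprise root) and
    drop the vendor root: the configuration asked for earlier in the thread."""
    policy = Policy(Mode.IDENTIFIED_DEVELOPERS, trusted_authorities={"SchoolRoot"})
    lab_tool = App("Lab Tool", Signature("DEV-KEY-LAB", "SchoolRoot"))
    vendor_app = App("Vendor App", Signature("DEV-KEY-VENDOR", "AppleRoot"))
    return policy.assess(lab_tool)[0], policy.assess(vendor_app)[0]   # (True, False)


if __name__ == "__main__":
    print("revocation:", revocation_demo())
    print("local authority:", local_authority_demo())
    for mode in Mode:
        p = Policy(mode, trusted_authorities={"AppleRoot"})
        print(mode.value, "->", p.assess(App("Unsigned Tool", None)))
```

The model makes the granularity problem visible: the blacklist is keyed on the developer's signing key, so the policy has no way to distinguish a developer's good app from their bad one. A finer mechanism would need per-app identifiers in the revocation data, which is exactly what the thread notes the described design lacks.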

------
smsm42
So if I upgraded to that version (which after nightmares I've seen my fellow
coworkers undergo after upgrading to Lion I'm not very keen to do) I'll be
greeted by the system that by default does not let me to install any software
except one approved by the OS maker without annoying me with scary warnings
that will not be even read, let alone understood, by 99.9% of its users? I
think I know one OS that already does that. There was a view held by some that
Apple innovates and then other companies (including certain Redmond one) copy.
Now it seems to be going in the opposite direction.

~~~
reidmain
You actually don't know of an OS that does that.

Windows Vista's UAC was to ask "Are you sure?" for everything, not just
running applications. There was no whitelist of secure apps short of what was
installed with Windows.

The major difference with Mountain Lion is Apple actually has an App Store
which 99% of the people who need this feature will use by default.

Everyone else will turn off (or turn down) this feature just like they did with
UAC.

Changing one setting so I don't get emails from my mother saying she ran
virus.app and now her computer is acting funny is worth it to me.

~~~
smsm42
No, 99% of people will be using whatever they used before to get programs.
Because these programs won't be in App Store, at least for quite a while, so
people will get trained in ignoring those warnings and turning them off. The
direct consequence of the system that brands thousands of legit and safe apps
"dangerous" would be desensitizing of users to this system and training them
that the warnings system gives mean nothing and proper reaction to them is
turning it off. You yourself would do this once asked to install new IM
program that somehow isn't in Apple store. And then virus.app would have
absolutely no problem running.

~~~
reidmain
The app does not have to be in the Store, it only has to be signed by Apple.
The default setting is to allow any app that has been signed by Apple to run.
If a developer does not have the time in the next six months to sign their app
then I do want a warning.

I agree with you in that too many modals can desensitize a person but let us
look at what would need to happen to occur in this space.

Your average consumer would buy their new Mac with Mountain Lion and would
immediately be prompted to look at the App Store. It is right in their dock
and constantly promoted by Apple. This person downloads an app or two that
they heard they MUST get (through friends/family/colleagues whatever). Some of
the apps the person hears about are not in the App Store so they go to Google.
Maybe they've been told about Adium or VLC or Chrome or Firefox or any of the
other extremely popular Mac apps that have active developers. These apps are
all signed by Apple because it takes like 15 min to get a certificate
generated.

So now let's say we're at 4-8 apps downloaded. I would say a case could be
made that your typical consumer isn't going to install 50 apps right after
they get their computer but let us assume they download some app that is not
signed by Apple. They are prompted with this warning and here is the valuable
first impression and the learning experience. If this warning can properly
convey to the user why the app doesn't start then you've won. The user will
either decide they don't want to run "unsafe" apps or they will change the
setting.

This warning isn't going to be constantly popping up because you wouldn't see
this each time you went to run the app because you can't even run it. The only
options are "don't run this" or "don't run this and get rid of it". The user
can't just blindly click past this they need to understand it before they can
advance.

Now let's say your typical user sees this and is scared and decides installing
this app isn't worth the risk. If for whatever reason they have been told to
download a lot of unsigned apps they will then need to make a choice. Do I
turn this feature off or am I OK with not having this app.

If you think the typical user is going to be installing dozens of apps from
lazy developers then yes the user could be desensitized.

I believe that from past experiences we can see that even having to download a
DMG is a jumping off point for so many people. Most users are going to
experience this just a few times and if Apple controls the experience
correctly then the user will be smarter and more protected than before.

------
jcromartie
Allowing only App-Store-signed apps on the Mac would be suicide for Apple.
They know this. It wouldn't happen, and if it does happen, then it would mean
the end of the platform. Techies only have locked-down iPhones and iPads
because they can still run any open-source or third-party tools they want,
whether to write their own programs or just create content like websites, or
play indie games, etc.

It just won't happen. If anybody was going to do this on the desktop already,
it would be Microsoft, and they've already made it clear that "trusted
computing" is just a feature along side that all-important cornerstone of
computing: running whatever the flip you want.

~~~
wazoox
> _Techies only have locked-down iPhones and iPads because they can still run
> any open-source or third-party tools they want ..._

This is not my experience. All of the iphone-carrying techies I know have them
jailbroken.

------
jack7890
I think it almost goes without saying that the messaging will be changed
before the public release.

~~~
callahad
Does it? Without strongly worded messaging, users would be apt to blindly
forge ahead and run untrusted binaries, wouldn't they?

It's exceptionally frustrating to see this situation playing out. I really,
fundamentally, do _not_ trust Apple, but at the same time, this sort of
pervasive code signing is an _enormous_ boon to the majority of their users.
And I think fear-mongering dialogs may be an important part of actually making
that work.

------
joejohnson
That all sounded really thoughtful and was pacifying me until that very last
bit ("One worrisome rift"). If Apple is going to make non-App Store apps begin
to look inferior, then eventually they will want everyone to move to their
distribution network.

~~~
wizzard
Agreed. I'm trying to figure out the logic behind the decision to restrict
iCloud and Notification Center access to Apple-signed apps, and I just can't.
If you have installed malware on your machine, you have bigger problems than a
few spam notifications showing up.

~~~
rbarooah
The difference is that for those services, which cost Apple to provide on an
ongoing basis, they want your app to go through App review. I could easily
imagine a poorly written app that still worked and was useful, but that caused
a disproportionate load on the iCloud service perhaps even through just a bug.
If it went through app review, Apple would be able to enter into a dialog with
the developer to fix the issue.

If it was just signed and wasn't actually malware, then would Apple be able to
legitimately disable all of that developer's apps because of a performance
problem with just one of them?

Basically, signing apps provides some assurance against obviously ill
intentions, but no quality control. Since it's your machine, this is a
reasonable balance - if you're ok with an inefficient app that does something
you need, then that's your choice.

App store apps can use infrastructure _outside_ of your machine that is
provided by Apple. This means they have a stake in quality control as well as
assuring benign intent.

~~~
joejohnson
I guess that is fair. The point I guess is that developers will always be able
to develop and distribute outside of Apple's channels, so I guess all this sky
is falling talk is unwarranted.

------
frankiewarren
I don't understand the "Move to Trash" default for Apps that are unsigned if
your default is to only run signed apps.

I think the chances are greater that a user intentionally downloaded a piece
of software that happens to be unsigned rather than unintentionally downloaded
malware. Wouldn't it be more appropriate to prompt the user something along
the lines of "This application was not created by a trusted developer. Run
anyway?"

~~~
danbee
Most users don't read dialogue boxes and will just click on 'Yes'.

~~~
frankiewarren
I guess that's true, but they already take a similar approach with the "This
program has been downloaded from the internet," box.

------
mcantelon
> So it seemed feasible that we’d wake up one day and Apple would decree that
> all Mac apps must be sold through the App Store.
>
> But instead, Apple went to considerable effort and expense to find a middle
> ground.

Offering an option to users that locks out even signed apps is a middle
ground? Huh.

------
feefie
for some warm-and-fuzzies, mac old-school nostalgia:
<http://homepage.mac.com/chriswjohnson/gatekeeper/gatekeeper-intro/gk-installing.html>

