

Gatekeeper's Dialog - Xuzz
http://dcurt.is/gatekeeper-s-dialog

======
patio11
This dialog makes me very, very glad I have moved the vast majority of my
users off of downloadable software. That's going to cause a lot of "Why did
your Googles download me a virus?!?" complaints.

~~~
petercooper
What's coming for apps may in turn come for the Web. With the commotions
around link sites, piracy, and pedophilia, a similar "must be
signed/registered with us"-type restriction for accessing specific Web sites
isn't a particularly tin foil hat idea now.

~~~
finnw
Yes, and that would be as simple as disabling HTTP in the commercial browsers
(allowing only HTTPS.) The remaining handful of nerds who compiled their own
browsers would require far fewer resources to track.

Note to self: don't buy a SSL certificate from GoDaddy.

~~~
sirclueless
Which commercial browsers? You mean the ones that Apple vetted and allowed on
the App Store?

------
xdissent
It might be aggressive to suggest you put it immediately into the trash, but
"... has not been signed by a recognized distributor and may damage your
computer" is totally accurate.

The suggested "The app Adium hasn't been checked by Apple. It can't be
trusted. Use the App Store to find trusted apps." is less scary, but more
inaccurate. Apple doesn't check signed apps - they only issue the
certificates. The app store is also not the only place to find trusted apps,
which is a major point behind the Gatekeeper system.

~~~
jfarmer
It's accurate but overly technical and unnecessarily frightening. You
shouldn't be using terms of art anywhere in your copy unless that's the
language your audience speaks, too.

The average user will think they're about to get a virus or do irreversible
damage to their computer, both of which are very, very far from the truth.

It's as bad as this type of error dialog:

    
    
      +---------------------+
      |                     |
      |                     |
      |  An error occurred  |
      |                     | 
      |             [ OK ]  |
      +---------------------+
    

What am I supposed to do with that? It provides no information and doesn't
give me the opportunity to fix the (very mysterious) problem.

In some ways this is worse because while the dialog is technically accurate,
the presentation will alarm anyone who doesn't understand exactly what's
happening.

tl;dr: Imagine if your grandma saw this error message. How would she react?

~~~
msbarnett
> The average user will think they're about to get a virus or do irreversible
> damage to their computer, both of which are very, very far from the truth.

Very far from the truth, _today_, when this is a brand new beta that Devs are
just getting their hands on.

But 6 months from now? A year? It's not going to be long before an unsigned
binary probably is a trojan or similarly untrustworthy. It's not like Adium
isn't going to be signed by the time Mountain Lion ships.

> tl;dr: Imagine if your grandma saw this error message. How would she react?

She'd freak out and throw it in the trash -- _which is exactly what I want her
to do with unsigned binaries_.

There's really no analogy with the "An error occurred" dialog. We want to
scare users away from blindly trusting binaries from the internet. "An error
occurred" serves no similar purpose in training the user.

~~~
fpgeek
I doubt trojans will bother with unsigned binaries. I suspect they'll just do
some sort of "social engineering" to get all the developer certificates they
want.

~~~
finnw
Or maybe we'll see malware distributed in source form. That could be nasty if
the development environment gets compromised. Probably more dangerous than a
compromised website.

------
tedsuo
Reminds me of the same issue with CA warnings, which used to be very alarmist
but often incorrect in terms of the actual danger, so users just got used to
pushing "Ok I don't care."

Basically, if you have something alarming show up in front of every install
created prior to OS X 10.8, it will be the "boy who cried wolf" scenario.

------
phillco
I wrote an article about Windows' take on this, some time back:
<http://usersinhell.com/unhappy-security-dialogs/>

There, they have a different set of problems. In both cases (signed and
unsigned), you can proceed...but Microsoft doesn't really distinguish between
the two types of warnings well, turning the whole thing into noise. I'm
convinced nobody pays attention to it.

------
blahedo
Also, check out the available buttons on the dialog---"Cancel" and "Eject disk
image". I'm guessing that "Cancel" is the one you need to click to say "Cancel
the warning and mount it anyway", which in other contexts is known as "OK".
Argh.

~~~
dchest
I think "Cancel" means close the dialog and not run the program.

~~~
jonhendry
Mounting a disk image is a step before trying to run the program. The dialog
shown is what you would see when you first download the app in a .dmg file.
Then you mount the disk image, and either run the app from the disk image by
double-clicking on it, or copy the application to your computer.

------
kogir
I think that as long as Apple stays impartial, verifies the identities of
developers, and fights attempts by governments to abuse revocation, this is
actually a development we should welcome and encourage.

Imagine if by default, all software most users install on their Macs will be
traceable to a real entity - be it a person or company. This entity can be
held responsible for the behavior of the software it distributes. If the
distributed software is malicious, it's possible to immediately revoke the
entity's certificate, stopping the software from running on future, and
possibly even current machines. Legitimate entities that don't distribute
malware are only mildly inconvenienced whenever they register or renew their
Mac Developer Program membership.

In fact, a system like this only has value if it's difficult to opt-out. For
an example of how useless signing is without a mandate, look at Windows:
Unsigned apps run just fine, and most malware has no certificate to revoke -
it keeps working long after it's discovered.

Even better, if all applications are required to be signed, it's now possible
to verify the signature of everything on the system. You can prove that
nothing has been tampered with, and in the event tampering has occurred, you
potentially know what to replace to return to a known good state. I think this
alone is awesome!

Now, could Apple use this to stifle competition? Maybe. Does it raise the bar
to distribute an app on the Mac? Sure (but I'm not sure that's a bad thing).
As long as disabling the signature mandate is an option, power users are free
to do whatever they want, and most other users will be _much_ better off.

~~~
jnhnum1
The problem is with the hypothesis that Apple would stay impartial and fight
attempts by government to abuse revocation. This is highly unrealistic, and
we've already seen Apple use the App Store policies to keep competitors' apps
out (Google voice for a long time, 3rd party browsers, ...), calling them
"redundant functionality".

~~~
kogir
I think that even if you add up all of Apple's indiscretions so far (and I
agree with you they've made mistakes), you'd find the number to be small, and
the number still outstanding even smaller. It's not going to be a perfectly
smooth ride, but _as long as disabling signature verification is an option_
users will be able to work around Apple's obtuseness in situations like this
until they're resolved.

~~~
silentOpen
As long as no one comments out _that_ _checkbox_, we still have a general
purpose computer...

------
thought_alarm
It looks about right to me. It's warning the user of untrusted software from
an anonymous source, and its message should be strongly worded.

If you don't want your users to see that message, make sure your stuff is
signed.

~~~
patio11
Thought experiment for you: is the analogous message for untrusted webpages or
emails from "anonymous" sources a good idea for usability?

"'Facebook' has not been verified by a certificate authority and may damage
your computer. You should close this window."

"'Bob Smith' may not actually be the author of this message and the contents
may be lies. You should delete this email."

The _happy_ outcome there is users learn to ignore both of them inside of a
week.

~~~
lsb
The analogous message for untrusted webpages is "Go ahead, browse, because
this is in the sandbox of the browser.".

And, when you type stuff into a textbox and POST it over HTTP, a text box
often pops up the first time, saying "This is insecure, fyi".

For text-only emails, it's plenty fine. For emails with images, there's some
privacy issues, and for emails with attachments, even more issues.

For the average user that won't check MD5s, saying "This can't be trusted,
throw it out" is probably the right idea. There's a lot of history of people
telling others their password for a candy bar, so anything that users really
want they'll get, scarygram or no.

------
r00fus
This reminds me of when Firefox, Chrome and other browsers decided all
self-signed certs are malicious, and forced all https websites (even intranet) to
sign up with some CA or get users to install their certs in the browser.

As an enterprise web-app dev for a small company, it was an incredible
pain-in-the-ass.

However, now, like then, the issue will dissipate once the developers get
their (free) OSX signing key... just another item on the checklist before
distributing your code.

------
kellishaver
The suggestion to trash the app is a bit harsh. The rest doesn't seem bad,
though. Maybe something like "The identity of this application cannot be
verified by Apple. Only install applications from vendors you trust.
Installing applications from unknown sources may damage your computer."

Also, that "Cancel" button is pretty ambiguous. I'd think "Eject Disk Image"
and "Proceed Anyway" would be better options.

~~~
CountSessine
There is no "Proceed Anyway" option. That would make it just another
Button-That-I-Have-To-Click-To-Get-What-I-Want dialog that are so pervasive on
Windows. The options are "Don't mount the DMG" and "Don't mount the DMG and
throw that mofo straight into the trash".

If Apple is consistent with their past behaviour and their uncanny
understanding of user psychology, setting the "Allow all unsigned programs to
execute" option in System Preferences won't add a "Proceed Anyway" button -
it'll just suppress this dialog altogether.

~~~
kellishaver
Ah, I misunderstood the intent. I thought cancel would close the warning and
allow the application to be installed anyway.

So there will be no way to bypass this on a per-app basis without changing the
system preferences for all applications? You either completely disallow
unsigned applications, or you always allow them?

I'm not sure that's the best approach, but I'm not sure it isn't, either. :)

~~~
msbarnett
You can right-click it and open it and the system will remember it as a
per-app exception, from what I can tell.

That this isn't achievable directly from the standard dialog is probably a
good idea to avoid training Joe Average User to become blind to the warnings.

~~~
kellishaver
Ah, nice.

> That this isn't achievable directly from the standard dialog is probably a
> good idea to avoid training Joe Average User to become blind to the
> warnings.

Yes, this is a very good point.

I feel like there's a (probably smaller, but still not insignificant) middle
ground of people who generally know what they're doing, but would still like
the extra layer of protection, for whom the per-app exceptions would be handy.
Having it not the default, though, is probably a good thing.

~~~
msbarnett
> I feel like there's a (probably smaller, but still not insignificant) middle
> ground of people who generally know what they're doing, but would still like
> the extra layer of protection, for whom the per-app exceptions would be
> handy. Having it not the default, though, is probably a good thing.

Well, that's effectively what the default is, where the "middle-ground" people
will know to go into the contextual menu (or if you're feeling particularly
keen, to disable the quarantine bit on the DMG from the command line, which is
what triggers the signing check in the first place).

------
psychotik
Where's the "Proceed Anyway" button? In this context, 'Cancel' is super
ambiguous.

~~~
CountSessine
Not ambiguous. Cancel means don't mount the DMG, but don't move it to the
trash either. There is no 'Proceed Anyway' option, unless you enable it in
System Preferences.

~~~
mnutt
Which is a problem. Suppose I want to run an app that _I_ trust, but Apple
does not. I'm going to go find the option in System Preferences and turn it
off so it stops bugging me, then probably never turn it back on.

~~~
comex
There is an option to 'proceed anyway' by right clicking on the app.

~~~
mnutt
Thanks, I didn't see that initially but it's mentioned in the Macworld
article.

------
jcromartie
Does anybody else find it ironic that this complaint comes from the guy who
_invented_ "You should follow me on Twitter"?

~~~
stanleydrew
I've been thinking about it for a minute and a half and I actually have no
idea why that's ironic.

~~~
jcromartie
Just because he says

> Also, saying "You should move it to the Trash" is weirdly strong wording.

when he published a very influential write-up[1] of how he discovered that
"you should follow me on Twitter" was the best text to use to actually _get_
people to click the link and follow him. It's not unlikely that people
implementing this UI were actually influenced by Dustin's original findings
when choosing this wording.

So he may be calling his own idea "weirdly strong", which is how I always felt
about his "you should follow me on Twitter" phrase (and the resulting
explosion of it around the web). It's a meme come full-circle, and the father
doesn't recognize it!

[1] <http://www.dustincurtis.com/you_should_follow_me_on_twitter.html>
Dustin has clout in the web UI/UX/whatever designer blogo-webo-sphere.

------
hcarvalhoalves
"You should move it to the Trash"? What kind of crap is that? Apple is going
down the terrorism route to make sure developers pay them to join the walled
garden?

I'm afraid this is a glimpse of the post-Jobs era. Modal dialogs with
technical, scary nonsense and money trumping good UX.

------
robryan
Maybe this is so when they water it down they arrive at something strongly
worded that we would have originally disliked but can live with it because it
is a lot better than the current implementation.

------
nkassis
What about adding an option, "proceed anyway, I understand the risks" ?

Currently in 10.7 there is something for downloaded apps the first time it
pops up and has an option to continue. Why not continue with that? And yes
this will just lead to people deactivating the thing completely and it will
now offer 0 protection in the future.

~~~
coob
Idiots will just click it anyway.

This doesn't appear if you have the preference to run everything turned on.

~~~
huhtenberg
Idiots will Google for how to work around the warning and run the program
anyway.

~~~
sipefree
That takes a lot more effort. Besides, most apps will be signed by the time
it's released.

------
there
Of all the Mac viruses, worms, malware, etc. that have been distributed, how
many of them came in the form of a dmg that the user opened and installed? I
would think most of the things that "may damage your computer" would come in
the form of vulnerability exploits and other stuff that the user will never
see or get a chance to block.

~~~
tvon
> how many of them came in the form of a dmg that the user opened and
> installed?

Erm, in recent years, all of them? I can't think of any exploits in the wild
that have been anything other than a trojan.

------
elmindreda
It's good to see that Apple is getting more open about being an enemy of
software freedom.

------
tlb
_The vast majority of apps people download will not damage their computer_.
That's irrelevant. Downloading 100 good apps and one malware app still means I
have malware. It's reasonable to warn people when they are doing something
risky.

~~~
dchest
It's not a warning, it's a verdict. There's no button to "proceed anyway".

------
laconian
Apple's pieces are in place. This is the personal computing endgame.

------
nickpp
'saying "You should move it to the Trash" is weirdly strong wording'

closely followed by:

"You should follow me on Twitter here"

------
fabiandesimone
Couldn't the dialog have an option to take you to the app store and show you
similar apps?

------
gojomo
Seems very Apple-like to me: they provide a more controlled environment for
users and developers – providing warm security fuzzies – and want to collect a
toll for that service (via 'recognized distributor' registration).

The toll isn't very large, and while imperfect, it does add a level of
accountability/reputation that isn't there otherwise.

I wonder, though: is every signature-verification reported back to the
Cupertino mothership? That would offer some interesting capabilities: "there's
a statistically significant larger number of
[crashes|support-requests|upgrades|etc] from users of developer X's software".

------
drivebyacct2
Forgive my naivety, but what problem is this solving? Maybe I'm not in the
loop, but I'm not aware of a large amount of malware that forcibly downloads
itself marked as an Adium.dmg file. It seems like this is a hoop to jump
through. Come to Apple or else your users will be scared to install your
application.

(also, none of the comments seem to touch on the fact that this is OPTIONAL in
Mountain Lion. Of course, I hope it stays that way or it is modified to be...
less fear mongering)

