Tuesday, February 21, 2012

Mountain Lion and GateKeeper

Last week, Apple surprisingly announced the next release of Mac OS X: Mountain Lion. They also officially dropped the "Mac" part, so it's actually: OS X Mountain Lion.

Not only did they announce Mountain Lion, they also made it available for members of the Mac Developer Program for testing.

Like everyone else, I was quite surprised to see a new version of OS X announced by Apple so soon after Lion, which was only just released in July 2011.  In fact, I only just upgraded my main Mac to Lion about a month ago!

With this progress comes questions and for Real Studio developers, some of those questions are about the new GateKeeper feature.

GateKeeper is a newish security feature that aims to prevent users from launching compromised applications.

In Mac OS X Lion, the first time you launch an application downloaded from the Internet, you are prompted with a warning (screenshot omitted).
This is called "File Quarantine" and was introduced in Mac OS X Leopard.

GateKeeper extends File Quarantine to do a few other things.  Essentially, GateKeeper really wants you to only run applications that have been digitally signed to ensure their authenticity.  Why?  Because if a signed application is hacked (to add malware, for example) or otherwise modified, then the signature is invalidated and OS X will not run the app.  A valid signature tells the user that this app has not been modified by anyone other than the original developer.

This is all controlled with a new System Preference containing three options:
  1. Run Mac App Store Apps only
  2. Run Mac App Store Apps and Apps that have been digitally signed
  3. Run any app

Option 3 is the same as things are now with Lion (and Snow Leopard and Leopard).  Option 2 is going to be the default with Mountain Lion.  Option 1 is for your parents.

A digitally signed application is an application that has been signed using a certificate provided by Apple to you.  So what does it mean for Real Studio developers?

If you are already submitting apps to the Mac App Store, then you are a member of the Mac Developer Program and can sign your applications using the certificate you already have.  The command-line tool (codesign, provided with Xcode) is used to sign your apps with your certificate using syntax like this:

codesign -f -s "3rd Party Mac Developer Application: Your Company Name" --entitlements entitlements.plist "AppName.app"

You can start signing apps not submitted to the Mac App Store at any time; they will work fine in Lion, Snow Leopard and Leopard.

For those that are not members of the Mac Developer Program, you do not yet have a certificate to use.  According to John Gruber's post about Mountain Lion, Apple will not require you to pay to get a certificate.  But they have not yet specified what this free method will be, so we have to wait and see.  It is really in Apple's best interest to have the certificates be freely available, so I'm confident a free way to get them will appear soon.

GateKeeper Limitations
There has been much concern that GateKeeper will completely prevent some apps from running at all and that it gives Apple the ability to remotely "kill" applications.  Both of those concerns are false.

First, GateKeeper only runs when the app is first launched.  If the certificate is proven valid at that time, then the app will launch.  The certificate is not checked again.

Apple can certainly invalidate certificates, but that will only prevent the app from being run on someone else's Mac, someone who has not already run it.  Invalidating a certificate does not give Apple the ability to "kill" or remove previously installed applications.

Secondly, even with the most restrictive setting of "Mac App Store Applications only", you can still force an app to run by right-clicking on it and selecting Open.  This will display a warning that lets you override the restriction and run the application.  Again, you only have to do this the first time you run the app.
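To see what the first-launch check described above actually looks at, here is a small shell script (an added example, not part of the original post or Real Software's tooling) that reports whether an app bundle carries the File Quarantine attribute and whether its codesign signature still verifies. It assumes the com.apple.quarantine value has the layout "flags;timestamp;agent;uuid" with the timestamp as hex seconds since the Unix epoch, and it uses the spctl tool, which the post does not mention; the macOS commands are skipped on other systems.

```shell
#!/bin/sh
# Added example: inspect a downloaded .app the way Gatekeeper does at first launch.
# Assumed quarantine value layout: "flags;timestamp;agent;uuid" (timestamp in hex).

# Split one field (1-based) out of a quarantine attribute value.
quarantine_field() {
    printf '%s' "$1" | cut -d ';' -f "$2"
}

# Decode the hex timestamp field to decimal seconds since the epoch.
quarantine_epoch() {
    q_hex=$(quarantine_field "$1" 2)
    echo "$((0x$q_hex))"
}

# One-line summary: which agent downloaded the file, when, and the raw flags.
quarantine_summary() {
    printf 'downloaded by %s at epoch %s (flags %s)' \
        "$(quarantine_field "$1" 3)" "$(quarantine_epoch "$1")" "$(quarantine_field "$1" 1)"
}

# Run the macOS checks against a bundle; codesign/xattr/spctl only exist on OS X.
check_app() {
    app="$1"
    if ! command -v codesign >/dev/null 2>&1; then
        echo "codesign not available; run this on OS X" >&2
        return 2
    fi
    q=$(xattr -p com.apple.quarantine "$app" 2>/dev/null)
    if [ -n "$q" ]; then
        echo "quarantined: $(quarantine_summary "$q")"
    else
        echo "not quarantined: Gatekeeper will not assess this bundle at launch"
    fi
    # The signature fails to verify if anything inside the bundle changed after signing.
    if codesign --verify --verbose "$app" 2>/dev/null; then
        echo "signature: valid"
        codesign -dvv "$app" 2>&1 | grep '^Authority='
    else
        echo "signature: missing or broken; a quarantined copy will be blocked"
        return 1
    fi
    # spctl reports the verdict Gatekeeper would give under the current policy setting.
    spctl --assess --type execute --verbose "$app"
}
```

Usage on a Mac: `check_app /Applications/SomeDownloaded.app`.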

Final Words
I hope this helps you understand GateKeeper a bit better.  And rest assured, the team at Real Software is investigating Mountain Lion further.  But due to NDA, we won't be able to comment on specifics until it is released.


LVWolfman said...

Microsoft has been doing this for years, so it isn't really too big of a deal. Well, the not allowing unsigned apps to run was only in IE, but the app warnings are old hat.

What Apple REALLY wants is a curated experience as on iOS where the only programs you may run are those purchased through Apple. We'll end up needing an Apple Developer license to run our own creations.

Paul Lefebvre said...

"What Apple REALLY wants is a curated experience as on iOS where the only programs you may run are those purchased through Apple. We'll end up needing an Apple Developer license to run our own creations."
I don't agree with that. I think Apple recognizes that Mac and iOS are different things for different types of users.

Shamino said...

Wolfman: Gatekeeper only acts on downloaded apps. Anything you install through other means (CD, flash drive, self-compiled, etc.) never gets authenticated.

This isn't even close to what iOS does. And given the fact that all current Mac malware arrives via download channels, it's probably all we need.