
Panic Blog

From the desk of
Steven
Engineering Dept.

About Gatekeeper

Today’s Mountain Lion announcement introduces an important new security feature, called Gatekeeper, in addition to the “sandboxing” feature that premiered in Lion. I’d like to talk a little bit about it, and why it’s important to all Mac users.

Malware is out of control. Almost every day I read a new article about a major security breach in a well-known organization. There is big money to be made from stolen credit card numbers and identities. End-user applications on individual computers are a prime attack vector because, even with the best tools and the best programmers, vulnerabilities sneak their way in. Relying solely on making applications free of vulnerabilities (while still an important goal) means losing the overall cat-and-mouse race.

As Mac users, we’ve mostly enjoyed a life free of the worry that has followed Windows users for years. Mac OS X is pretty damn secure. But it could be more secure. As Macs enjoy increased popularity, they become a more attractive target to identity thieves and other criminals. Sooner or later, bad people ruin every nice thing. It’s an immutable law of humanity.

So, what to do about this? Code-signing, although it can’t single-handedly fix the problem forever, is a vital weapon in the fight against malware. But many folks are unclear on how it works, or how it helps. Let me try to explain in as close to plain English as I can.

An explanation of code-signing for humans

What is code-signing? Let’s start with a slightly higher-level question: what is signing? Signing is based on technology similar to encryption, so let’s discuss them both broadly.

One of the most prevalent and secure methods of encrypting or signing data is to use what’s called a “key-pair”. As the word “pair” suggests, this means there are two keys which can “unlock” the encrypted data in certain ways.

A “key” is literally just a number. But it’s a very big number, and this is important. If I asked you to guess a number between 1 and 100, you’d have a 1% chance of guessing it on your first try, and you’d be guaranteed to guess it correctly if I gave you 100 tries. But what if I asked you to guess a number between 1 and 3 trillion? That’s a bit more of a challenge.

You’ve probably heard at least in passing about encryption keys and that they have different sizes or lengths (such as 40-bit, 128-bit, or 256-bit). Just like in my number guessing example above, longer keys are harder to guess. Each additional bit that is added to a key makes it exponentially harder to guess or figure out by brute-force attempting to decrypt the data with every possible numerical key. (Is 1 the key? No. Is 2 the key? No. Is 3 the key? Is 3,426,989,662 the key? No.)

We want encryption keys to be very long so that brute-force guessing attempts would take literally thousands of years. They become an unreasonable attack vector given the current average human lifespan.

So, why two keys? In key-pair encryption, one key is called the “private key” and the other is called the “public key”.

The keeper of the private key is able to “sign” data, a process that both identifies its origin and provides reasonable proof that it has not been altered. Private keys must be guarded very carefully, so that signatures cannot be forged.

The public key, as its name suggests, may be distributed freely. In encryption, the public key can be used to encrypt data which can only be read by the owner of the corresponding private key. In other words, with my public key, you could send me a secret message that only I could read.

In signing, the public key can be used for another purpose: to verify (with an extremely high degree of mathematical probability) that a “signed” piece of data came from me. Or, to be more specific, could only have come from someone with access to my private key. Which, hopefully, is just me.

In a nutshell, that’s what signing is. Even without actually encrypting it, I can take a chunk of data, run it through a very complex mathematical process to “sign” it with my unique private key, thus generating a second chunk of data called a “signature” that could (statistically speaking) only have come from that specific combination of data chunk and my private key.

Anyone with that signature and my public key can then be almost 100% sure that the data came from me, and that it was not modified by any third party along the way. The data couldn’t have any virus or vulnerability injected into it, because then the signature would no longer match the data.

So, signing allows us to, with very high confidence, ensure that we are who we say we are, and that the data we produce really came from us. Code-signing, then, is simply applying that signing process to executable code like a Mac app. If I try to start up an app, the operating system can validate that the app’s signature is valid, and perhaps also that it is the signature of a known, trusted developer. If it doesn’t pass muster, the OS can refuse to run the application.

Which brings me to Gatekeeper.

The role of Gatekeeper

The iOS devices (iPhone and iPad) effectively have had a Gatekeeper built into them since their very first release. When we write an iOS app, we sign it, then send it to Apple to review. Apple can validate the signature to ensure that it hasn’t been tampered with — that it really came from us — and then it goes into the app review process.

If the app passes review, it is then signed again by Apple, and posted to the App Store. Since Apple is the only entity able to sign App Store applications, iOS will simply refuse to run any app that doesn’t have Apple’s signature — it obviously didn’t come from the App Store. (If you “jailbreak” an iOS device, this is the security check you are bypassing. You are lobotomizing iOS so that it will merrily run “unsigned” code from any source. As you can hopefully tell by now, this has both benefits in terms of flexibility and very significant risks in terms of security.)

But how to bring this level of security to Mac OS, which has always allowed unsigned code from any source to run more-or-less without restriction?

The simplest thing Apple could have done would have been to make the Mac App Store the sole source for Mac apps, in the same way the App Store is the sole source for iOS apps, shutting off every other app distribution venue in the process. While this would have immediately solved the problem, you would have seen developers’ heads bursting into flame and flying across the room in rage. Why?

Although security is a vital feature for Apple, developers, and users alike, being unable to run unsigned code cuts a lot of really great things off at the knees. You wouldn’t, for example, be able to just download and run an open source project unless it had been submitted to and reviewed by the App Store. Highly disruptive software (think Napster or BitTorrent) might not have been able to exist on the Mac platform, since it would have been likely to run afoul of Apple’s App Store guidelines. Major vendors such as Adobe and Microsoft might have withdrawn their support for the platform, being unwilling to cede 30% of their revenue to App Store distribution.

So, for a while, there was a great deal of consternation among Mac developers, including this author, that this might be the route Apple would take. In recent years, Apple has shown a trend of following the most hardline possible stance that will benefit users and Apple, often at the expense of developer freedom, and gradually backing in certain affordances (push notifications, for example) as user-impacting problems became evident. So it seemed feasible that we’d wake up one day and Apple would decree that all Mac apps must be sold through the App Store.

But instead, Apple went to considerable effort and expense to find a middle ground.

Controlling Gatekeeper in Mountain Lion

In Mountain Lion, you, the user, have three options:

1. You can let anything run on your system, whether or not it is signed. This is the Mac OS of today. It’s like having a jailbroken iPhone.

2. You can allow only Mac App Store apps to run on your system. This is the most secure option, but you lose the ability to run non-App Store software, which currently includes such products as Microsoft Office and Adobe CS.

3. You can allow only Mac App Store apps or apps signed by a developer. This is the new default.

It’s this third option that is critical. As a developer, I can register for a unique ID which allows me to sign my app but does not require it be sold through the App Store. Users get the benefit of knowing the app came from a trusted source. But I retain the ability to sell my app directly to end users.

If my app were to do something nefarious, my developer ID would get revoked and that would be the end of that. My app would no longer be allowed to run (unless you specifically allowed unsigned apps). As a matter of fact, if you try to launch an unsigned or unvalidatable app on a Mac with Gatekeeper enabled, the default button is “Move To Trash”. Pretty hardcore. Kind of awesome.

It is really quite a nice compromise.
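To make the two technical halves of this post concrete, the key-pair signing explanation above and the three Gatekeeper settings just listed, here is an added Python model. It is not Panic’s code and not Apple’s implementation: it uses textbook RSA with fixed, tiny Mersenne primes and no padding (a teaching toy, not real cryptography), and the Developer ID name, the `app-store` signer label, the sample “binary” and the decision order in `assess` are all constructed assumptions about how such a check could be structured, not a description of how Gatekeeper actually works.

```python
# Added toy model: key-pair signing plus a Gatekeeper-style launch check.
# Not Panic's code or Apple's implementation. Textbook RSA, fixed small primes,
# no padding: enough to see how the pieces fit, useless as real cryptography.
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Constructed key material. Real keys are thousands of bits long; these are
# small enough to read, which also makes them trivially weak.
DEV_PRIMES = (2**61 - 1, 2**89 - 1)      # "Developer ID" key of a sample vendor
STORE_PRIMES = (2**107 - 1, 2**127 - 1)  # stand-in for Apple's App Store key
E = 65537                                # conventional public exponent


@dataclass(frozen=True)
class KeyPair:
    n: int  # public modulus
    e: int  # public exponent
    d: int  # private exponent: the secret that lets its holder sign

    @property
    def public(self) -> Tuple[int, int]:
        return (self.n, self.e)


def make_keypair(primes: Tuple[int, int], e: int = E) -> KeyPair:
    """Derive a key pair from two primes (textbook RSA, no safety checks)."""
    p, q = primes
    n, phi = p * q, (p - 1) * (q - 1)
    return KeyPair(n, e, pow(e, -1, phi))  # modular inverse; Python 3.8+

def digest(data: bytes, n: int) -> int:
    """Hash the code and reduce it into the modulus so the toy math applies."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data: bytes, key: KeyPair) -> int:
    """Only whoever holds the private exponent can compute this value."""
    return pow(digest(data, key.n), key.d, key.n)

def verify(data: bytes, signature: int, public: Tuple[int, int]) -> bool:
    """Anyone holding the public key can check that data and signature match."""
    n, e = public
    return pow(signature, e, n) == digest(data, n)


# The three Mountain Lion settings described in the post.
ANYWHERE, APP_STORE_ONLY, STORE_OR_DEVELOPER_ID = "anywhere", "store", "store+devid"
APP_STORE = "app-store"  # signer label we assign to Apple-signed App Store apps


@dataclass(frozen=True)
class App:
    code: bytes
    signature: Optional[int]
    signer_id: Optional[str]  # a Developer ID, APP_STORE, or None if unsigned


def assess(app: App, policy: str, trusted: Dict[str, Tuple[int, int]],
           revoked: Set[str]) -> Tuple[bool, str]:
    """Gatekeeper-style decision as (allowed, reason). A model, not Apple's code."""
    if policy == ANYWHERE:
        return True, "policy allows unsigned code"
    if app.signature is None or app.signer_id is None:
        return False, "unsigned app"
    if app.signer_id in revoked:
        return False, "signer's ID has been revoked"
    public = trusted.get(app.signer_id)
    if public is None:
        return False, "signer not known to the OS"
    if not verify(app.code, app.signature, public):
        return False, "signature does not match the code: altered after signing"
    if policy == APP_STORE_ONLY and app.signer_id != APP_STORE:
        return False, "valid Developer ID signature, but policy is App Store only"
    return True, "valid signature from a trusted signer"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run the post's scenarios against the policy settings."""
    vendor, store = make_keypair(DEV_PRIMES), make_keypair(STORE_PRIMES)
    trusted = {"devid-sample-vendor": vendor.public, APP_STORE: store.public}
    code = b"#!/bin/sh\necho hello from a sample app\n"  # constructed stand-in binary
    direct = App(code, sign(code, vendor), "devid-sample-vendor")  # sold directly
    in_store = App(code, sign(code, store), APP_STORE)
    # Same signature, altered code: what injected code looks like to the verifier.
    tampered = App(code + b"echo extra\n", direct.signature, direct.signer_id)
    unsigned = App(code, None, None)
    default = STORE_OR_DEVELOPER_ID
    return {
        "direct/default": assess(direct, default, trusted, set()),
        "direct/store-only": assess(direct, APP_STORE_ONLY, trusted, set()),
        "store/store-only": assess(in_store, APP_STORE_ONLY, trusted, set()),
        "tampered/default": assess(tampered, default, trusted, set()),
        "unsigned/default": assess(unsigned, default, trusted, set()),
        "unsigned/anywhere": assess(unsigned, ANYWHERE, trusted, set()),
        "direct/revoked": assess(direct, default, trusted, {"devid-sample-vendor"}),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:18} {'ALLOW' if ok else 'BLOCK'}  {why}")
```

The `tampered` scenario is the point of the signing explanation: the signature was computed over the original bytes, so any change to the code makes `verify` fail even though the signer ID is still trusted. The `revoked` scenario is the “my developer ID would get revoked” case: the check refuses the app before it even looks at the signature, but only at the moment the check runs, which is why the post notes that a user who has switched to the “anywhere” setting would still be able to launch it.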

I have a personal flaw in the form of a small conspiracy theorist who lives in my head. He worried that this may have been created as just a temporary stepping stone — like Rosetta for the Intel transition, or Carbon for the OS 9 to OS X transition — and that one day, the Mac App Store-only option might still be enforced.

But I can’t find it in me to disparage this goodwill effort that Apple has undertaken to not turn every third-party developer upside-down with regard to app distribution. To me it’s a great sign that they’re aware and at some level sympathetic to our concerns, while remaining committed to a high-security experience for users.

Further cementing this feeling is the fact that we were invited to a private briefing at Apple about Gatekeeper a week before today’s announcement. Cabel was told point-blank that Apple has great respect for the third-party app community, and wants to see it continue to grow — they do not want to poison the well. I think their actions here speak even louder than their words, though.

One worrisome rift

There remains one thing that is of concern to me. Despite these great strides forward, Apple is walking a dangerous line with regard to features that are only available to App Store distributed apps. The two most prominent examples are iCloud and Notification Center. Cabel asked Apple if, thanks to Gatekeeper and Developer ID, App Store-only features would eventually be available to signed apps that were not distributed through the App Store. There was some shuffling of feet and a “we have nothing to announce at this time”. It didn’t sound particularly optimistic.

It would be a shame if this trend continues, as it creates an artificial gulf between App Store and non-App Store apps. For example, as things stand today, we won’t be able to offer iCloud syncing in, say, Coda 2, when you purchase it directly from us. Only App Store purchasers would get that feature. Making matters worse, Apple offers us no real facility to “cross-grade” you from a direct purchase to an App Store purchase, should you change your mind.

There’s no real engineering reason that I can think of for this. It seems marketing or money-driven, and I think it’s un-Apple-like to chase the money at the expense of user experience in that manner. We hope they change their minds about that particular facet.

Moving forward

Other than that though, we think Gatekeeper is a bold new feature that should do wonders for the security of your Mac for years to come. Even though their rapid pace of development is at times difficult for us to keep up with, we are excited that Apple continues to aggressively push the envelope when it comes to keeping Mac OS X safe and secure.

Posted at 2:34 pm 76 Comments

Sebastiaan de With

2/16/2012 2:53 PM

Well written explanation, Steve. A joy to read. :)

Do you all have any sense of what this does to the time-honored practice of opening up app bundles and switching out icons, or diddling with a text file or a plist to give you more better options…or fixing a broken component by using this great hacky solution posted on Ars or MacOSXHints or wherever? Would code-signed apps NOT from the App Store (i.e. Gatekeeper apps) stop running if you “messed around inside”?

I’m so glad to see rational explanations of this. It seems developers are really quite pleased, while the forums are alight with totalitarian fantasies.

Tom Miller

2/16/2012 3:03 PM

Excellent post Steve. Better explained by you than Apple ;)

Peter Halverson

2/16/2012 3:04 PM

I agree it’s a solid security move for Apple. But I’d also voice my concern of the App Store / non-App Store rift. It seems to me there is little motivation for Apple to keep non-App Store apps from becoming 2nd class citizens. Hopefully enough developers who share this concern will offer Apple their opinion.

jcburns, while I am not a developer and have no experience with the developer preview, it was explained in one of the posts I read today (MacWorld maybe?) that Gatekeeper only checks the app on first run. Once verified, it stays verified, leaving you to muck around in the app resources. Again, though, I have no first hand knowledge of this scenario.

Dustin Dawes

2/16/2012 3:15 PM

jcburns: From what I know, only the executable bits are checked for consistency. Changing graphics is still fair game.

Second: Jailbroken apps are still signed, they just don’t care about being signed by Apple. Code signing is still mandatory.

Well structured and well written. Nice job, Steve.

Regarding the gulf between the App Store and non-App Store apps, if they still allow the first option, the move can eventually allow third-party replacements of the key features to thrive. For example, haven’t seen Mountain Lion’s Notification Center but Growl should be able to do something similar (and no, there was no pun intended). iCloud is also something that DropBox could continue competing with (and beating in many cases). Apple will want these features to be implemented but if prominent app developers are not using them, they may go back and change their policies.

Cheers

Matthias Fichtner

2/16/2012 4:03 PM

I’m pretty sure that you got your encryption example backwards. Usually, data is encrypted using the public key, not the private key. You give your public key to people who need to send you encrypted data. And only you — the owner of the private key — can decrypt that data. Encryption wouldn’t be very secure if done the other way around. ;-)

Signing, on the other hand, works as explained: The owner of the private key signs a chunk of data, and anyone in possession of the public key can verify that signature.

I don’t really see anything here to make the existence of Gatekeeper less unacceptable from a developer perspective. The problem is that although “get a free cert from Apple, apply it to your apps, that’s all”, as the feature appears to be currently (…appears? Apple has done a terrible job of explaining what the default Gatekeeper policies will be) is not particularly bad by itself, we have no guarantees about how the feature will evolve in future. Okay, so now everyone who publishes Mac software has to get an Apple cert, which Apple can retroactively revoke at any time for any reason. Once a majority of Mac apps have moved over to the signing model, what’s to stop Apple from suddenly changing terms– like requiring a fee to get a cert, or putting App Store like conditions (“don’t use this internal API”, etc) on your cert’s continued validity, or moving the default from “app store and signed apps” to just “app store”?

If “signing” meant, I dunno, an SSL cert or something it would be one thing, but this system puts an enormous amount of power in Apple’s hands, power they’ve done nothing to demonstrate they can be trusted with. I will not be signing my software and I’m legitimately startled to see there are people who aren’t alarmed and disgusted by the basic idea that Apple will now have person-by-person approve/deny power on who can be a Macintosh developer.

Code signing is great, and of course Apple doesn’t want to poison the well.

But is there some reason why Apple wouldn’t want to slowly convince people away from that well? Is it really so hard to imagine that Apple would prefer everything was just sold through the App Store?

If tomorrow, all your Mac software stopped working, that would surely be bad business for Apple. But gradually ostracising and creating, as you say, “2nd class apps” seems like exactly the right business strategy to get everybody to buy from the App Store.

It’s not really a conspiracy theory, because there is a already a very well-established precedent with iOS, which seems happily-enough accepted by developers. Good will on Apple’s part would be allowing Gatekeeper-signed apps to run on iOS, even if not purchased through the App Store.

I’m sorry to come off as negative on this, and your explanation of what exactly code-signing is is very lucid. But at the end of the day I do feel a bit like you are saying, “We were really worried we would instantly lose 30% of our income to Apple, but whew! It’s not nearly as bad as we thought…”

Overall this turn of events is not surprising, not terrible on its own, but also not exactly reassuring if you value open computing.

Great article. Well written and informative, for developers and normies alike.
Thanks for the great insight!

Two dumb cents:

Mcc: In my opinion, it’s good to be cautious, but not good to act on conspiracy theories. Apple has the power to revoke Developer IDs, yes, but they told me they will only do that for malware (or leaked keys), and I have to take them at their word. If they mess up, or change terms, there will be a huge uproar, and of course we’ll make a decision if that happens. But until then, well, this is all about trust, right?

PsySal: If Apple’s end game is to be App Store Only, it’d be totally crazy to spend all of this time and energy on Developer ID and Gatekeeper. They could easily have done nothing at all. Again, it really is a conspiracy theory at this point — until I see (actually see!) otherwise on the Mac, I can only believe their intent, which is to keep independent apps alive, but make them more secure.

Christopher Masto

2/16/2012 4:14 PM

Great article, but I think it’s also significant and worth pointing out that this entire feature is tied only to files that were downloaded from the Internet (quarantined), so it’s not like everything on your computer suddenly stops running.

Matthias: You’re right that encryption is generally performed in the other direction than signing. I tried to address that later in the footnote because it’s a bit of a tangent. But let the record show that yes, encryption is usually performed with a public key to be sent to the particular individual who owns the corresponding private key.

jcburns: My understanding is that non-executable application resources are signed but not validated by the OS currently. It seems unwise to depend on this lasting forever, though.

Hi all. I’ve modified the post slightly to address some technical inaccuracies, hopefully without making my explanation too much harder to understand for non-technical readers. Thanks for your feedback.

“It seems marketing or money-driven, and I think it’s un-Apple-like to chase the money at the expense of user experience in that manner.”

You’re kidding, right? This is of course in direct opposition to having no emulators or tethering or wireless syncing in the iOS app store. Everything Apple does is money driven (the share holders aren’t just ‘good guys’ and make sure of this!), and user experience just happens to make a lot of money.

I don’t think the lack of a “cross-grade” path is motivated by greed, as in a desire to force users to pony up more cash. I think it’s a prioritization issue, motivated purely by a desire *not* to expend any resources on things that *don’t* bring in any money. There’s a difference. One is malice, the other isn’t. I would expect some sort of trial-period system LONG before I’d expect to see a cross-grade path.

Thanks for this post! I’ve genuinely been worried sick about this. However I’m relieved to understand what the “anywhere” option in Gatekeeper means. I’m still a little worried that they’re still eventually building up to “Mac app store only”, and your notion of the ever growing divide between indie and AppStore apps is a great reason to stay concerned.

I guess we all have some serious thinking to do, and should remain aware and vocal about our dislike for this direction. I’d really, really hate to try to go back to Linux. As much as I enjoyed those days in the 90’s and early 2000’s, I’ve been happier and more productive in OSX than on any other platform, including system 7,8,9.

/rant

I love The Secret of Monkey Island…

Will there be an update like this on the sandboxing issues? Is that still supposed to take place the start of March?

Andre: You hit the nail on the head with your last line — a good user experience makes money. Apple is of course concerned about making money but they do it in a way driven by customer demand.

It’s interesting to note that there ARE emulators on the App Store — but only ones where the ROMs have verifiable copyright provenance, such as the Atari Classics.

If a majority of users were complaining about general purpose emulators not being available, Apple would I think want to resolve that, which would in turn bring the money. That’s what I meant by that quote. They generally care about things when they become a thorn in majority user’s sides — not “power” users with fringe needs/desires, or developers.

Doug Sheppard

2/16/2012 5:45 PM

“no emulators or tethering or wireless syncing in the iOS app store”

Settings > Personal Hotspot > On.
Settings > General > iTunes Wi-Fi Sync > Sync Now.

If these options don’t work for you, you should talk to your carrier and call them bad names. Apple seems to be happy to give them away for free in the core OS and add value to the device.

As for emulators, I’m playing Zork right now. It’s no Coda for the Atari 2600, but it has its charms.

Love the Monkey Island spoof picture. That alone was worth the cost of admission! Oh, the article was quite enlightening, too.

Now I’m just waiting for OS X 10.9 “Bobcat”!

Regarding App Store-only features: “It seems marketing or money-driven”

Maybe – but I think it’s more likely to be an incentive to encourage developers to migrate to a more secure world of the Mac App Store. That doesn’t mean their intentions are nefarious and I don’t think their cash cow is the app stores. They have an interest in incentivizing over time more secure applications.

Apple is opinionated. Even beyond security, they believe the app store is a *better* way to obtain, update and explore apps. So far I think they’re right. If you’d like to use iCloud’s API, you need to be in the App Store. It’s not always perfect, but as Steve Jobs said at D8 before he died (wow), “clearly [they're] doing something right.”

Dan Cameron

2/16/2012 8:25 PM

Great post.

The cost of the iCloud and Notifications infrastructure must play a role in their decision to allow those features for App Store apps only. It’s still all about money but leaving it open to every app would probably be significant only because there will be apps that try to take advantage of the features and do something unintended.

Bozzified

2/16/2012 9:13 PM

Steven said: “For example, as things stand today, we won’t be able to offer iCloud syncing in, say, Coda 2, when you purchase it directly from us. Only App Store purchasers would get that feature.”

BINGO Steven, you just answered your own question. Instead of shocking you right away and completely cutting you off if you don’t use app store, Apple will force you to do it one way or the other by limiting your access to the APIs. Either way you WILL be selling through app store.

Regarding the transfer from a personal store to the App Store, you guys (developers) can’t generate promotion code for the ones that already bought the app? I always thought that this could be a solution but it seems that nobody is doing it. Just wondering.

Guill: Developers are limited to 100 promo codes per app. Not nearly enough to migrate a user base.

Developers could offer a higher-priced version on the Mac App Store for those customers who desire iCloud functionality. Higher-priced in order to make up for Apple’s 30% cut.

Nice write up.

I’m no coder but I’ve been known to push out a few homebrew scripts, apps and droplets to scratch particular itches. Most of these have been put together using tools like AppleScript Editor. I wonder where code signing and Gatekeeper leaves users like myself who create tools to help in their own workflows as well as their limited audience?

As a designer with aspirations to code the Mac has always been a great playground to create tools like these and I’d hate to see that lost.

“I’m no coder but I’ve been known to push out a few homebrew scripts, apps and droplets to scratch particular itches. Most of these have been put together using tools like AppleScript Editor. I wonder where code signing and Gatekeeper leaves users like myself who create tools to help in their own workflows as well as their limited audience? As a designer with aspirations to code the Mac has always been a great playground to create tools like these and I’d hate to see that lost.”
———-
I’m no coder but my OS X Lion is covered in homebrew scripts apps and droplets that clearly scratch someone else’s itches. I quickly assumed most had been put together using tools that I have no use for, personally. I wonder where code signing and Gatekeeper leaves users like myself who were under the impression we were paying Apple for Macintosh software, rather than the somewhat more ubiquitous “Apple Developer Community”. If I wanted strangers who feel compelled to develop free system files for the core of my system, but for which they wanted no remuneration and for which they were unwilling to put their name / brand on; I would just use another Unix OS? Windows or Linux? As a non-designer who literally cannot get a straight answer out of designers on their own forums, in response to evidence submitted that fairly warrants one, the Mac has clearly been a great playground for those who create tools like this and I’d love to see that lost.

What I would like to see is the ability for a user to self sign an app. This would give you the advantage of being able to run signed only code while still being able to run disruptive technologies & open source.

I do find the trend worrisome especially as one entity could eventually decide what type of technologies and software innovations are allowed to run on your own personal computer. If OS X and Windows go that route, I foresee a future where hacking your computer is necessary to run code that would run “afoul” of their respective Marketplace “policies”. Over and over we often see that the usual response to disruptive technologies is to try and contain and control them. I don’t want to rely on either camp to foresee where the next big push comes from.

Proper sandboxing that doesn’t cripple apps is more effective in my opinion. Even if the software is dangerous, it is still neutralized. Not only that it creates a safespace to actually monitor the offending software. Gatekeeping requires a vigilance that will not always detect and can falsely keep outsiders at the gates out of prejudice.

“Making matters worse is Apple offers us no real facility to “cross-grade” you from a direct purchase to an App Store purchase, should you change your mind.”

How about providing the app for free, with the full app being unlockable with an in-app purchase. The same thing is unlockable without an in-app purchase (i.e. non App Store Serial Number).

Problem solved, or does this violate App Store guidelines?

Arthur Doohan

2/17/2012 6:21 AM

I’m a watcher rather than a coder….and I am more concerned about the deletion of your Option 1 that might force signing of all apps…..

Just letting my inner paranoid self out for a little air…..

Apple is just waiting for the big apps to enter the App Store (Photoshop, Office, etc.). Once that happens, it will shut that door, only allowing App Store apps into the Mac. Then IOS and OSX can finally merge and become one.

[I'll agree, pretty fair post, though somewhat Apple-biased, it seems.]

Unless I misread the options, I see a major flaw therein. Apple failed to provide opt-in or opt-out at the individual app level. E.g., if I choose the “default” route, with App Store or “signed” apps only; and if I decide to install just one “unsigned” app (e.g. LibreOffice) which has decided *not* to pursue “signature” verification, then I am SOL. Thus, to ensure in the future that I will be able to install *all* beneficial but I suspect certainly harmless apps, I must expose myself to the bad guys as well. Epic fail on Apple’s part, and I cannot see how it is other than money-motivated (as opposed to noble-minded).

Westacular

2/17/2012 7:53 AM

fjpoblam: It’s not in this article, no, but if you look at Macworld’s coverage of GateKeeper, you’ll see that you can leave it on its default setting and still have a pretty straight-forward way to override it for unsigned apps on a case-by-case basis:

http://www.macworld.com/article/165408/2012/02/mountain_lion_hands_on_with_gatekeeper.html

Westacular

2/17/2012 8:11 AM

Regarding iCloud and Push Notifications being exclusive to the App Store: There are quite a few technical reasons for this. (Not insurmountable ones, but things that show it’s not simply a purely money-driven choice on Apple’s part).

Both iCloud and Push Notifications depend on server resources from Apple. The App Store validation process acts (as Apple sees it) as a crucial step in verifying that those resources aren’t being abused or misused.

All of the provisioning for both iCloud and Notifications depends on the internal App Store IDs of an app and the app’s developer. That’s how they know where to save data on Apple’s back-end — and the App Store review process helps ensure apps aren’t spoofing IDs to steal data from other apps. It’s all dependent on the whole cryptographic pipeline of the App Store. The new non-App Store Developer IDs are just signing certificates — they don’t provide the necessary sort of Apple-recognized identifiers for individual apps.

Alastair: You cannot mix in-app purchase with external serial numbers, as Apple wouldn’t be receiving their 30% cut of the external revenue despite the app being installed via the Mac App Store.

Apple is paying for iCloud and Push Notification services. It may be the reason.

Randolph M. Fritz

2/17/2012 9:55 AM

Seems to me that a serious malware writer–a criminal attacking financial software, say–could do a lot of harm before their ID was revoked. Hey, anyone here old enough to remember the Internet Exploder? That’s “exploder” with a “d,” as in boom. It was a demonstration IE control which shut down your computer. It went right through the process–got signed and all. This doesn’t look any different to me; malware can get through, and by the time the permissions are revoked, a lot of harm could be done.

I also wonder if Apple is going to be charging for developer IDs, and if the use of their developer ID system is going to be compatible with the GPL.

I don’t get how the “your app does bad things and Apple revokes your ID” thing is supposed to work.
 
Others have described Gatekeeper as operating based on the filesystem metadata that gets attached to apps to mark them as having been downloaded from the Internet, and is removed after the first time you launch it. Which means if you’ve already used the app, Gatekeeper has no control over it.
 
So suppose you’re a malware developer. You’ve written a botnet app that’s designed to sit dormant for some period and then “activate”. People download it and use it. Time passes. The app goes rogue, people complain to Apple, and Apple revokes your ID. Great; now new people downloading it won’t be able to launch it. But what about all the people who have already been using it? Gatekeeper doesn’t get involved, and the developer’s botnet (made up of an army of computers whose owners have downloaded what appeared to be an innocuous and useful app) is still up and running. Revoking the ID doesn’t do a thing to disable it. I mean, isn’t that the primary MO for botnet developers–get as many people as possible to download and install something as fast as possible, get them using it, and then send out the activation signal after some dormancy period? And won’t Gatekeeper be powerless against this tactic?
 
Do I have this right, or am I missing something?
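The quarantine metadata this comment describes is, on macOS, the com.apple.quarantine extended attribute. The script below is an added example, not part of the original post: it parses that attribute's value (assumed layout: hex flags, hex download timestamp, downloading agent, UUID) over a constructed inventory of apps and reports which items Gatekeeper would still evaluate and which, having lost the attribute, are outside its reach, which is exactly the gap the comment worries about.

```python
"""Audit which installed apps still carry the quarantine attribute Gatekeeper acts on."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional


@dataclass
class QuarantineInfo:
    flags: int               # raw flag bits, kept as-is (bit semantics are not interpreted here)
    downloaded_at: datetime  # when the downloading agent stamped the file (UTC)
    agent: str               # application that performed the download, e.g. a browser
    uuid: str                # per-download identifier recorded by the agent


def parse_quarantine(value: str) -> QuarantineInfo:
    """Parse a com.apple.quarantine value.

    Assumed layout: "<flags hex>;<unix time hex>;<agent>;<uuid>", the last field optional.
    """
    parts = value.split(";", 3)
    if len(parts) < 3:
        raise ValueError(f"unexpected quarantine value: {value!r}")
    flags = int(parts[0], 16)
    stamp = int(parts[1], 16)
    agent = parts[2]
    uuid = parts[3] if len(parts) == 4 else ""
    return QuarantineInfo(flags, datetime.fromtimestamp(stamp, tz=timezone.utc), agent, uuid)


def gatekeeper_will_check(quarantine_value: Optional[str]) -> bool:
    """Gatekeeper consults the quarantine attribute; an item without it is not re-evaluated."""
    return quarantine_value is not None


def audit(inventory: Dict[str, Optional[str]]) -> Dict[str, str]:
    """Map each app path to a one-line verdict a defender can act on."""
    report = {}
    for path, value in inventory.items():
        if not gatekeeper_will_check(value):
            report[path] = "no quarantine attribute: already cleared, Gatekeeper will not re-check"
        else:
            info = parse_quarantine(value)
            report[path] = (f"quarantined: downloaded by {info.agent} on "
                            f"{info.downloaded_at:%Y-%m-%d}, Gatekeeper will check on launch")
    return report


# Constructed sample inventory (hypothetical paths and attribute values, not real data).
SAMPLE_INVENTORY: Dict[str, Optional[str]] = {
    "/Applications/FreshDownload.app": "0081;4f3e5c10;Safari;ABCDEF12-3456-7890-ABCD-EF1234567890",
    "/Applications/AlreadyLaunched.app": None,
}

if __name__ == "__main__":
    for path, verdict in audit(SAMPLE_INVENTORY).items():
        print(f"{path}: {verdict}")
```

On a real Mac the attribute can be read with `xattr -p com.apple.quarantine <path>`; the parser above takes that printed value as input.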

I’d suggest agreeing on a common iCloud type API and notification API (or just adopt Growl and Dropbox or other) and agree to use it as an iCloud substitute, thereby keeping feature parity and showing Apple that restricting features to “encourage” App Store distribution is futile.

This is very worrying to me, as an aspiring OSX developer, for a number of reasons.

1) OSX remains effectively malware free, despite claims every year in the tech press that a Windows-like malware barrage is right around the corner. It hasn’t happened. Even when Apple stumbled with their ‘open safe attachments’ mistakes and their dismal failures to patch reported issues for years. It hasn’t happened. So why the sudden crack down?

2) The days of teenagers writing macro worms for kicks are long over. Today’s serious virus and trojan writers are criminal organizations targeting big organizations. iOS aside, these organizations do not typically use Macs, nor are they attractive markets to Apple.

3) Code signing has been around on Windows since Vista if not before. In fact Microsoft have historically beaten Apple in tightening up their systems, adding things like address space randomization to processes. Has it helped? You tell me.

4) Not all of us are Cocoa developers. I tried Cocoa but I didn’t like it. Objective-C feels like a relic from the 80s with modern functionality bolted on. I use C++ (which has made great strides recently with C++11) and Qt, neither of which are particularly welcomed on OSX. It is not possible right now to distribute a Qt app to the AppStore without a lot of hassle and every time Apple makes another big change, Qt falls behind and may not catch up at all.

I’ve been a mac user for many, many years. But if Apple turns OSX into a walled garden like iOS I might switch to linux or (God forbid) Windows.

Very good article. Thank you.

Unfortunately, I believe that this is merely another stepping stone on Apple’s path to a fully walled Mac OS X.

The signs are all there, and have been for years. Apple are pushing us towards the AppStore, and taking money from our sales in the process. Once enough momentum has been developed, they will close off the platform entirely.

And with full respect to Panic, it’s also disturbing that Apple have chosen to concentrate on PR via selected developer/journalist/analyst/blogger briefings, rather than be up-front with developers.

BTW, Panic, you have awesome web design for this form. As in everything you do. Well done.

David: It doesn’t really make logical sense, though. If their goal is to be Mac App Store only, why spend any amount of time on this interim solution? Why not just wait, then one day say Mac App Store only? I know it’s hard not to conspiracy theorize, and I don’t blame you, but it doesn’t add up for me. (As for the PR, we only knew one week before you did — that, to me, is pretty up-front.) Thanks for the kind words!

Cabel, I think you’ve hit the nail on the head: this is an _interim_ solution.

The final solution is to wall off the OS completely. Total Apple control.

The reason it’s an interim solution is because, as you say, some developers wouldn’t take it. Most notably, Adobe and Microsoft, but also others.

But, over time, consumers will expect to get all their software through the AppStore, particularly when only AppStore apps provide niceties like iCloud saving, GameCenter connections, Notifications, etc. And Apple, of course, is in the box seat; they will push these advantages, and extend them. They will promote the hell out of the AppStore from within the OS. And even the most recalcitrant developers will have to play along. Or leave the platform.

Apple are now effectively saying that developers need their certification to exist on the platform. (Sure, you can choose not to play along, but the great rank and file of Mac users won’t run your app.) They’ve already created a two-tiered market, one where they gain 30% of all revenue.

We’re very close now. The next few steps are pretty obvious, IMO.

I’m sorry if I sound cynical, but I’ve been developing for Apple products for a couple of decades now, and the writing has been on the wall for years. Apple wants total control of their platforms.

David: It’s totally possible. I’ll hold out hope that it’s not where things go — like we noted, they told me they really value the thriving scene of independent apps and open source and don’t want to ruin that. I don’t think they were lying. But, of course, I can’t say with certainty they’ll feel that way forever. It’ll be interesting to see where things go! For now, I can only take Developer ID as a sign of encouragement for independent apps, until they do something that tells me otherwise.

Alastair in Melbourne

2/17/2012 6:26 PM

Apple taking their 30% is great if you don’t have a name and an established sales platform. Or if you don’t want to build that for yourself. But 30% of a company’s revenue is A LOT.

Funny that code signed iOS apps and exclusive App Store distribution was readily accepted because (a) devs were gagging to get on the iPhone/iPod Touch and (b) as Jobs said this is my phone, I don’t want viruses, I don’t want flakey apps killing my call with a crash or memory leak etc… Yet I was sure those two caveats as reasons for locking up the iOS platform would be forgotten by the time Apple locked up the OS X platform inside their moat.

> I think it’s un-Apple-like to chase the money at the expense of user experience in that manner.

Oh we both know it’s not about money but winning. Original Mac lost to Windows, new Apple is never going to let that happen again. They need to have an upper hand.

Musterknabe

2/18/2012 2:39 AM

If this system is in place it will be abused. One way or another. It might be Apple deciding a piece of software harms their revenue stream or a competitor is doing too good and revoking its apps. Or a government forcing Apple to revoke software which harms certain lobbying groups or worldviews, etc. It happened before and it will happen again. I don’t think you have to be paranoid to see it. It makes me sad that people applaud this move of power into a single hand. This never yielded good results in the history of mankind.

iCloud and notification centre cost Apple to run. How else will they make up for the cost if they allow every other app to use it freely?

Perhaps another way would be for Apple to charge the company a monthly/yearly subscription fee per user and based on usage, but then again a 30% one-time fee might end up being less of a hassle.

Miniature Dinosaur

2/18/2012 6:33 AM

Is it perhaps possible to avert some of the App Store-only issues, albeit clunkily, by splitting the app in two? [Awaken][1] does this in reverse: the app is sold via the App Store, and forbidden functions are done in a separately downloadable helper app.

I have a vision of, say, a Save dialog with a “Save to iCloud…” button. This button asks you to type a name, then saves it to a library folder. An App Store app is then launched, which deals with the syncing: it reads the files in the library folder, then “saves” them to iCloud. Whenever the main application saves a change, it notifies the sync application, which then “saves” the changes to iCloud.

Clunky, not least because it requires having the sync application in the Dock all the time (unless it’s possible to have the sync app contain a tool that is run as a task by the main application?), and the button will have to prompt the user to download the sync application the first time it’s launched. On the other hand, I imagine just one sync application could be used to manage multiple applications, even from different vendors.

But maybe I’m just dreaming here. I’m still using Snow Leopard :)

[1]: http://www.embraceware.com/awaken/

Could you please expand on APIs that are only available through MAS-sold apps? The example of iCloud was made. Can you please explain how that limitation works?

Pete Austin

2/19/2012 1:17 AM

Will Gatekeeper be configurable on a developer-by-developer, or app-by-app basis? I’d like the most secure setting for most programs, but e.g. the least secure setting for programs that need patching or that have DLC.

Apple for sure kills 2 tasks at once – making some action against growing malware base and (the most important) doing the first step to monopolise the software distribution for Mac. That step is enough to push many developers to think twice about whether they need the App Store. And yes, eventually they want to make Mac OS X an iOS-like closed system, because iOS already generates billions for Apple. At least they will try to make an App Store to be used for 90% of software downloads, that will be enough for them.
But I will not be really happy if they will really ban any non-signed apps by default in 10.8.
Hopefully users and developers will give them a strong feedback that they don’t want a closed Mac OS X.

anyway, macs are just about 20% of their revenue now and they may just not bother about any feedback. Until court cases. Greed rules the world.

Notification Center is available. Push notifications are for MAS only – it’s a difference and (like access to iCloud) it needs you to be verified – so it makes sense that they’re MAS only.

For all the same reasons DRM-signed media stinks of rotten eggs, so will DRM-signed software.

secure or not, it’s already proven to be a bad thing

Nice! Did I see a hint to a new feature of Coda 2? iCloud say what? =D

One of my major concerns with this is that by default you would not be able to run any self signed open source projects. We need an exception list. What if I want to run some NIX stuff under Macports? Or even a custom version of Apache?

Currently we can add trusted self signed certificates to our Keychain, would that still be possible? Because.. Sooner or later.. They’re gonna plug that “security hole” that is “un-/selfsigned software” (read missed revenue because it’s not in the appstore..).

Sidenote: Don’t expect any commercial company to allow you to use their resources (iCloud/APNS) if you’re not gonna pay for it, not even Apple.. If you sell your stuff outside of the Mac App Store there is no way to make money on it for them, they would be losing money in fact. Besides that.. I wouldn’t want any app to start sending me APNS SPAM any time soon, so some strictness is justified in my opinion.

Regarding the transfer from a personal store to the App Store. If they allowed this surely most devs would ask all customers to buy from their store and then transfer to app store to cut out Apples 30%.
Apple could charge the devs the 30% they would have made had the purchase been made via the app store… this could get very messy, Apple won’t want to chase people for money (“623 people transferred your app, you owe us $$$”).
Another option might be for devs to refund the customer if they repurchase in the app store (I assume it’s easier to refund than Apple ask for money).

InRussetShadows

2/21/2012 7:21 PM

Remember when SJ told you guys back in the Audion days that you were about to be run over by a tank? This isn’t the same, but it’s close. The balance of power has shifted from Apple trusting developers and independent software houses to ‘every developer must be licensed’. The early steps of a dictatorship always involve licensing of those that the dictator fears. So what gets licensed? In the physical world, it’s guns. In the software world, it’s apps. And after the licensing always comes the ban.

jb510 (Jon)

2/23/2012 2:41 PM

Really well written… long… but well written, thanks for sharing it. Personally I completely agree with just about every detail of what you wrote.

Gatekeeper is Good.

Restricting features to MAS only is BAD (one would think they’d have learned this from MobileMe’s pitiful existence).

One issue not well discussed however is what qualifies for revocation of a dev’s signing key. Most of us would think we should generally trust apps from the Googles, Facebooks, and Paths of the software world, but recently ALL of them have violated user privacy in what could fairly easily be construed as malware. Are their signing keys really going to be revoked when someone discovers their apps are behaving badly?

For some reason I doubt that’ll happen to them, whereas I fully expect some independent developer trying to provide a feature that’s clearly articulated to the end user but that Apple doesn’t like is going to be screwed without much recourse.

I for one avoid buying anything in the Mac App Store that I can buy outside the MAS. It’s not that I hate the MAS, it’s just software distribution outside it is BETTER because software updates come faster and at least the potential availability of discounted update pricing.

People have described a scenario where a small helper app might be available from the MAS providing iCloud and notification support. Frankly I wish ALL MAS apps already worked this way. If you want the visibility of the MAS, then sell a “book cover” app that really was nothing more than a software updater that downloads/installs/updates the actual code.

Now get back to work on Coda 2!

Great Article. Thanks.
Why would/should Apple make iCloud available to non Mac App Store purchases?
iCloud is surely an expensive venture to run and they intend to make money from it.
It seems like iCloud is where that 30% cut has value beyond just lining Apple’s pockets more.

Thank you Cabel, Steve, et al for continuing not to make MAS-only apps. I am a bit sickened by this trend, as more and more developers seem to be drinking the Apple kool-aid.

I refuse to use the MAS (as do many others), because I find its restrictions quite… Orwellian. That, unfortunately, prevents me from supporting some developers, but that’s their loss, not mine.

+1 for using Monkey Island image.

To me Gatekeeper is about total control. So they don’t “force” you into the Mac App Store, fine, but the fact that they are effectively forcing all developers to have a Developer ID is in effect giving Apple a kill-switch to your software. If in the end they decide that you are doing something they don’t want, or maybe they say you are infringing on one of their patents or software products… zap! problem solved, your application can’t run on a Mac.

That’s something to be worried about. If Apple themselves got out of the software business, that might be one thing, but Apple has a long history of “taking” ideas from other developers and claiming them as their own.

Personally, I think Snow Leopard is looking better every day. You get the App Store, but you don’t get the Gatekeeper.

P.S. I would much rather and still continue to buy directly from developers rather than the Mac App Store if it is available.

Reading the conspiracy theories and people up in arms about something that I find to be a great feature kind of blows me away a bit. I think Gatekeeper is just going to ensure that the “it just works” mantra continues to be the case in the future, especially given the recent Java vulnerability making such big news lately. Apple wanting a little more power to revoke developer IDs for bad software is expected. It’s nice that they allow users the freedom to decide for themselves beyond that, too. I think some users mistakenly believe they’re on Linux. Apple’s control over every aspect of their products is partially why we love them, but I appreciate their desire to keep 3rd party developers happy by not requiring them to enroll in the App Store. That said, I do believe the App Store cut is quite a bit (I’d say too much), but it makes sense for small developers that would rather not self-distribute and build out infrastructure for iCloud/Notification Center capabilities. Software companies like Adobe and Microsoft are certainly not going to sign off on giving up 30% of the revenue on their top software and Apple knows that kicking them off would be REALLY REALLY bad for business, not just for their users losing out on quality software, but from a PR standpoint.

People can predict the end all they want, but I really don’t see that in this scenario. Is Apple jockeying for more control? Certainly. Is that what your average everyday users want? I would say yes. If I’m putting my (fairly computer illiterate and prone to viruses) father on Mac, I’d like more rigidness on what can be run because he doesn’t know better and I’d rather not babysit. I WANT Apple to revoke programs he installs that turn out infected with malware. I see a positive for the users, for Apple, and 3rd party devs so long as Apple keeps their commitment to them :)

This is really just a Trojan horse (no pun intended) created by Apple to shut down software piracy on the Mac and iOS platforms. But the teams that crack and release software are pretty resourceful. They will just figure out a way to run their own server for verifying signed apps, or release a way to set one up locally, like a proxy, so that apps will think their transmission to the mothership came back with a green light. The “open” infrastructure of the internet makes this an inherent possibility.

Marc Vos

5/7/2012 2:02 AM

Great explanation – thanks!

What “David” said, and what “Musterknabe” said, are almost exactly, word for word, the two points I was going to post, and the biggest problems I have with this. Plus, I think the author should take quite a few steps back, considering he was invited to a talk about Gatekeeper with Apple. I mean no disrespect, but that could have seriously fogged what your normal judgement might have been. I’m not claiming this to be the case, but my instinct says it’s more possible than not. Not that I believe you have some collusion going on, but just merely that you might not be able to look at this clearly, considering your recent connection to it.

But what “David” and “MusterKnabe” said are just completely spot on. Especially “Musterknabe”, because I see that as being a glaring issue. Wanting to back up my legally purchased DVDs and Blu-rays with an app that rips protection, and allows me to make a backup of my legal purchase and make a mobile version of it for my computer and phone? Well, I don’t think it’s hard to see how somehow there would be a reason for these types of software not being allowed eventually. Same as what was said about perfectly legal things like Bittorrent clients, they will also be nonexistent, at least in any normal form, on this new Mac Gatekeeper environment, at least that is absolutely how I see it’s going to be.

I just personally think this is seriously akin to other recent things that were either implemented, or were tried to be put in place, but user protest stopped them. I think a lot of the time stuff that everyone can identify with, like wanting to stop piracy and wanting to keep your computer safe, is being used as a fear inducing guise for these freedom removing systems and policies to get put in place. And I guess it makes some people comfortable to just label those of us who view it this way as being paranoid, fear-mongering, conspiracy theory-laden, etc. But I simply don’t view it that way at all. Certainly that stuff exists, but in cases like these there are just too many past and present signs pointing to underlying themes that these things like Gatekeeper are really going to stand for, or are being used to lubricate the process, and make it a lot easier to implement what they really want, like making Macs Mac App Store-only, and removing apps they consider undesirable or competing from users’ computers. I see you’ve posed the question many times that if that was the case “Well why would they waste the time with all of this and spend time and resources, and not just simply all of a sudden one day say hey it’s closed off now and it’s just Mac App Store apps only, or only apps we Apple approve?”. Of course that’s not verbatim what you said, but that is the gist of it.

I think I just gave the best answer for that, or I’ll try to now. With what I think their ultimate goal is, as I’ve stated above, at completely controlling what is and isn’t allowed on Mac computers one day, it just makes no sense for them to do what you pose as being the reason why they won’t advance Gatekeeper to something much more nefarious and closed. I mean if they said tomorrow that all Mac computers were now just allowed to run Mac App Store apps only, or only Apple approved apps only, you’d have a tremendous uproar, and people would protest, boycott, stop supporting Apple, developers would stop developing for Apple, people wouldn’t buy new Apple computers and possibly other products. But why cause a sudden image damaging commotion, when you can work slowly, and subversively, and still get to your objective. While I think combating malware is a great thing, I just think it’s a side-effect of what they truly are trying to do. If they get people used to the idea of having to have their apps approved by Apple, to have them be allowed to run on their computers, even with giving an “opt-out” option currently, it will make it so much easier to slide right in to their step of what they wanted to accomplish from the beginning. I mean it’s just classic battle tactics and strategy. If you know you can’t accomplish your goal with upfront actions, you can wait it out and slip in the back door. So to me, if you see this for what I believe it to truly be, well then asking “Why wouldn’t they just up and say tomorrow that they are making Macs App Store-only, if that’s their ultimate goal”, well it just makes sense that you would take the path of less friction and less negative publicity. Once people are accustomed to seeing Gatekeeper do its thing and with the idea of having to have all their apps signed and whatnot, it will be so much easier for Apple to advance that to something, what I would consider, much, much, much worse.
And they don’t even have to label it in a negative way, it could be shaped in such a way that you’ll just assume that it’s another step in helping to protect your computer from malware and the like, because like I said, you’ve already accepted and become accustomed to having Gatekeeper. I’m not saying people who are informed and knowledgeable here wouldn’t really see it for what it truly was if they made that nefarious leap. But by then it would be too late is the biggest point I’m trying to make.

I respect lots of opinions on this and I’m a huge Apple supporter. But I’m always at the end of the day going to put open systems and more freedoms above my love for Apple. And I just hope everybody who views this as benign or okay enough to sit and watch what happens, will take their current high opinion of Apple, and take a step back and consider what this could mean. I’ve looked at it from as many sides as I can, and this just stinks of another form of DRM in my book. And those letters are worse than any four letter word to me. I mean you can’t find a single DVD/Blu-ray ripping application in the Mac App Store right now. What’s to stop them from not allowing it on your computer completely, if they advance to the level of taking away the ability for users to opt-out of something like Gatekeeper? That’s just one example of many different kinds of software that I could see come under fire.

But thanks for explaining this in more detail author. I appreciate it.

p.s. Sorry in advance for any typos, I’m currently sick and just don’t have the energy to check for them right now.

Only after I bought Coda 2 directly from Panic (since I trusted everything would be fine and didn’t read all the details, never had to do before when buying from Panic), I discovered the iCloud sync wasn’t there. I wanted to use Coda 2 with Diet Coda on the iPad. What a disappointment when I found the reason iCloud couldn’t be activated – I bought from the developer and not MAS. That just sucks incredibly hard.
I’ve been an unpaid Apple evangelist for more than 25 years and guess this is another step in the direction where these days are history.
And Cabel and Steven, one of my most beloved developers since the nineties, do you have to put up with this from Apple? Give us alternatives to iCloud. Please let Coda 2 sync with e.g. Dropbox as an alternative like other code editors in iOS. Apple is going the wrong way and someone has to show it to them.
Did anyone say 1984?

I’m not a developer but even I can agree with the comments by Andrew J plus others. It’s just another control aspect. But no one will realize it until it’s too late.

“To me Gatekeeper is about total control. So they don’t “force” you into the Mac App Store, fine, but the fact that they are effectively forcing all developers to have a Developer ID is in effect giving Apple a kill-switch to your software. If in the end they decide that you are doing something they don’t want, or maybe they say you are infringing on one of their patents or software products… zap! problem solved, your application can’t run on a Mac.

That’s something to be worried about. If Apple themselves got out of the software business, that might be one thing, but Apple has a long history of “taking” ideas from other developers and claiming them as their own.

Personally, I think Snow Leopard is looking better every day. You get the App Store, but you don’t get the Gatekeeper.

P.S. I would much rather and still continue to buy directly from developers rather than the Mac App Store if it is available.”