Resolved Gatekeeper will be useless if adobe/microsoft/blizzard do not sign their apps

Discussion in 'OS X Mountain Lion (10.8)' started by Processor, Jul 16, 2012.

  1. Processor, Jul 16, 2012
    Last edited: Jul 16, 2012

    Processor macrumors member

    Feb 10, 2012
    Hamilton, New Zealand
    I think I should enable Gatekeeper for security now

    If Microsoft/Blizzard/Adobe/VMware etc. do not sign their applications, many ML users will need to disable Gatekeeper. There should be a feature like an exception list, but I didn't see that on GM.
    Should I install Boot Camp for that software or just disable Gatekeeper?

  2. Krazy Bill macrumors 68030

    Dec 21, 2011

    When I upgrade to ML... here's my checklist:

    1.) Turn on Mac
    2.) Disable Gatekeeper
  3. Death-T macrumors regular


    May 18, 2012
    Savannah, Georgia
    I find Gatekeeper to be useless in my opinion. I can judge for myself whether an app is safe to download or not, and when in doubt I can always enter in a quick Google search to see what's up. To my knowledge I don't often download apps that Gatekeeper would have a problem with anyway, but if one comes up then it would just get in my way. I understand why it may be a useful feature to some people. Perhaps a parent whose Mac is often used by their family and kids and wants some control over what's happening on their PC while they're not using it will like what Gatekeeper has to offer. But if you have common sense and other people rarely if ever even use your PC (and then when they do, only surf the web for a minute or whatever) then it's pretty silly to even bother with Gatekeeper. You're ultimately the one who decides what is and what isn't downloaded on your PC anyway.
  4. lunarworks macrumors 6502a

    Jun 17, 2003
    Toronto, Canada
    Right-click on the app, choose "Open", it will ask you if you really wanna do that, allow, and for that app it will never ask you again.

    Plus, pretty much every dev that hasn't abandoned their software is going to sign sooner or later.
  5. roadbloc macrumors G3


    Aug 24, 2009
    They should have added an exception list for apps that you know are safe, but are unsigned. It is a shame that Apple have made such a botched job on added security.
  6. lunarworks macrumors 6502a

    Jun 17, 2003
    Toronto, Canada

    Right-click on the app, choose "Open", it will ask you if you really wanna do that, allow, and for that app it will never ask you again.
  7. westonm macrumors member

    Jun 19, 2007
    I'd place the odds of most developers signing their apps as high.
  8. jasomill macrumors newbie

    Nov 13, 2011
    jtm@socrates ~ $ codesign -dvv /Applications/Adobe\ Photoshop\ CS6/Adobe\ Photoshop\ /Applications/Microsoft\ Office\ 2011/Microsoft\ /Applications/VMware\
    Executable=/Applications/Adobe Photoshop CS6/Adobe Photoshop Photoshop CS6
    Format=bundle with Mach-O thin (x86_64)
    CodeDirectory v=20100 size=282388 flags=0x0(none) hashes=14113+3 location=embedded
    Signature size=4232
    Authority=Developer ID Application: Adobe Systems, Inc.
    Authority=Developer ID Certification Authority
    Authority=Apple Root CA
    Signed Time=Mar 15, 2012 6:03:05
    Info.plist entries=28
    Sealed Resources rules=15 files=357
    Internal requirements count=1 size=260
    Executable=/Applications/Microsoft Office 2011/Microsoft Excel
    Format=bundle with Mach-O thin (i386)
    CodeDirectory v=20100 size=128048 flags=0x0(none) hashes=6396+3 location=embedded
    Signature size=3686
    Authority=Microsoft Corporation
    Authority=VeriSign Class 3 Code Signing 2009-2 CA
    Signed Time=Jun 16, 2012 5:07:26
    Info.plist entries=34
    Sealed Resources rules=2 files=0
    Internal requirements count=1 size=188
    Executable=/Applications/VMware Fusion
    Format=bundle with Mach-O thin (x86_64)
    CodeDirectory v=20100 size=30866 flags=0x0(none) hashes=1537+3 location=embedded
    Signature size=4218
    Authority=Developer ID Application: VMware, Inc.
    Authority=Developer ID Certification Authority
    Authority=Apple Root CA
    Signed Time=May 27, 2012 16:31:39
    Info.plist entries=24
    Sealed Resources rules=7 files=3915
    Internal requirements count=1 size=380
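
Added example, not part of the original post: a small shell filter over the `codesign -dvv` output shown above that reports, per executable, whether the signing chain is a Developer ID chain ending at Apple Root CA or a chain from another CA. The function names and verdict labels are made up for this illustration; the sample input is trimmed from the output in the post.

```shell
#!/bin/sh
# Added example. Reads `codesign -dvv` output on stdin and prints one line per
# executable: <path>|<leaf authority>|<verdict>
#   developer-id : Developer ID Application leaf chaining to Apple Root CA
#   other-ca     : signed, but the chain ends somewhere else
#   no-authority : no Authority= lines were reported for this executable
classify_signers() {
    awk '
    function emit() {
        if (exe == "") return
        if (n == 0) verdict = "no-authority"
        else if (leaf ~ /^Developer ID Application: / && devca && root)
            verdict = "developer-id"
        else verdict = "other-ca"
        printf "%s|%s|%s\n", exe, leaf, verdict
    }
    { sub(/^[ \t]+/, "") }                 # forum paste is indented
    /^Executable=/ { emit(); exe = substr($0, 12); leaf = ""; n = 0
                     devca = 0; root = 0; next }
    /^Authority=/ {
        a = substr($0, 11)
        if (n++ == 0) leaf = a             # first Authority line is the signer
        if (a == "Developer ID Certification Authority") devca = 1
        if (a == "Apple Root CA") root = 1
    }
    END { emit() }
    '
}

# Sample input trimmed from the codesign output posted above.
sample_output() {
    cat <<'EOF'
Executable=/Applications/Adobe Photoshop CS6/Adobe Photoshop Photoshop CS6
Authority=Developer ID Application: Adobe Systems, Inc.
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Executable=/Applications/Microsoft Office 2011/Microsoft Excel
Authority=Microsoft Corporation
Authority=VeriSign Class 3 Code Signing 2009-2 CA
Executable=/Applications/VMware Fusion
Authority=Developer ID Application: VMware, Inc.
Authority=Developer ID Certification Authority
Authority=Apple Root CA
EOF
}

sample_output | classify_signers
```

On a Mac, `codesign -dvv` writes this information to stderr, so live output needs `2>&1` before the pipe into `classify_signers`.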
  9. Processor thread starter macrumors member

    Feb 10, 2012
    Hamilton, New Zealand
    Awesome, I learned to use this good tool to check my applications :D
  10. waitingallday, Jul 16, 2012
    Last edited: Jul 18, 2012

    waitingallday macrumors member

    Jun 6, 2007
  11. superriku11, Jul 17, 2012
    Last edited: Jul 17, 2012

    superriku11 macrumors member


    Jun 16, 2012
    United States
    Not necessarily. Signing costs money. You have to be part of the Mac Developer Program which costs $99 per year. If you develop free software, to pay $100 per year for no good reason is pretty stupid. If you're a huge company like Adobe and you make $100 per 2 seconds, yeah sure, then it's okay. But for freeware developers, no.

    If Apple insists on pushing Gatekeeper, which I suspect they will in future releases, making it more difficult to disable, then they need to make it so that anyone can sign software for free, and only publishing to the Mac App Store costs money. That would be fair if you ask me.

    This Gatekeeper thing is either going to not make much impact on anything, or it's going to make negative impact on freeware developers. More likely the latter. Most basic computer users will download a freeware application, try to open it, can't open it, and not know what's wrong.

    I personally think it's a stupid feature. It should be off by default and turned on if the user sets it that way, not the other way around.

    The whole concern about malware is completely blown out of proportion. So some script kiddies who develop Flashback to make advertising money get half a million installs? There are large botnets with over a million installs on Windows PCs. Do we hear about those in the same way we heard about Flashback? No.

    As I said, blown out of proportion.

    Any decent malware is spread by non-user-interaction. Malware developers like using exploited Java vulnerabilities to initiate payloads without requiring any sort of confirmation from the user. Because the chances of getting a user to execute a shady program decrease with every step the user must do.

    If the user has to download, unpack, run, and authorize a piece of "malware" for Mac, that is not only pathetic for the user's stupidity, but for the fact that the developer couldn't figure out how to use a better attack vector.

    Gatekeeper still will not stop vulnerabilities in Java (for those who've installed it) or other plugins, nor will it stop buffer exploits in services, or any other potential threat. It will only stop downloaded programs, which haven't proven to be a large threat like Flashback has anyways.

    They are creating an artificial "need" for this Gatekeeper "protection". You did not need it before, you do not need it now. Not having it before didn't allow any major attacks in particular, and having it won't likely prevent any either. They are making people think they need things they don't need. Truth is, Apple has an ulterior motive. They want to push all software distribution to the Mac App Store so as to generate more profit for themselves. So they can grab that 30% cut of every paid app downloaded. This Gatekeeper thing is only the first step. Just watch. In future releases, it will get harder or even impossible to turn it off. In the future, OS X may require a "jailbreak" to run 3rd party software, but it would be pretty useless since any developer would rather distribute on the MAS. And the MAS's restrictions don't allow for freedom of software.

    If things continue going in this direction, to the point I predicted, and I sure hope they don't, but if they do, I'll have to switch to a GNU/Linux OS that does respect my freedom.

    As I said, it is a useless feature. It will not protect against any professional form of attack, and it will only hamper development of freeware. Bad idea, Apple.
  12. stisdal macrumors 6502


    Feb 28, 2010

    In my case, I like Gatekeeper, on my wife's MacBook! She has no idea what to install, update or anything else. I have to grab her Mac once a week or so and check for / install updates or programs.

    With Gatekeeper, I at least have that extra caution step to turn her back before installing anything malicious. Now she can get things when needed as long as Gatekeeper allows with less concern. (I travel for work, so I'm not always there if she wants an app or program)
  13. bob616 macrumors 6502

    Jul 12, 2008
    Apple said in their keynote address that developers would be able to sign their apps without being a part of the $100 Mac Dev Program.
  14. heisenberg123 macrumors 603


    Oct 31, 2010
    Hamilton, Ontario
    lol maybe if you say it 3 times people will understand


    As said you can sign without a dev program account, and no features like this need to be on by default, people that don't need the feature know enough to turn it off, the people that are at risk to malware are not the type that know enough to turn it on.
  15. superriku11 macrumors member


    Jun 16, 2012
    United States
    This is one of those cases where it would be better to turn it on as needed. Not on by default.

    What should be done actually, is during setup of the system, it has a part that asks you. It describes that Enabled mode prevents unsigned programs from running, but if you happen to want an unsigned program, it may be a problem. And that Disabled mode provides software freedom, but will make your computer open to an attack vector that is highly unlikely to be used in the first place.

    Read above where I said it still shouldn't be on by default but you should be prompted to make a choice during setup.

    Well I don't know much about the Apple ecosystem. Mainly because I don't like the idea that anyone, especially a company, can act as the deity of all software and make arbitrary decisions about what programs run and what ones don't. Last I heard you needed an iTunes Connect ($100 developer program fee) account in order to even have a signing certificate.

    If what you said is correct though, this doesn't prevent any threats from this attack vector. Anybody can just get a new ID to sign with if they're free. Pretty much rendering the feature useless against malware. Sure Apple can revoke the ID and make the signature invalid, but what's stopping the developer from just getting a new one and re-signing?

    As I said before, downloaded programs on Mac isn't an attack vector that's frequently used. Even on Windows, anybody who's serious about spreading their malware would not make something where the user has to download a program. What hackers prefer is something that doesn't require user interaction. Maybe a remote exploit, where they can grab lots of IPs and exploit a zero day vulnerability in an OS X internet service. Or maybe an exploit to Flash or Java, both of which many people have installed.

    They look at downloaded programs as their last option I'd say. It's about the worst method of spreading malware that there is.

    So, as to my original point, Gatekeeper will not help in any significant way.
  16. heisenberg123 macrumors 603


    Oct 31, 2010
    Hamilton, Ontario
    I'm sure all signed apps need a final approval from Apple, I wouldn't imagine it's just instantly approved
  17. superriku11 macrumors member


    Jun 16, 2012
    United States
    To my knowledge, apps submitted to the App Store definitely require review before they're distributed. But with the concept behind code signing, it should be possible to make a signature that validates and runs instantly. Meaning, if you sign your application and distribute it outside the App Store, it should run without issue.

    Though Apple does hold the ability to revoke (think "flag") a certificate, rendering a signature invalid, I don't know how they could possibly keep track of applications that aren't distributed through the App Store. Apple also couldn't possibly get the source code, the best they could do is debug/disassemble it in ASM. So it would become exceedingly hard for them to review 3rd party applications.
  18. NATO macrumors 68000


    Feb 14, 2005
    Northern Ireland
    I think Gatekeeper is a fantastic idea for non-techy users. For example, when I set up the Mac at my parent's house I'm going to install whatever they need (MS Office mainly), then turn Gatekeeper up to its highest setting. They won't be installing anything from outside the App store, and if they do, I'll explain how to temporarily turn Gatekeeper off.

    It means everyone is secure in the knowledge that no malware will make it onto their computer.
  19. Puevlo macrumors 6502a

    Oct 21, 2011
    I wish they'd make it so you could leave Gatekeeper on but disable it for certain apps. Pretty lame this isn't included.
  20. maflynn Moderator


    Staff Member

    May 3, 2009
    I have a number of apps from major makers that won't work with Gatekeeper. Perhaps that will change but it will mean that I'll have to disable it.
  21. Phil A. Contributor

    Apr 2, 2006
    Telford, UK
    I don't know how many times the following quote from lunarworks is going to have to be said before people read it ;)

  22. Winter Charm macrumors 6502a

    Jul 31, 2008
    I think I'd have to disagree. GK isn't useless, and they aren't forcing anyone to the app store. By default GK is set to allow ALL SIGNED APPS. Even ones from outside the app store!

    Now, yes, it's detrimental to developers who want to make free utilities and some really nice tools.

    However, it does give Apple a way to keep tabs on developers and shut down apps that are trying to take and sell your personal info.

    GateKeeper isn't some crazy form of anti malware that will stop a determined hacker, but this will discourage developers from trying funny stuff - something they seem all too willing to do on iOS

    The one thing I worry about is GK lulling Mac users into a false sense of security... :(


    Actually IT IS.

    Right click on any app that's an exception, and click OPEN.

    You'll get a confirmation asking you if you want to do this. That app will never bother you again, whether you have gatekeeper on its highest setting or not.
