macOS 10.12 Gatekeeper discussion

Discussion in 'macOS Sierra (10.12)' started by maflynn, Jun 17, 2016.

  1. maflynn Moderator

    maflynn

    Staff Member

    Joined:
    May 3, 2009
    Location:
    Boston
    #1
    I've not installed the beta of macOS Sierra, but I do have some questions on the new Gatekeeper function.

    I'm hoping those who have more knowledge on this can chime in.

    From the keynote, it seems that Apple tightened up Gatekeeper, in some cases not allowing a given app to run.
    How will this prevent apps downloaded from outside of the MAS from running?
    What circumstances will cause it to prevent those apps from running?
    Can I disable it, or at least lower its level of control (like have it behave as under 10.11)?

    Thoughts on the new Gatekeeper - is it a good thing what Apple did? Too intrusive? Or, on the opposite side of things, not enough?
     
  2. treichert macrumors 6502

    Joined:
    Nov 7, 2007
    Location:
    Aachen, Germany
    #2

    No, it does not.


    Not at all.


    The same as from Mountain Lion to El Capitan.



    It's a good thing. Most people don't change the setting anyway as it resets itself within 30 days. Also now you can just click "run anyway" right from the error message.
     
  3. maflynn thread starter Moderator

    maflynn

    Staff Member

    Joined:
    May 3, 2009
    Location:
    Boston
    #3
    Here's what 9to5Mac has to say
    As you can see the anywhere option is gone
     
  4. KALLT macrumors 601

    Joined:
    Sep 23, 2008
    #4
    9to5Mac is wrong. This has been misreported widely. The only thing that changes is that the option disappears from System Preferences. The underlying functionality does not change, neither is the blanket disable gone. The latter can still be turned off through other means, for instance:
    Code:
    sudo spctl --master-disable
    It has always been possible to override Gatekeeper in individual cases by right-clicking on the app, then selecting ‘Open’, then selecting ‘Open’ once more, or by going to System Preferences > Security after the first failed attempt to open it.
     
  5. TETENAL macrumors member

    Joined:
    Nov 29, 2014
    #5
    Signed applications from outside the Mac App Store can be launched as always.

    Unsigned applications can only be launched when the user explicitly expresses the intent to do so. But they can be launched.

    The only thing that changed is that you can no longer turn off gatekeeper completely – so that it never checks the signature in the first place.

    Unsigned applications are probably a rare exception by now so the loss in convenience is minimal for the user. But the security is higher, because unsigned software can no longer run unnoticed.
     
  6. KALLT macrumors 601

    Joined:
    Sep 23, 2008
    #6
    That is not true (see above). Apple specifically said at one of the WWDC security sessions that the command line and managed configurations (e.g. for deployment) would still be able to turn it off completely.
     
  7. BenStamp macrumors newbie

    Joined:
    Jun 17, 2016
    #7
    Well, there are some very important new changes to Gatekeeper, and one is called "Gatekeeper Path Randomisation".
    This means any app you launch is launched at a virtual random path (the user will not see/feel/know this).
    This introduces all sorts of restrictions.

    For example, cracked App Store apps will not work anymore (a good thing imo).
    Downloading an app inside a zip archive can have problems when unzipped.
    You cannot launch an app directly in a DMG 'disk'.
    It also seems every time an application is launched, macOS verifies the code signing again. In previous OS X versions it was only on first launch.

    A good read:
    http://lapcatsoftware.com/articles/zero-day.html
    http://lapcatsoftware.com/articles/app-translocation.html
    http://lapcatsoftware.com/articles/undo.html
     
  8. Feenician Suspended

    Feenician

    Joined:
    Jun 13, 2016
    #8
    Ah ha! I did this by accident (I do know better) yesterday and I was wondering why it didn't run. I assumed it was the application checking the way some apps check to see if they're in the Applications folder but it makes sense that this is system wide.

    To answer the op succinctly. Nothing has been taken away in Sierra is the GUI method of completely disabling Gatekeeper. You can still right/option/secondary click and run from there.
     
  9. BenStamp macrumors newbie

    Joined:
    Jun 17, 2016
    #9
    Correct. But some Apple documentation is pointing in another direction: namely, completely eliminating the possibility to run Non-CodeSigned-Apps. Maybe not in macOS 10.12, but probably in 10.13.
    It's something Apple wants to force sooner or later. And again, this is a good thing imo.
    Piracy isn't good for both devs and customers.
     
  10. Feenician Suspended

    Feenician

    Joined:
    Jun 13, 2016
    #10
    I agree. It's not like it's a huge barrier to entry. If you really want to write/distribute malware code signing does nothing to stop you - anyone can acquire a cert and sign their code, good, bad or ugly. (Obviously they cannot put their malware in the App Store. At least I hope they can't ;))
     
  11. KALLT macrumors 601

    Joined:
    Sep 23, 2008
    #11
    Even if they remove the anywhere option from all interfaces, Gatekeeper can be avoided really, really (ridiculously) easily, completely without administrative privileges. The new features in Sierra seem to build on Gatekeeper, but do not change the way in which it works.
     
  12. BenStamp macrumors newbie

    Joined:
    Jun 17, 2016
    #12
    Sorry to break the bubble you're in. The new Gatekeeper is a completely different beast now.
    And Apple will for sure nail the coffin in future macOS versions with no possibility to disable it in any way. As said, a good thing really.
     
  13. KALLT macrumors 601

    Joined:
    Sep 23, 2008
    #13
    In what way? The articles you linked support what I said. The user that wants to get rid of Gatekeeper will have ample options to avoid it.
     
  14. redheeler macrumors 603

    redheeler

    Joined:
    Oct 17, 2014
    #14
    Right, anyone can pay the $99/year developer fee to Apple to sign their app, malicious or not, and if they don't... The user will get an obnoxious warning message before they can even try the app for the first time.

    As much as the feature improves security, it is also intended to encourage developers to pay up. I always keep it disabled as I would rather choose which apps to run on my own basis.
     
  15. Feenician Suspended

    Feenician

    Joined:
    Jun 13, 2016
    #15
    I doubt it moves the needle in Apple's revenue much, but who knows. What it does is raise the barrier to malware in two ways: 1) the type of user who would install software from an untrustworthy source sees a scary message, and 2) Johnny Malware writer needs to pay for a dev account before they can start. If they're not careful, that account or payment method may be traced back to them (I'm guessing most people who do this professionally have thought of that though).
     
  16. redheeler macrumors 603

    redheeler

    Joined:
    Oct 17, 2014
    #16
    The smarter malware writers will figure out a way to infect an already existing and signed application which people trust, like the Transmission ransomware incident a few months back. But there are plenty of lesser-known unsigned apps which are perfectly legitimate, they generate that scary warning message and undoubtedly lose some users as a result.
     
  17. Feenician Suspended

    Feenician

    Joined:
    Jun 13, 2016
    #17
    I agree with both your points here.
     
  18. beebarb macrumors 6502

    beebarb

    Joined:
    Sep 10, 2015
    #18
    BAD.

    Several apps that use installers (Parallels Desktop, Digital versions of Adobe Creative Suite, etc.) depend on you being able to run the installer from the disk image.
     
  19. allan.nyholm macrumors 6502a

    allan.nyholm

    Joined:
    Nov 22, 2007
    Location:
    Aalborg, Denmark
    #19
    Which is the worst - Nothing worse than having a DMG of an application or installer. I wish developers would stop putting apps inside DMG archives. Provide something else that has a validity check (I'm looking at you Adobe Flash, Google Chrome, Opera, Silverlight + other stuff that doesn't have to be packaged that way)

    I'm perfectly happy with just a ZIP of the same installer for instance. (not much security in those though)

    Sorry for the off-topic
     
  20. BenStamp, Jun 18, 2016
    Last edited: Jun 18, 2016

    BenStamp macrumors newbie

    Joined:
    Jun 17, 2016
    #20
    If you quote .. please quote everything I wrote. :)
    I said you can disable it in macOS 10.12 but very probably not in a future macOS version.

    --- Post Merged, Jun 18, 2016 ---
    A very important consequence of the new Gatekeeper changes is that features like Sparkle will not work anymore.
    Because Sparkle downloads a zipped file (with the update) and unpacks the updated app, it will not run anymore.
    This is already confirmed by several sources and you can try this for yourself if you have an app that uses Sparkle.
    You will get an error the package cannot be installed.

    Not sure if the devs of Sparkle can find a way-around for this. I do hope so though..
    --- Post Merged, Jun 18, 2016 ---
    What's wrong with a DMG? It is the default way to install apps. Or do you prefer an installer that spreads all sorts of files on your system you cannot track down? That's how Windows works, I don't want that to happen for OS X for sure.

    The only difference is that you will need to drag'n'drop the app inside the DMG into the Applications folder. Which is basically how you did this in the past. You just cannot run it from within the DMG.
    Apple also encourages developers to make sure the app is seated in the Applications folder. That's why many apps ask the users to make sure it is.
    --- Post Merged, Jun 18, 2016 ---
    Zipped apps will not launch anymore in macOS (by default).
     
  21. KALLT macrumors 601

    Joined:
    Sep 23, 2008
    #21
    I know what you wrote, you are ignoring my point. If anything, Sierra is evidence that Apple isn't planning on making Gatekeeper stricter for the user. All Apple did was add a mechanism for preventing apps from accessing their surroundings until moved to another level in the file hierarchy. It isn't even strictly based on Gatekeeper, but on File Quarantine. This can be very easily ignored too. Nothing else changed.

    The linked articles demonstrate that the path randomisation is just supplementary. It isn't a game changer.

    Gatekeeper is a fairly shallow and limited security feature that doesn't put any insurmountable limitations upon the user. If the user doesn't want it, then there are ways to deal with it regardless whether Apple provides an option to turn it off or not.
     
  22. BenStamp macrumors newbie

    Joined:
    Jun 17, 2016
    #22
    I know and understand what you are trying to tell. But the point is, Apple will EVENTUALLY prevent users from disabling it manually (via Terminal commands or any other means). That's what some Apple docs are clearly steering at. Again, the upcoming macOS will not have this restriction. But maybe the next will have. That's what I wanted to point out. :)
     
  23. iBug2 macrumors 68040

    Joined:
    Jun 12, 2005
    #23
    I don't think this will ever happen. No indicators in that direction.
     
  24. KALLT macrumors 601

    Joined:
    Sep 23, 2008
    #24
    Precisely. Path randomisation is basically just a supplement to address a particular flaw of Gatekeeper. Their overall policy for Gatekeeper itself has not changed in any way, except that they removed the GUI option for ‘anywhere’. Even if they were to remove that same option from the command-line, Gatekeeper could still be avoided easily. Everything depends on that extended file attribute still.
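
Added example (not part of any post in this thread): an audit sketch for the point in #24 that Gatekeeper's check hinges on the File Quarantine extended attribute, so downloaded apps that lack it deserve review. The attribute name `com.apple.quarantine` and its `flags;timestamp;agent;event-id` layout are not quoted in the thread and are supplied here; the inventory, paths and ids are constructed.

```python
from datetime import datetime, timezone

ATTR = "com.apple.quarantine"  # attribute name is not quoted in the thread

def parse_quarantine(value):
    """Parse 'flags;timestamp;agent;event-id' (hex flags, hex epoch seconds)."""
    parts = value.strip().split(";")
    if len(parts) < 2:
        return None
    parts += [""] * (4 - len(parts))  # agent and event id may be absent
    try:
        flags = int(parts[0], 16)
        stamped = datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc)
    except (ValueError, OverflowError, OSError):
        return None
    return {
        "flags": flags,          # kept as a raw bit field, not interpreted here
        "stamped": stamped,      # when the downloading app tagged the file
        "agent": parts[2] or None,
        "event_id": parts[3] or None,
    }

def audit(inventory):
    """Map each path to 'quarantined', 'malformed' or 'no-quarantine-attr'."""
    report = {}
    for path, xattrs in inventory.items():
        raw = xattrs.get(ATTR)
        if raw is None:
            report[path] = "no-quarantine-attr"   # would not be assessed
        elif parse_quarantine(raw) is None:
            report[path] = "malformed"
        else:
            report[path] = "quarantined"
    return report

# Constructed inventory: {path: {xattr name: value}}; all values are made up.
SAMPLE = {
    "/Users/test/Downloads/Example.app": {
        ATTR: "0083;5763d2c0;Safari;00000000-0000-4000-8000-000000000001"},
    "/Users/test/Downloads/Nightly.app": {ATTR: "0081;5763d2c0"},
    "/Users/test/Downloads/Copied.app": {},
    "/Users/test/Downloads/Broken.app": {ATTR: "zz;not-hex;;"},
}

if __name__ == "__main__":
    for path, verdict in audit(SAMPLE).items():
        print(f"{verdict:20} {path}")
```

On a Mac the inventory values can be collected with `xattr -p com.apple.quarantine <path>`.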
     
  25. beebarb macrumors 6502

    beebarb

    Joined:
    Sep 10, 2015
    #25
    I'm not liking this change, assuming it's true.
    Several of the apps I use frequently are distributed as ZIP files.

    a) Some applications release the stable version in a DMG, but distribute the nightly builds in a ZIP file.
    b) Plenty of open source software or freeware is zipped rather than put in a DMG because it's simpler. Especially if the open source dev cross-compiles on Linux.
    c) As stated earlier many update routines use a ZIP to transmit the update, because unpacking a ZIP is more efficient. No need to wait for a virtual disk to validate and mount before extracting the update.
     