macOS Sequoia Makes It Harder to Override Gatekeeper Security

[bzgnyc2]

Apple is eliminating the option to Control-click to open Mac software that is not correctly signed or notarized in macOS Sequoia. To install apps that Gatekeeper blocks, users will need to open up System Settings and go to the Privacy and Security section to "review security information" before being able to run the software.

On one hand as long as I can continue to opt to Allow Apps downloaded from App Store and identified developers, access spctl, and disable SIP, I am fine.

On the other hand, what exactly is the enhanced security of this? Was there even one instance of a malware that got through because a user Control-clicked to open bad/hacked software but wouldn't have gotten through had that user had to go to the Privacy and Security section of System Settings first?

 

[russell_314]

So what if I don’t want to accept the terms of license - say macOS EULA?

I go into a store and buy a Mac, without having been provided a copy of the OS license.
After the seller demonstrating it to me, with seller mentionig my being required to agree to a licence.
I mean… which low-level sales clerk would? They probably never read it either.

I unbox the computer at home, plug it in, turn it on and inevitably get presented a license “agreement” to agree to on screen.
Upon reading the license, I decide I do not want to agree to the license.

Well, I can’t use my computer as advertised then, can I?
Can’t even install an alternative operating system.
It’s literally a dead paperweight without “agreeing” to the license.

👉🏻 So what now?

Do I take it back to the store and demand full refund of the product price for not telling me that I’d have to agree to licensing terms? Well, bad news: the seller, it could be another million dollar corporation with highly paid lawyers, could just as well tell me “sorry - no open box returns”. Or no returns at all. Particularly not for a full refund. And it’s not like there is a legal right to return a product.

Actually, yes, you return it and Apple will take it back. I’m not sure if that’s a requirement, but Apple does. What do you think happens when you buy a video game and open it then refuse to accept the EULA? Not only you can’t return it, but you can’t play the game.

 

[bzgnyc2]

Registered non-profits and FOSS developers should get exemptions to the fee. For everyone else the $99/year is reasonable.

Right now FOSS projects typically need to ask for donations or sponsors if they want to release on MacOS. That shouldn't be necessary and only dissuades developers from porting open software to MacOS, especially for smaller projects that don't have sufficient reach to get sponsored. It's an unnecessary financial burden to one of the richest companies in the world.

I'm good with waiving any and all fees for FOSS projects but I'm over giving non-profits blanket exemptions. There are many mult-billion dollar non-profits and meanwhile many hobbyists and SMB with limited revenue/assets.

 

[Nermal]

At least this'll get rid of that weird inconsistency where "Open Anyway" only shows up the second time you attempt to launch the app.

"The definition of insanity is doing the same thing over and over again, but expecting different results, unless you're using a Mac." - Einstein, if he were around today.

 

[mansplains]

Pay to develop software... omg...

Awesome gross misrepresentation. You're not paying to develop software, you're paying for the resources Apple makes available, as well as the distribution platform. As mentioned in my post, Xcode is free to use.

 

[Iwavvns]

So what if I don’t want to accept the terms of license - say macOS EULA?

I go into a store and buy a Mac, without having been provided a copy of the OS license.
After the seller demonstrating it to me, with seller mentionig my being required to agree to a licence.
I mean… which low-level sales clerk would? They probably never read it either.

I unbox the computer at home, plug it in, turn it on and inevitably get presented a license “agreement” to agree to on screen.
Upon reading the license, I decide I do not want to agree to the license.

Well, I can’t use my computer as advertised then, can I?
Can’t even install an alternative operating system.
It’s literally a dead paperweight without “agreeing” to the license.

👉🏻 So what now?

Do I take it back to the store and demand full refund of the product price for not telling me that I’d have to agree to licensing terms? Well, bad news: the seller, it could be another million dollar corporation with highly paid lawyers, could just as well tell me “sorry - no open box returns”. Or no returns at all. Particularly not for a full refund. And it’s not like there is a legal right to return a product.

So sue Apple, using this line of thought, and have the entire industry overturned. But that requires too much work, doesn’t it. Complaining is far easier.

 

[joeblough]

I'm a power user who is highly tech literate and I didn't know about Control-Click (or at least forgot about it). I don't know every last keyboard shortcut that's available in macOS.

It's not a problem to pull up settings unless you need to do it dozens of times per day.

same here, i have been using macs since the original macintosh and had no idea about that shortcut. apple has a habit of putting all kinds of keyboard shortcuts in that, while documented, they never really tell anyone about them.

for instance i am a longtime emacs user, and all the emacs cursor keyboard commands work in osx (control-p, control-n, control-b, control-f.) probably no one knows about those either unless they were already part of their keyboard muscle memory.

 

[QuarterSwede]

so in other words, Apple wants everyone who writes free software for Mac to have to pay the $99+ yearly to make it just expensive for anyone wanting to write free stuff as a hobby or for the good of the community. If Apple really wanted to make a difference then it would have a free level of developer that allows for a small number of apps to be released for free. Like 10-15 free before you need to pay the $99

Or just not charge for development but make money by charging some sort of fee per paid download … not sure how that would work though /s.

 

[firewood]

Obviously - but you spoke of “distribute” above.
That means “giving” software away to others (whether for free or paid) - not compiling/building on your own Mac and only use yourself.

No. You give them the source code, and let them compile/build it on their own Macs. Buildable source code is a perfectly good form of distribution. And Xcode to do the build is free to Mac users, not just developers.

 

[AlexJaye]

macOS has fallen so far from what it used to be. Probably because Apple spends more time trying to make it more iOS-like, instead of trying to make iOS and iPadOS more macOS-like.

The freedom of macOS should not be diminished in any way, even in ways like this which make it more difficult for the user to do what they need to do with the OS.

Another step backward, but people will defend Apple regardless.

 

[davide_eu]

I’m not a lawyer. If you want information about this I would advise you to talk to one that specializes in this type of law. I doubt anyone here on the forums is qualified to answer.

Don't worry, neither I am

 

[davide_eu]

You're not considering the entire context of the discussion at hand. Yes, I mean a binary that was maliciously created and was then submitted for signing by Apple so that it can run without interference from the Gatekeeper protections in macOS.

You claimed that this signature provides no benefit beyond proving that the attacker spent $99. That's not correct because the signature does allow Apple to revoke that signature and prevent the binary from continuing to spread or do damage. It also ties the binary to a developer on record with their payment information. These are all benefits your post upthread overlooked in your rush to be snarky and contrary.

No, please don't mix two posts.

The original discussion was about the concept of "signing", nothing new than an antivirus... somebody didn't agree with me, and I explained that if a binary is compromised, to detect there is no match with the digital certificate associated, you must calc some "hash", the same activity done by an antivirus when you click to execute the binary.

 

[tennisproha]

this is good. i wish mac apps were available on the app store though

 

[Oestreich Dieter]

There are better solutions for your "parents problem". Buy them an iPad with a keyboard or lock down the Mac with MDM or a disable administration rights for the user account. Problem solved.

I'm now convinced, that Apple's actual goal is to slowly kill software distribution outside of the Apple controlled App Store.

iPad is too small for them. They need a big screen.

 

[Nugget]

No, please don't mix two posts.

The original discussion was about the concept of "signing", nothing new than an antivirus... somebody didn't agree with me, and I explained that if a binary is compromised, to detect there is no match with the digital certificate associated, you must calc some "hash", the same activity done by an antivirus when you click to execute the binary.

I was that "somebody" and we were continuing the same conversation.

 

[Ethosik]

Welp....I guess MakeMKV will be dropping mac support in a future update.

 

[redheeler]

macOS has fallen so far from what it used to be. Probably because Apple spends more time trying to make it more iOS-like, instead of trying to make iOS and iPadOS more macOS-like.

The freedom of macOS should not be diminished in any way, even in ways like this which make it more difficult for the user to do what they need to do with the OS.

Another step backward, but people will defend Apple regardless.

You should look into the different Linux distributions if you value freedom and an open ecosystem. My next desktop will most likely be a Linux box rather than a Mac. I can do everything I need to do on my Mac on a modern Linux distribution.

 

[JosephAW]

You do realize that dropping Intel and Rosetta are next.

 

[redheeler]

Welp....I guess MakeMKV will be dropping mac support in a future update.

Macs haven't shopped with optical drives for a decade now, I wonder who's still using MakeMKV on MacOS. I have an old Mac Pro 5,1 fitted with a Blu-Ray drive, one of the few models that could read the 4K UHD discs in MakeMKV since that was the only way I could actually watch the movies I purchased in 4K.

 

[Nugget]

I run MakeMKV on macOS (ripping 4K UHD discs for my Jellyfin server) and since this change doesn't prevent MakeMKV from running in macOS I can't see how it would impact their continued support of macOS as a platform.

 

[swamprock]

The descent of macOS towards iOS-ification continues apace... When these laptops eventually become glorified iPads + keyboards, as seems likely, I'll just move back to Linux.

Yes, I'm fully aware I'm a sample size of exactly one.

Or two...

EDIT: three, rather...

 

[God of Biscuits]

I'm completely unbothered by this change and I use this feature fairly often. It's only a slight additional inconvenience for experienced users and it's a huge barrier for scammers.

This doesn’t make sense. user intervention is required to override and install such software now. Makijg it more cumbersome is just Apple‘s way of pitting the users against the developers.

 

[Shirasaki]

One step closer to permanently locking down MacOS, just slowly ease people into the change. A worrying development to be sure, but a fairly obvious one.

I told people back in Big Sur that Apple Silicon transition was meant to turn macOS into iOS. Nobody cared about that. Now, here we are, removing more and more options to easily run unsigned apps. Next time there will be no option to run system under reduced security whatsoever, eliminating old programs which were not updated for a while.

Apple can say whatever they want, their action will gradually make macOS and iOS infinitely closer between each other without crossing the line, this move being the next big one Towards that direction.

 

[Shirasaki]

The malwares nowadays ship with a "Control-click to run" text, so the tech illiterates unfortunately know.

Nothing stops them from shipping a “tutorial to bypass notarisation through settings app” text with malware After this change.

 

[Shirasaki]

I find Apple's major audience with computers is the complete opposite of what it is with iPhones, so I don't get why they treat us like iPhone users. Like 99% I know who have Macs got them because they are power users and very tech literate - developers, designers and such. This is only making it more annoying for us to install all the weird silly stuff from Github that was last updated in 2011 but is needed for some niche reason.

I can't be bothered with the App Store and the more they push it to people like us in industries where nobody can wait for their app review stuff or cares for following their design or whatever guidelines, the more they piss me off. A lot of the stuff we use isn't an end consumer app - it's a tool to do a technical job. Other part of it was written by another team member to do something specific and nobody cares about notarizing it because it's for internal use. Having to go to settings and tell the computer that I want to open the app that I already told it I want to open is annoying.

It’s just one of many things Apple middle finger true power users. From the utter lack of tools to self-supervise your iOS devices for more customisation to now this, making it harder for power users to run apps and reduce their efficiency, and then wonder why musicians often have to continue to use Catalina, Mojave etc old version of macOS to work despite all the glaring “SECURITY RISK” warnings from the uninitiated. It’s a total and utter detach from macOS community reality and to me an ongoing disrespect to people who can truly utilise macOS enough to make it even more powerful.

I said it before and I will say this again: the transition of Apple Silicon for Mac means macOS will eventually turn into iOS, whether you like it or not, and regardless of what Apple says in public. I’m still waiting for them to remove terminal app, disk utility (apparently formatting drive is ”too advanced”), and a slew of other utilities, while intentionally break all non Mac App Store apps so they can’t be used on macOS, forcing everyone to use Mac App Store.

It’s just a step too far.