OS X Mountain Lion Limits Apps to Mac App Store, Signed Apps by Default

Discussion in 'MacRumors.com News Discussion' started by MacRumors, Feb 16, 2012.

  1. MacRumors macrumors bot

    MacRumors

    Joined:
    Apr 12, 2001
    #1
    One of the significant new features in OS X Mountain Lion is Gatekeeper, a new security system to help keep users from installing nefarious applications on their machines.

    The new system relies not only on Mac App Store distribution as a means of vetting apps, but also on a new "identified developer" program under which developers distributing their applications outside of the Mac App Store can register with Apple and receive a personalized certificate they can use to sign their applications. Apple can then use that system to track developers and disable their certificates if malicious activity is detected.

    As Macworld notes in its review of Gatekeeper, OS X Mountain Lion's default setting will be to only allow initial launching of apps either downloaded from the Mac App Store or which are digitally signed under Apple's identified developer program. Users will be able to access Gatekeeper's settings in the Security & Privacy section of System Preferences, where they will also be able to choose from an even stricter setting that will allow for installation of Mac App Store apps only or a looser setting that will allow all applications to be installed and launched.
    Users on the default setting can bypass the initial Gatekeeper check the first time they launch an unsigned third-party app by right-clicking on the app itself and choosing the "Open" command. Once the application has been opened one time, Gatekeeper no longer has any control over it.

    As for apps that are signed by an identified developer, Macworld notes that OS X Mountain Lion will perform a daily check with Apple's servers for blacklisted developer signatures, and if an app from a blacklisted developer is installed on the user's system it will not open.

    Importantly, Apple's identified developer program does not involve any sort of vetting on Apple's part, as certificates are automatically issued upon request and can be freely used by the developers. But what the program does do is provide a way for Apple to link specific developers to specific apps and use Gatekeeper to revoke application functionality should a developer be discovered to be distributing malware.

    Article Link: OS X Mountain Lion Limits Apps to Mac App Store, Signed Apps by Default
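
The launch rules described in the post above, written out as a small decision model. This is an added example, not part of the original post and not Apple's code; the class and function names, the developer identifier and the sample app are constructed, and applying the blacklist under every setting is an assumption the article does not confirm.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Policy(Enum):
    """The three Gatekeeper settings the article describes."""
    APP_STORE_ONLY = "Mac App Store only"
    DEFAULT = "Mac App Store and identified developers"
    ANYWHERE = "all applications"


class Source(Enum):
    APP_STORE = "Mac App Store"
    IDENTIFIED = "signed by an identified developer"
    UNSIGNED = "unsigned"


@dataclass
class App:
    name: str
    source: Source
    developer: Optional[str] = None   # constructed developer identifier
    opened_before: bool = False       # has already passed a first launch


def launch(app, policy, blacklist=frozenset(), right_click_open=False):
    """Return (allowed, reason) and record a successful first launch."""
    # Blacklisted developer signatures stop the app from opening at all.
    # Assumption: this applies under every setting; the article does not say.
    if app.source is Source.IDENTIFIED and app.developer in blacklist:
        return False, "developer blacklisted"
    if app.opened_before:
        # The check covers only the initial launch.
        return True, "already opened once"
    if policy is Policy.ANYWHERE or app.source is Source.APP_STORE:
        reason = "allowed by setting"
    elif policy is Policy.DEFAULT and app.source is Source.IDENTIFIED:
        reason = "identified developer"
    elif policy is Policy.DEFAULT and right_click_open:
        # The article describes this override for the default setting only.
        reason = "user override"
    else:
        return False, "blocked on first launch"
    app.opened_before = True
    return True, reason


if __name__ == "__main__":
    tool = App("Tool.app", Source.UNSIGNED)   # constructed sample app
    print(launch(tool, Policy.DEFAULT))
    print(launch(tool, Policy.DEFAULT, right_click_open=True))
    print(launch(tool, Policy.DEFAULT))
```

The model makes the asymmetry visible: an unsigned app that has been opened once is never checked again, while a signed app stays subject to the blacklist because it carries a developer identity that can be revoked.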
     
  2. 0dev macrumors 68040

    0dev

    Joined:
    Dec 22, 2009
    Location:
    127.0.0.1
    #2
    Well we all knew this was coming. After Mountain Lion we'll have to jailbreak to run apps from outside the App Store.
     
  3. Middling macrumors regular

    Joined:
    Jan 25, 2009
    #3
    No option to prevent apps from the Mac App Store from launching then? :rolleyes:
     
  4. GenesisST macrumors 68000

    GenesisST

    Joined:
    Jan 23, 2006
    Location:
    Where I live
    #4
    No we won't. You just need to turn down the setting to allow all apps.
     
  5. 0dev macrumors 68040

    0dev

    Joined:
    Dec 22, 2009
    Location:
    127.0.0.1
    #6
    Yes, in Mountain Lion. But I was saying that Apple will silently phase that out in the next release.
     
  6. q64ceo macrumors regular

    Joined:
    Aug 13, 2010
  7. tmroper macrumors regular

    Joined:
    Dec 4, 2008
    Location:
    Palo Alto
    #8
    And how long will it be before Apple starts checking for apps the government doesn't want you to have?
     
  8. KingJosh macrumors 6502

    KingJosh

    Joined:
    Jan 11, 2012
    Location:
    Australia
    #9
    Why do some people take half the facts and cry?
     
  9. KingJosh macrumors 6502

    KingJosh

    Joined:
    Jan 11, 2012
    Location:
    Australia
    #10
    Why would it be Apple's responsibility that you have Adobe Photoshop pirated? Apple couldn't care less unless it is on the App Store.
     
  10. Can't Stop macrumors 6502

    Joined:
    Dec 22, 2011
  11. dethmaShine, Feb 16, 2012
    Last edited: Feb 16, 2012

    dethmaShine macrumors 68000

    Joined:
    Apr 13, 2010
    Location:
    Into the lungs of Hell
    #12
    ********.

    You may wanna go and check the Gatekeeper developer meaning again.

    As much of a geek as I am, I am probably gonna run the OS in Mac App Store only Gatekeeper mode and revert to Anywhere when I need to install some stuff on the web.

    This is the best Apple can do for the very vast number of users. Caters to us geeks, caters to normal people and caters to those who don't know the **** they are doing.

    This is unbelievably awesome.


    On the contrary, this is evidence that Apple is NOT going to close the Mac. Things cannot be much more obvious for those who really wish to see without bias and hatred.

    Short story for those interested:
    Just a couple of days back, one of my friends referred to this concept in general and I was so blown away (shame I couldn't figure out myself). This also prevented Apple from changing the underlying UNIX system to an extent where they would revoke installation permissions from the user or admin or even the super-user. Maybe an additional private kernel model only used for app installations.

    This is absolutely surreal. Best ****in feature ever. People don't realise this but this makes me believe that Apple is running for the geeks too. Long live Apple.
     
  12. tomkeddie macrumors newbie

    Joined:
    May 9, 2011
    #13
    Technical details?

    I'd be interested to know at what level the restrictions are implemented. Are command line and daemons affected too? Will it bloat certain simple utilities (MacPorts?) if they have to carry certificates?
     
  13. KingJosh macrumors 6502

    KingJosh

    Joined:
    Jan 11, 2012
    Location:
    Australia
    #14
    This is just a security measure for non-professional users like old people, not a hostile takeover, geez. People need to get their eyes checked.

    ----------

    spot on. If only other people could see properly eh
     
  14. 0dev macrumors 68040

    0dev

    Joined:
    Dec 22, 2009
    Location:
    127.0.0.1
    #15
    It's so sad everyone is seeing this as a good thing and is downvoting those who say otherwise. I guess that's why Apple can get away with locking down Macs so much.
     
  15. AriX, Feb 16, 2012
    Last edited: Feb 16, 2012

    AriX macrumors 6502

    AriX

    Joined:
    Jan 8, 2007
    #16
    Interestingly, this appears to be a Finder-level restriction - where Finder will not open apps that are unsigned unless you tell it to - as opposed to a system-level restriction, as on iOS, where unsigned code will not be run no matter what. Unsigned programs run from the Terminal, for example, would be unaffected.

    Theoretically it would be easy for someone to write a signed application that launches unsigned applications with no problem - i.e. if someone with signing capability wrote a simple "shell" app that encapsulated an unsigned app, rogue developers, hackers, or anyone could use it to distribute their unsigned apps as signed apps.

    Also, I don't believe the "identified developer" program is new - it just refers to anyone who has signed up for Apple's $99 Mac Developer Program; these developers are already issued certificates for signing Mac code.

    NOTE: I could be wrong - I haven't gotten my hands on the OS quite yet.
     
  16. deputy_doofy macrumors 65816

    deputy_doofy

    Joined:
    Sep 11, 2002
    #17
    I will remain an optimist for now. In some respects, I like the GateKeeper concept. However, if Apple removes (or hides) the "anywhere" feature in 10.9 or higher, I will re-think my OS of choice (but *still* won't consider Windows). When malware can get onto my machine and install like machine-gun fire (this is on a corporate network with "enterprise-level" anti-malware software) when I don't even have admin access myself to install anything, MS will never have my business. I guess I'll revisit (and learn) Linux at that point.
     
  17. 840quadra Moderator

    840quadra

    Staff Member

    Joined:
    Feb 1, 2005
    Location:
    Twin Cities Minnesota
    #18
    Well, until Apple actually does implement such practices, you are essentially guessing?
     
  18. realmike15 macrumors member

    Joined:
    Feb 1, 2010
    #19
    I got worried reading this, but as long as there's an option to disable this I'm fine with it. However the day they start limiting apps to Apple Approved Digitally Signed applications only... is the day I sell off my Apple products. I run Windows, Linux, and OS X daily and have no problem doing it, if push comes to shove.

    :cool:

    For the record I'm not complaining. I think someone like my grandmother would benefit greatly from having the applications she installs on her computer monitored. As long as there's an opt out feature for people who know what they're doing, that's all I ask for as a customer.
     
  19. GenesisST macrumors 68000

    GenesisST

    Joined:
    Jan 23, 2006
    Location:
    Where I live
    #20
    Complaining is fun! :D
     
  20. jayducharme macrumors 68040

    jayducharme

    Joined:
    Jun 22, 2006
    Location:
    The thick of it
    #21
    As long as I don't have to deal with the continual pop-up warnings that Windows is famous for, I'm fine. I'll set the system for "Anywhere" and keep on using my Mac like I always have.
     
  21. swordfish5736 macrumors 68000

    swordfish5736

    Joined:
    Jun 29, 2007
    Location:
    Cesspool
    #22
    I highly doubt Apple will completely lock down OS X from non-Mac App Store apps. They are simply making the machine more secure to the average user. It's not hard to allow other apps, and I'm sure if you try and open one downloaded elsewhere it will tell you exactly how to allow it. This just pretty much makes it so any malware would have to be signed for it to open on a Mac with the default setting, IMO better for the average user.
     
  22. ppilone macrumors 6502

    Joined:
    Jan 20, 2008
    #23
    I knew I shouldn't have looked at this thread... immediately full of "Goodbye OS X" posts.

    Gatekeeper really does seem like an intelligent approach to security in OS X. If anything, I think it re-affirms that OS X will not be Mac App Store only for the foreseeable future. Apple is giving developers an opportunity to play nice, without all the headache and restrictions placed on distributing through the Mac App Store.

    Gatekeeper, IMHO, feels like a "we get it - it's not iOS" from Apple. In fact, I'm hoping for Gatekeeper to show up in iOS 6.
     
  23. calderone macrumors 68040

    calderone

    Joined:
    Aug 28, 2009
    Location:
    Seattle
    #24
    Apple has been pushing signing for some time now (since Leopard). Most developers should be AT LEAST signing their apps by 10.9.
     
  24. swarmster macrumors 6502a

    swarmster

    Joined:
    Jun 1, 2004
    #25
    This is great. Taking the "this file was downloaded from the internet, are you sure you want to run it?" dialog box one step further should help a lot of people. And really, that's all we're talking about here, since even ignoring the free licenses and non-default settings, you can still launch any app with a one-time right click.
     
