
maflynn

macrumors Haswell
Original poster
May 3, 2009
73,682
43,740
I've not installed the beta of macOS Sierra, but I do have some questions on the new Gatekeeper function.

I'm hoping those who have more knowledge on this can chime in.

From the keynote, it seems that Apple tightened up Gatekeeper, and in some cases not allowing a given app to run.
How will this prevent apps downloaded from outside of the MAS running?
What circumstances will cause it to prevent those apps from running?
Can I disable it, or at least lower its level of control (like have it behave under 10.11)?

Thoughts on the new Gatekeeper - is what Apple did a good thing? Too intrusive? Or, on the opposite side of things, not enough?
 

treichert

macrumors 6502
Nov 7, 2007
398
158
Aachen, Germany
From the keynote, it seems that Apple tightened up Gatekeeper, and in some cases not allowing a given app to run.


No, it does not.

How will this prevent apps downloaded from outside of the MAS running?


Not at all.

What circumstances will cause it to prevent those apps from running?


The same as from Mountain Lion to El Capitan.


Thoughts on the new Gatekeeper - is what Apple did a good thing? Too intrusive?


It's a good thing. Most people don't change the setting anyway, as it resets itself within 30 days. Also, now you can just click "run anyway" right from the error message.
 

maflynn

macrumors Haswell
Original poster
May 3, 2009
73,682
43,740
No, it does not.

Here's what 9to5Mac has to say:
During Apple’s WWDC 2016 session What’s New in Security, the company shared two interesting changes to the way Gatekeeper works in macOS Sierra – one visible, one not.


The visible one, seen above, is that there’s no longer an immediately obvious way to allow unsigned apps to open. The System Preferences pane now limits you to two options, App Store and App Store plus identified developers.

This doesn’t mean that you’re left out in the cold if you really need to open an unsigned app, though. There is still an option to open it anyway – you just can’t allow it universally any more. To open an unsigned app, just right-click the app and select Open.

The second change is invisible to users, but limits the damage that can be done by a rogue app. Although unsigned apps will still appear to be stored in the Applications folder, macOS 10.12 actually stores them in a randomized location on your drive. This prevents repackaging attacks, where one app pretends to be another one, because the rogue app won’t be able to access the resources belonging to the real one.

As you can see, the Anywhere option is gone.
[Attached screenshot: Capto_Capture 2016-06-17_06-44-35_AM.png]
 

KALLT

macrumors 603
Sep 23, 2008
5,380
3,415
9to5Mac is wrong. This has been misreported widely. The only thing that changes is that the option disappears from System Preferences. The underlying functionality does not change, neither is the blanket disable gone. The latter can still be turned off through other means, for instance:
Code:
sudo spctl --master-disable

It has always been possible to override Gatekeeper in individual cases by right-clicking on the app, then selecting ‘Open’, then selecting ‘Open’ once more, or by going to System Preferences > Security after the first failed attempt to open it.
 
  • Like
Reactions: g-7

TETENAL

macrumors 6502
Nov 29, 2014
258
281
Signed applications from outside the Mac App Store can be launched as always.

Unsigned applications can only be launched when the user explicitly expresses the intent to do so. But they can be launched.

The only thing that changed is that you can no longer turn off Gatekeeper completely – so that it never checks the signature in the first place.

Unsigned applications are probably a rare exception by now so the loss in convenience is minimal for the user. But the security is higher, because unsigned software can no longer run unnoticed.
 

KALLT

macrumors 603
Sep 23, 2008
5,380
3,415
The only thing that changed is that you can no longer turn off Gatekeeper completely

That is not true (see above). Apple specifically said at one of the WWDC security sessions that the command line and managed configurations (e.g. for deployment) would still be able to turn it off completely.
 

BenStamp

macrumors newbie
Jun 17, 2016
8
3
Well, there are some very important new changes to Gatekeeper, and it is called "Gatekeeper Path Randomisation".
This means any app you launch is launched at a virtual random path (the user will not see/feel/know this).
This introduces all sorts of restrictions.

For example cracked AppStore apps will not work anymore (a good thing imo).
Downloading an app inside a zip archive can have problems when unzipped.
You cannot launch an app directly in DMG 'disk'.
It also seems every time an application is launched, macOS verifies the code signing again. In previous OS X versions it was only on first launch.

A good read:
http://lapcatsoftware.com/articles/zero-day.html
http://lapcatsoftware.com/articles/app-translocation.html
http://lapcatsoftware.com/articles/undo.html
 

Feenician

macrumors 603
Jun 13, 2016
5,313
5,100
You cannot launch an app directly in DMG 'disk'.

Ah ha! I did this by accident (I do know better) yesterday and I was wondering why it didn't run. I assumed it was the application checking the way some apps check to see if they're in the Applications folder but it makes sense that this is system wide.

To answer the op succinctly. Nothing has been taken away in Sierra is the GUI method of completely disabling Gatekeeper. You can still right/option/secondary click and run from there.
 

BenStamp

macrumors newbie
Jun 17, 2016
8
3
To answer the op succinctly. Nothing has been taken away in Sierra is the GUI method of completely disabling Gatekeeper. You can still right/option/secondary click and run from there.

Correct. But some Apple documentation is pointing in another direction: namely, to completely eliminate the possibility to run Non-CodeSigned-Apps. Maybe not in macOS 10.12, but probably in 10.13.
It's something Apple wants to force sooner or later. And again, this is a good thing imo.
Piracy isn't good for both devs and customers.
 

Feenician

macrumors 603
Jun 13, 2016
5,313
5,100
Correct. But some Apple documentation is pointing in another direction: namely, to completely eliminate the possibility to run Non-CodeSigned-Apps. Maybe not in macOS 10.12, but probably in 10.13.
It's something Apple wants to force sooner or later. And again, this is a good thing imo.

I agree. It's not like it's a huge barrier to entry. If you really want to write/distribute malware, code signing does nothing to stop you - anyone can acquire a cert and sign their code, good, bad or ugly. (Obviously they cannot put their malware in the App Store. At least I hope they can't ;))
 

KALLT

macrumors 603
Sep 23, 2008
5,380
3,415
Correct. But some Apple documentation is pointing in another direction: namely, to completely eliminate the possibility to run Non-CodeSigned-Apps. Maybe not in macOS 10.12, but probably in 10.13.
It's something Apple wants to force sooner or later. And again, this is a good thing imo.
Piracy isn't good for both devs and customers.

Even if they remove the anywhere option from all interfaces, Gatekeeper can be avoided really, really (ridiculously) easily, completely without administrative privileges. The new features in Sierra seem to build on Gatekeeper, but do not change the way in which it works.
 
  • Like
Reactions: ButteryScrollin

BenStamp

macrumors newbie
Jun 17, 2016
8
3
Even if they remove the anywhere option from all interfaces, Gatekeeper can be avoided really, really (ridiculously) easily, completely without administrative privileges. The new features in Sierra seem to build on Gatekeeper, but do not change the way in which it works.

Sorry to break the bubble you're in. The new Gatekeeper is a completely different beast now.
And Apple will for sure nail the coffin in future macOS versions with no possibility to disable it in any way. As said, a good thing really.
 

KALLT

macrumors 603
Sep 23, 2008
5,380
3,415
Sorry to break the bubble you're in. The new Gatekeeper is a completely different beast now.

In what way? The articles you linked support what I said. The user that wants to get rid of Gatekeeper will have ample options to avoid it.
 

redheeler

macrumors G3
Oct 17, 2014
8,592
9,194
Colorado, USA
I agree. It's not like it's a huge barrier to entry. If you really want to write/distribute malware, code signing does nothing to stop you - anyone can acquire a cert and sign their code, good, bad or ugly. (Obviously they cannot put their malware in the App Store. At least I hope they can't ;))
Right, anyone can pay the $99/year developer fee to Apple to sign their app, malicious or not, and if they don't... The user will get an obnoxious warning message before they can even try the app for the first time.

As much as the feature improves security, it is also intended to encourage developers to pay up. I always keep it disabled as I would rather choose which apps to run on my own basis.
 

Feenician

macrumors 603
Jun 13, 2016
5,313
5,100
Right, anyone can pay the $99/year developer fee to Apple to sign their app, malicious or not, and if they don't... The user will get an obnoxious warning message before they can even try the app for the first time.

As much as the feature improves security, it is also intended to encourage developers to pay up. I always keep it disabled as I would rather choose which apps to run on my own basis.

I doubt it moves the needle in Apple's revenue much, but who knows. What it does is raise the barrier to malware in two ways: 1) the type of user who would install software from an untrustworthy source sees a scary message and 2) Johnny Malware writer needs to pay for a dev account before they can start. If they're not careful, that account or payment method may be traced back to them (I'm guessing most people who do this professionally have thought of that though).
 
  • Like
Reactions: Weaselboy

redheeler

macrumors G3
Oct 17, 2014
8,592
9,194
Colorado, USA
I doubt it moves the needle in Apple's revenue much, but who knows. What it does is raise the barrier to malware in two ways: 1) the type of user who would install software from an untrustworthy source sees a scary message and 2) Johnny Malware writer needs to pay for a dev account before they can start. If they're not careful, that account or payment method may be traced back to them (I'm guessing most people who do this professionally have thought of that though).
The smarter malware writers will figure out a way to infect an already existing and signed application which people trust, like the Transmission ransomware incident a few months back. But there are plenty of lesser-known unsigned apps which are perfectly legitimate, they generate that scary warning message and undoubtedly lose some users as a result.
 

Feenician

macrumors 603
Jun 13, 2016
5,313
5,100
The smarter malware writers will figure out a way to infect an already existing and signed application which people trust, like the Transmission ransomware incident a few months back. But there are plenty of lesser-known unsigned apps which are perfectly legitimate, they generate that scary warning message and undoubtedly lose some users as a result.

I agree with both your points here.
 

beebarb

macrumors 6502
Sep 10, 2015
288
258
You cannot launch an app directly in DMG 'disk'.
BAD.

Several apps that use installers (Parallels Desktop, Digital versions of Adobe Creative Suite, etc.) depend on you being able to run the installer from the disk image.
 

allan.nyholm

macrumors 68020
Nov 22, 2007
2,317
2,574
Aalborg, Denmark
BAD.

Several apps that use installers (Parallels Desktop, Digital versions of Adobe Creative Suite, etc.) depend on you being able to run the installer from the disk image.

Which is the worst - Nothing worse than having a DMG of an application or installer. I wish developers would stop putting apps inside DMG archives. Provide something else that has a validity check (I'm looking at you Adobe Flash, Google Chrome, Opera, Silverlight + other stuff that doesn't have to be packaged that way).

I'm perfectly happy with just a ZIP of the same installer for instance. (not much security in those though)

Sorry for the off-topic
 

BenStamp

macrumors newbie
Jun 17, 2016
8
3
In what way? The articles you linked support what I said. The user that wants to get rid of Gatekeeper will have ample options to avoid it.

If you quote .. please quote everything I wrote. :)
I said you can disable it in macOS 10.12 but very probably not in a future macOS version.

A very important consequence of the new Gatekeeper changes is that features like Sparkle will not work anymore.
Because Sparkle downloads a zipped file (with the update) and unpacks the updated app, it will not run anymore.
This is already confirmed by several sources and you can try this for yourself if you have an app that uses Sparkle.
You will get an error the package cannot be installed.

Not sure if the devs of Sparkle can find a way-around for this. I do hope so though..
Which is the worst - Nothing worse than having a DMG of an application or installer.

What's wrong with a DMG? It is the default way to install apps. Or do you prefer an installer that spreads all sorts of files on your system you cannot track down? That's how Windows works; I don't want that to happen for OS X for sure.

The only difference is that you will need to drag'n'drop the app inside the DMG into the Applications folder. Which is basically how you did this in the past. You just cannot run it from within the DMG.
Apple also encourages developers to make sure the app is seated in the Applications folder. That's why many apps ask the users to make sure it is.
Which is the worst - Nothing worse than having a DMG of an application or installer. I wish developers would stop putting apps inside DMG archives. Provide something else that has a validity check (I'm looking at you Adobe Flash, Google Chrome, Opera, Silverlight + other stuff that doesn't have to be packaged that way).

I'm perfectly happy with just a ZIP of the same installer for instance. (not much security in those though)

Sorry for the off-topic

Zipped apps will not launch anymore in macOS (by default).
 

KALLT

macrumors 603
Sep 23, 2008
5,380
3,415
If you quote .. please quote everything I wrote.
I said you can disable it in macOS 10.12 but very probably not in a future macOS version.

I know what you wrote, you are ignoring my point. If anything, Sierra is evidence that Apple isn't planning on making Gatekeeper stricter for the user. All Apple did was add a mechanism for preventing apps from accessing their surroundings until moved to another level in the file hierarchy. It isn't even strictly based on Gatekeeper, but on File Quarantine. This can be very easily ignored too. Nothing else changed.

The linked articles demonstrate that the path randomisation is just supplementary. It isn't a game changer.

Gatekeeper is a fairly shallow and limited security feature that doesn't put any insurmountable limitations upon the user. If the user doesn't want it, then there are ways to deal with it regardless whether Apple provides an option to turn it off or not.
 

BenStamp

macrumors newbie
Jun 17, 2016
8
3
I know what you wrote, you are ignoring my point. If anything, Sierra is evidence that Apple isn't planning on making Gatekeeper stricter for the user. All Apple did was add a mechanism for preventing apps from accessing their surroundings until moved to another level in the file hierarchy. It isn't even strictly based on Gatekeeper, but on File Quarantine. This can be very easily ignored too. Nothing else changed.

The linked articles demonstrate that the path randomisation is just supplementary. It isn't a game changer.

Gatekeeper is a fairly shallow and limited security feature that doesn't put any insurmountable limitations upon the user. If the user doesn't want it, then there are ways to deal with it regardless whether Apple provides an option to turn it off or not.

I know and understand what you are trying to tell. But the point is, Apple will EVENTUALLY prevent users from disabling it manually (via Terminal commands or any other means). That's what some Apple docs are clearly steering at. Again, the upcoming macOS will not have this restriction. But maybe the next will have. That's what I wanted to point out. :)
 

iBug2

macrumors 601
Jun 12, 2005
4,539
863
I know and understand what you are trying to tell. But the point is, Apple will EVENTUALLY prevent users from disabling it manually (via Terminal commands or any other means). That's what some Apple docs are clearly steering at. Again, the upcoming macOS will not have this restriction. But maybe the next will have. That's what I wanted to point out. :)
I don't think this will ever happen. No indicators in that direction.
 

KALLT

macrumors 603
Sep 23, 2008
5,380
3,415
No indicators in that direction.

Precisely. Path randomisation is basically just a supplement to address a particular flaw of Gatekeeper. Their overall policy for Gatekeeper itself has not changed in any way, except that they removed the GUI option for ‘anywhere’. Even if they were to remove that same option from the command-line, Gatekeeper could still be avoided easily. Everything depends on that extended file attribute still.
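
A read-only check for the two things this thread turns on, the `spctl` assessment state that the `--master-disable` command above changes and the File Quarantine extended attribute mentioned here, added as an example and not posted by anyone in the thread. The attribute name `com.apple.quarantine`, its `flags;hex-time;agent;uuid` layout, the meaning of flag bit 0x0040 and the `spctl --status` output strings are assumptions not stated in the thread; the sample values used with it are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): read-only Gatekeeper audit helpers.
# The parsing functions take text as arguments, so they can be exercised
# with constructed samples on any system.

# Classify the text printed by `spctl --status` (assumed output strings).
gatekeeper_state() {
  case "$1" in
    *"assessments enabled"*)  echo enabled ;;
    *"assessments disabled"*) echo disabled ;;  # e.g. after --master-disable
    *)                        echo unknown ;;
  esac
}

# Succeeds only for a non-empty string of hex digits. Validate before doing
# arithmetic: the value comes from a file attribute that any user can write.
is_hex() {
  case "$1" in
    ''|*[!0-9A-Fa-f]*) return 1 ;;
    *)                 return 0 ;;
  esac
}

# Decode a com.apple.quarantine value: "flags;hex_epoch;agent;event_uuid".
# Assumption: bit 0x0040 of flags records a user-approved first launch.
parse_quarantine() {
  IFS=';' read -r q_flags q_stamp q_agent q_uuid <<EOF
$1
EOF
  if ! is_hex "$q_flags" || ! is_hex "$q_stamp"; then
    echo "malformed"
    return 1
  fi
  if [ $(( 0x$q_flags & 0x40 )) -ne 0 ]; then q_ok=yes; else q_ok=no; fi
  echo "flags=0x$q_flags epoch=$(( 0x$q_stamp )) agent=${q_agent:-unknown} approved=$q_ok"
}

# On a Mac, report the live state; on other systems this part does nothing.
if command -v spctl >/dev/null 2>&1; then
  echo "Gatekeeper: $(gatekeeper_state "$(spctl --status 2>&1)")"
fi
```

On a Mac, the value to decode for a given app can be read with `xattr -p com.apple.quarantine <path>`; a file with no such attribute was never quarantined, so Gatekeeper does not assess it.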
 

beebarb

macrumors 6502
Sep 10, 2015
288
258
Zipped apps will not launch anymore in macOS (by default).
I'm not liking this change, assuming it's true.
Several of the apps I use frequently are distributed as ZIP files.

a) Some applications release the stable version in a DMG, but distribute the nightly builds in a ZIP file.
b) Plenty of open source software or freeware is zipped rather than put in a DMG because it's simpler. Especially if the open source dev cross-compiles on Linux.
c) As stated earlier many update routines use a ZIP to transmit the update, because unpacking a ZIP is more efficient. No need to wait for a virtual disk to validate and mount before extracting the update.
 