Read what Gruber writes about that Gatekeeper feature:
> My favorite Mountain Lion feature, though, is one that hardly even has a visible interface. Apple is calling it “Gatekeeper”. It’s a system whereby developers can sign up for free-of-charge Apple developer IDs which they can then use to cryptographically sign their applications. If an app is found to be malware, Apple can revoke that developer’s certificate, rendering the app (along with any others from the same developer) inert on any Mac where it’s been installed. In effect, it offers all the security benefits of the App Store, except for the process of approving apps by Apple. Users have three choices of which type of apps can run on Mountain Lion:
> * Only those from the App Store
> * Only those from the App Store or which are signed by a developer ID
> * Any app, whether signed or unsigned
> The default for this setting is, I say, exactly right: the one in the middle, disallowing only unsigned apps. This default setting benefits users by increasing practical security, and also benefits developers, preserving the freedom to ship whatever software they want for the Mac, with no approval process.
Gruber was saying that the Apple ID was going to be free. It isn't. It requires a Mac Developer account, as far as I could understand it.
When I was 15 I wrote a taskbar dialer for Windows 9x and later NT (this was in the modem days. Of course I haven't updated it in ages, and the only reason my old webpage is still there is because I found it by accident in an old backup, but here is a Google search for it: https://www.google.com/search?ie=UTF-8&q=RasInTask).
I published that on the various download pages and it was good enough to even be featured in dead-tree publications.
Back then I had no permission to use a computer ("they make you stupid" was my parents' argument) and certainly no credit card to pay anybody to do development - and even then, as a minor I would probably never have gotten that certificate.
With this rule in place I would never have been able to publish that dialer. I would never have felt how it is to make something that others can use and find useful. I would never have ended up where I am today.
Does this stop malware? Does this stop fraudulent call centers? Does this stop malicious people from telling people to turn it off and then still installing the malware? No.
Does it stop people like me from ever getting to their career of their dreams? Likely.
I might be an old fart, but this is far from acceptable.
Hold on, Xcode is free (without a developer login); you could install that and write the app.
You can then publish it on websites exactly as you did, and those who choose the appropriate security setting can run it. You have a smaller audience, yes, but you can still do what you did.
And while this doesn't stop malware, it does raise the bar a little higher.
Out of interest how would you feel about it if developer licenses were free for students?
>"You can then publish it on websites exactly as you did and those who choose the appropriate security setting can run it."
The need for a non-default security setting in order to run the software is a pretty big difference.
Requiring a developer license to work with the default security settings - thereby allowing Apple to unilaterally delete your application from your customer's computers without recourse - may only raise the bar a bit.
However, it is an entirely different development ecosystem from the one described. Microsoft couldn't delete your application or block customers' access to it arbitrarily back in the '90s.
If iOS is a precedent, the probability of Apple changing the terms of service in regards to their developer agreement in ways which have adverse effects on the saleability and distribution of existing applications is significant.
Out of interest how would you feel about it if developer licenses were free for students?
I would be much happier (to the effect of actually seeing more good than bad in this restriction) if getting that ID was a matter of filling out a form and passing a Turing test - so, for example, if any Apple ID could be used to get a signing certificate, that would be much better.
(edit: this is not about the money. It's about the way of payment (minors don't have credit cards) and the required paperwork that, among other things, requires you to be an adult)
That's interesting. My feeling is that the problem here is with the Apple Developer network rather than the functionality - I think the functionality just highlights the problem.
Personally I'd like to see the price on Developer licenses dropped and made free for full-time or part-time students. I think it would make commercial and PR sense for Apple too - show that they are developer friendly and make the Mac attractive as the machine of choice for the next generation of programmers (who will then also be a shoo-in on coding iOS apps).
Historically, Apple has rarely provided free software, hardware or services to the education market. It appears to me that their strategy since the Apple II days has generally been to monetize the education industry to the highest level the market will allow. They may offer small student discounts off of list price on college campus bookstores, but I suspect it increases sales more than enough to raise profits.
I'm willing to bet that Apple is going to allow free certificates without having to pay a cent when Mountain Lion launches; Apple already did this for Safari Extensions, for example. (Safari Extensions must be signed, but anyone can request a cert.)
It's also interesting that Apple is using the word "the _new_ Developer ID" in their developer site[1].
A license is $99. If you can afford a Mac to develop on, you can certainly afford a $99 license.
The reason they have the fee is to keep out people who aren't serious about development. If they didn't have it, for example, the forums would be overrun with people who just signed up to get the latest OS beta complaining about bugs (this is already a problem at $99).
People can still develop and distribute apps without ever signing up with Apple. This restriction is a good protection step for users imo.
You shouldn't have to prove that you're "serious about development" by paying money to write and distribute software. How many developers started as hobbyists?
Charging $100 just to be capricious is not a good move and is certainly not a good omen for OS 10.9 "Tabby" wherein you can be almost certain they will remove the option to run unsigned software (for your own protection, of course! You don't want to pay Apple $100? What are you, poor? The computer cost $1000! $generic_strawman_argument!)
You don't need to pay ANY money to write software for the Mac. Xcode is free. You don't need to pay any money to distribute software for the Mac. Distribute it through your own website. You need to pay to sell through the Mac App Store. I also presume you need to pay if you want it signed. Well that's a privilege. It helps you prove to potential customers your app is safe. You benefit from it so you should have to pay for it.
If you develop an app with the purpose of selling it on the Mac App Store for profit $100 should not be a problem for you.
If you want to distribute it yourself, go ahead. Apple is not charging you.
Yes, but Apple doesn't want to allow people to pay to get into a Beta. They want only devs taking part. A fee to enter the dev program seems like the best solution to me. Honestly they should increase it to $199 to help weed out the app spammers.
There's enough money in app spamming that it would have to be a lot higher than that to put them off.
As a rule the people who act like arseholes have at least as much money as those who don't, I don't think it's going to put them off.
I agree a nominal fee is reasonable as it puts another barrier in their way (you can check for duplicate memberships off the same card for instance so they have to get multiple cards) but the actual financial amount isn't a major barrier I don't think.
That's a good point. It would help get the beta testers out of the forums though :) Every time a new iOS version starts testing the forums are overrun with people who have x bug and don't understand what beta means. I wish there was a way for Apple to prevent a lot of the App Store spam. I wouldn't be against them becoming more curated (i.e. only apps they deem useful and quality get it). Or have a special section in the store labeled 'crap'.
I'm not sure that charging more is the solution, there's no shortage of people with more money than sense!
I don't see why Apple don't invite the developers of high-ranking iOS apps to an early-access program in order to keep their best apps up to date, and not invite anybody else to the beta.
> I don't see why Apple don't invite the developers of high-ranking iOS apps to an early-access program in order to keep their best apps up to date, and not invite anybody else to the beta.
Because every publisher, not just the "blessed" ones, has software in the store that could be negatively impacted by a new iOS release's changed APIs. And every publisher has potential use cases for new features Apple adds in a new iOS revision.
Apple ships major iOS releases at the same time as shipping the newest iOS device. They want a customer to unwrap their new device and have free roam of the store to download/buy as much as they can. They want the software to use the new features in iOS and they don't want their customers downloading crap that is broken.
And as a developer who isn't even close to "high-ranking" (My one paid iOS app maybe pulls in $50 on a good month) it's still not fair to me for someone to one-star my app and say "doesn't work on iOS 6" even when I've had no chance to test it before general release.
An Apple ID is indeed free. I've had an Apple ID for downloading Xcode for years now. At the moment the only way to get an app signing key is by purchasing a $99 license (which also gets you publishing privileges in the App Store) but it is extremely likely that in the future getting a signing key will be completely free and will not require a $99 license fee. It won't get you App Store submittal and won't get you publishing on the App Store, but I think that is fair.
> Back then I had no permission to use a computer ("they make you stupid" was my parents' argument) and certainly no credit card to pay anybody to do development - and even then, as a minor I would probably never have gotten that certificate.
The computer isn't free either. And you can always build and distribute without the ID or the certificate. This is just for distribution through the App Store or to users that have it set to only allow signed apps.
> Does this stop malware? Does this stop fraudulent call centers? Does this stop malicious people from telling people to turn it off and then still installing the malware? No.
"No" to the last question, maybe. On the other hand, it stops tons of malware. Signed binaries are considered one of the most successful anti-malware strategies by security experts. Are you saying otherwise?
> Does it stop people like me from ever getting to their career of their dreams? Likely.
Well, if you are that easily discouraged, then maybe that career wasn't really for you, anyway.
You present an edge case ("I need to build and distribute my software to OS X users AND I want those users to not only allow signed apps BECAUSE I can't fork out $100 for a developer certificate").
If that kind of thing discourages you from "getting to the career of your dreams", what would you say about the hundreds of thousands of dollars and years of toil needed to become a doctor or a lawyer, not to mention the hard learning needed to become a professional programmer?
> On the other hand, it stops tons of malware. Signed binaries are considered one of the most successful anti-malware strategies by security experts. Are you saying otherwise?
As you've decided to pick anonymous security experts, I thought I'd chip in. I don't know if I'd call myself an expert, but I've spent over a decade in industry breaking systems, fixing software and booting out bad guys, I'm speaking at BlackHat EU next month and I co-founded a security conference, so I guess that means I'm not a complete security chump. I can categorically tell you that signed binaries are only part of a strategy, and not necessarily the best one at that. If your goal is to increase the cost of exploitation then signing can help, but so can a decent access control model (of which signing becomes a part).
To put it another way, it's possible to defeat AppLocker (Windows binary signing), iOS code signing on iOS 5.0.1, the Xbox and Xbox 360's code signing restrictions, the PS3's code signing restrictions, and more recently, an analysis of RSA keys showed that between 2 and 4 out of every thousand keys are insecure due to weak randomness[1].
The bottom line is that code signing, like placebos, only works if you believe in it, unless they're backed up by something more solid to augment them and they form a stronger coherent strategy.
At this stage all code signing settings will do is encourage developers to get Apple IDs and for customers to use the App Store as they know "it's safe". Even though we know it doesn't mean anything[2] to the end user in reality. The real thing that Apple will do is further on the line when they decide to make it so that you can only run signed apps (and this is at least the direction Apple are taking) through their App Store.
Your edge case point applies to countless open source developers, including those that worked on the original FreeBSD code that went into Darwin. Apple are of course, under the licences they've inherited, allowed to implement code signing, but please don't think this is an anti-malware measure, it isn't. It's about control of distribution. Anyone that wants to bypass code signing on an Apple product will find a way to do it.
"code signing […] only work if […] they're backed up by something more solid to augment them and they form a stronger coherent strategy."
You mean things like sandboxing and blacklisting? Or do you think this is not (an attempt at) a coherent strategy?
"At this stage all code signing settings will do is encourage developers to get Apple IDs and for customers to use the App store"
It also (even if ever so slightly) decreases the attack surface. It is harder to infect executables if the OS checks the hash of the code every time it is run. Finally, it gives Apple a handle for disabling malware, once it has detected it. That will not prevent malware from infecting systems, but it can make it less likely that machines will keep getting infected for years after the time.
> The computer isn't free either. And you can always build and distribute without the ID or the certificate. This is just for distribution through the App Store or to users that have it set to only allow signed apps.
The latter is the default. So for other people to use this application I wrote as a minor, my users would have to change the setting.
> Well, if you are that easily discouraged, then maybe that career wasn't really for you, anyway.
This would not have stopped me, but imagine what kind of an ego boost it is for a 15-year-old sufferer of heavy bullying due to overall geekiness to see his home-grown application not just be used by other people but actually get mentioned in paper publications.
Nowadays I couldn't even get /permission/ to try because these various developer programs require you to be an adult due to various organizational issues.
Honestly, without that ego boost when it happened, I don't know where I would stand today, if at all.
But this is my story. I have a feeling that I'm losing objectivity here due to heavy emotional involvement. I'll be quiet in this topic from now on and just turn that switch off for myself, hoping that there will be a switch to turn off in the future.
> The latter is the default. So for other people to use this application I wrote as a minor, my users would have to change the setting.
Yeah, but should users configure their systems to the distribution convenience of some developers?
Or should Apple keep signed apps forever away from OS X for the same reason?
Or should they introduce them, but make unsafe apps the default, and thus render them useless for non security minded people?
All of those options seem a little strange to me.
> Nowadays I couldn't even get /permission/ to try because these various developer programs require you to be an adult due to various organizational issues.
Yes, but consider some other things:
a) nowadays computers are a dime a dozen and more kids have access to them than ever.
b) nowadays there are tons of compilers, programming environments, most of them given away for free and/or open sourced.
c) nowadays a kid can make a web app and reach millions of people worldwide. There are tons of ways to put it up even for free.
d) nowadays there are even kids making iPhone/iPad/Android apps, and some have reached hundreds of thousands of users.
e) the sound/graphics/processing capabilities of modern machines were unheard of in those times.
f) High-level languages like Python/Ruby/JavaScript trump anything available in the old times for kids (mostly stuff like Basic, Logo, etc). Especially in the libraries department.
> Back then I had no permission to use a computer ("they make you stupid" was my parents' argument) and certainly no credit card to pay anybody to do development - and even then, as a minor I would probably never have gotten that certificate.
Yes but things change. Old fart or not, you're into technology, we all have to realize things change!
$100 does not stop anyone from realizing their dreams. Teenagers know how to make extra cash. $100 is less than 2 days work at a minimum wage job.
I would much rather have teenagers work to be able to pay $100 to distribute signed applications than make it free for anyone (malware makers) to distribute signed apps.
The trade-off isn't even close here. It's free to develop the app, and even distribute it outside of the app store. If you want to go into the app store, you'll need $100, which helps keep software more secure for millions of people.
Malware writers will just get free ids and sign their malware.
Will all of these OSX devices be regularly polling Apple to get a list of revoked certs?
I guess this would be useful to prevent malware being installed, but it's not going to be massively useful to remove already installed malware. Especially if that malware can interrupt the polling.
I wonder how difficult it will be to get developer IDs. Might be a market for them.
Will be fun to uninstall a developer's software from every machine by stealing his cert, releasing some malware signed with it, and then waiting for Apple to push out a revocation cert.
Neither of these will work, because (a) the signing key is per-developer and (b) the entire point is that when your malware is found to be signed with key X, key X is revoked and your software no longer runs. That's the purpose of the system...
He's referring to the master key, which will be used to sign the per developer signing keys. If that is stolen, then it will be possible to sign arbitrary signing keys and issue arbitrary revocation certificates.
And is, again, instantly revocable. It'll be annoying if it's stolen, but you just revoke it, give the company the new one, and update the app in the app store (or your download, if you're not in the store). This is arguably far better than being unknowingly hit by malware.
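The revocation chain argued over in the comments above (a launch-time hash check, per-developer keys endorsed by the vendor's root key, and a revocation list that clients refresh) as an added example in Go; it is not code from the thread or from Apple. The three policy modes, the developers "A" and "B", the root key, the revocation list and the binaries are a constructed model of the design, not Apple's certificate format or API:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Policy mirrors the three Gatekeeper settings listed in the quoted Gruber piece.
type Policy int

const (
	AppStoreOnly Policy = iota
	AppStoreOrIdentifiedDeveloper // the default discussed in the thread
	Anywhere
)

// DeveloperCert is a constructed stand-in for a Developer ID certificate: the
// developer's public key endorsed by the root's signature (not Apple's format).
type DeveloperCert struct {
	DeveloperID string
	PublicKey   ed25519.PublicKey
	RootSig     []byte // root signature over certMessage(DeveloperID, PublicKey)
}

// SignedApp is an installed binary plus the developer's signature over its hash.
type SignedApp struct {
	Name      string
	Binary    []byte
	Cert      *DeveloperCert // nil for an unsigned app
	FromStore bool           // assumption: App Store apps are vetted on a separate path
	Signature []byte         // developer signature over sha256(Binary)
}

// Root holds the vendor's signing key (the "master key" in the thread) and the
// revocation list that clients fetch.
type Root struct {
	Pub     ed25519.PublicKey
	priv    ed25519.PrivateKey
	revoked map[string]bool
}

func NewRoot() (*Root, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Root{Pub: pub, priv: priv, revoked: map[string]bool{}}, nil
}

func certMessage(devID string, pub ed25519.PublicKey) []byte {
	return append([]byte(devID+"\x00"), pub...)
}

// IssueDeveloperCert endorses a developer's public key with the root key.
func (r *Root) IssueDeveloperCert(devID string, pub ed25519.PublicKey) *DeveloperCert {
	return &DeveloperCert{DeveloperID: devID, PublicKey: pub, RootSig: ed25519.Sign(r.priv, certMessage(devID, pub))}
}

// Revoke marks one developer's certificate as revoked; every app from that
// developer stops verifying once a client has fetched the updated list.
func (r *Root) Revoke(devID string) { r.revoked[devID] = true }

// RevocationList is the snapshot a client polls for. A stale copy is the window
// the thread worries about: malware installed before the revocation reaches it.
func (r *Root) RevocationList() map[string]bool {
	out := make(map[string]bool, len(r.revoked))
	for k, v := range r.revoked {
		out[k] = v
	}
	return out
}

// SignApp produces the developer's signature over the binary's SHA-256.
func SignApp(name string, binary []byte, cert *DeveloperCert, priv ed25519.PrivateKey) *SignedApp {
	digest := sha256.Sum256(binary)
	return &SignedApp{Name: name, Binary: binary, Cert: cert, Signature: ed25519.Sign(priv, digest[:])}
}

// MayLaunch is the launch-time decision: policy, root endorsement of the
// developer certificate, revocation status, then integrity of the binary.
func MayLaunch(app *SignedApp, policy Policy, rootPub ed25519.PublicKey, revoked map[string]bool) error {
	if policy == Anywhere || app.FromStore {
		return nil
	}
	if policy == AppStoreOnly {
		return errors.New("policy allows App Store apps only")
	}
	if app.Cert == nil {
		return errors.New("unsigned app blocked by default policy")
	}
	if !ed25519.Verify(rootPub, certMessage(app.Cert.DeveloperID, app.Cert.PublicKey), app.Cert.RootSig) {
		return errors.New("developer certificate was not issued by the root key")
	}
	if revoked[app.Cert.DeveloperID] {
		return fmt.Errorf("certificate of developer %q has been revoked", app.Cert.DeveloperID)
	}
	digest := sha256.Sum256(app.Binary)
	if !ed25519.Verify(app.Cert.PublicKey, digest[:], app.Signature) {
		return errors.New("binary hash does not match the developer signature")
	}
	return nil
}

// ScenarioResult collects the launch decisions of the constructed scenario.
type ScenarioResult struct {
	BeforeRevocation, AfterRevocation, OtherDeveloper, Tampered, Unsigned, UnsignedAnywhere, SelfIssued error
}

// RunScenario walks through the cases argued in the thread with constructed developers "A" and "B".
func RunScenario() (ScenarioResult, error) {
	var res ScenarioResult
	root, err := NewRoot()
	if err != nil {
		return res, err
	}
	pubA, privA, _ := ed25519.GenerateKey(rand.Reader)
	pubB, privB, _ := ed25519.GenerateKey(rand.Reader)
	appA := SignApp("dialer", []byte("constructed binary of A"), root.IssueDeveloperCert("A", pubA), privA)
	appB := SignApp("editor", []byte("constructed binary of B"), root.IssueDeveloperCert("B", pubB), privB)
	unsigned := &SignedApp{Name: "hobby", Binary: []byte("constructed unsigned binary")}

	crl := root.RevocationList() // client's copy before A is revoked
	res.BeforeRevocation = MayLaunch(appA, AppStoreOrIdentifiedDeveloper, root.Pub, crl)

	root.Revoke("A")            // A's key is found signing malware
	crl = root.RevocationList() // client polls and refreshes; the already-installed app now fails
	res.AfterRevocation = MayLaunch(appA, AppStoreOrIdentifiedDeveloper, root.Pub, crl)
	res.OtherDeveloper = MayLaunch(appB, AppStoreOrIdentifiedDeveloper, root.Pub, crl)

	tampered := *appB // patched after signing: the hash check catches it
	tampered.Binary = []byte("constructed binary of B, patched after signing")
	res.Tampered = MayLaunch(&tampered, AppStoreOrIdentifiedDeveloper, root.Pub, crl)

	res.Unsigned = MayLaunch(unsigned, AppStoreOrIdentifiedDeveloper, root.Pub, crl)
	res.UnsignedAnywhere = MayLaunch(unsigned, Anywhere, root.Pub, crl)

	rogue, _ := NewRoot() // a "certificate" endorsed by a key that is not the real root
	pubR, privR, _ := ed25519.GenerateKey(rand.Reader)
	res.SelfIssued = MayLaunch(SignApp("rogue", []byte("x"), rogue.IssueDeveloperCert("R", pubR), privR),
		AppStoreOrIdentifiedDeveloper, root.Pub, crl)
	return res, nil
}

func main() {
	res, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", res)
}
```

The model keeps the two halves of the argument visible: revoking "A" makes every binary from "A" fail at the next launch even though it was installed and verified before the revocation, while "B" is unaffected; and a client that never refreshes its copy of the revocation list keeps launching "A", which is exactly the polling window raised in the thread.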
> Malware writers will just get free ids and sign their malware. Will all of these OSX devices be regularly polling Apple to get a list of revoked certs?
Yes, the first problem will be to create some malware for OS X first. You know, the biggest success so far had been that Mac Defender, that was:
Depending what you call malware - some people feel that an application which silently uploads your address book is functionally equivalent, and there have been plenty of these available on all platforms.
"I guess this would be useful to prevent malware being installed, but it's not going to be massively useful to remove already installed malware. Especially if that malware can interrupt the polling."
You mistakenly read that as if I wasn't talking about malware that exists today. No. There are two situations:
1.) revocation cert issued before malware installed
2.) malware installed before revocation cert issued
I was talking about situation 2 occurring in N years time. You can tell this by the way I wrote "Especially if that malware can interrupt the polling." Which of course, isn't a feature of any malware that exists today, because the polling method doesn't exist yet.
If malware on OSX is as small a problem as you're suggesting, why is Apple bothering with any of this? Is it to wrestle further control of the app eco-system on OSX? Or is it just security theatre? Or both? Something else?
The current app eco-system doesn't allow them to just switch off the ability for people to install arbitrary apps. They need to get themselves into a situation where the vast majority of apps are signed first. Then it will be a lot easier for them to require apps to be signed. For your own protection of course.
EDIT: After all, if developer IDs are so easy and free to get, and will make it easier for people to install your app, why wouldn't you get it signed?
> If malware on OSX is as small a problem as you're suggesting, why is Apple bothering with any of this?
Presumably, in order to keep the problem small. If OS X grows in marketshare, it will become an increasingly attractive target for malware developers. If the default is that the majority of Apple users only run signed applications (this also means that the certificate wasn't revoked), then the number of possible "users" for your malware is greatly reduced, making OS X a much less attractive target platform for malware developers.
> After all, if developer IDs are so easy and free to get, and will make it easier for people to install your app, why wouldn't you get it signed?
If you are a legitimate developer, then there's no reason not to (assuming it actually is free and easy, which isn't clear). As a malware developer, there's little point; as soon as the developer ID is being used for malware, Apple will revoke the corresponding certificate, and your malware won't run.
> If malware on OSX is as small a problem as you're suggesting, why is Apple bothering with any of this? Is it to wrestle further control of the app eco-system on OSX? Or is it just security theatre? Or both? Something else?
I don't understand the question. Apple has been improving OS X security mechanisms in every OS X update. From "address space layout randomization" to the "first run warning". This is another step in the same direction.
Are you implying that Apple should only do something about OS X security AFTER malware on OS X gets to be a problem? Because I'd rather they do it BEFORE.
And I fail to see how pro-actively making an OS more secure is "security theater".
> Then it will be a lot easier for them to require apps to be signed. For your own protection of course.
Of course. I miss the irony here. Signed applications are touted by security experts as a highly successful security measure. Are you suggesting it is otherwise or are you just confusing the potential of misuse of that feature with that feature being meaningless?
*After all, if developer IDs are so easy and free to get, and will make it easier for people to install your app, why wouldn't you get it signed?*
Yeah, why? Surely not for the $100 it takes.
SSL certificates cost money too, but I don't see anybody suggesting running your web app in plain HTTP is better, or that paid certificates hamper secure web application development.
For one, most Macs are updated very often, what with Software Update and Mac Store updates. So updating a black list of applications wouldn't be a problem.
Second, they cannot just get a certificate, because they will have to interact with Apple and the developer program. You know many malware writers that want to give their details away?
Third, even if they somehow get through the second caveat above, revocation would just be a step away.
I then asked a rhetorical question about why would they be doing this if not to defend against malware.
No, you said that if they don't do it to defend against ALREADY EXISTING malware then it's either a security theater or a mystery to you why they'd do it.
As if defending against POSSIBLE FUTURE malware is a "security theater" or a strange notion.
I didn't think I would have to point out that I'm not psychic, and that it was only an opinion/prediction. I will try to be more clear in future.
"Second, they cannot just get a certificate, because they will have to interact with Apple and the developer program. You know many malware writers that want to give their details away?"
Sorry. I forgot that identity theft was impossible, and not rampant and easy and used as a matter of course by malware authors.
The last three lines of your comment are complete nonsense. You have failed to parse and understand what I wrote.
> The last three lines of your comment are complete nonsense. You have failed to parse and understand what I wrote.
Yeah, because it is so off base, right, you writing:
"If malware on OSX is as small a problem as you're suggesting, why is Apple bothering with any of this? Is it to wrestle further control of the app eco-system on OSX? Or is it just security theatre? Or both? Something else?"
And me translating the above as you saying that if they don't do it to defend against ALREADY EXISTING malware then it's either a security theater or a mystery to you why they'd do it.
I was attempting to prompt you into retracting your ridiculous statement about malware not being a problem. I wish I hadn't bothered now. I'll leave you to it.
> I was attempting to prompt you into retracting your ridiculous statement about malware not being a problem.
Ridiculous how?
It's perfectly valid, as in: VERY VERY VERY VERY VERY FEW OS X users ever had problems with malware. Less than what would be statistical noise. On top of it, all the cases of OS X malware had been trojans. So, 99.9999% got off scratch-free, despite not even running any antivirus or anything.
You thought I was talking about malware that exists today. I wasn't. That's why your response made no sense. I was talking about in the future, when malware is installed before revocation certificates are pushed out.
This is why it looked like you were the one that was ignoring the future likelihood of malware on OSX, not me.
Go back to your first comment in this thread, and look at my most recent response to it. Then read my original comment. The problem here is that you simply misunderstood my initial comment, and replied to something which I did not say.
> you won't get anything like that out of Cupertino.
You do know the core OS, Darwin[0], is open source? See also http://opensource.apple.com/ You may have even heard of a little rendering engine named WebKit that Apple helped create.
I'm wondering if Apple have described the circumstances, apart from the malware scenario, in which they would revoke a developer ID and the associated signing certificate?
Also, do users get the choice to accept a certificate revocation?
It preserves the freedom for developers to ship whatever they want, though I wouldn't say it benefits them.
But it's within the realm of possibility for Apple to start refusing support to users who disable Gatekeeper. I would disable it anyway, but how many other users would?
> My favorite Mountain Lion feature, though, is one that hardly even has a visible interface. Apple is calling it “Gatekeeper”. It’s a system whereby developers can sign up for free-of-charge Apple developer IDs which they can then use to cryptographically sign their applications. If an app is found to be malware, Apple can revoke that developer’s certificate, rendering the app (along with any others from the same developer) inert on any Mac where it’s been installed. In effect, it offers all the security benefits of the App Store, except for the process of approving apps by Apple. Users have three choices of which type of apps can run on Mountain Lion:
> The default for this setting is, I say, exactly right: the one in the middle, disallowing only unsigned apps. This default setting benefits users by increasing practical security, and also benefits developers, preserving the freedom to ship whatever software they want for the Mac, with no approval process.