Don't get the pitchforks yet, Apple devs: macOS third-party application clampdown probably not as bad as rumored

Version 10.15 will bring tighter security, but the escape hatch should remain open for now


Analysis: Imagine for a moment the possibility that macOS 10.15, due to arrive later this year, will run only apps signed with a valid Apple developer certificate, with no option to white-list unsigned apps via the company's Gatekeeper security mechanism.

That would mean the only application code you could run on macOS 10.15 would be software created and signed by registered third-party developers, who right now have to pay $99 a year for said status.

Unsigned code you build yourself would therefore not run on your own hardware once that OS was installed. The aim, we presume, would primarily be to stop unsigned malware running accidentally. Right now, the latest version of macOS can be told to run software only from the Mac App Store, from the App Store and certified devs, or from anywhere with no restrictions.

It's been suggested that Apple is planning to ban all unsigned programs in macOS 10.15 and onwards, and a Register reader within the industry has insisted to us he's heard this on good authority.

It's equally plausible the scenario has been fabricated or overblown to encourage Apple to tip its hand. We've asked around about this, and have been unable to confirm it.

We asked Apple, but the company seldom answers our inquiries.

The last time this reporter got an immediate, unequivocal response from Apple was in 2006 when, after asking about the health of then CEO Steve Jobs (visibly frail at the time and two years after Jobs disclosed his cancer diagnosis), the company's comms chief herself sent an email insisting, "Steve’s health is robust and we have no idea where these rumors are coming from."

Apple, of course, has no obligation to its customers, developers or the general public to address speculation. But its refusal to do so makes the claim at least worth discussing, given that it's not very far from changes delivered in macOS Mojave (10.14).

The Mojave update introduced the concept of app notarization, a pre-distribution code-scanning service performed by Apple that looks for malicious content and signing problems in developer-signed apps. Successfully vetted apps have a ticket attached that provides extra information to Gatekeeper, allowing more streamlined installation prompts and signing-key audits. Basically, it's a green light for macOS to smoothly install the software, seeing as it has been screened by Apple and determined to be safe.

Apple has said app notarization is optional under Mojave but will be mandatory in the future: "Note that in an upcoming release of macOS, Gatekeeper will require Developer ID signed software to be notarized by Apple," the company explains on its developer website.

We suspect that those whispering about the supposed looming changes have mistaken the foretold notarization requirement for a slightly broader restriction affecting not just developer-signed apps but all apps.
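The distinction the article draws here, between "Developer ID signed but not notarized", "notarized" and "unsigned at all", is exactly what Gatekeeper's own assessment reports. The following shell script is an added example, not code from the article or from Apple; it classifies an app into those tiers from the text that `spctl --assess --verbose --type execute <app>` prints (the `source=` values are assumed to be the strings spctl emits), and the sample transcripts it runs on are constructed so it works offline.

```shell
#!/bin/sh
# Added example: classify an app into the Gatekeeper tiers discussed above
# (notarized Developer ID, Developer ID signed but not notarized, Mac App Store,
# or unsigned) from the output of
#   spctl --assess --verbose --type execute /Applications/Example.app
# The assessment text is read from stdin so a captured transcript can be fed in.
classify_gatekeeper() {
  verdict=""
  src=""
  while IFS= read -r line; do
    case "$line" in
      *": accepted"*) verdict="accepted" ;;
      *": rejected"*) verdict="rejected" ;;
      source=*)       src="${line#source=}" ;;
    esac
  done
  # Order matters: "Notarized Developer ID" must be tested before "Developer ID".
  case "$verdict:$src" in
    accepted:"Notarized Developer ID"*) echo "notarized" ;;
    accepted:*"Developer ID"*)          echo "signed-not-notarized" ;;
    accepted:"Mac App Store"*)          echo "app-store" ;;
    *"no usable signature"*)            echo "unsigned" ;;
    rejected:*)                         echo "rejected" ;;
    *)                                  echo "unknown" ;;
  esac
}

# Constructed sample transcripts (not captured from a real Mac) for each tier.
NOTARIZED='/Applications/Example.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Corp (TEAMID0000)'
SIGNED_ONLY='/Applications/Example.app: accepted
source=Developer ID
origin=Developer ID Application: Example Corp (TEAMID0000)'
UNSIGNED='/Applications/Example.app: rejected
source=no usable signature'

for sample in "$NOTARIZED" "$SIGNED_ONLY" "$UNSIGNED"; do
  printf '%s\n' "$sample" | classify_gatekeeper
done
```

On a real Mac, pipe the live assessment in instead: `spctl --assess --verbose --type execute /Applications/Example.app 2>&1 | classify_gatekeeper`.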

Skepticism

When we asked Cabel Sasser, co-founder of macOS and iOS app biz Panic, about this, he suggested as much.

Steve Troughton-Smith, who develops apps for High Caffeine Content, expressed skepticism that Apple would go so far as to ban unsigned code entirely.

"Seems at odds with how Apple is positioning the Mac right now as a workstation for professionals; they already have a consumer OS that goes to those lengths, iOS. Plus, on the Mac, all the security can be turned off anyway," he said.

At the same time, the distance between what Apple has said it will do with mandatory notarization and what it could do by closing Gatekeeper to any unsigned code is small. With macOS Sierra, Apple began hiding the option to install apps from unidentified developers.

Currently, the company provides a way to whitelist unidentified apps in Gatekeeper by control-clicking the app in Finder, selecting Open from the menu and then authenticating with your username and password. But it clearly wants to discourage reliance on unsigned apps because of the potential security and privacy risks.

Getting rid of this mechanism would make macOS more like iOS, where all apps must be signed. And given that Apple is working on a common framework (Marzipan) to make it easier to write iOS apps that work on macOS (and vice versa), there's a certain logic to harmonizing security policies across Apple's desktop and mobile platforms.

Asked about the possibility that Apple might require code signing for all macOS apps, Felix Schwarz, who runs iOS and macOS app biz IOSPIRIT, said he hadn't heard that and suggested it would be a "bittersweet solution" if true.

"If Apple wants to really require signing for all apps with 10.15, I really hope that Apple has thought about these issues and put viable, working solutions for them in place," he said.

"I fear, however, that it could be a continuation of the kind of platform security changes macOS has seen in more recent history: well intentioned, but not well made."

Schwarz said he believes one of the reasons these cumbersome changes have proliferated is that Apple has different requirements for its own apps and for those of third-party developers. "Special code signatures that are only available to Apple often effectively save Apple from their own dog food – and it shows," he said.

Potential problems, he said, would be that unsigned legacy software might not run, and that the maintainers of any open source software currently distributed unsigned would have to pay the annual fee for an Apple developer account, take on the legal responsibility for signed code and deal with the secure maintenance of private keys.


Simeon Saëns, co-founder of development biz Two Lives Left, told The Register he had no specific knowledge of a plan to require signing for macOS apps, and wondered whether the rumor might just be about notarized apps, which wouldn't be a big deal. If Apple required all macOS apps to be signed, he said, it would make Mac developers very angry, but he'd be okay with it.

"As a developer I don’t trust developers with the right to run arbitrary code on their users’ devices without restriction," he said. "The number of developers that will throw in an analytics framework without thinking or asking the user to opt-in is disgusting. And developers very rarely respect user privacy."

Saëns said many developers believe they have the right to distribute executable code without restrictions. "I believe that for your own personal device, you should be allowed to run whatever code you want," he said.

"But as soon as your code touches another user’s device it should be locked down, sandboxed and reviewed. Your right as a developer to run arbitrary code ends outside of your machine." ®
