Wednesday, August 6, 2014

Upcoming Changes In Apple's Gatekeeper Security


Apple started providing 'Gatekeeper' with OS X 10.7.x. You can see its settings in the Security & Privacy preference pane, under the General tab.

It's a bad idea to have it set to allow applications from 'Anywhere'. Don't do that! But I find it too restrictive to only download from the Mac App Store. I continue to use many wonderful apps that are never going to be available directly from Apple. Therefore, I personally prefer to leave Gatekeeper set to allow apps from the "Mac App Store and identified developers."

What's changing in the OS X Mavericks 10.9.5 update as well as 10.10 Yosemite is further scrutiny of the "identified developers." The GUI for Gatekeeper will remain the same. But developers are going to have to take an extra step with their applications in order to allow their security certificates to get past the 'Gatekeeper'. Users may well find that many previously 'identified' application security certificates won't pass muster and will cause OS X to reject them.

You can read the gory details in Apple's Technical Note TN2206: OS X Code Signing In Depth. Skip ahead through the document to the section heading "Changes in OS X 10.9.5 and Yosemite Developer Preview 5":

"If your team is using an older version of OS X to build your code, re-sign your app using OS X version 10.9 or later using the codesign tool to create version 2 signatures. Apps signed with version 2 signatures will work on older versions of OS X….

"Important: To ensure your current and upcoming releases work properly with Gatekeeper, test on OS X version 10.10 (Seed 5 or later) and OS X version 10.9.5."

There are several articles discussing this change. Here is one, cited over at MacDailyNews, from Richard Mallion at the AmSys blog in the UK:

Gatekeeper changes coming

