Neil Turner's Blog

Blogging about technology and randomness since 2002

Getting ready for Gatekeeper


Some time later this year – possibly as early as this summer – Apple will unleash the latest version of Mac OS X: version 10.8, or Mountain Lion as it will also be known. One of the new features in Mountain Lion is Gatekeeper, which is a security feature primarily designed to prevent malware from running.

It works by checking for the presence of a digital signature on the application – in particular, one that has been signed using a Developer ID from Apple. Developers can register with Apple for $99 a year, and this allows them to both publish the apps using its Mac App Store and also release signed apps through other channels. If no signature is present, or the file has been tampered with, then the application won’t run.

There are three levels of Gatekeeper protection. The highest will only permit apps that either came with the Mac and were provided by Apple, or were acquired from the Mac App Store. The middle, and default, setting will run those apps mentioned previously, plus any app that has been signed using a Developer ID. Finally, you can disable Gatekeeper entirely, and run any app regardless of whether it has been signed or not, which is the situation now.

This means that, with the advent of Mountain Lion, any app that hasn’t been signed or downloaded from the Mac App Store probably won’t run, unless Gatekeeper is disabled. Anyone who has had a Mac for some time may find that they have to do this, thus making themselves more at risk of inadvertently running malware if they’re not careful. But how much of a problem will this be?

To investigate, I downloaded RB App Checker Lite (from the Mac App Store, natch) which can be used to identify those apps that have not been signed, and will therefore probably not work when Mountain Lion comes out, unless a signed update is released. I went through all 131 applications in my /Applications/ folder, made sure that they were all up-to-date using AppFresh (which, um, isn’t a signed app), and here’s what I found:

Firstly, there were 30 apps that came with my Mac, so we can discount those as we know they will work. Next, 23 apps were from the Mac App Store – again, these will all work without problems when Mountain Lion comes along. But of the 78 remaining apps, only 5 were signed using Developer ID. Oh dear.

I should, at this stage, point out that 22 apps did have a digital signature, but these were from the developers themselves and not Apple (this is similar to how most Windows apps are digitally signed). But even then, 51 of my apps had no signature whatsoever. This is actually quite concerning because without a digital signature it would be hard to verify that these apps are in fact genuine, and have not been tampered with.

A number of these unsigned apps are in active development, and by organisations like Google (Picasa, Google Drive), Mozilla (Firefox) and Microsoft (Messenger, SkyDrive) who perhaps should know better. But many of these are old apps, where the developers have abandoned them long ago; there’s probably little chance of them being updated in time for Mountain Lion’s release.

And so, on that basis, it’s regrettable that I’ll probably have to disable Gatekeeper just to keep all of my apps running. Otherwise, 73 out of my 131 apps – more than 50% – will stop working, if nothing changes before that time.
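The audit described in the post, as an added example (not the author's method, which used RB App Checker Lite): Python that buckets apps by the certificate chain `codesign -dvv` prints and lists which would be blocked at each of the three Gatekeeper levels. The level names, class names and sample apps are constructed for illustration, and the check reads certificate names only, so it is an inventory aid rather than signature validation.

```python
import re
import subprocess
from collections import Counter

# Signature classes each Gatekeeper level lets run, per the post (labels are this example's own).
ALLOWED = {
    "highest": {"apple", "mac-app-store"},
    "default": {"apple", "mac-app-store", "developer-id"},
    "disabled": {"apple", "mac-app-store", "developer-id", "other-signed", "unsigned"},
}

def read_signature(app_path):
    """On a Mac: return `codesign -dvv` text (codesign prints it to stderr)."""
    done = subprocess.run(["codesign", "-dvv", app_path], capture_output=True, text=True)
    return done.stderr

def classify(codesign_text):
    """Bucket an app by the names in its certificate chain (no cryptographic validation)."""
    chain = re.findall(r"^Authority=(.+)$", codesign_text, re.MULTILINE)
    if not chain:
        return "unsigned"  # "not signed at all", or ad-hoc with no identity
    leaf, root = chain[0].strip(), chain[-1].strip()
    if root != "Apple Root CA":
        return "other-signed"  # developer's own certificate, whatever its name
    if leaf == "Software Signing":
        return "apple"
    if leaf == "Apple Mac OS Application Signing":
        return "mac-app-store"
    if leaf.startswith("Developer ID Application:"):
        return "developer-id"
    return "other-signed"

def blocked(apps, level):
    return sorted(n for n, text in apps.items() if classify(text) not in ALLOWED[level])

def tally(apps):
    return Counter(classify(text) for text in apps.values())

# Constructed sample output; app and developer names are made up.
ROOT = "Authority=Apple Root CA\n"
SAMPLES = {
    "Bundled.app": "Authority=Software Signing\nAuthority=Apple Code Signing Certification Authority\n" + ROOT,
    "StoreApp.app": "Authority=Apple Mac OS Application Signing\nAuthority=Apple Worldwide Developer Relations Certification Authority\n" + ROOT,
    "DevIdApp.app": "Authority=Developer ID Application: Example Dev\nAuthority=Developer ID Certification Authority\n" + ROOT,
    "OwnCert.app": "Authority=Example Software Ltd\nAuthority=Example Root\n",
    "Lookalike.app": "Authority=Developer ID Application: Example Dev\n",
    "Unsigned.app": "Unsigned.app: code object is not signed at all\n",
}
```

On a Mac, build the input with `{path: read_signature(path) for path in app_paths}` and pass it to `tally` and `blocked`.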


  1. Hmm. I’m kind of encouraged that uptake hasn’t been greater. I prefer to decide for myself whether to trust software, rather than a self-appointed ‘gatekeeper’.

    If I trust, say, Mozilla, that’s between me and Mozilla; I don’t remotely care whether Apple agree, and don’t see why Mozilla should have to pay for Apple’s approval in the form of an ‘official’ signature – Mozilla’s signature is more than adequate.

    I’m not sure whether it’s so much a case of certain developers not “knowing better”, Neil, as of those developers sharing my indifference to Apple as gatekeeper.

  2. Very much agree NRT, one gets the idea in the not far distant future, you will have to download everything from the app store so Apple will have a monopoly on software designed for its computers. I like using freeware, open-software, nightly builds and so on, which on many occasions don’t have certificates; sometimes you have to actually put it together yourself, which I really like. Apple too many times treat its customers as an afterthought; do we really need this gatekeeper?

    I imagine they are looking at the future when virus, malware, etc. will be an actual threat; just don’t go to dodgy sites and download crapware.