
Can't you just right click?

1169 points | bangonkeyboard | 5 years ago | lapcatsoftware.com

746 comments

[+] lucb1e|5 years ago|reply
This makes me wonder how open source is supposed to work on macOS. People seem to become more and more aware of it and even enterprises that insisted on support contracts can see that they can't get around open source completely anymore. Meanwhile Apple is removing the ability for me to have a pet project without paying an Apple tax.

If the message were completely transparent, something like "The developer didn't pay $99 for us to do a cursory check on them (or whatever it is that Apple does with that money), are you sure you want to run their software? [Move to trash] [No] [?]", then that would give the user the relevant information to make this decision, but as it is, virtually no mac user will understand what is really going on.

I also can't imagine $100 is easy to come up with in countries below level 4[1]. The OpenStreetMap Foundation recently introduced a way to waive the yearly £15 fee for OSMF membership if you have a certain number of map edits or otherwise contributed to the project. The OSM community seems to be quite diverse, but I can't imagine that Apple computers are less widespread than OpenStreetMap.

[1] https://www.gatesnotes.com/Books/Factfulness#incomegroups

[+] cuddlybacon|5 years ago|reply
This feature is at about the right spot for me.

It is still convenient enough for me to run software I want that isn't signed, but sufficiently obtuse that neither of my parents have figured it out. Given they are both prone to running any executable that any website tells them to download and run, this feature has probably saved me several dozen hours of fixing their computers.

[+] white-flame|5 years ago|reply
The fact that the standard model of computing is that applications are opaque machine code blobs that can access everything in your user permission space is the core problem in privacy and malware. Applications should see nothing but their executable jail, and whatever was intentionally allowed to them by the user (eg, Open file dialog giving the application an opaque file handle, etc, not carte blanche access to the entire filesystem). Ideally, the notion of machine code blobs should be done away with as well.

Mobile OSes got to rethink everything in an era of constant adversarial connectivity and started off on a better foot in this regard.

[+] badsectoracula|5 years ago|reply
This works for some types of software, but not all types of software. For example a file server or a file manager won't work. A VCS client won't work. A game engine that needs to keep track of imported resources (especially when you want automatic imports when the file is saved via a 3rd party tool - e.g. saving a model in Blender or a texture in Krita causes an automatic reimport/convert to the engine's format). Basically any sort of content management software that doesn't provide everything itself but relies on 3rd party tools already installed on the user's machine won't work.

Software like clipboard managers also won't work. Screen sharing and remote desktop software similarly won't work. Screencast software won't work. Hotkeys software won't work. Most desktop automation software won't work.

I could go on and start looking at what I have installed to extend this list (I'm sure most of the software I have on my PC won't work), but I guess you get the idea. Almost everything that doesn't fit in the media consumption model that you'll often find on a phone or a tablet won't work (and amusingly enough, at least on my Android, stuff like a file server does work, though I've heard Google wants to remove that functionality).

[+] saagarjha|5 years ago|reply
macOS ships with a quite strong and granular capability-based security model with its sandboxing mechanism (at least, when it works and is applied correctly). The feature is there, advanced applications already make use of it, but it is difficult to get arbitrary applications to adopt it (its inner workings are declared SPI after all) and it is not really exposed to the user at all except via App Sandbox, which is fairly limiting.
[+] shakna|5 years ago|reply
> Applications should see nothing but their executable jail, and whatever was intentionally allowed to them by the user

Whilst this works for some programs, it gets... difficult... when dealing with others.

What permissions should sh get, for example? And do the programs it will call inherit the same, or do they get their own permissions, or a hybrid?

[+] kumarvvr|5 years ago|reply
The average user would be terribly confused by all this and would hardly bother to even analyze requirements that are asked by any app. They will simply allow everything.

More importantly, if they see something like a permissions screen, they will have a false sense of security.

And severe restrictions on the app would hamper user experience. Code signing and developer ID are the most practical means to ensure quality software.

[+] stjohnswarts|5 years ago|reply
That should probably be an option, but I'll take ownership of my hardware and data not you or Apple. I don't mind having the checks in there as long as I can overrule them. Otherwise you just get the Epic treatment and you don't really own your hardware, you're just loaning it from Apple and you can only do what they let you do. That, to me, is a losing proposition in the long haul.
[+] bagacrap|5 years ago|reply
I don't think the permissions model in mobile OSes was good to start with, although now it's slightly better. The web is where "they" got it right.
[+] necovek|5 years ago|reply
You get that with "snaps" on Ubuntu (and I imagine flatpak too).
[+] FreakyT|5 years ago|reply
I still believe that Gatekeeper is a blatant cash grab and not a legitimate security feature.

$100/year to avoid a scary warning about how your app is definitely a virus? It's like a protection racket.

[+] kelnos|5 years ago|reply
It's hard to believe that this would be a cash grab. Even if there are 1M developers in the world, that's only $100M, which should not be worth the friction and cost to implement and maintain this scheme. Consider that Apple's most recent quarterly revenue was just under $60B. Apple made $260B in all of 2019; $100M is not even four hundredths of a percent.

Developer time to build out the signing and notarization features is not free, and running the notarization servers in a highly-available manner is also not free. As much as we all like to call out Apple sometimes for how they don't take good care of their developers, adding hoops for your developers to jump through is not a great idea.

So I think in some ways Apple really does it for the security aspects, and also probably just because Apple likes to maintain rigid control over their experience.

[+] vortico|5 years ago|reply
It's not the $100/yr that benefits Apple the most, in my judgement. It's the ability for Apple to control what software its users can use, e.g. to promote App Store sales. If they don't like your company, they can switch off your software remotely on all your end users' computers. If you have a competing product, they can just switch it off and there's nothing you can do about it except develop for Windows and Linux.
[+] turblety|5 years ago|reply
It absolutely is a cash grab, and part of a series of unethical behaviour from Apple.

Since the latest awful hardware products with MacBooks (terrible keyboard, control strip thing that breaks, no escape key), and a great improvement in using Linux via Purism and System76, I've managed to move away from Apple.

[+] Marcus10110|5 years ago|reply
I deal with this every day, because we only notarize our electron app in CI if we're building the master branch or an RC branch. I don't see it mentioned in the article, but what gets me every time is that the "right-click" trick only works the second time you try to launch the app. The first time, right-click or not, MacOS won't let you launch the app.

I do wish Apple had a free tier for open source projects, just like many other tools on the web.

As an alternative, I wish there was an easy way to "sponsor" open source projects for this sort of thing. (I guess there is in some cases, but it's pretty hit or miss)

On Windows, although it's pretty easy to run unsigned applications, it's a huge pain to install unsigned 64 bit drivers, even if it's just the inf file that's custom. I've ended up signing open-source drivers several times with my own code signing certificate (a few hundred bucks every few years) although I haven't distributed the result. Drivers for things like USB SDRs.

[+] _qulr|5 years ago|reply
> I don't see it mentioned in the article, but what gets me every time is that the "right-click" trick only works the second time you try to launch the app. The first time, right-click or not, MacOS won't let you launch the app.

Thanks for the comment! I've referenced this in a new addendum to the article.

[+] wruza|5 years ago|reply
I thought that a developer status would save me either from malware or from being babysat, but then [1] happened. No matter how hard I tried to start that binary, OSX didn't allow me to do that. Damn OS which knows better, who do you think you are? Did you see checksums, site certs, my competence, my willpower? I thought that it must be something with the build process that transmission uses, some signature didn't get into the bundle, etc, and went to their forum for help, while trying to self-sign that app and to reduce the system protection level in a console. As I found out later, that was yet another snafu that happens with transmission every few years, and it's not that it is a particularly small or inactive project.

Moral of the story is, if you want to protect your users, you have to bring some level of inconvenience and frustration to them. Or be sure that I will run that malware no matter what you say.

[1] https://forum.transmissionbt.com/viewtopic.php?f=4&t=17834

[+] sevensor|5 years ago|reply
Hold on a minute -- MacOS phones home every single time you launch an application? As a non-user of MacOS, this strikes me as utterly bonkers. You'd have to place a massive level of trust in the developers of your OS to accept this. And furthermore, surely the constant attempts to phone home have a negative effect on the user experience when the computer's network connection is missing or slow!

Perhaps the fine article has mischaracterized this behavior?

[+] tzs|5 years ago|reply
A couple other ways to deal with it (at least for some instances--not sure this applies to every kind of executable).

1.1 Hit "Cancel" in the warning dialog.

1.2 Open "System Preferences" / "Security & Privacy" and select the "General" tab.

1.3 It should have a notice about the unverified app being blocked, and offer the chance to approve it. Do so.

1.4 Try to launch the app again. You'll get the dialog again, but this time it should have a button to tell it to go ahead and launch it. That will also remember that you have approved the app, so you should be OK from then on (or at least until the app updates, and you will have to redo this).

Another way is to fix it from the command line.

2.1 Locate the executable.

2.2 Do "xattr -d com.apple.quarantine /path/to/executable"

I just hit this today when doing some web testing with Selenium, and it could not use chromedriver because the developer was not verified. My chromedriver is installed via Homebrew and evidently it had been updated since I last used it. A search for how to deal with that turned up both of the above solutions as part of this Stackoverflow question [1].

[1] https://stackoverflow.com/questions/60362018/macos-catalinav...
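As an added example (not from any commenter in this thread), a small POSIX sh script that reads the com.apple.quarantine attribute before anyone reaches for `xattr -d`: the attribute macOS writes has the layout `flags;hex-timestamp;agent;uuid`, so you can see which application downloaded the file and when. The sample value is constructed, and the `inspect_file` helper (which wraps the real `xattr -p`) is a name chosen here.

```shell
#!/bin/sh
# Added example: parse the com.apple.quarantine value instead of only deleting it.
# Attribute layout as written by macOS: "flags;hex-epoch-seconds;agent;uuid".

# Return field $2 (1-based) of a raw quarantine value $1.
quarantine_field() {
    printf '%s' "$1" | cut -d';' -f"$2"
}

# Download time as a decimal Unix epoch (field 2 is hex seconds).
quarantine_epoch() {
    hex="$(quarantine_field "$1" 2)"
    printf '%d' "0x$hex"
}

# One-line human-readable summary of a quarantine value.
describe_quarantine() {
    value="$1"
    printf 'flags=%s agent=%s downloaded=%s uuid=%s\n' \
        "$(quarantine_field "$value" 1)" \
        "$(quarantine_field "$value" 3)" \
        "$(quarantine_epoch "$value")" \
        "$(quarantine_field "$value" 4)"
}

# Inspect a real file (macOS only): report the attribute or its absence.
# Hypothetical helper name; the underlying read is the standard `xattr -p`.
inspect_file() {
    if value="$(xattr -p com.apple.quarantine "$1" 2>/dev/null)"; then
        describe_quarantine "$value"
    else
        echo "no quarantine attribute on $1"
    fi
}

# Constructed sample value (not captured from a real machine):
# flags 0083, downloaded 2020-08-19 UTC by Safari.
SAMPLE_QUARANTINE='0083;5f3d1a2c;Safari;7B0D2A7E-1C3C-4F2A-9E3B-1B2C3D4E5F60'

if [ -n "${1:-}" ]; then
    inspect_file "$1"
else
    describe_quarantine "$SAMPLE_QUARANTINE"
fi
```

Run it with a path to check a downloaded binary (for instance the chromedriver from the comment above) before deciding whether removing the attribute is appropriate; with no argument it parses the constructed sample.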

[+] onemiketwelve|5 years ago|reply
I have to look up this fucking procedure every time I update our internal executable tools. And for whatever reason the security setting loads up some sub tab for me and I always forget you have to go back to general to find the little thing at the bottom to allow the app.

This is so far beyond reasonable from a UX standpoint, and they have no reason to improve because what am I going to do? Not use macOS to work on iOS stuff? It pisses me off so much.

[+] saagarjha|5 years ago|reply
Homebrew Cask specifically opts into Quarantine, interestingly; I believe this behavior was to match the general behavior of the system to add this at most places where you could download an app. Very few other third parties opt into this.
[+] bangonkeyboard|5 years ago|reply
On a related note, the macOS 11 Beta 5 released today reveals that Apple silicon Macs will require all ARM executables to be signed: https://mjtsai.com/blog/2020/08/19/apple-silicon-macs-to-req..., https://developer.apple.com/documentation/macos-release-note...
[+] wtracy|5 years ago|reply
From Apple's documentation:

> There isn’t a specific identity requirement for this signature: a simple ad-hoc signature issued locally is sufficient, which includes signatures which are now generated automatically by the linker. This new behavior doesn’t change the long-established policy that our users and developers can run arbitrary code on their Macs

So, the sky isn't falling yet, but it is reasonable to be concerned.

[+] saagarjha|5 years ago|reply
I know exactly why this requirement exists (parts of the OS have entirely different code paths depending on whether a binary is signed or not) but it is still annoying to have to ad-hoc sign everything.
[+] mpartel|5 years ago|reply
The power that tech companies accumulate with tactics like this, and the justifications for that power, are strangely reminiscent of autocratic governments: we decide which programs you can develop and run, and we can levy an arbitrary 30% income tax (on top of regular VAT). But don't worry, it's all for your safety and security!

We are fast becoming corporate citizens, for better and for worse: https://www.youtube.com/watch?v=l3pkkSNRug4

While there is some truth to the security argument - security after all is sometimes at odds with freedom - good computer security can certainly be achieved without this degree of centralization of power. Maybe you can't protect a determined user from hurting themselves, but that seems like an acceptable price for freedom.

[+] csense|5 years ago|reply
"Y'know, it sure would be a shame if our OS went around telling users your software's a virus. Now we c'n make sure this little problem doesn't happen to you, all you gotta do is fork over the $300 (yearly of course) to join our developer program."

Nothing like a good old protection racket. No wonder Apple's worth trillions of dollars.

[+] LeoPanthera|5 years ago|reply
This behavior frustrates me, as a seasoned (=old) Mac user, but I am simultaneously quite grateful for it existing on my parents' Macs.

It would be nice if there was a Sys Prefs option to add a "run anyway" button to the initial prompt. It wouldn't even need to be on by default. Just give me the option.

[+] ttys000|5 years ago|reply
If you want your computer back, use this to disable the protections. In the system preferences, a new option is enabled under the security section, "Allow apps downloaded from: Anywhere"

> sudo spctl --master-disable

> sudo defaults write /Library/Preferences/com.apple.security GKAutoRearm -bool false

> :> ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2

> sudo chflags simmutable ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2

You may need to disable system integrity protection to do this

> csrutil disable

If you know what you're doing, like probably everyone here, you don't need any of this junk. I didn't need it in 1998, and I don't need it now either.

[+] lstamour|5 years ago|reply
But then you’ll have websites that walk you through changing the setting. At least this way you have to make a decision every time, even if it costs you a few clicks each time you do it.
[+] dwaite|5 years ago|reply
It would be a command-line option. They used to have a system preference to disable signing, but a lot of software (including Minecraft, for a while) walked users through disabling gatekeeper security for the whole system rather than sign their individual software or try and explain right-clicking.
[+] mFixman|5 years ago|reply
I was surprised to find out that something even worse is happening on default installations of Windows 10: you cannot install non-Microsoft software at all unless you go to the system settings and disable "S mode".

It's impossible for someone who's not technically oriented to know how to disable S mode or even what it is, and trying to get my mum to install Google Chrome on her new computer was harder than it has any right to be.

When did the ability to run software get this bad?

[+] benhurmarcel|5 years ago|reply
Only some PC models come with S mode by default (notably the Surface models do).
[+] danjc|5 years ago|reply
Fellow devs, I have to take the minority view here. How is $99/yr a number that any business should even care about? Even for OSS.

The reality is that the HN audience are complete outliers. Just look at the junk your friends and family install on their machines.

On a related note, the equivalent in Windows is SmartScreen. It prompts similarly to Mac for unsigned downloads as well as signed ones where there isn't yet sufficient reputation on the signing key. That last part is frustrating - we have a downloadable software component for our SaaS. It's not that frequently used and every time we renew the cert (third party BTW, not with MS), it takes a few weeks for SmartScreen to start trusting it.

[+] habosa|5 years ago|reply
I have yet to get a good answer to this question: what do these checks do?

They just confirm the developer has $100? Does Apple actually make sure signed binaries don't do anything bad?

[+] dec0dedab0de|5 years ago|reply
I don't see any problem with this. If you don't feel comfortable doing this then you definitely shouldn't be running random code from the internet. I would take it a step further and force it to be run from the command line.

Also, what kind of "viable software business" has trouble paying $100 a year?

[+] hans_castorp|5 years ago|reply
How does this work for Java programs?

The actual java binary (JVM) can be (is?) signed and used for many different apps/programs. But the .jar file that is executed probably can't be signed.

(Note: I have never done any "native" Mac programming)

[+] the_af|5 years ago|reply
As a data point: I am indeed a new Mac user, and I would never have guessed how to override gatekeeper and run the app if it weren't for (I think) stackexchange or a similar site providing detailed step-by-step instructions on how to do it. I'm a Linux power user so googling is no strange thing to me, but still, macOS really goes out of the way to hide this choice!

In my opinion, it's simply not possible to learn how to override it by following macOS UI "hints". Every step of the way seems designed to hide this possibility, instead of giving users a warning and a clear choice.

[+] catmistake|5 years ago|reply
Disabling Gatekeeper

1. From the Apple menu, open the "System Preferences" application.

2. Click on Security & Privacy > General tab.

3. If the lock in the left-hand corner is locked, click on it, then enter your Mac's username and password. This may not be required.

4. Click "Anywhere" under "Allow applications downloaded from:".

5. If you followed Step 3, please click the lock in the left-hand corner to return it to its locked state.

6. Close "System Preferences".
[+] ttepasse|5 years ago|reply
Since macOS Sierra the "Anywhere" option is not visible by default in the System Preferences. To set Gatekeeper to "Anywhere" you'll need to do it via the terminal:

  $ sudo spctl --master-disable
Then the “Anywhere” option is visible in the System Preferences UI. But only while active.
[+] jbergens|5 years ago|reply
Sounds like a security disaster for non-technical users. It is much better to trust a specific app from now on than to trust the entire internet from now on.
[+] cryptica|5 years ago|reply
I don't understand how any developer can willingly use a Mac these days. When you buy a Mac, you don't own it.

I have a similar idea about services like Amazon Lambda; why would developers build apps tightly integrated with a product that they don't own?

Most millennials these days own nothing because they keep perpetually accepting their position as 'renters' through every decision they make.