
2012-08-22

OS X 10.8 App Installation and Gatekeeper

OS X 10.8 Mountain Lion is here, and with it a new security feature called Gatekeeper, which lets a user restrict installation to applications that came from the Mac App Store or from sources that have a certificate from Apple.

Gatekeeper options can be displayed by heading over to Settings > Security and Privacy.




The App Store is great, but not so much for the enterprise, as it is not realistic to expect in-house developed code to go through Apple every time. So developers who have signed up with Apple get a Developer ID certificate that can be used to sign installation packages. Details of this process are explained here on the official Apple pages and also here on 'unreleased notes' in layman's terms.

If an application is not signed and is not available in the App Store, then Gatekeeper 'may' get in the way in its default setting (Mac App Store + identified developers), but there are 'gotchas'.

Should I disable Gatekeeper?
You may be tempted to select the 'Anywhere' option in Gatekeeper to avoid the hassle, but consider this:
Gatekeeper will "only" block the installation of applications downloaded from the web.

You will still be able to install unsigned, non-flat packages:

  • if you already have a package repository on a network share, USB drive, etc. and copy from there
  • if you use tools like curl that do not set the 'quarantine' flag (see below)
  • if you control-click the package in Finder and choose Open
  • if you launch the Installer app (`sudo /System/Library/CoreServices/Installer.app/`) and browse to the downloaded application
  • if you use the command line, as in `sudo installer -pkg /path/to/package -target /`

So, there are plenty of ways to let Gatekeeper work for you without disabling it.


Quarantine attribute on downloaded applications:
When you download an install package from the web with, let's say, Safari, a hidden 'com.apple.quarantine' extended attribute is added to it. You can use `ls -l@` to display such attributes. When you try to install a file that carries this attribute, Gatekeeper will block the application!

You can use the following command to remove the quarantine attribute:
`xattr -d -r com.apple.quarantine /path/to/downloaded/package`

This will stop the prompts that tell you what you may already know: "ApplicationName" is from an unidentified developer. Are you sure you want to open it?
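
A read-only way to see which installers in a folder actually carry the quarantine attribute before deciding whether to remove it, as an added example that is not part of the original post. It assumes the commonly observed `flags;hex-timestamp;agent;event-id` layout of the attribute value (not stated in the post); the function names, the `XATTR` override and the script name in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example: read-only audit of the quarantine attribute on installers.
# Nothing here modifies or removes attributes.

XATTR=${XATTR:-xattr}   # overridable so the logic can be exercised off OS X

# Decode a value of the assumed form  flags;hex_epoch;agent;event_id
# into "flags=... epoch=... agent=..." (epoch = timestamp field, in seconds).
parse_quarantine() {
    old_ifs=$IFS; IFS=';'; set -f
    set -- $1
    set +f; IFS=$old_ifs
    flags=${1:-}; stamp=${2:-}; agent=${3:-unknown}
    case $stamp in
        ''|*[!0-9a-fA-F]*) epoch=unknown ;;
        *) epoch=$(printf '%d' "0x$stamp") ;;
    esac
    printf 'flags=%s epoch=%s agent=%s\n' "$flags" "$epoch" "$agent"
}

# One report line per file: the decoded value, or a note that the file has
# no quarantine attribute (the case the post says Gatekeeper does not block).
report_file() {
    if value=$("$XATTR" -p com.apple.quarantine "$1" 2>/dev/null); then
        printf '%s: quarantined %s\n' "$1" "$(parse_quarantine "$value")"
    else
        printf '%s: no quarantine attribute\n' "$1"
    fi
}

# Audit the installers (.pkg, .mpkg, .dmg, .app) directly under a directory.
audit_dir() {
    for f in "$1"/*.pkg "$1"/*.mpkg "$1"/*.dmg "$1"/*.app; do
        [ -e "$f" ] && report_file "$f"
    done
    return 0
}

# Usage: sh audit_quarantine.sh ~/Downloads
if [ "$#" -gt 0 ]; then
    audit_dir "$1"
fi
```

Files reported with no quarantine attribute are the ones that arrived by a route such as curl or a network copy, so they are worth verifying by other means before installation.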
