 |
 |
Sierra: Gatekeeper removes automatic ability to launch unsigned apps
|
|
|
|
|
MacNN Staff
Join Date: Jul 2012
Status:
Offline
|
|
Starting with macOS Sierra, Apple is making it more difficult for unsigned apps to be launched. The option, present in OS X 10.11 to always allow unsigned apps to open has been stricken from Gatekeeper, limiting users by default to App Store and App Store plus identified developers. The ability by users to launch unsigned apps remains in the operating system in a different form, however.
Double clicks will no longer work to open an unsigned app. Users must control-click, or right-click, and select open, and then authenticate user credentials. Additionally, while there is a pointer to the app wherever the user has installed the app, the app itself is stored elsewhere in the drive in a "random" fashion, effectively preventing the Gatekeeper Bypass vector of attack from functioning.
When discovered in September of 2015, a signed application was not checked following initial installation thoroughly for any modifications. Apple's application sandboxing limited any malicious behavior to the app itself, but within the app's functions any modified code or mischievous functionality could run, provided it does not call on or write to other applications, or protected system functions. Additionally, a previously-checked application binary could be subsituted for something else entirely. A similar vector was used to create modified Xcode version, which was seen to be planting malware in legitimate applications in China.
It is not yet known how widely Apple will disseminate the information on how to open an unsigned app to users. Initially, it may cause some problems for driver developers, and independent coders.
(
Last edited by NewsPoster; Jun 15, 2016 at 11:32 AM.
)
|
|
|
| |
|
|
|
|
|
|
|
Junior Member
Join Date: Jun 2011
Location: Grande Prairie, Alberta
Status:
Offline
|
|
I guess a few apps that I use will go the way of the dodo bird, namely XtraFinder.app and TotalFinder.app.
|
|
|
| |
|
|
|
|
|
|
|
Mac Elite
Join Date: Aug 2001
Location: Maitland, FL
Status:
Offline
|
|
No, they will continue to work as long as they are supported. We're merely talking about a (slight) change in the way you *first* launch them. Once authenticated, the apps will thereafter launch normally.
|
|
Charles Martin
MacNN Editor
|
| |
|
|
|
|
|
|
|
Grizzled Veteran
Join Date: Jun 2008
Status:
Offline
|
|
Yep, this just sounds like Apple's removing the ability to automatically bypass that initial authorization.
Previously, you could launch unsigned apps without so much as a peep from the OS by clicking a checkbox in the System Preferences ("Allow unsigned apps to launch" or some such thing). So, you could download an unsigned app, and if you had enabled that preference, you could double-click the app and it would immediately launch just like a signed app would.
Now, you can't enable that preference anymore, meaning if you download an unsigned app, you will have to right-click or control-click it, select "Open," authenticate with admin credentials and confirm a warning, and then the app would launch. Subsequent launches of that app wouldn't prompt for admin credentials, though, so after the first launch, the unsigned app would behave just like a signed app.
Not a big deal, but I'm sure some will complain loudly.
|
|
|
| |
|
|
|
|
|
|
|
Fresh-Faced Recruit
Join Date: Dec 2014
Status:
Offline
|
|
Geez, I use a lot of unsigned apps. Right off the bat this would be a deal breaker for me to upgrade to Sierra.
|
|
|
| |
|
|
|
|
|
|
|
Grizzled Veteran
Join Date: Jun 2008
Status:
Offline
|
|
Why? It's a one-time thing for each, never to be bothered about it again.
|
|
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
 
|
|
|
Forum Rules
|
|
|
|
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
|
HTML code is Off
|
|
|
|
|
|
|
|
|
|
|
|
Top