[mikeash]

No, everything is not black and white, but in this particular case, there doesn't seem to be any middle ground. If it's easy to bypass then it's easy to trick the user into performing the bypass. If it's hard to trick the user, it's hard for the user to bypass it intentionally. Am I wrong?

[taligent]

Of course you are wrong.

Firstly, most users aren't going to actively try and bypass the restrictions. Secondly, most users aren't going to know that they need to right click, open "Show package contents", understand the .app file structure, browse to the binary and open it from there.

[wmf]

That's not how it works. "If you right-click on an app in the Finder and then choose Open, you’re prompted with a different dialog box—one that also offers to open the offending app. If you choose Open, the app launches normally, and that’s it." http://www.macworld.com/article/1165408/mountain_lion_hands_...

As little protection as that is, I think it could make a dent against trojans. If there were enough trojans to measure, that is.

[mikeash]

All of that applies equally to legitimate, unsigned apps. So again, either Gatekeeper is good against trojans but also good at locking out legitimate apps, or Gatekeeper doesn't lock out legitimate apps but is bad against trojans. I don't see any middle ground where both get satisfied.

[quonn]

The fact is that most apps already have been signed and the remaining few will be signed in a couple of months.

Let's assume Apple will only very rarely abuse their power (In fact I guess they won't abuse it at all, but for the sake of the argument let's assume they do.)Then running unsigned apps with a right-click is still possible, but the user will be much more aware as this is almost never required. He will therefore actually read what the dialog says and not be trained to ignore it.

In fact, that is what makes this approach different to UAC in Windows and likely to succeed: UAC came up too often and users learned to ignore it. It is already very clear to me that Gatekeeper is rapidly adopted by developers. (By the way I also think Apple has whitelisted many sufficiently outdated applications since I get the "Open" button for some of them even if they are unsigned. But maybe this is also just a bug.)

[mikeash]

If Apple rarely abuses their power and makes it easy for literally everyone who isn't making malware to obtain developer ID certificates, including people who build BitTorrent clients and Tor proxies and iOS jailbreak apps, then I agree.

However, I see no reason to give Apple the benefit of the doubt here. They have been abusive since the moment they first had the idea of restricting what their users could run on their own hardware. Given that history, I'll assume abuse until proven otherwise.

[quonn]

Transmission - a BitTorrent client - is already signed with a (free) Developer ID certificate and passes Gatekeeper just fine.

I will fil a Tor bug report, right now, requesting Gatekeeper support.

Let's see ... :)

[mikeash]

I'll be especially interested if jailbreak apps make the cut. I think that will be the real iron test of this system. Will Apple allow through a non-malware app that goes directly against them? I'm not going to bet either way on this one, but I hope someone makes them choose.

[wmf]

I wouldn't be surprised if Apple even issues certs to malware authors — and then uses the resulting signatures to more reliably target their blacklist (which is now updated every day).