Gatekeeper: Using FUD to get Developers to Pony Up

Posted August 29, 2012

A new user comes to your site and downloads your installer. They extract the disk image and fire up the PKG file. They're greeted with this message.

(Screenshot: the dialog telling the user the file is damaged)

"Hmm," they think to themselves, "maybe something went wrong with the download." So they download it again, extract the disk image and run the PKG file again. Same error. The file is damaged. Now running late to pick up their kids from school, your new user leaves, likely never to come back.

This is their first introduction to Gatekeeper, a new feature of OS X 10.8, a.k.a. Mountain Lion. Intended as an anti-malware feature, Gatekeeper prevents downloaded applications from running, depending on their source. Similar to SmartScreen in Windows, Gatekeeper presents the user with a warning when they try to run unsigned applications.

However, there are two important differences between Gatekeeper and SmartScreen.

First, with SmartScreen, the user has the option to continue running the application despite it not being signed. Gatekeeper's default setting, however, offers no way to continue.

(Screenshot: Gatekeeper dialog)

(Note, for applications, unlike PKG files, the warning dialog is somewhat more helpful, though it still does not allow the user to actually run anything.)

This causes problems for any developers who have not paid Apple $100 for the Mac Developer Program, as the users are not left with any obvious way of continuing past the warning. This includes many developers who have chosen not to release via the App Store. Jeff and I have run into this problem already with users of both Snaposit and Blurity.

The second, and possibly more troubling, difference is that Apple is the only source for developer certificates. With SmartScreen, there are a wide variety of certificate authorities and brokers to choose from, each offering different pricing options, so the developer can comparison shop, which yields prices on the order of a third of the cost of the Mac Developer Program. For Mac developers, though, Apple has created an artificial barrier instead of using existing and well-established signing practices, giving themselves a monopoly on developer certificates.

Is there any way around it?

Yes, but you're going to have to educate your users. Each and every one of them.

There are two options:

The first, and easiest, is to instruct your users to Control-click (or right-click) the application once they've downloaded and installed it. From the context menu, they'll need to choose "Open".

(Screenshot: context menu)

When they start the application this way, they'll be presented with a slightly different warning dialog, which allows them to continue.

(Screenshot: Gatekeeper dialog with an option to continue)

The next time they launch the application, they shouldn't see any warnings.

The other option is to have them disable Gatekeeper entirely. To do this, have them go to System Preferences and choose Security & Privacy.

(Screenshot: System Preferences)

Once there, they'll need to click the lock in order to make changes. Once they've unlocked the preferences, they'll need to choose "Anywhere" from the list of options under "Allow applications downloaded from:".

(Screenshot: Security & Privacy preferences)

This will essentially disable Gatekeeper, reverting their computer's security to a state similar to OS X Lion. Obviously, this isn't ideal, but if it's something they might run into often, it might be the best choice.
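As an added example that is not part of the original post, the verdict Gatekeeper reaches in those dialogs can also be obtained on the command line with spctl(8), which ships with OS X 10.8: a developer can check a build before release, and a user who is refused can see the reason without switching Gatekeeper to "Anywhere". The function names and the sample spctl output are my own constructions.

```shell
#!/bin/sh
# Added example, not from the original post: ask Gatekeeper for its verdict on a
# downloaded .app or .pkg from the command line using spctl(8), which ships with
# OS X 10.8. Function names here are the example's own.

# Reduce spctl's verbose output ("<path>: accepted|rejected" on one line,
# "source=<reason>" on the next) to a single token: ACCEPTED,
# REJECTED:<reason>, or UNKNOWN when the output is not in that shape
# (for instance when spctl itself is missing).
parse_spctl_verdict() {
    result=UNKNOWN
    reason=
    while IFS= read -r line; do
        case "$line" in
            *": accepted"*) result=ACCEPTED ;;
            *": rejected"*) result=REJECTED ;;
            source=*)       reason=${line#source=} ;;
        esac
    done <<EOF
$1
EOF
    if [ "$result" = REJECTED ] && [ -n "$reason" ]; then
        printf '%s\n' "REJECTED:$reason"
    else
        printf '%s\n' "$result"
    fi
}

# Assess a file the way Gatekeeper will: installer packages are judged under
# the "install" operation, application bundles under "execute".
assess_download() {
    case "$1" in
        *.pkg|*.mpkg) op=install ;;
        *)            op=execute ;;
    esac
    # spctl writes the verdict to stderr, so merge both streams before parsing.
    parse_spctl_verdict "$(spctl --assess --verbose --type "$op" "$1" 2>&1)"
}

# Usage: sh gatekeeper-check.sh /path/to/Installer.pkg
if [ $# -gt 0 ]; then
    assess_download "$1"
fi
```

A REJECTED verdict with the reason spctl gives is what the user would otherwise only see as the "damaged" dialog above; an unsigned build shows up this way before it ever reaches a customer.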