Tuesday, November 26, 2019

Gatekeeper Override for Indirect Launching

Chuq Von Rospach:

The first time I tried to publish new images to Flickr, Lightroom aborted and the OS put up a dialog warning me that the app “magick” isn’t signed and so it might be dangerous, so the OS wouldn’t let it launch. “magick” is part of the ImageMagick graphics tool suite, a commonly used set of image manipulation tools; as of today the developers haven’t signed it with a developer certificate from Apple, so Apple’s Gatekeeper will reject it.

You can tell the OS to let the app run, but it’s not obvious where to do that. Here’s how:

Try to export some images and get the warning dialog. Then open up the System Preferences app and navigate to the “Security and Privacy” section and the “General” tab. At the bottom of that tab, you should see some text similar to the warning you got in the dialog. There’s an “Allow” button there. If you click it, you’re approving that app as something that’s okay to be launched.

When launching an app directly, the workaround is easier: you can Control-click and choose Open from the contextual menu.

In both cases, why doesn’t the alert tell you how to resolve the problem (if you do, in fact, trust the software)? In my view, this is poor design and essentially security through obscurity. Apple decided that they don’t want you to run unsigned software, but they don’t want to (or realistically can’t) completely forbid it, so they provide an escape hatch but keep it hidden. macOS doesn’t trust the user to make the right decision, so it acts as though there’s no choice.

It could have explained the situation, from Apple’s point of view, and perhaps required a few extra clicks to confirm. But instead it makes it look like an unsolvable problem. Most customers will probably give up. Some will enter the text into Google and find who-knows-what. In other words, Apple is delegating the explanation to an unknown third party.

Walt Mossberg:

Today I upgraded both of my fairly new Macs to the Catalina OS. Then I tried to run Skype. On my MacBook Pro, it wouldn’t load. On my MacBook Air, it launched fine, but wouldn’t work. Had to use an iPad. Is this Apple’s way of forcing a switch to the iPad from the Mac? WTF?

Note: Skype was up to date. Even so, on one of the Macs, I tried downloading it again from the Web and was told my Mac couldn’t run it because Apple couldn’t check it for malware. I saw no opt out from this warning box. Again, WTF?

Again, the alert presents it as if something is broken. The app certainly could be checked for malware. It’s just that Apple has decided to only do the check in a particular way. The app certainly could be launched without the check, but Apple has decided not to tell you that.

Previously:

Update (2019-11-27): Rosyna Keller:

There’s no need to google or anything. The dialog that comes up has a help button that can be clicked and discusses the options…

I should have mentioned that, but I don’t think it’s a good solution:

Mike Hay:

I mean, I understand Apple building the UX for the 90% of consumers who buy a mac, but I would prefer a different user type in the Users & Groups to having to constantly affirm that I want to go against recommended practice.

Update (2020-02-04): Rosyna Keller:

The button now works in macOS 10.15.3. Thanks for reporting the issue!!

13 Comments

Remember the days when Apple used to be celebrated for excellent UX?

Just Works.

I remember Just Works. You know, for graphic designers and writers, who are smart but don't want to jump through a whole lot of hoops. They could just buy a Mac. And it would just...work.

So, one question if you're an App developer:

Why don't you notarize your Cocoa app? It does not require you to sandbox it or submit it to the Mac App Store.

I don't think it's an excuse that **I don't want to pay $99 just to code sign**. Because if you're deploying a commercial app, this is not a pain. If you're an independent app developer, you already have a way to work around it, right?

That exchange with Keller trying to run interference for Apple's dark patterns is great.

“You hadn’t exactly gone out of your way to call attention to them had you? I mean like actually telling anybody or anything.”
“But the plans were on display...”
“On display? I eventually had to go down to the cellar to find them.”
“That’s the display department.”
“With a torch.”
“Ah, well the lights had probably gone.”
“So had the stairs.”
“But look, you found the notice didn’t you?”
“Yes,” said Arthur, “yes I did. It was on display in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying Beware of the Leopard.”

Speaking of Leopards, remember when that nondescript grey button (which may or may not do anything) used to be an attention-calling purple?

@DreamPiggy It’s a pain because the notarization infrastructure is sometimes slow or doesn’t work, but, yes, everyone should be doing it. The main issue for users is that some apps haven’t been updated yet or won’t be because they are no longer maintained.

Damiano Galassi

@Michael Tsai that's not how it works. There are two different behaviours:

Unsigned app: right-click -> open will show a button to run the app
Signed app (after the notarization deadline) but not notarized: right-click -> open or normal open will not show the button to run the app.

If the app had been signed before the deadline, it would have worked. It means Microsoft updated Skype recently, and forgot to notarise it.

@Damiano I’m not sure what you are disputing here. I was discussing the alerts that you get when you don’t Control-click. Those don’t have Open buttons. Not sure what’s going on with Skype; it could have been notarized but not stapled and there was an error talking to the server, or some other bug.
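The three states the comments above are distinguishing (unsigned, signed but not notarized, notarized) and the "notarized but not stapled" possibility can be checked from the command line instead of being inferred from the alert. The following shell script is an added example, not code from the post or from any of the commenters: it classifies the report that Apple's spctl assessment tool prints for an app bundle. The sample outputs are constructed, modeled on the source= lines spctl prints under Catalina; treat the exact strings as an assumption to confirm on your own machine before relying on them.

```shell
#!/bin/sh
# Added example: classify an app's Gatekeeper state from the output of
# `spctl --assess`. Not part of the original post or its comments.

# Constructed sample outputs, modeled on what `spctl -a -vv -t execute`
# prints (the exact source= strings are an assumption to verify locally).
SAMPLE_NOTARIZED='/Applications/Example.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Corp (TEAMIDXXXXX)'

SAMPLE_SIGNED_UNNOTARIZED='/Applications/Example.app: rejected
source=Unnotarized Developer ID
origin=Developer ID Application: Example Corp (TEAMIDXXXXX)'

SAMPLE_UNSIGNED='/Applications/Example.app: rejected
source=no usable signature'

# classify_spctl_output: takes the captured spctl text as $1 and prints one
# of: notarized, signed-unnotarized, unsigned, accepted-other,
# rejected-other, unknown. Order matters: the specific source= lines are
# matched before the generic accepted/rejected verdict.
classify_spctl_output() {
    case "$1" in
        *"source=Notarized Developer ID"*)   echo "notarized" ;;
        *"source=Unnotarized Developer ID"*) echo "signed-unnotarized" ;;
        *"source=no usable signature"*)      echo "unsigned" ;;
        *": accepted"*)                      echo "accepted-other" ;;
        *": rejected"*)                      echo "rejected-other" ;;
        *)                                   echo "unknown" ;;
    esac
}

# gatekeeper_status: run the real assessment for the bundle at $1 on a macOS
# host. On a system without spctl it reports that instead of failing.
gatekeeper_status() {
    if ! command -v spctl >/dev/null 2>&1; then
        echo "spctl-unavailable"
        return 0
    fi
    # -a assess, -t execute: the same policy Gatekeeper applies at launch;
    # -vv adds the source=/origin= lines. Capture stderr too, since spctl
    # writes its report there.
    out=$(spctl -a -vv -t execute "$1" 2>&1)
    classify_spctl_output "$out"
}

# Demo over the constructed samples (no spctl needed).
for sample in "$SAMPLE_NOTARIZED" "$SAMPLE_SIGNED_UNNOTARIZED" "$SAMPLE_UNSIGNED"; do
    first_line=$(printf '%s' "$sample" | head -n 1)
    printf '%s -> %s\n' "$first_line" "$(classify_spctl_output "$sample")"
done

# If a bundle path is given on the command line, assess it for real (macOS only).
if [ $# -ge 1 ]; then
    gatekeeper_status "$1"
fi
```

A signed-unnotarized result is the Skype case Damiano describes: Gatekeeper will not offer an Open button for it once the notarization deadline has passed. For the stapling question, `xcrun stapler validate` run on the bundle reports whether a notarization ticket is attached; an app that was notarized but not stapled passes only when the Mac can reach Apple's servers to fetch the ticket, which is consistent with the "error talking to the server" explanation.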

I'm just one guy, but I've been a Mac user since 1991 and I have never noticed that the round question mark is actually a button that will lead to a Help file. Maybe I'm dumb. But if it was a button that said Help next to the OK button, I might be inclined to click it to see if I could find a solution. To me, the current dialog box as-is seems to be more of a "Sorry, nothing can be done. Click OK to confirm you're screwed." alert.

The UX for bypassing security is horribly broken. It started with kernel extensions, and that same UX was put for notarization. It is just utterly user hostile.

I don’t understand why they would design it like this.

I don't envy Apple's position here. They know about the dancing bunnies problem more than anyone except maybe Microsoft, so I understand some of their reluctance against providing too direct a path towards "do it anyway", but given the myriad of scenarios where a Gatekeeper situation may arise, it may not be justified to be so cautious for all of them.

Oh, and years and years of beyond unhelpful "help" buttons have trained users to disregard them entirely. Clicking them is reserved for cases of utter and complete user despair.

Sören Nils Kuklau

The dancing bunnies problem is real, but so is training users to click confirm. So much so that Apple made an app correctly mocking Windows Vista about it.

Leaving aside the big and difficult philosophical questions, there are a lot of little things they could’ve done to make this less painful (and therefore users less likely to annoyedly dismiss dialogs).

Just a few things off the top of my head:

“Accessibility” is, and always has been, mislabeled (all kinds of apps are in there, including Apple’s own Mail and Safari and even Script Editor. The reasons have nothing to do with “accessibility”; it just so happens that the APIs they want to use are also often used for accessibility purposes, but that’s an implementation detail the user shouldn’t need to understand). The same goes for the new “Screen Recording”. Giving the categories misleading names really isn’t helping.
The editing UI is scary and cramped (not to mention buggy). System Services for Location Services are inside System Preferences inside Security & Privacy inside a section inside a sheet underneath a “Details…” button. The items above that item with the Details… button only have room for four in a row. It’s hard to find anything there.
I also question the wisdom, unlike on iOS, to only offer these per category. Part of the scenario is a malevolent app, no? So why isn’t there a “per app” radio button that shows me all permissions an app has? (I’m guessing this will come, as iOS does have it. But it should have happened before they went all-in with Catalina.)
There are presumably technical reasons for this, but the sequential manner in which dialogs appear is not great. It’d be much nicer to have a single centralized dialog on first launch, the way OAuth prompts work. Terminal would like to [ ] Use Developer Tools [ ] Access the [ ] Downloads [ ] Documents [ ] Desktop folders [ ] Access the entire disk [ ] Access Photos [ ] Access Calendars (Why does my Terminal want all that access? Because I made the mistake of hitting tab in my home directory.)

You want to get this compromise as right as possible. Windows Vista didn’t succeed (and Windows 7 corrected much of it, but the PR damage was done), and perhaps neither did macOS Catalina.

@DreamPiggy
People are quick to offer payment of other people's money. If Apple wants people to sign their apps, maybe they should foot the bill instead of requiring $100.
