Lack of Communication

September 23, 2014

As I noted in a previous article, Mac OS X 10.9.5 included the biggest change to Gatekeeper since the introduction of Gatekeeper. This was documented, for developers, in a technical note. Unfortunately, it doesn't appear to be documented at all for users. There's nothing mentioned about Gatekeeper on the download page, or the details page, or even on the security content page. But at least we developers knew it was coming. And to some extent, the Mac media helped to publicize it to users in a way that Apple did not.

We also knew, via the technical note, that the Gatekeeper change was included with the Mac OS X 10.10 Developer Preview. What nobody was expecting, and as far as I can tell, what nobody but me has noticed yet, is that the Gatekeeper change, or a significant subset thereof, was included with the 2014-004 Security Update for Mac OS X 10.8.5. There is no mention of this at all by Apple, anywhere, certainly not in the release notes.

I discovered this hidden fact by complete accident. Until a few days ago, I had somehow managed to avoid installing Adobe Flash Player on my Mac running OS X 10.8. Probably because I use Google Chrome as my default web browser, which embeds its own special version of Flash Player, unlike Safari, which uses the system-wide version of Flash Player if installed. For work purposes, I needed to test Safari running Flash Player, so I was forced to install it soon after installing the 2014-004 security update. Needless to say, if you're familiar with it, the Flash Player installer is one of the work pieces of junk ever written. Not surprisingly, Adobe had failed to update the code signature on the Flash Player installer for the new 10.9.5 Gatekeeper requirements. To my great surprise, though, Gatekeeper rejected the Flash Player installer … on OS X 10.8.5!

In order to confirm the behavior, I tested with other apps. For example, I tried older, archived versions of my company's apps that used custom resource rules. Again, rejected by Gatekeeper on 10.8.5, just like on 10.9.5. I know that this was not the case prior to Security Update 2014-004, because when we were modifying our apps to remove custom resource rules and meet Apple's new requirements, I had specifically tested everything on 10.8, 10.9, and 10.10. It's also quite clear looking inside the security update installer package (pkgutil --expand is your friend) that both Gatekeeper and codesign have been modified. (I should note that Security Update 2014-004 for 10.7.5 did not include the new Gatekeeper changes.)

It's shameful that Apple failed to inform anyone, either developers or users, either before or after the fact, that this significant overhaul of Gatekeeper shipped in the security update to 10.8.5. And since it was a security update, we have to wonder, what was the security vulnerability? Why wasn't it listed in the security content for 10.8.5 or 10.9.5? According to the hype, Apple is supposedly entering into a new era of openness. According to the reality, however, I see the same old lack of communication.