Unreleased Notes: OS X 10.8

Installation - The Lost Scrolls > Unreleased Notes > OS X 10.8

100 - Gatekeeper

What is Gatekeeper?

Gatekeeper is a new mechanism introduced by Apple with OS X 10.8 to protect against malware.

What you need to know is that Gatekeeper, when it's enabled, will "block" installation packages if they are not signed with a Developer ID certificate.

You can find more information about the goal and protection levels of Gatekeeper on the dedicated safety page for OS X Mountain Lion.

How do I make my installation packages comply with Gatekeeper?

Here is what you have to do to make your installation packages compatible with Gatekeeper:

You have to build flat installation packages or distributions:
Bundle packages or metapackages built with PackageMaker (Mac OS X 10.3/10.4 targets) or Iceberg can not be signed.

To build a flat package or distribution, can use one of the following solutions:
- Packages
- PackageMaker (Mac OS X 10.5 target)
- pkgbuild(1) and/or productbuild(1) command lines tools
You have to get a Developer ID Installer certificate:
You have to be a paying memberMac Developer Program to be able to get a Developer ID Installer certificate (and the required intermediate certificates).
You have to sign your flat packages or distributions with productsign(1):
PackageMaker does not "correctly" sign flat packages and distributions for Gatekeeper. Neither does Packages at the time of this writing.
Signing a flat package or distribution with productsign is easy and can be integrated in an automatic build process:

/usr/bin/productsign --sign "Developer ID Installer: xxxxx" your_unsigned_package_or_distribution.pkg your_newly_signed_package_or_distribution.pkg

To check the signing process was successful:
- You can use the pkgutil(1) tool:
  
  /usr/sbin/pkgutil --check-signature your_signed_package_or_distribution.pkg
- You can check by opening the signed package/distribution on a Mac without the intermediate certificates installed.
Please, remember to:
- Use productsign(1) to sign your installation packages. Do not use codesign(1).
- Use the Developer ID Installer certificate to sign your installation packages. Do not use the Developer ID Application certificate.

Do I need to sign my Installer plugins?

According to the security recommendations from Apple, every single executable is supposed to be signed on Mac OS X. So it would make sense to also sign your Installer plugins, wouldn't it?

DO NOT SIGN Installer plugins included in flat distributions.

When you codesign an Installer plugin, Installer.app will crash when you open the flat distribution.

Does Gatekeeper mean I can not install a non-signed installation packkage/metapackage/distribution anymore on OS X 10.8?

No, you can still install non-signed installation packages, metapackages or distributions:

Gatekeeper only "filters" downloaded items:
- If an item is copied from the local network via AppleShare or is copied from a USB key, it will not be detected by Gatekeeper.
- If you download an item using a solution that does not set the Quarantine flag (for instance curl), it will not be detected by Gatekeeper.
Gatekeeper only detects items when they are opened from the Finder:
- If you open the Installer application (located in /System/Library/CoreServices/) and then select the package through the standard open panel, Gatekeeper will not detect it.
Gatekeeper can be worked around via the Finder contextual menu:
1. Select the item you want to open in the Finder.
2. Control-click (or right-click) it.
3. Choose Open.
4. Click Open.

Last Updated: 2012-08-08