How to Secure Your Mac With OS X Gatekeeper

OS X Mountain Lion was the first version to introduce the Gatekeeper security mechanism. (It was also retrofitted into Lion 10.7.5.) This how-to article, with an FAQ slant, explains how to use it to make your Mac more secure from malware.

______________________

1. What is it? Gatekeeper is a part of OS X that checks an app for the presence of a digital signature, applied by Apple or the developer. A preference can be set such that if the app is not signed by a registered Apple developer or by Apple, the app cannot launch. That could be instrumental in protecting your Mac from an app you downloaded that does malicious things.

2. What is a Digital Signature? A developer of an app for the Mac applies to Apple for a digital certificate derived from a trusted authority. In the certificate is a long string of digits, the developers public key. That certificate is used in the development/provisioning process to "code sign," that is encrypt a mathematical representation of the code, called a hash, and embed it in the app.

When the app is launched, OS X mathematically decrypts the hash of the app and compares it to its own hash of the app. If they match, OS X authenticates that the code has not been altered since the developer signed, and it and knows that the certificate is from a registered Apple developer.

3. Where is Gatekeeper? The management of Gatekeeper is found in OS X System Preferences > Security & Privacy > General. Unfortunately, Apple doesn't label the bottom of that window as I did in red.

4. What do those options Mean? From Apple's Knowledge Base # HT5290, selecting one the options means:

  1. Mac App Store – Only apps that came from the Mac App Store can open.
  2. Mac App Store and identified developers (default in OS X Mountain Lion) – Only allow apps that came from the Mac App Store and developers using Gatekeeper can open.
  3. Anywhere – Allow applications to run regardless of their source on the Internet (default in OS X Lion v10.7.5); Gatekeeper is effectively turned off. Note: Developer ID-signed apps that have been inappropriately altered will not open, even with this option selected.

5. What is a good setting? The middle option, #2, is the default and is the best choice for most users.

6. How can I bypass Gatekeeper? First, you could select option #3 "Anywhere," but that's a bad idea. You might forget reset it to a stronger option. Better is to right-click the app, if it's not signed, but you still trust it. Our Melissa Holt described how to do that in 2012: "Mountain Lion: Temporarily Override Gatekeeper" Nothing has changed in OS X Mavericks or Yosemite, so that article still applies.

This override process was also discussed in the article on the Python 3 installer — which isn't code signed. "How to Upgrade Your Mac to Python 3."

7. What if a developer distributes an app that turns out to be malicious? If Apple discovers that a malicious app has been distributed, it can revoke the developer's certificate. When OS X checks the digitally signed app, it will discover that the certificate has become invalid, and the app will no longer launch. That's a good reason to have your Mac connected to the Internet if you're suspicious of an app's behavior.

8. What if Apple changes the way apps are signed? Apple appears to be doing exactly that. See, for example, "OS X Gatekeeper Update Holds Headaches for Developers, Users." Apple has updated its code signing method from method v1 to a better method, v2.

  • Apps signed by v2 will launch on older versions of OS X.
  • Apps signed by v1 won't launch in OS X starting with 10.9.5 Mavericks.

If a developer is not able to update (resign) their app by the time you upgrade to Mavericks 10.9.5, and you trust the app, you can use the method in item #6 above to open it. Then check to see when the developer has an updated version.

Gatekeeper is a powerful tool to make sure that your apps are both unaltered and built by Apple or legitimate developers. You should double-check your OS X preference to be sure it's what you want. Of course, this security measure doesn't guarantee that the app will be bug free or always operate as intended.