Distributing Mac software is increasing my cortisol levels(blog.kronis.dev)

140 pointsby LorenDB8 hours ago25 comments

Wowfunhappy4 hours ago
Any user who does not like Gatekeeper can turn it off on their machine in ten seconds by running this in a Terminal:
```
    sudo spctl —-master-disable
```
People will say, no, that’s too big a hammer, it’s not safe… but then, like, what do you actually want? Either you keep Gatekeeper because you like the friction it introduces, or you don’t like that friction and you should go turn it off. Pick one, you obviously can’t have both!
Of course, you as the developer can’t make this choice for your users… but isn’t that as it should be? The user decides what code is allowed to run on their machines. And the default setting is restrictive because anyone who knows what they’re doing can easily change it.
P.S. Meanwhile, on iOS there’s no way to install unsigned software at all, and on Android (starting soon) the process takes 24 hours instead of ten seconds. That is actually ridiculous because it’s taking away user choice.
P.P.S. To be clear, modern macOS has plenty of other restrictions which can’t really be turned off and which I find super annoying. Gatekeeper just isn’t one of them.
Edit: I’ve just learned that as of Sequoia, you have to also tick a box in Settings after running the Terminal command. So maybe it takes 30 seconds instead of ten seconds. That’s mildly more annoying, but still doesn’t really seem like a big deal to me.
- kqp2 minutes ago
  > what do you actually want?
  Give me the ability to choose what I trust. “You can either trust Apple and nobody else, even yourself, or you can trust literally everybody” is obviously not a good faith implementation of this. Apple excels at steering the narrative with false conflation and false dichotomy, I’d also remind you of the came-and-went secure boot debate, which Apple successfully steered into Apple owns the encryption keys vs no encryption, and people just kind of forgot to ask, wait, why can’t I have the keys to my device?
- novafunc3 hours ago
  Rather than just having the options "Done" and "Move to Bin", give me an option to actually run it without having to manually go into System Settings each and every time without disabling security features?
  The added friction feels more like a way to force developers to pay Apple an annual fee for distributing rather than for my safety. Not saying it doesn't help with safety, just that it's more weighed to the former.
  - plufz3 hours ago
    I also have things I want to change in gatekeeper, but that feature is not one of them. Just gut feeling but I would say 110% of all users, would just click ”start” on every unsigned app if it was that easy.
    weaksauce6 minutes ago
    they could do it like they do it for accessibility settings. you have to opt in for an app and you need to know damn well if it is a reputable app before giving those controls over. there's enough friction in that that it is not done by many apps but not hard enough that it's a huge ask to whitelist the app.
    Affric17 minutes ago
    Bingo. I know I would.
    I am the king of knowing immediately when I have fucked up.
    “Undo” has made us far too comfortable with mistakes.
  - ProllyInfamous2 hours ago
    >give me an option to actually run it without having to manually go into System Settings
    I've run several PiHoles for several years, primarily on latest versions (up to v5; current is v6.4.x) – recently updating to v6 has been extremely frustrating [0], e.g: realizing that even when you tell the pi's/en0 ("internet") interface to use a specific DNS server (in GUI/network settings), it still uses the DNS-server recommended by your local DHCP server [1].
    [0] I am aware that this is a joint-issue between RaspbianOS and Pi-Hole teams
    [1] which requires TWO sudo nmcli which newbs have no business configuring – what happened to -simple- ?
    ----
    If you ever want to consider how crazy DNS-capture is getting, realize that Firefox/&c are all dark-patterning the abilities to turn off "secure"-DNS. The latest Raspian/Pi-Hole defaults are terrifying... [2]
    [2] another example: why doesn't v6 enable HTTPS localhost web-access, by default (like all previous versions?!)? Do the developers really expect us commoners to know how to generate localhost certificates – this is obviously behavior due to how the pihole useraccount behaves differently then the previously-root-blessed v5-behavior
    ----
    Thankfully, I've kept a local copy of my favorite distro of Pihole v5, and it is readily-cloneable.
    When I attempted to pass a --version tag during a freshinstall (requesting v5 from remote installer), it went ahead and installed latest v6 (so why even.?!).
  - ceejayoz3 hours ago
    > give me an option to actually run it without having to manually go into System Settings each and every time without disabling security features?
    People reflexively hit yes to these things.
    mrbombastic31 minutes ago
    Just make it a semi-hidden multistep option like browsers when you visit a site with a bad cert, just annoying to leave what you are doing go to system settings and fiddle.
  - Wowfunhappy3 hours ago
    > without disabling security features?
    With Gatekeeper turned off, you’ll still get a warning on first launch which you can easily click through. (Unless Apple changed something in the last few versions—let me know if that’s the case—but it would be out of character for them to remove a warning...)
    The “security feature” you don’t want to disable is precisely the thing you are complaining about, so I don’t understand why you’d keep it around.
    > The added friction feels more like a way to force developers to pay Apple an annual fee for distributing rather than for my safety.
    I don’t imagine Apple makes a substantial amount of money from $99/year developer subscriptions. The App Store is another story of course.
  - Barbing2 hours ago
    Posit it saves a decent number of folks who are unable to follow the scammer’s necessary instructions:
    “Press command space, no no hold down the command key - gosh it’s in the bottom left - okay, now type “privacy”, now scroll, no you scrolled too far …”
- ryandrake3 hours ago
  10 seconds or 30 seconds, it's just too much friction to ask end users to do. I actually develop on a Mac, but I've written off Apple as a target system for hobby/open source projects. Between quarantine, code signing, and notarizing (which requires $99 a year), it's just not worth it. Good for Apple users if they like this shit--I'm just not going to bother with distributing to the platform anymore.
  macOS is slowly getting like Windows, where, on a fresh install you have to go through and turn off all sorts of unwanted software just to have a sane environment where you, the user, are actually controlling your computer.
  - seam_carver2 hours ago
    Isn't code signing even harder/more expensive on Windows?
    GeekyBearan hour ago
    The extended validation code signing certificate you need to avoid having your installer blocked by Windows SmartScreen is quite a bit more expensive.
    https://stackoverflow.com/questions/48946680/how-to-avoid-th...
    hermitcrab41 minutes ago
    IIRC it also doesn't stop the Smartscreen warning appearing.
    hermitcrab41 minutes ago
    Signing on Windows is a pain in the arse and gets more expensive every year. I dread having to renew my certificate. Also they keep reducing the maximum certificate length, so you can't just do it once every 5 years, like you used to be able to.
    I can't remember how difficult it was to set up my initial Apple developer account (trauma related memory loss, perhaps) but it is dead simple to renew. Just pay the $99. I did it yesterday. Took about a minute.
    kivle2 hours ago
    Well, you can still run unsigned software (by clicking through to a bit of a hidden option in the popup dialog), and they also even remove that through "reputation" if enough people approve said binary (exact bitwise binary, so every new version released will go through the same issue).
    ryandrakean hour ago
    Yes, Windows is terrible, too. The entire desktop software world has lost its collective mind and the platforms are turning themselves into locked down game consoles just so that grandma doesn't accidentally install malware.
    snackbroken34 minutes ago
    > just so that grandma doesn't accidentally install malware
    That's the stated reason. The actual reason is that they are salivating at the sight of how much money the app store and play store are making. They just don't want to move too quickly for fear of customers revolting.
- wetpaws4 hours ago
  [dead]
- user39393822 hours ago
  > The user decides what code is allowed to run on their machines.
  Apparently Apple disagrees, Apple decides. Typical users aren’t going to find their hidden 5 step process to enable non-blessed apps and obviously they know that. Gatekeeper is an appropriate name considering the user themselves are on the outside of the gate. It’s the culimination of everything Stallman and the FSF warned everyone about for decades. By its logic we should install police officers in our living rooms for safety.
- Zetaphoran hour ago
  This is not the developer choosing what software can run on their computer, this is Apple choosing for you and then you having to go disable protections (with what implications?) to then be able to choose what software you run.
  This has more to do with putting up a scary dialog for normies than it does protecting anyone. A non-technical user isn't going to go bypass this in the terminal, they're going to run back to the App Store where Apple can collect that sweet 30% and analytics.
hermitcrab3 hours ago
I have been developing software for Macs and PCs as an Indie for 20 years now. I sympathize with the author of the post. You get the feeling that Apple thinks you should be grateful that they allow you to develop apps for their platform.
The author didn't mention Apple's contempt for backward compatibility. Apple like to regularly nuke their entire developer system from orbit. Try running an app developed 10 years ago on the latest version of macOS. It probably won't run.
Microsoft are much better at backward compatibility and they don't force you to join a developer program. But you get totally reamed every time you have to update your authenticode digital certificate for Windows. Just the digital certificate will cost you more than $99 per year. It is a total racket.
ofek2 hours ago
I shared the author's frustration when figuring out how to ship such binaries to end users so I wrote a guide [0] detailing exactly how to do it. Apple's documentation is surprisingly poor and I couldn't find any blog posts so I ended up reverse engineering what works via trial and error as well as popular OSS projects on GitHub.
[0]: https://ofek.dev/words/guides/2025-05-13-distributing-comman...
- hermitcrab37 minutes ago
  I have also written some notes. They are a bit out of date, but might still be useful:
  https://successfulsoftware.net/2018/11/16/how-to-notarize-yo...
  https://successfulsoftware.net/2023/04/28/moving-from-altool...
Zetaphor2 hours ago
How does anyone who cares about open source or even development more generally see this and go "Yeah that's the OS I want to use"?
I genuinely don't understand why so many developers are willing to compromise so much for a thin laptop.
- 1over13712 minutes ago
  It's not the thinness, it's the amazing battery life.
KronisLV2 hours ago
Author here, just pushed a quick update to the article.
To be fair, compared to the prices of Certum and other providers if you ever want to sign something for Windows, perhaps Apple isn't uniquely overpriced (they all seem to be that way): https://www.certum.eu/en/code-signing-certificates/
Looking more into the Windows side of things, I also found Azure Artifact Signing which is supposedly affordable at 8.54 EUR per month, but unfortunately they don't actually support individual users in the EU (only in US & Canada, meanwhile EU only gets support for organizations). I'd probably have to set up a SIA (equivalent of Ltd.) here first - it was in the plans for later, but this is a bit of a roadblock for using Azure too: https://azure.microsoft.com/en-us/products/artifact-signing
My tone might have been frustrated, but I will absolutely say that the code signing industry needs to have a Let's Encrypt moment of some description - at least commoditize it like Azure Artifact Signing was trying to do, but also for individual developers, across all platforms! Sadly, that doesn't seem to be possible when the platforms are intentionally walled gardens. I don't hate the idea of code signing, though - if done right, it's a good idea, same as TLS for (many) websites.
- GeekyBear44 minutes ago
  To avoid having your application blocked by Windows SmartScreen, you need to pay extra for an extended validation code signing certificate. A normal code signing certificate is not sufficient.
  Here's an eight year old Stack Overflow discussion of the issue:
  > A guaranteed way to immediately and permanently get rid of the Microsoft SmartScreen warnings is to buy an "Extended Validation" (EV) code signing certificate from one of the Microsoft-approved certificate authorities (CA's), and to sign your app with that EV certificate.
  Such an EV certificate will typically cost you somewhere between 300 and 700 USD per year (you better compare prices), and will only be issued to registered businesses. If you're a single developer, you must be a sole proprietor and have an active business license.
  https://stackoverflow.com/questions/48946680/how-to-avoid-th...
  - hermitcrab21 minutes ago
    I have an OV cert for Windows, which is expensive enough. I just make sure to do a snapshot release using the new certificate to existing customers (through my newsletter and forum) a while before using it for new customers. That way there is time for the scary warnings to go away before any new customers see them.
    Digital certificates providers are basically checking your id (mostly automted) and multiplying 2 prime numbers together. Then charging you several hundred dollars. A 1 year Sectigo certificate EV with USB key is $431.99. Nice work if you can get it.
    I wrote this back in 2008:
    https://successfulsoftware.net/2008/02/27/the-great-digital-...
    But it has got much worse since then.
- tclancyan hour ago
  Don't be fair. I finally signed up for an Apple Developer Account and it took weeks and I think it took weeks because I finally decided the system wasn't accepting my Driver's License uploads on my (Apple) phone because the camera's light was hitting the hologram which was reflecting back so I moved my application process to my (Apple) laptop and tried there and that's where I fell into a gully, as best I can tell: I somehow, in spite of using the same document throughout with my literal government-supplied ID on it that doesn't change, wound up in two competing applications. One of them seemed to succeed, the other one seemed to fail. On the plus side, they took my cash. On the downside, they did not give me what I bought and it took a couple weeks of re-uploading my PII, which in no way will ever bite me in the ass, to sort it out. All so I could get some vibe-coded slop I created onto my phone.
codedokode2 hours ago
It's interesting that sanctioned Russian banks still find the ways to push their apps into Apple repository by disguising them as a different app. They get removed several months later, but I assume it is done only because someone complains.
TrajansRow3 hours ago
So, Linux gets a free pass for requiring chmod +x to run his tool, but needing to run xattr on MacOS is somehow worthy of an entire blog post to complain about it?
Serious question - Is it really true that Windows 11 will run an untrusted .exe without a warning?
- kingforaday3 hours ago
  By default Windows 11 will not run an untrusted .exe/PE file - it's governed by Microsoft Defender SmartScreen that will present a pop-up scaring people away and it actually isn't intuitive to click-through to run the program unless you've done it before.
  - pie_flavor2 hours ago
    But after enough people run it, that disappears. They implement crowdsourced trust, because it isn't a rent extraction exercise but actual concern about malware.
    ronsoran hour ago
    True.
    But also most malware delivery now doesn't trigger it because malware developers have gotten craftier. If you're unscrupulous, it's not a concern.
- MrGilbert3 hours ago
  You can configure it in a way that it won't allow you to run it at all, but out of the box, you will receive a message which forces you through three clicks. Enough to scare off people with no deep knowledge.
  And yes, you can turn all of that off.
  - TrajansRow3 hours ago
    Why isn't the author getting that warning then? Is it because he's only testing the tool on the same machine that it was built on?
    pjmlp2 hours ago
    Yes, downloaded files have a specific attribute, and unless you explicitly unblock the file, it will give a warning.
- 2 hours ago
  undefined
hmokiguess3 hours ago
Tangential but this made me appreciate how Gatekeeper is perhaps a notorious example of a great naming choice for a piece of software.
JanisErdmanis2 hours ago
Sometimes I wonder why we don't just treat an installation script like curl https://alx.sh | sh as a universal option for distributing applications. The provenance is there via the HTTPS certificate, and if you're already about to trust an application that can compromise your system, why not trust the installation script as well?
- layer82 hours ago
  The most important argument is phishing. People aren’t good at recognizing when a web site is legitimate. One reason that app certification is a shitshow is that recognizing bad players while minimizing false negatives and false positives is a difficult problem. Domain names fundamentally don’t solve that problem.
  - realusername2 hours ago
    > Domain names fundamentally don’t solve that problem.
    App certification doesn't solve that problem either.
- pjmlp2 hours ago
  Because even with HTTPS that script might not do what you expect and then is too late, xz style attack.
jedberg2 hours ago
As a user I actually like Gatekeeper. 95% of the time it's not a problem. the other 5% of the time I have to click a button in my settings to allow unsigned code. But at least it gives me pause to think about the source and if I really trust it (which is mostly offloaded to Apple the other 95% of the time).
Free business idea: get an Apple developer account and then agree to sign code for other people in exchange for a small piece of their income. I'm surprised that doesn't exist yet (or does it?).
- Zetaphoran hour ago
  If that isn't already a violation of the developer account ToS, it would be in short order. The dialog is about keeping normal non-technical users (Apple's primary market) from straying away from the App Store where they can collect 30% and analytics. They're not protecting you, they're herding you.
arusahni4 hours ago
My favorite is when someone discovers they haven't yet granted Zoom screensharing permission, and that they need to exit the call to re-launch the application with the permission granted.
petra3033 hours ago
> I can use SmartID to verify my ID (and age) in about 20 seconds when buying an energy drink at the local grocery store
Where do you have to show ID for that??
- Aozora74 minutes ago
  Author is from Latvia (and so am I). You do actually get carded for energy drinks if you look under 30.
  However, more relevant to the post, is that when you're ordering groceries online, you need to verify your age at checkout if you're buying stuff like alcohol (or energy drinks). It's trivial, and for a lot of people it uses the same authentication service that they already use to access their bank.
- joenot4433 hours ago
  I was also taken aback by this, but apparently it's a real trend.
  https://en.wikipedia.org/wiki/Age_restrictions_on_energy_dri...
- neoeno3 hours ago
  Under 16s can’t buy energy drinks in the UK
  Edit: currently a voluntary but widespread scheme by retailers, proposed to be law. TIL
  - novok29 minutes ago
    can they also not buy tea, coffee or coca cola then? oh no, they might drink the caffeination amount of... 2 cans of pepsi!
- walthamstow3 hours ago
  Only if you look 12
- puppycodes3 hours ago
  another feature of UK dystopia
  - 2 hours ago
    undefined
  - plufz3 hours ago
    You and I have very different ideas of dystopia.
kwhat4an hour ago
It has been like this forever and periodically someone complains, but then they just go out and buy another mac and keep producing software for macOS. If you want this to change, stop providing financial support.
a2tech4 hours ago
Try to open the file, say ok to the ‘can’t check for malware’ prompt, go to settings, security, approve running the software.
Annoying, but if you’re delivering your app to semi-technical users, not really a problem.
- bloppe4 hours ago
  It's only a problem if you want people to use your software
  - 0123456789ABCDE4 hours ago
    it's really cool when i can fall a sleep in peace knowing this keeps my folks from getting rooted
    bigyabai3 hours ago
    Gatekeeper doesn't fully prevent you from downloading malware. It just replaces one attack vector with another: https://blog.lastpass.com/posts/warning-fraudulent-app-imper...
- tom_2 hours ago
  There's some official documentation for this process: https://support.apple.com/en-gb/guide/mac-help/mh40616/mac (and this works ok for terminal stuff too! Though it looks like the process will always fail to run the very first time, meaning you can't obviously pre-approve its first launch)
bloppe3 hours ago
I don't get the part about Homebrew. If you're using Homebrew, it doesn't make a ton of sense to use Itch.io. Just use Homebrew. Seems like a more appropriate place to distribute a dev tool anyway. You could set up a patreon and print a link to it when appropriate. That's basically what Vim does.
I agree that Apple is dumb of course.
- thayne2 hours ago
  They want to have a way for users to pay them. Itch.io has that, homebrew doesn't.
  - jameshart2 hours ago
    Okay, but then the argument that Apple is charging them to certify their software and that is excluding hobbyists falls away doesn’t it? Now you’re not a hobbyist.
    thaynean hour ago
    1. Having a way for some users to show their appreciation by paying you a few bucks doesn't make it not a hobby
    2. The expected income is way less than the developer fee, much less the expensive hardware required.
    jameshartan hour ago
    Publishing a tip jar link is going to be possible no matter how you distribute. The desire to use itch is about wanting to sell.
- novok26 minutes ago
  homebrew voluntarily applies the quarantine flag on casks (ex: apps) so you still need to pay the apple dev tax to distribute your mini app that way, itch.io does not so you don't get the lying scarewall
avhception4 hours ago
> I'm sure that other countries also have plenty of similar services for ID and age verification
laughs in Bundesdruckerei
a_t482 hours ago
Maybe I'm too dumb, but I haven't figured out a good way to sign just a binary (or a tar/zip containing a few binaries). I zipped up the binaries, sent them off to Apple, Apple comes back and says "yup, notarized!", and they still trigger the popup. I'm probably missing a step. I guess I'm not currently stapling the ticket to the binary, but supposedly you don't have to if you are running with a network connection.
- novok28 minutes ago
  you need to pay the tax, they are doing the 'pay money to reduce spam' solution
  - a_t4825 minutes ago
    This was with payment to Apple
- pjc502 hours ago
  You have to distribute a "bundle" in a particular directory layout.
stephc_int133 hours ago
I am not entirely against the whole notarization thing.
If it is good for the end-user, it is usually also good for the ecosystem a a whole, trust is valuable.
But ffs, they are rich enough to make this a lot less painful and hostile for developers.
And this is not a new thing, I used to develop games for iOS, from the very beginning, and while the process somewhat simplified over time, it was a huge cortisol inducing process, not to mention the regular forced OS+SDK updates where the procedures changes almost every time and could fail in not-so-evident ways.
- jameshart2 hours ago
  Making it take some pain for developers is precisely what makes it valuable. If you could automate signing up for a developer account and didn’t have to put up some cash it would lose all value as a trust signal.
  - stephc_int13an hour ago
    The cash part is not even the worst, even if this is obviously ridiculous for free/open source projects.
    The bad UX is really what irks me. Enough that I may entirely opt-out of the Apple ecosystem forever, and I don't think I am the only one feeling that way.
erelong3 hours ago
It's a backwards walled garden which I mostly avoid to avoid problems like this
Rendello2 hours ago
I love when my Mac declares random PDFs malware and deletes them when I try to open them.
On two occasions I've been completely dumbstruck when the software I was using was deleted out from under me. I'm not a fan of the overuse of "gaslight", but it sure felt like that when I had to restart Docker and the OS was like "what do you mean, Docker? You've never had Docker installed! What are you talking about? Are you feeling ok?"
https://news.ycombinator.com/item?id=42649790
- AnonymousPlanet2 hours ago
  In ten years of using Macs, I have never encountered this behaviour. I've never heard this from anyone else either. Is this new in Tahoe? I haven't upgraded yet, but your link seems to be from before Tahoe was released.
- jameshart2 hours ago
  Maybe the PDFs were malware?
- m-s-y44 minutes ago
  Sorry to say but your PDFs were malware. In 20+ years I’ve never seen this on my Macs nor the literal thousands I’ve managed with various MDMs.
syassami4 hours ago
Siri has the same effect.
LoganDark3 hours ago
Apple's ID verification failed for me and I am now banned for life. There is no opportunity to appeal this or to ever participate in the Developer Program for me. Which sucks because I am now permanently locked out of developing seriously for any of the Apple ecosystem, ever.
drcongo3 hours ago
I went through this recently. Got as far as verifying my identity, which Apple happily accepted as verified from my UK driving license. Unfortunately, they then automatically set my first and last name from that identity verification step, and some how managed to use a section of my driving license number as my surname - a string of random uppercase letters and numbers - and it's impossible to edit it. So fuck them, that's $99 they've lost.
iluvcommunism39 minutes ago
[dead]
dcrazy4 hours ago
Notarize the application and staple the receipt to your app bundle. It won’t trigger the Gatekeeper warning.
- gumby2714 hours ago
  Doesn't that still require going though all the hoops that they were struggling with, or is this a different verification flow with Apple?
- fg1373 hours ago
  You talk as if the author doesn't know that.
- phoyd4 hours ago
  That's literally what this post is about.
  - dcrazy3 hours ago
    Sorry, it was meant to be a reply to a comment.