|Initial release||July 25, 2012|
||It has been suggested that File Quarantine be merged into this article. (Discuss) Proposed since September 2016.|
Gatekeeper is a security feature of the macOS operating system by Apple. It enforces code signing to prevent downloaded applications from running, thereby reducing the likelihood of inadvertently executing malware. Gatekeeper builds upon File Quarantine, which was introduced in Mac OS X Leopard. The feature originated in version 10.7.3 of Mac OS X Lion as the command-line utility spctl. A graphical user interface was added in OS X Mountain Lion and later also in version 10.7.5 of Lion.
In the security & privacy panel of System Preferences, the user has three options:
- Mac App Store
- Allows only applications downloaded from the Mac App Store to be launched.
- Mac App Store and identified developers
- Allows applications downloaded from the Mac App Store and applications signed by certified Apple developers to be launched. This is the default setting since Mountain Lion.
- Allows all applications to be launched. This effectively turns Gatekeeper off. This is the default setting in Lion. In macOS Sierra, this option is hidden by default.
The command-line utility spctl provides granular controls, such as custom rules and individual or blanket permissions, as well as an option to turn Gatekeeper off.
Upon download of an application, a particular extended file attribute ("quarantine flag") can be added to the downloaded file. This attribute is added by the application that downloads the file, such as a web browser or email client. This behavior is disabled by default for third-party applications and developers need to opt into it. The system can also force this behavior upon individual applications.
When the user attempts to open an application with such an attribute, the system will delay the execution and verify whether it is:
- code-signed by Apple or a certified developer,
- code-signed and the code-signed contents still match the signature.
Since Mac OS X Snow Leopard, the system keeps two blacklists to identify known malware or insecure software, as part of File Quarantine. The blacklists are updated periodically. If the application is blacklisted, then File Quarantine will refuse to open it and recommend to the user to move it to trash.
Gatekeeper will refuse to open the application if the code-signing requirements are not met. Apple can revoke the developer's certificate with which the application was signed and prevent further distribution.
To override Gatekeeper, the user (acting as an administrator) either has to switch to a more lenient policy or authorize a manual override, either by opening the application from the context menu, from the security & privacy panel of System Preferences, or by adding it with spctl.
Developers can sign disk images that can be verified as a unit by the system. In macOS Sierra, this allows developers to guarantee the integrity of all bundled files and prevent attackers from infecting and subsequently redistributing them. In addition, "path randomization" executes application bundles from a random, hidden path and prevents them from accessing external files relative to their location. This feature is turned off if the application bundle originated from a signed installer package or disk image or if the user manually moved the application without any other files to another directory.
The effectiveness and rationale of Gatekeeper in combating malware have been acknowledged, but been met with reservations. Security researcher Chris Miller noted that Gatekeeper will verify the developer certificate and consult the known-malware list only when the application is first opened. Malware that already passed Gatekeeper will not be stopped. In addition, Gatekeeper will only verify applications that have the quarantine flag. As this flag is added by other applications and not by the system, any neglect or failure to do so does not trigger Gatekeeper. According to security blogger Thomas Reed, BitTorrent clients are frequent offenders of this. The flag is also not added if the application came from a different source, like network shares and USB flash drives. Questions have also been raised about the registration process to acquire a developer certificate and the prospect of certificate theft.
- "OS X: About Gatekeeper". Apple. February 13, 2015. Retrieved June 18, 2015.
- Siegler, MG (February 16, 2012). "Surprise! OS X Mountain Lion Roars Into Existence (For Developers Today, Everyone This Summer)". TechCrunch. AOL Inc. Retrieved March 3, 2012.
- Siracusa, John (July 25, 2012). "OS X 10.8 Mountain Lion: the Ars Technica review". Ars Technica. pp. 14–15. Archived from the original on March 14, 2016. Retrieved June 17, 2016.
- Ullrich, Johannes (February 22, 2012). "How to test OS X Mountain Lion's Gatekeeper in Lion". Internet Storm Center. Retrieved July 27, 2012.
- "spctl(8)". Mac Developer Library. Apple. Retrieved July 27, 2012.
- "About the OS X Lion v10.7.5 Update". Apple. February 13, 2015. Retrieved June 18, 2015.
- "What's New in Security". Apple Developer (Video). June 15, 2016. At 21:45. Retrieved June 17, 2016.
- Cunningham, Andrew (June 15, 2016). "Some nerdy changes in macOS and iOS 10: RAW shooting, a harsher Gatekeeper, more". Ars Technica UK. Archived from the original on June 16, 2016. Retrieved June 17, 2016.
- Reed, Thomas (October 6, 2015). "Bypassing Apple's Gatekeeper". Malwarebytes Labs. Retrieved June 17, 2016.
- Moren, Dan (August 26, 2009). "Inside Snow Leopard's hidden malware protection". Macworld. Retrieved September 30, 2016.
- "About the 'Are you sure you want to open it?' alert (File Quarantine / Known Malware Detection) in OS X". Apple Support. March 22, 2016. Archived from the original on June 17, 2016. Retrieved September 30, 2016.
- Foresman, Chris (February 17, 2012). "Mac developers: Gatekeeper is a concern, but still gives power users control". Ars Technica. Retrieved June 18, 2015.
- Chatterjee, Surojit (February 21, 2012). "OS X Mountain Lion Gatekeeper: Can it Really Keep Malware Out?". International Business Times. Retrieved March 3, 2012.
- Goodin, Dan. "Drop-dead simple exploit completely bypasses Mac's malware Gatekeeper". Ars Technica. Archived from the original on March 20, 2016. Retrieved June 17, 2016.