macOS Sierra will break many installers and updaters

macOS 10.12 Sierra, due to ship this autumn/fall, brings several security enhancements. Among them are some changes to the way that Gatekeeper works which affect many existing installers and updaters. This is likely to make it much more difficult to use many installers and updaters unless they have been built to work with Sierra.

In El Capitan and earlier, we have enjoyed a lot of flexibility with Gatekeeper. So long as your security settings allowed, you could override Gatekeeper, run unsigned apps, and use almost any old installer or updater. The snag is that if we can override Gatekeeper, so can malware, exploiting those overrides and other loopholes to get onto our Macs. A whole new class of attack, called dylib hijacking, has emerged as a result.

Apple’s preferred solution is, of course, the App Store, and none of the changes in security in Sierra should affect App Store apps. All other apps, according to the recently-released What’s New in OS X 10.12 (which should have read macOS 10.12, of course!), will be run differently on the first occasion: this is known as App Translocation.

The reason for this is an exploit involving a downloaded disk image, Zip archive, or even an optical disk image (ISO, CD/DVD). Currently, an app launched from any of those can sneak code past Gatekeeper by loading malicious code or content from elsewhere in the same image or archive.

To prevent that, if you try to run an app directly from an image or archive, Gatekeeper first moves that app to a randomised location in a hidden folder on your startup volume. This in turn stops the app from accessing code or content in the image or archive it came from.

When using Sierra, you therefore have to drag the app from a disk image to a location such as /Applications before trying to run it. The same applies to Zip and other archives, or apps downloaded to your Downloads folder. Once you have moved the app in the Finder, it will not be translocated by Gatekeeper.

Apple recommends that developers who still don’t wish to distribute via the App Store should supply apps in signed disk images, or signed installer packages. Gatekeeper can then check the signature when opening them, to verify that they are OK. As there is no way of signing a Zip (or other) archive, or an ISO CD/DVD image, Apple is advising developers not to use these for distributing software. The signing of disk images is only very recent, being introduced in macOS 10.11.5, so when Sierra ships the great majority of installers and other distribution packages will not comply with Apple’s new rules.

There is another problem which could trip up many existing products: as of Sierra, traditional bundle-style installer packages are unlikely to get through Gatekeeper’s checking. Instead, developers have to use their tools to create new flat-file packages. That could cause a lot of problems with older distributions, updates, and more.

It looks as if there will be workarounds for some of the problems caused by old installers, but for the moment at least they require using the spctl command in Terminal, which is not going to be simple.
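As an added example (not from the original post, nor from Apple), here is a small shell pre-flight check for the three points above: whether a .pkg is flat or old bundle-style, whether a path is inside the translocation folder, and, on a Mac, what spctl and codesign say about an item. It assumes the hidden folder is named AppTranslocation and relies on flat packages being xar archives (magic bytes "xar!"); neither fact is stated on the page.

```shell
#!/bin/sh
# Added example: pre-flight checks for Sierra's Gatekeeper rules.
# pkg_kind and is_translocated need no macOS tools; the last two
# functions call codesign and spctl and must be run on a Mac.

# Classify a .pkg: "flat" (a single xar archive, what Sierra expects),
# "bundle" (old directory-style package), or "unknown".
pkg_kind() {
    if [ -d "$1" ]; then
        echo bundle
    elif [ -f "$1" ] && [ "$(head -c 4 "$1" 2>/dev/null)" = "xar!" ]; then
        echo flat      # xar archives begin with the magic bytes "xar!"
    else
        echo unknown
    fi
}

# Return 0 if a path lies inside Gatekeeper's App Translocation area.
# Assumption (not on the page): the hidden folder is named AppTranslocation.
is_translocated() {
    case "$1" in
        */AppTranslocation/*) return 0 ;;
        *) return 1 ;;
    esac
}

# macOS only: ask Gatekeeper whether it accepts the item. Apps are
# assessed with type execute, installer packages with type install.
gatekeeper_assess() {
    kind=$1; item=$2
    spctl --assess --verbose=4 --type "$kind" "$item"
}

# macOS only: is a disk image, app or package code-signed?
# codesign exits non-zero for unsigned items, so the status is the answer.
is_signed() {
    codesign --display --verbose=4 "$1" 2>/dev/null
}

# macOS only: report on one installer package.
check_pkg() {
    printf '%s: %s package\n' "$1" "$(pkg_kind "$1")"
    gatekeeper_assess install "$1" || echo "Gatekeeper would reject $1"
}
```

Run `check_pkg /path/to/Installer.pkg` on a Mac; a bundle-style result or a rejection from spctl means the package will need rebuilding as a signed flat package before Sierra ships.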

Thanks to Patrick Wardle, and Jeff Johnson of Rogue Amoeba Software, for drawing attention to this.