Apple’s Abrupt Mac OS X Change Could Block Many Apps

Apple told developers Monday afternoon that many of their older Mac applications may not run in the next update to Mac OS X unless they “re-sign” them using a digital-signature tool in OS X 10.9 Mavericks, the current version of the Mac operating system. Many developers aren’t happy about the abrupt change:

https://twitter.com/ibogost/status/496435057041879041/

The change affects all Mac applications built on older versions of Mac OS X—specifically, any version that predates Mavericks, which officially launched last October. As of the next release of the desktop operating system—that’ll be OS X 10.9.5—those apps may simply no longer function until their digital signatures are updated using a tool in Mavericks. (These apps also may not function in future versions of OS X, including beta versions of OS X 10.10 Yosemite.)

Update, 6:56pm PT: Programs with older digital signatures may simply trigger a security warning for users. At least, that’s the gist of an explanation that Apple apparently sent to developers earlier on Wednesday, per this report in The Unofficial Apple Weblog:

Signatures created with OS X Mountain Lion 10.8.5 or earlier (v1 signatures) will be obsoleted and Gatekeeper will no longer recognize them. Users may receive a Gatekeeper warning and will need to exempt your app to continue using it. To ensure your apps will run without warning on updated versions of OS X, they must be signed on OS X Mavericks 10.9 or later (v2 signatures).

A large number of common apps could be affected by the change; see below for details.

Sign Me Up

Apple encourages developers to digitally “sign” their applications, ostensibly for security reasons. Signing an app vouches for it as the creation of a given developer, and lets the Mac operating system detect any changes to its underlying code. (Apple explains the process in more detail in its official code-signing guide.)

Pre-Mavericks versions of OS X used an older code-signing technology that produced what Apple calls “version 1” signatures. OS X 10.9.5 and future OS X versions will require “version 2” signatures, which require the use of the “codesign” tool within Mavericks.

It’s not clear how much time developers have to re-sign their older applications. Apple hasn’t said when Mavericks 10.9.5 will launch; it just released the first 10.9.5 beta last Wednesday.

Caught In The Digital Dragnet

If developers don’t act quickly, large numbers of common apps could be affected. Developer John Bafford published a command-line script on GitHub Gist that identifies the signature version of all programs in a Mac’s applications folder. It looks like this, in case you’re curious:

https://gist.github.com/jbafford/d91ac15cf79a22e70f65

I ran the command on my Mac and found almost 50 applications with version 1 signatures, including Apple’s iMovie, iPhoto, iTunes, Numbers, Pages and Keynote. Other affected programs include Microsoft Office 2011, Adobe Reader, Dropbox, Google Chrome, Firefox and Evernote. (Oh, and Minecraft, too.)

I don’t have many apps from smaller developer teams on my machine, but I wouldn’t be surprised to find lots of them with version 1 signatures. What’s more, big companies have the resources to re-sign and update their apps well in advance of the release of OS X 10.9.5; smaller developers may be much harder pressed to do that in time.
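A check of this kind can be sketched in a few lines of shell. This is an added example, not Bafford's script and not code from the original article. It assumes that `codesign -dv` reports the signature's resource-envelope version on a "Sealed Resources" line (with `version=2` for v2 signatures); the function names and sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the signature version from `codesign -dv` output.
# Assumption: v2 signatures show "Sealed Resources version=2 ..."; v1
# signatures show "version=1" or no version field at all.

# classify_signature: read codesign display text on stdin and print one of
# v1, v2, unsigned, unknown.
classify_signature() {
    result=unknown
    while IFS= read -r line; do
        case $line in
            *"not signed at all"*)          result=unsigned ;;
            "Sealed Resources version=2"*)  result=v2 ;;
            "Sealed Resources version=1"*)  result=v1 ;;
            "Sealed Resources rules="*)     result=v1 ;;
        esac
    done
    echo "$result"
}

# scan_apps DIR: report the signature version of each .app directly in DIR.
scan_apps() {
    dir=${1:-/Applications}
    command -v codesign >/dev/null 2>&1 || { echo "codesign not found" >&2; return 1; }
    for app in "$dir"/*.app; do
        [ -d "$app" ] || continue
        # codesign writes its display output to stderr, so merge it into stdout.
        printf '%s\t%s\n' "$(codesign -dv "$app" 2>&1 | classify_signature)" "$app"
    done
}

# Constructed sample outputs (not captured from real applications).
sample_v2() {
    printf '%s\n' 'Identifier=com.example.app' \
        'Sealed Resources version=2 rules=12 files=40'
}
sample_v1() {
    printf '%s\n' 'Identifier=com.example.app' \
        'Sealed Resources rules=4 files=40'
}
sample_unsigned() {
    printf '%s\n' '/Applications/Example.app: code object is not signed at all'
}

# Run a real scan only when asked: sh check.sh --scan [DIR]
if [ "${1:-}" = "--scan" ]; then
    scan_apps "${2:-/Applications}"
fi
```

Apps reported as `v1` are the ones that would need re-signing on Mavericks or later to avoid the Gatekeeper warning described in Apple's note.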

I pinged Apple PR for further explanation of the announcement, and will update if I hear back.

Lead image by Antonio Taujelo on Flickr, CC 2.0
