Distributing Mac software is increasing my cortisol levels

LLorenDB about 5 hours ago 33 commentsRead Article on blog.kronis.dev

FR version is available. Content is displayed in original English for accuracy.

⚡ Community Insights

Discussion Sentiment

50% Positive

Analyzed from 1073 words in the discussion.

Discussion (33 Comments)Read Original on HackerNews

Wowfunhappy•about 1 hour ago

Any user who does not like Gatekeeper can turn it off on their machine in ten seconds by running this in a Terminal:

    sudo spctl —-master-disable

People will say, no, that’s too big a hammer, it’s not safe… but then, like, what do you actually want? Either you keep Gatekeeper because you like the friction it introduces, or you don’t like that friction and you should go turn it off. Pick one, you obviously can’t have both!

Of course, you as the developer can’t make this choice for your users… but isn’t that as it should be? The user decides what code is allowed to run on their machines. And the default setting is restrictive because anyone who knows what they’re doing can easily change it.

P.S. Meanwhile, on iOS there’s no way to install unsigned software at all, and on Android (starting soon) the process takes 24 hours instead of ten seconds. That is actually ridiculous because it’s taking away user choice.

P.P.S. To be clear, modern macOS has plenty of other restrictions which can’t really be turned off and which I find super annoying. Gatekeeper just isn’t one of them.

Edit: I’ve just learned that as of Sequoia, you have to also tick a box in Settings after running the Terminal command. So maybe it takes 30 seconds instead of ten seconds. That’s mildly more annoying, but still doesn’t really seem like a big deal to me.

novafunc•32 minutes ago

Rather than just having the options "Done" and "Move to Bin", give me an option to actually run it without having to manually go into System Settings each and every time without disabling security features?

The added friction feels more like a way to force developers to pay Apple an annual fee for distributing rather than for my safety. Not saying it doesn't help with safety, just that it's more weighed to the former.

ceejayoz•8 minutes ago

> give me an option to actually run it without having to manually go into System Settings each and every time without disabling security features?

People reflexively hit yes to these things.

Wowfunhappy•24 minutes ago

> without disabling security features?

With Gatekeeper turned off, you’ll still get a warning on first launch which you can easily click through. (Unless Apple changed something in the last few versions—let me know if that’s the case—but it would be out of character for them to remove a warning...)

The “security feature” you don’t want to disable is precisely the thing you are complaining about, so I don’t understand why you’d keep it around.

> The added friction feels more like a way to force developers to pay Apple an annual fee for distributing rather than for my safety.

I don’t imagine Apple makes a substantial amount of money from $99/year developer subscriptions. The App Store is another story of course.

plufz•23 minutes ago

I also have things I want to change in gatekeeper, but that feature is not one of them. Just gut feeling but I would say 110% of all users, would just click ”start” on every unsigned app if it was that easy.

ryandrake•19 minutes ago

10 seconds or 30 seconds, it's just too much friction to ask end users to do. I actually develop on a Mac, but I've written off Apple as a target system for hobby/open source projects. Between quarantine, code signing, and notarizing (which requires $99 a year), it's just not worth it. Good for Apple users if they like this shit--I'm just not going to bother with distributing to the platform anymore.

macOS is slowly getting like Windows, where, on a fresh install you have to go through and turn off all sorts of unwanted software just to have a sane environment where you, the user, are actually controlling your computer.

TrajansRow•28 minutes ago

So, Linux gets a free pass for requiring chmod +x to run his tool, but needing to run xattr on MacOS is somehow worthy of an entire blog post to complain about it?

Serious question - Is it really true that Windows 11 will run an untrusted .exe without a warning?

MrGilbert•20 minutes ago

You can configure it in a way that it won't allow you to run it at all, but out of the box, you will receive a message which forces you through three clicks. Enough to scare off people with no deep knowledge.

And yes, you can turn all of that off.

TrajansRow•7 minutes ago

Why isn't the author getting that warning then? Is it because he's only testing the tool on the same machine that it was built on?

kingforaday•11 minutes ago

By default Windows 11 will not run an untrusted .exe/PE file - it's governed by Microsoft Defender SmartScreen that will present a pop-up scaring people away and it actually isn't intuitive to click-through to run the program unless you've done it before.

hmokiguess•12 minutes ago

Tangential but this made me appreciate how Gatekeeper is perhaps a notorious example of a great naming choice for a piece of software.

arusahni•about 1 hour ago

My favorite is when someone discovers they haven't yet granted Zoom screensharing permission, and that they need to exit the call to re-launch the application with the permission granted.

petra303•about 1 hour ago

> I can use SmartID to verify my ID (and age) in about 20 seconds when buying an energy drink at the local grocery store

Where do you have to show ID for that??

joenot443•19 minutes ago

I was also taken aback by this, but apparently it's a real trend.

https://en.wikipedia.org/wiki/Age_restrictions_on_energy_dri...

neoeno•about 1 hour ago

Under 16s can’t buy energy drinks in the UK

Edit: currently a voluntary but widespread scheme by retailers, proposed to be law. TIL

walthamstow•35 minutes ago

Only if you look 12

puppycodes•37 minutes ago

another feature of UK dystopia

plufz•20 minutes ago

You and I have very different ideas of dystopia.

bloppe•about 1 hour ago

I don't get the part about Homebrew. If you're using Homebrew, it doesn't make a ton of sense to use Itch.io. Just use Homebrew. Seems like a more appropriate place to distribute a dev tool anyway. You could set up a patreon and print a link to it when appropriate. That's basically what Vim does.

I agree that Apple is dumb of course.

avhception•about 1 hour ago

> I'm sure that other countries also have plenty of similar services for ID and age verification

laughs in Bundesdruckerei

LoganDark•5 minutes ago

Apple's ID verification failed for me and I am now banned for life. There is no opportunity to appeal this or to ever participate in the Developer Program for me. Which sucks because I am now permanently locked out of developing seriously for any of the Apple ecosystem, ever.

a2tech•about 1 hour ago

Try to open the file, say ok to the ‘can’t check for malware’ prompt, go to settings, security, approve running the software.

Annoying, but if you’re delivering your app to semi-technical users, not really a problem.

bloppe•about 1 hour ago

It's only a problem if you want people to use your software

0123456789ABCDE•about 1 hour ago

it's really cool when i can fall a sleep in peace knowing this keeps my folks from getting rooted

bigyabai•about 1 hour ago

Gatekeeper doesn't fully prevent you from downloading malware. It just replaces one attack vector with another: https://blog.lastpass.com/posts/warning-fraudulent-app-imper...

stephc_int13•32 minutes ago

I am not entirely against the whole notarization thing.

If it is good for the end-user, it is usually also good for the ecosystem a a whole, trust is valuable.

But ffs, they are rich enough to make this a lot less painful and hostile for developers.

And this is not a new thing, I used to develop games for iOS, from the very beginning, and while the process somewhat simplified over time, it was a huge cortisol inducing process, not to mention the regular forced OS+SDK updates where the procedures changes almost every time and could fail in not-so-evident ways.

syassami•about 1 hour ago

Siri has the same effect.

dcrazy•about 1 hour ago

Notarize the application and staple the receipt to your app bundle. It won’t trigger the Gatekeeper warning.

gumby271•about 1 hour ago

Doesn't that still require going though all the hoops that they were struggling with, or is this a different verification flow with Apple?

fg137•38 minutes ago

You talk as if the author doesn't know that.

phoyd•about 1 hour ago

That's literally what this post is about.

dcrazy•8 minutes ago

Sorry, it was meant to be a reply to a comment.

drcongo•13 minutes ago

I went through this recently. Got as far as verifying my identity, which Apple happily accepted as verified from my UK driving license. Unfortunately, they then automatically set my first and last name from that identity verification step, and some how managed to use a section of my driving license number as my surname - a string of random uppercase letters and numbers - and it's impossible to edit it. So fuck them, that's $99 they've lost.