Author Archive: Adrian OLenskie

Potential Impact of Mountain Lion’s Gatekeeper on Adobe’s Third Party Developers

 

In Mountain Lion (Mac OS 10.8), Apple are introducing Gatekeeper, a mechanism by which they can provide a degree of protection to users against running potentially harmful code.

I’d like to give some thoughts on how this might impact third party developers delivering extensions and/or native plug-ins into Adobe Creative Suite product installations.

First a brief introduction to Gatekeeper (a better introduction can be found on the Apple site)…

Gatekeeper provides three potential levels of protection:

  1. Applications can be installed with total freedom.
  2. Applications can only be installed if they are signed with an Apple Developer ID or if they come from the Apple MacOS App Store. This is the default option.
  3. Applications can only be installed if they come from the Apple MacOS App Store.

How, as a third party developer, can you ensure your plug-in installation is not limited by Gatekeeper? The safest answer at this point is to adopt Apple’s best practices. Yes, that means getting an Apple Developer ID and signing your plug-in. This way, you run less risk that your users will no longer be able to use your product (and users can guarantee this bundle of joy really did come from you – this is a good thing).

If for some reason you prefer not to take this route and you want to continue to deliver your plug-ins unsigned, the alternative answer really depends on how you deploy your extension. I’ll consider three cases: adding the plug-in manually, adding it through an installer, and adding it through a utility application (such as Adobe Extension Manager).

If the plug-in is manually added to the appropriate folder on disk, Gatekeeper should not get involved. This stands to reason: in essence, if it was a malicious operation, your disk is compromised anyway.

If you depend on an installer, this installer will need to conform to the Gatekeeper security model. This means you need to either:

  • Sign your installer with an Apple Developer ID certificate (though you will need to educate the user if they have the strictest setting enabled).
  • Educate your users on how to reduce the restrictions introduced by Gatekeeper (temporarily, of course).
  • Arrange to have your installer distributed through the Apple App Store (at some point in the future if this scenario is supported by Apple).
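For the first option, a pre-release check of a signed installer against the local Gatekeeper policy might look like the following. This is an added example, not code from the original post; the function names `assess_type` and `check_installer` and the identity "Example Corp" are placeholders, and it assumes a Mac with Apple's `codesign`, `pkgutil` and `spctl` tools.

```bash
#!/bin/sh
# Added example: check that an installer is signed and accepted by Gatekeeper.
# Signing is done beforehand with a Developer ID identity (placeholder names):
#   productsign --sign "Developer ID Installer: Example Corp" in.pkg Setup.pkg
#   codesign --sign "Developer ID Application: Example Corp" "My Installer.app"

# Map an artifact to the spctl assessment type that applies to it.
assess_type() {
  case "$1" in
    *.pkg|*.mpkg) echo install ;;      # installer packages
    *.app|*.app/) echo execute ;;      # application-style installers
    *)            echo unsupported ;;  # e.g. a bare plug-in bundle
  esac
}

# Return 0 if the signature verifies and the policy engine accepts the item,
# 1 if it is rejected, 2 for bad input, 3 if the tools are missing.
check_installer() {
  artifact=$1
  kind=$(assess_type "$artifact")
  [ "$kind" != unsupported ] || { echo "unsupported artifact: $artifact" >&2; return 2; }
  [ -e "$artifact" ] || { echo "not found: $artifact" >&2; return 2; }
  command -v spctl >/dev/null 2>&1 || { echo "spctl not found (not a Mac?)" >&2; return 3; }

  # Step 1: is the signature itself intact?
  if [ "$kind" = install ]; then
    pkgutil --check-signature "$artifact" || return 1
  else
    codesign --verify --verbose=2 "$artifact" || return 1
  fi

  # Step 2: would Gatekeeper, at this machine's current setting, allow it?
  spctl --assess --type "$kind" --verbose=2 "$artifact" || return 1
}

# Run as: sh check.sh Setup.pkg
[ "$#" -eq 0 ] || check_installer "$1"
```

The verdict from `spctl` reflects whichever Gatekeeper level is set on the machine running the check, so run it on a machine left at the default option.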

If you depend on a utility application (such as Adobe Extension Manager) to handle the installation, you should not be affected; our experience is that Gatekeeper does not intercept this condition.

Once installed, we have not experienced any restrictions on the execution of applications with third party plug-ins. That does not mean that Apple will not add them at some future point.

Clearly, this is based on some quick tests we’ve run. We would be very keen to hear if your experience/understanding differs.

Finally, we are expecting further changes in this area, especially as the OS vendors continue to move towards “sand-boxed” application contexts.

These are our rough first thoughts in an area that will likely continue to evolve (as the OS vendors continue their march towards sand-boxed applications), feedback welcome.