Apple and Code Signing

By this point, most of us are familiar with the App Store and the controversy: why do apps have to be vetted by Apple before being deemed acceptable to install on our own devices? This is not a post specifically about that, but rather about the extension of that practice.

Several months ago, I ran across a post on Rogue Amoeba’s Under the Microscope blog about code signing in Leopard. At the heart of the discussion was the following quote in an Apple mailing list:

In order to achieve the nirvana of only running valid code, the system must completely refuse to run unsigned code. Since that would really have ruined third party developers’ Leopard experience, we don’t do that in Leopard (except for the Parental Controls and firewall cases, where we surreptitiously sign unsigned programs when they are “enabled” to run).
Eventually you will all have signed your recent releases, and we’ll have fixed all the (important) bugs and closed all the (important) holes, and a switch will materialize to this effect – to refuse (at the kernel level) to run any code that isn’t valid.

Posted to apple-cdsa on March 3, 2008 ((It should be noted that I commented on that post as to who, exactly, “Perry the Cynic” was. He is an employee of Apple as past posts of his in the mailing lists will clearly indicate.))

At that time, I said that no one would accept such measures. How could people possibly use a system where all the code is signed in such a manner? The iPhone App Store is certainly such a system, but it’s a closed device with the expectations of a closed device. ((Except, perhaps, for the Jailbreak community.))

However, with the apparent success of the App Store, Apple’s history of using smaller projects as test-beds for OS X, the inclusion of the Trusted Platform Module on Intel chip sets when Apple made the x86 transition ((Even though the TPM is not enabled on Intel Macs, its presence just adds fuel to the fire.)), and the support for signed code in Leopard, I have to wonder.

If Apple does indeed move to a closed system with all applications requiring signing in order to run, it will be a troubling time for those who run on Macs. Take, for example, the recent rejection of a podcasting application from the App Store:

Today I finally got a reply from Apple about the status of Podcaster.

Apple Rep says: Since Podcaster assists in the distribution of podcasts, it duplicates the functionality of the Podcast section of iTunes.

This bears repeating: an application was rejected because it duplicates the functionality of iTunes, an Apple app.

Now, I’m usually an advocate for Apple when it comes to “the whole solution.” I believe that having control of the hardware and the OS which runs on that hardware enables them to provide a solid experience. That, however, is as far as my advocacy for a controlled system will go.

Yes, I use iCal, Mail, Final Cut Pro, and many other Apple apps, but I do so as a choice. The minute I lose that choice is when I jump ship. No user experience, regardless of polish and ease, can justify that. Imagine if I was forced to use iChat instead of Adium, Safari instead of Firefox… Motion instead of After Effects.

This single tweet from Steven Frank illustrates the worst-case scenario:

Scenario: Apple makes code-signing mandatory for desktop Mac applications. You can now only buy them through iTunes. Think it can’t happen?

I think it can, I just hope against hope that it doesn’t. If it does? I’ll stick with Leopard (or in some cases Tiger) until I can no longer install those systems on new hardware. Once that happens? Well, I just hope Linux will have matured enough to get the support from the software I need to use on a daily basis.

[thanks to Daring Fireball for inspiring the conversation]