Tom Brow

Before the law sits a Gatekeeper

August 19, 2020

Before the Law, by Franz Kafka:

Before the law sits a gatekeeper. To this gatekeeper comes a man from the country who asks to gain entry into the law. But the gatekeeper says that he cannot grant him entry at the moment.

The man thinks about it and then asks if he will be allowed to come in later on. "It is possible," says the gatekeeper, "but not now."

Can't you just right click?, by Jeff Johnson:

In 2012, Apple added Gatekeeper to Mac OS X (now macOS). When you try to run Mac software downloaded from the internet, Gatekeeper checks whether the software was signed with a valid Developer ID certificate. If not, then Gatekeeper refuses to run the software.

Some people claim that Mac users can "just right click" to run unsigned software. But what does that mean exactly? Let's look at the user experience, in a series of screenshots.


The man from the country has not expected such difficulties: the law should always be accessible for everyone, he thinks, but as he now looks more closely at the gatekeeper in his fur coat, at his large pointed nose and his long, thin, black Tartar’s beard, he decides that it would be better to wait until he gets permission to go inside.


Most users would be scared away, rightfully so. Apple is specifically, deliberately warning you about malware and exposing yourself, so who in their right mind would ignore the warning, if they didn't already know that it was "safe" to ignore?


There he sits for days and years... The man, who has equipped himself with many things for his journey, spends everything, no matter how valuable, to win over the gatekeeper. The latter takes it all but, as he does so, says, "I am taking this only so that you do not think you have failed to do anything."


This is why every Mac developer I know signs up for Developer ID and ships only signed, notarized apps. It would be financial suicide to do otherwise... From a business perspective, there's no avoiding the Gatekeeper.

However, [Macs with Apple Silicon] will run ad-hoc signed software, which doesn't require a certificate. According to the man page for the codesign command-line tool:

Ad-hoc signing does not use an identity at all, and identifies exactly one instance of code. Significant restrictions apply to the use of ad-hoc signed code; consult documentation before using this.


"Everyone strives after the law," says the man, "so how is it that in these many years no one except me has requested entry?" The gatekeeper sees that the man is already dying and, in order to reach his diminishing sense of hearing, he shouts at him, "Here no one else can gain entry, since this entrance was assigned only to you. I'm going now to close it."