Mozilla readies Firefox for Mountain Lion's Gatekeeper

Apple also reminds developers of June 1 deadline to sandbox programs for the Mac App Store

Mozilla is scrambling to craft a code-signed version of Firefox for the Mac in case Apple launches OS X 10.8, or Mountain Lion, early.

In February, Apple announced that Mountain Lion will include a new feature, dubbed "Gatekeeper," that will restrict which applications users can install on their machines.

By default, Gatekeeper will let users install only programs downloaded from the Mac App Store or those digitally signed by a registered developer.

Last week, Mozilla said it was laboring on meeting the second requirement, and hoped to wrap up the work for Firefox 13 by the end of this week.

Firefox 13 is now slated to ship June 5.

"We must have a signed and released Firefox out there before the general public starts upgrading [to Mountain Lion] and we've been working hard to make that happen as soon as possible," wrote Ben Hearsum, a release engineer at Mozilla, in a blog post published last Thursday.

According to Hearsum, the only thing left on the to-do list is to untangle the access restrictions to Mozilla's Apple developer account.

Because Firefox is not distributed via the Mac App Store, downloads must be code-signed before Mountain Lion appears. While Apple has said that it will ship OS X 10.8 in "late summer," hints have appeared on Mac-centric blogs and in the shipping cadence of the three developer previews that point to a June delivery of the operating system.

"We don't know exactly when 10.8 will be released to the public but some have speculated that it could be as early as the week of June 11th at WWDC 2012," Hearsum said, referring to Apple's Worldwide Developers Conference, which runs June 11-15 in San Francisco.

Apple has categorized Gatekeeper as a new security precaution that ensures it can track down developers of rogue software submitted to -- and accepted by -- the Mac App Store.

Some, however, have criticized the feature because even if Apple revokes an application's certificate, the software remains on Macs and can continue to run. Others have noted that it will not stymie malware like Flashback, which relied on exploiting a known Java vulnerability to plant itself on hundreds of thousands of machines.

Other Apple-mandated deadlines are also fast approaching.

Last week, Apple emailed registered Mac developers with a reminder of the impending June 1 deadline for "sandboxing" applications sold or distributed through the Mac App Store. Apple had postponed the sandboxing deadline several times, most recently in March when it extended it to June 1.

Only new applications submitted to the Mac App Store starting June 1 must be sandboxed; programs already in the e-mart are not held to the requirement, although upgrades will be.

For Mac apps, sandboxing places tighter controls on what they can access from OS X and other apps. Theoretically, that makes those applications more secure, since malware exploiting a vulnerability in a sandboxed program will find it more difficult, or impossible, to reach the operating system and plant attack code on the Mac.

Some developers have already sandboxed their software -- AgileBits, for example, has sandboxed the version of its popular 1Password password manager that's sold through the Mac App Store -- but others have announced they'll opt out of Apple's distribution channel.

Atlassian, for instance, which creates the developer tool SourceTree, has said that it is "not currently planning on submitting any more updates to the Mac App Store" because of the sandboxing restrictions.

OS X Mountain Lion's Gatekeeper
Mountain Lion will display a warning when users try to run programs that haven't been downloaded from the Mac App Store, or digitally signed by a registered developer.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld.

Copyright © 2012 IDG Communications, Inc.
