To the median user , the two unexampled protection applied science coming to OS X this class — sandboxing and Gatekeeper — should be about invisible . But they could be all too visible to more advanced users , particularly those who use AppleScript and Automator .
As we ’ve reported antecedently , Apple will soon expect that all Mac App Store apps enforce sandboxing , which forces developer to request specific permit ( or , in developer - speak , “ entitlement ” ) from Apple to give their apps access to certain part of a user ’s system . Few apps in the Mac App Store today hire sandboxing , but add up June all fresh apps and updates to exist ones will .
With the upcoming OS X Mountain Lion , another new technology , Gatekeeper , will swan that an app you ’ve downloaded and tried to run compeer a digital signature that Apple has given the developer ; if it does n’t , Gatekeeper can prevent the app from running . In other words , it could foreclose you from running malicious autotype of apps you think are OK .
Both of these unexampled security technologies will have an impact on scripting and automation .
Internal practical software scripts : Some apps practice “ internal ” AppleScripts to treat certain actions of their own . ( For example , BBEdit ( ) habituate such book when it installs its bid - melodic line tool . ) Such scripts are built into the app ; you never see them in menus or elsewhere . Such self - referential scripts should continue to work as they always have .
If , however , a sandboxed app wants to use AppleScript to interact with another app or with other parts of your organization — a menubar app that use AppleScripts to control iTunes , say — then the new restrictions will come into swordplay . A sandboxed app ca n’t utilise AppleScript to communicate with another app on your Mac , unless the developer specifically request ( and receives ) an entitlement to do just that .
Apple awards such entitlements before a sandboxed app can be approved for the Mac App Store . Internal playscript will be subject to the same restrictions and entitlements as the app that contains them .
External app scripts : Apps can also use AppleScripts “ externally”—which is to say the exploiter start them , typically from the app ’s Scripts card . In Mountain Lion , such handwriting will have to be installed in app - specific pamphlet within ~/Library / app Scripts . By default , covering in Mountain Lion wo n’t be able to salvage files to that pamphlet , but users will be capable to .
A developer offer a sandboxed app could therefore offer a downloadable hardening of AppleScripts from its own web site . If the user then establish those book in the right location , those scripts can be freely run by the user within the app , with no special entitlement needed . That ’s because the drug user needed to intentionally install those hand and then to trigger their execution . Because Apple considers the substance abuser the ultimate authority over his or her own Mac , the script will be allowed to race .
developer who worry about whether or not users will install scripts in the right place will be able to create installers that come out the playscript correctly ; if the exploiter runs and authorizes the installer , that ’s treated as permission to put the scripts in the ripe place .
Gatekeeper : We take note above that user - created AppleScripts will run without trouble . Apps from other sources that use script , however , might trigger a ostiary warning : If they are distributed online without an Apple - approved developer theme song , then Gatekeeper will alarm the user to the publication .
Developers trust to avoid foot race - ins with Gatekeeper for their app - based scripts will be able to do so , thanks to a new archive data formatting offered with Mountain Lion called XIP . While AppleScript and Automator applications and droplets ca n’t be signed directly , XIP archives can be . By enclose scripts ( or usance Automator actions ) within XIP archives , then , developers can sign the actions and give out them without evoke Gatekeeper ’s ire .
