The documentation mentions that an entitlement is required. However, this only implies that an Apple account is needed and the yearly dev fee is to be paid. Entitlements work outside of the App Store too.
Personally I'm happy to see WireGuard in the App Store, but would be concerned if Apple indeed limits the API to it. Could you elaborate on if distribution outside of the App Store is impossible?
I have tried to reproduce the issue and found that even though you can create provisioning profiles for direct distribution with the Network Extension entitlement, and the UI shows that all is fine, the provisioning profile does NOT contain the required entitlement.
After some digging I found a FAQ on network extensions by Apple [1]. Point #8 clearly says:
> #8 — On the Mac, can Developer ID apps host Network Extension providers?
> Currently this is not possible; only Mac App Store apps can host Network Extension providers.
Thus the missing entitlement is most likely not a bug (and the cert UI is just bad). This is not a technical limitation, just Apple with questionable politics.
I suspect the reasoning is to prevent malware/spyware from setting up an always-on VPN without the user’s permission (i.e. the recent Facebook/Onavo scandal). Without using NetworkExtension, a kext is needed (which now require fairly obnoxious user consent). And using NetworkExtensiom essentially requires Apple’s approval.
There are plenty of workarounds, but the issue is that when you want to pass quality control you have to play by they platform owner's rules. While not always nice on one hand, on the other hand this does mean that most users will be safe to install most software checked and distributed that way, without needing the intimate knowledge we have.
I totally understand that if Apple builds and maintains a PKI-based security model, they are going to want to check your stuff before allowing you in. If, on the other hand, the user doesn't care, they can simply turn off the security model or adjust it.
The problem is that on iOS Apple's "quality control" includes banning normal and fun human activities such as sex.
If that is now coming to the Mac as well then I will stop being Mac user and I will move away from Apple's platforms altogether.
Requiring Apple's permission to run WireGuard automatically means requring the permission of the government as well.
You don't even have to resort to China to see why that is bad. Many western governments are aggressively working towards banning various forms of encrypted communications.
That's not their quality control you are referring to but the content guidelines (censor). It's a choice they are free to make, and are probably mostly copied off some American idea on what should be public or not.
The problem you are running in to is that your ideas don't match their ideas and you want them to match your ideas (which they won't because they don't live in your world, they live in their world, which at this time is mostly the USA world).
If in your country the government would enforce some law stating that companies should not block sex in their content pipelines, then Apple, just like they do in every other country, will comply. This is also the reason they censor stuff in China, it's the law over there.
So while their ideas and values might not match with you, they do still have to follow the law. If you believe companies with a large impact should not block certain information from flowing, that is something you can enforce by law.
A company has to deal with the law, and cannot go and be an anarchist whenever it feels like it (but people can) because then they cease to exist.
If Apple did not block sideloading on iOS, they wouldn't practically be able to implement this kind of censorship in China and elsewhere. They would be able to remove it from the App Store, but people would be able to acquire the software via other means.
(This topic doesn't really apply to macOS though, just iOS.)
I agree, but now it appears to apply to the Mac as well, at least to some degree.
That's what I find so concerning. There has to be some general purpose computing device that allows me to take full responsibility in terms of security and in terms of complying with the law.
Other platforms often tend to imitate Apple. So if this is the general direction of travel then I find that very worrying
Someone downthread says the macOS signing requirements still go away fully when Gatekeeper is disabled, which is a simple terminal command. As long as that's the case, I don't think there's a real problem here.
It's hard to quantify "moving in a direction", but Gatekeeper was introduced nearly a decade ago and has always been possible to disable via a quick Terminal command. Apple did remove it from the UI in Sierra, so perhaps you could say that's a sign of things to come, but I honestly doubt it.
No. I don't want them to match my ideas. I want them to respect the fact that people have different ideas and values.
To allow that diversity of ideas to exist, it is necessary to keep the separation of concerns and legal responsibilities as it has been since the invention of the Mac (and the PC).
They make the hardware and the OS. I decide what software to install and what content to store. This has always been my legal responsibilty and it is on that basis that I decided to purchase my Mac.
If they change that equation, I'm out. I'm out as user. I'm out as developer. I'm out as decision maker and as a go-to person for others who make purchasing decisions.
Well, "your ideas" contains your idea of them respecting the fact that people have different ideas and values and that they should be allowed to use their platform in ways they see fit that might differ form the stakeholders that currently decide what is and isn't allowed.
The notion that they supply hardware and software and you then decide how they are going to work for you is no longer valid for the Apple products as they are. By default, macOS is being more like iOS now, which diverges from the generic idea of the personal computer.
This problem is of course far wider than just computers and Apple, more devices, services and companies are headed this way in varying degrees.
I suppose that means you are out as a user, developer and decision maker etc. Apple probably won't care unless you take 10 million customers with you at the same time. Anything less than 1 million is probably not even going to register on their metrics, and anything less than 10 million is only marginal. This is both the problem (our problem as users) and the benefit (their benefit as a company at scale) of this broad customer base many companies now have. It's not really a globalisation thing, but more a combined globalisation+commercialism+scale thing that makes this kind of thing common.
It's not that they want to make things less attractive to certain users on purpose either, that would be counter to their purpose of making money; it's probably far more likely that it's a case of Hanlon's razor. Take the way PKI is used to enforce some rules on hardware (i.e. iBoot and the A-series SoCs from Apple but also Intel's BootGuard on a much larger scale); it's not that they want to block people that want to fiddle with their hardware and software, it's just that this is the best they could come up with to defend against generic attacks. And it's far from ideal.
>Well, "your ideas" contains your idea of them respecting the fact that people have different ideas and values [...]"
I have ideas on different levels that shouldn't be conflated. I'm not asking Apple or anyone else to share my preferences and tastes.
But some meta ideas are a prerequisite for disagreement on preferences, tastes and beliefs. Without those ideas we are moving towards authoritarianism.
Once global companies become dominant enough, their decisions start to either facilitate or hinder liberty and authoritarianism, even under the assumption that they have to comply with the law at all times.
I don't think being seen to be on the side of oppression and authoritarianism against your own users is ultimately conducive to maximising profits.
> The problem is that on iOS Apple's "quality control" includes banning normal and fun human activities such as sex.
While being totally OK with (gun) violence. Hello, double (American) standard. Keep that double standard in the US. I don't want it in the EU. Thank you.
There are multiple ways and levels. The easiest is gatekeeper, which lives in the security settings. Next is SIP, which is a deeper layer (also PKI based) which cannot be changed while booted (which is a very good security model). You can only change this preboot or in the recovery environment. At that point, you may choose to disable SIP completely, or just parts of it (done using the csrutil). For an easier preboot option, you can use something like rEFInd/rEFIt to do this whenever you feel like it from a small preboot application.
Security-wise, that can be problematic, and I suggest you turn on EFI password authentication so it's not something everyone can do to your machine. This means you can still change the SIP settings on-demand per boot using a USB stick with rEFInd on it, but doing that requires you to chain boot off of that USB drive and doing that triggers EFI protection and requires a password before you can do that. Normal boot would not require a password and lets you use the system as-is.
I don't know a lot about Apple development, but there is presumably some way for developers to run these on their own machines for testing. An Apple Developer account is $99/year, including 100 iOS devices for sideloading, so I'd guess something similar applies to Macs?
