Comment 4 for bug 1363305

Liam P. White (liampwhite) wrote :

> Many people are not technically wise enough to bypass the gatekeeper.

I'd suggest that everyone read the FAQ /before/ attempting to use the program. The solutions to common problems there are more than enough to get you started, and if the material provided on how to allow Inkscape.app through Gatekeeper is too complex to understand (a few clicks), maybe this program isn't for you.

********

> A user downloads the Inkscape package file from an unknown web site (very common)

How common are we talking about here?

> What he doesn't know is that the package is not the original Inkscape package, but it is infected with a trojan or contains malicious code. The user tries to install the package on his Mac, but the Mac gatekeeper (wisely) prevents him from running the application because it is not signed.

Just because an application has a code signature does not imply that it is not malware -- in fact, digitally signed OS X malware has occurred before «http://nakedsecurity.sophos.com/2014/01/21/data-stealing-malware-targets-mac-users-in-undelivered-courier-item-attack/» and it will appear again.

> He searches on Google and finds the official FAQ on Inkscape.org website explaining how to bypass the gatekeeper check. He follows the instructions and installs the malicious package in his system, with sore consequences.

In a system with proper permissions enforcement, and assuming no exploits in the OS itself were used in the creation of such an application, the amount of damage any such bundle could do to a system would be severely limited -- this does not necessarily protect against the application stealing data or attempting to cause physical (heat) damage to the machine.

While I agree that a signed bundle would be nice to have, keep in mind that a code signature in no way guarantees the safety or reliability of an application bundle.