Tech —

Apple releases OS X 10.9.5 with fixes, new code signing requirements [Updated]

On Nov. 1, apps submitted to Mac App Store will need new signatures.

Apple releases OS X 10.9.5 with fixes, new code signing requirements [Updated]

Yesterday evening Apple released OS X 10.9.5 to the general public, the fifth major update for OS X Mavericks. As usual, the update comes with a handful of fixes for user-facing features as well as a small pile of security updates. Many of these security patches are also available for OS X 10.7.5 and 10.8.5 in separate updates.

Like OS X 10.9.4, the update focuses on smaller problems that affect a subset of Macs. The new features include Safari 7.0.6, improved "reliability for VPN connections that use USB smart cards for authentication," and better reliability for connecting to file servers that use the SMB protocol. For businesses using OS X, the update fixes a problem that could keep system admins from "performing some administrative tasks successfully" on larger groups of Macs, and it also speeds up authentication "when roaming on 802.1x networks which use EAP-TLS."

Among the security updates are fixes for Bluetooth, CoreGraphics generally and the Intel graphics driver specifically, and OS X's version of OpenSSL among many others. The latter problems were fixed by updating from OpenSSL version 0.9.8y to 0.9.8za.

There's a larger, potentially disruptive change in 10.9.5 coming for developers. Beginning on November 1, all OS X applications submitted to the Mac App Store will need to be signed with new v2 signatures. Apple recommends that developers build, sign, and test their apps on Macs running OS X 10.9 or OS X 10.10 Developer Preview 5 or later to make sure that the new signatures are working properly.

Previously, Apple had said that all Mac apps would need to be signed with v2 signatures to work properly with the Gatekeeper security feature in OS X 10.9.5 and later versions. This had caused some consternation among developers who prefer or need to build applications in older versions of OS X or with older versions of Xcode, especially since Apple has not been especially clear on why the move to new signatures is necessary. However, developer Daniel Jalkut of IndieStack reports that most applications with v1 signatures continue to work properly. This is contrary to a message Apple sent to developers in early August, which indicated that all apps would need to be re-signed to work properly with 10.9.5.

The original e-mail message to developers, dated August 4. The release build of 10.9.5 doesn't actually appear to come with additional code signing requirements.
Enlarge / The original e-mail message to developers, dated August 4. The release build of 10.9.5 doesn't actually appear to come with additional code signing requirements.
Andrew Cunningham

Gatekeeper was introduced in OS X 10.8 as a way to reduce the risk of malicious software installation. It works differently than the SmartScreen filter that Microsoft uses to prevent dodgy apps from being installed in Windows 8, but the intent is similar. Trying to install an unsigned application in OS X prompts a warning message telling users that the software may not be safe to install and use. Unsigned can still be installed, but you need to permanently or temporarily disable Gatekeeper's protections to do it. This is obviously not a desirable situation, since it defeats the purpose of the feature in the first place. Developers still have about a month and a half to make the move, and applications signed with the new signatures will continue to work on older versions of OS X with older (or nonexistent) code-signing requirements.

10.9.5 is likely (but not guaranteed) to be the last major point update Mavericks will receive. Lion and Mountain Lion each received five post-release point updates before being replaced, and most rumors seem to point to an October-ish release for OS X Yosemite. If you prefer Mavericks to Yosemite for aesthetic or functional reasons, though, Apple should continue to issue security updates to 10.9 for the foreseeable future. You can download 10.9.5 through Software Update or from Apple's software downloads page.

Update: The new code signing requirements don't actually appear to be enforced in the release version of 10.9.5. We have updated the article to reflect that fact.

Update 2: Safari 7.1 for Mavericks has also been released today. It adds support for the DuckDuckGo search engine, among other small improvements.

Listing image by Apple

Channel Ars Technica