Apple’s new system to restrict programs on Macs is interesting. The default in the next version of OS X will only allow programs from the Mac App Store or programs digitally signed by an identified Apple developer. This could be a good feature, if Apple honestly only uses it to stop malware. But history has shown Apple can’t be entirely trusted.

The Mac App Store itself is not enough. App Store apps have to run in a restrictive sandbox. The sandbox isn’t a bad idea for a variety of ordinary iLife-like apps, but anything a little more technical or hooked into the OS is a non-starter. For example both app launcher Alfred and Git/Mercurial client SourceTree can’t operate in the sandbox.

So the ability to run any signed binary is essential. What will Apple’s policy about the signatures be? All the messaging so far has been about preventing malware. That sounds reasonable to me, but it’s going to be a challenge for Apple to make work. Launching an app the first time will require an online signature verification. Canceling a bad certificate will require some sort of revocation mechanism (something web browsers still can’t make work). And Apple has to administer the program, block spammers registering millions of certificates, deal with support requests from developers. It’s complicated.

The real danger is Apple might decide to use Gatekeeper to restrict what arbitrary apps do on the Mac. They say they won’t do that. Let’s hope not: the history of the iPhone app store with debacles like Google Voice or Camera+ shows Apple can’t be entirely trusted with this power. A power user could always just turn off Gatekeeper, but if it’s on by default there will be very little market for apps that can’t run with it.