What I don't like about Gatekeeper is that there is no way to revoke Apple's cert and replace it with another. Not that that would protect the activist in question, but it would certainly make a company machine secure against this kind of attack.
If I understand you correctly, it would also prevent you from launching any codesigned application, including the OS-provided ones, since they would all be considered to have an invalid code signature.
So yeah, I guess in a certain light, a machine that can't launch apps is definitely secure.
Good point. I think you half misunderstood; their certificate should be replaceable so that you disallow third-party software from developers in their developer program and allow it from your company only or vendor A only. Obviously one would need to implicitly allow certain OS processes and Finder for the system to work, but my point is basically that we should not be beholden to Apple beyond that, the CA should be something we can choose.
