updated 11:00 pm EDT, Mon August 18, 2014
Enterprise Signing Key, Activation Lock keys could have been compromised
An unidentified Twitter user is claiming that the recent changes to Gatekeeper in OS X Mavericks and OS X Yosemite, which have forced developers to re-sign their app credentials, are actually the result of a security breach that successfully pilfered the Gatekeeper keys and possibly "many other keys for many other things," according to the user. TUAW located a corroborating source who has allegedly confirmed the breach and tied it to the recent alleged Activation Lock hack.
Gatekeeper is an anti-malware feature introduced in recent OS X versions, starting with Mountain Lion (10.8). By default, it is set to allow apps from the Mac App Store and registered Apple developers to run unimpeded. This can be restricted to allow only apps from the Mac App Store to run, or loosened to allow unsigned programs to run. To work with Gatekeeper, apps must be code-signed by the developer using a key that matches the information Apple has, effectively providing authentication that the app is legitimate and not a disguised bit of malware.
While there are numerous examples of legitimate but unsigned software from developers who have chosen for one reason or another not to register with Apple (such as the $99 per year cost), most major programs already comply with Apple's requirements for the Mac App Store and "recognized developer" policies. A breach of the Gatekeeper keys would mean that miscreants could create fake apps or sign malicious apps in a way that would pass muster with Gatekeeper. The changes made recently are intended to protect users of recent versions of OS X from the risk of falsely-signed malware.
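As an added example (not from the original article), the check a Mac administrator can run to see how Gatekeeper would treat an app bundle and which Developer ID authority signed it; it assumes macOS with spctl(8) and codesign(1), and the sample outputs, app path and team ID below are constructed for offline use.

```sh
#!/bin/sh
# Gatekeeper assessment helper (added example, not Apple's tooling).
# Assumes macOS with spctl(8) and codesign(1) for the live check.

# Classify an spctl assessment transcript as accepted/rejected/unknown.
gatekeeper_verdict() {
    # spctl -a -vv prints "<path>: accepted" or "<path>: rejected"
    case "$1" in
        *": accepted"*) echo accepted ;;
        *": rejected"*) echo rejected ;;
        *) echo unknown ;;
    esac
}

# Extract the leaf signing authority from codesign -dvvv output:
# the first "Authority=" line is the developer's own certificate.
signing_authority() {
    printf '%s\n' "$1" | sed -n 's/^Authority=//p' | head -n 1
}

# Live check of a bundle path; only meaningful on macOS.
assess_app() {
    app="$1"
    out=$(spctl --assess --type execute -vv "$app" 2>&1)
    sig=$(codesign -dvvv "$app" 2>&1)
    echo "verdict:   $(gatekeeper_verdict "$out")"
    echo "authority: $(signing_authority "$sig")"
}

# Constructed sample transcripts (placeholder app path and team ID).
SAMPLE_SPCTL_OK='/Applications/Example.app: accepted
source=Developer ID'
SAMPLE_SPCTL_BAD='/Applications/Example.app: rejected
source=no usable signature'
SAMPLE_CODESIGN='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Authority=Developer ID Application: Example Corp (TEAMID0000)
Authority=Developer ID Certification Authority
Authority=Apple Root CA'

# Usage: sh gatekeeper_check.sh /Applications/SomeApp.app
if [ -n "$1" ]; then
    assess_app "$1"
fi
```

After a forced re-signing like the one described above, comparing the reported authority against the vendor's published Developer ID name and team identifier is the practical way to confirm an installed app carries the expected signature.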
The unnamed sources for the reports have said they were approached to buy the keys shortly after the theft, and claimed that the data contained "virtually every key Apple used for everything." Included among those was said to be the Enterprise Signing Key, which allowed devices to bypass iCloud locks such as Activation Lock.
Thus far, however, there have been no reports of any rise in malware or fake apps, nor widespread issues with Activation Lock. Assuming the story is true, Apple may have made changes on its end to fix any data breaches without inconveniencing most developers or users, apart from the re-signing requirement.