Context: large platform-agnostic CLI tool built as a handcrafted bundle (not via an Xcode project) that has been successfully codesigned, stapled, and zipped; macOS 14.7.5 syspolicy_check reports App passed all pre-distribution checks and is ready for distribution. However, running the executable in the Terminal produces a "cannot be opened because the developer cannot be verified" popup. The executable does succeed after manually clearing its quarantine attribute. Having worked through Resolving Gatekeeper Problems, the only detail logged in the Console is Adding Gatekeeper denial breadcrumb (direct): ... bundle_id: NOT_A_BUNDLE. Experimental observations: a minimized trivial CLI executable with a similar bundle layout and name successfully executes without being rejected, and oddly, renaming the original bundle from "name" to "name.suffix" allows it to be successfully executed. It's unclear why the bundle name would affect Gatekeeper only in some circumstances, and we'd greatly prefer not to rename the bundle for compatibility reasons, so it would be good if there were some way to get further diagnostic detail leading to a workaround - thank you.

Hello, I recently had my Electron app notarized by Apple and then performed the following steps: Stapling the Notarization Ticket: xcrun stapler staple "appPath/Aiparalegal.app" Zipping the App for Distribution: ditto -c -k --keepParent "appPath/Aiparalegal.app" theAIParalegal.zip However, after unzipping and attempting to launch the app, macOS displays the following message: Apple could not verify "theAIParalegal" is free of malware that may harm your Mac or compromise your privacy. Yet, when I run validation using: xcrun stapler validate "theAIParalegal.app" I receive confirmation: The validate action worked! I then tried restarting my computer but the problem persist Could you help me understand why the notarization validation appears successful, yet macOS still displays this security warning? Any advice on how to resolve this would be greatly appreciated. Thank you!

Hello, I recently had my Electron app notarized by Apple and then performed the following steps: Stapling the Notarization Ticket: xcrun stapler staple "appPath/Aiparalegal.app" Zipping the App for Distribution: ditto -c -k --keepParent "appPath/Aiparalegal.app" theAIParalegal.zip However, after unzipping and attempting to launch the app, macOS displays the following message: Apple could not verify "theAIParalegal" is free of malware that may harm your Mac or compromise your privacy. Yet, when I run validation using: xcrun stapler validate "theAIParalegal.app" I receive confirmation: The validate action worked! spctl -a -vvv -t install "theAIParalegal.app" theAIParalegal.app: accepted source=Notarized Developer ID origin=Developer ID Application: NIPartnership LLC (M92N2796Q9) Could you help me understand why the notarization validation appears successful, yet macOS still displays this security warning? Any advice on how to resolve this would be greatly appreciated. Thank you!

My Developer ID certificate will expire in few days, so I downloaded and installed new certificate in login keychain. However my key is still linked to my old certificate. I have my .p12 but even if I delete the old certificate from login keychain and reinstall the .12 file, my old certificate reappears in the login keychain. I tried to select the new certificate in the login keychain and choose Files > Export Items (in Keychain Access) but in the Save dialog under File Format the "Personal Information Exchange (.p12)" option is grayed out. How can I generate a key/.p12 file that will be linked to my new certificate?

We are developing a macOS application for distribution outside the Mac App Store. This application requires additional entitlements, including Keychain access groups, Network Extension, App Groups, and Sandbox. Both the app and the network extension import a custom framework. After creating the .app via Xcode, I ensured that a new Developer ID Application provisioning profile was generated. These profiles were then injected into the Contents folder of the .app and Plugins/.netappex as embedded.provisionprofile. Next, .entitlements files were created with the necessary "-systemextension" entitlement for the network extension and used for code signing. When inspecting the extracted entitlements from the .provisioningprofile as described in TN3125, everything appears correct. Code signing flow: codesign --force --options runtime --timestamp --sign "Developer ID Application: <team>" <.app>/Contents/Frameworks/<sdk>.framework/ codesign --force --options runtime --timestamp --sign "Developer ID Application: <team>" <.app>/Contents/PlugIns/vpn.appex/Contents/Frameworks/<sdk>.framework/Versions/A/<sdk> codesign --force --options runtime --entitlements <vpn-plist>.entitlements --timestamp --sign "Developer ID Application: <team>" <.app>/Contents/PlugIns/vpn.appex/ codesign --force --options runtime --entitlements <app-plist>.entitlements --timestamp --sign "Developer ID Application: <team>" <.app> The .app is then zipped with ditto -c -k --keepParent and set off for notarization, which is succesful and the .app is stapled. After that, a .dmg or .pkg is created, which is then sent for notarization and subsequently stapled. The problem occurs when the app is distributed to the client. Opening the extracted .app fails, as Gatekeeper refuses to launch it with the following error message: 661 debug staticCode syspolicyd Security 0x88d68d818 done serializing <?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "https://www.apple.com/DTDs/PropertyList-1.0.dtd"><plist version="1.0"><dict><key>com.apple.application-identifier</key><string><teamid.bundleid></string><key>com.apple.developer.networking.networkextension</key><array><string>packet-tunnel-provider-systemextension</string></array><key>com.apple.developer.team-identifier</key><string>team-id</string><key>com.apple.security.app-sandbox</key><true/><key>com.apple.security.application-groups</key><array><string>teamid.group.appgroup</string></array><key>com.apple.security.files.user-selected.read-write</key><true/><key>com.apple.security.network.client</key><true/><key>com.apple.security.network.server</key><true/><key>keychain-access-groups</key><array><string>teamid.group.appgroup</string></array></dict></plist> com.apple.securityd 22207 debug ProvisioningProfiles taskgated-helper ConfigurationProfiles entitlements: { "com.apple.developer.networking.networkextension" = ( "packet-tunnel-provider-systemextension" ); "com.apple.developer.team-identifier" = team-id; "keychain-access-groups" = ( “teamid.group.appgroup” ); } com.apple.ManagedClient 22207 error ProvisioningProfiles taskgated-helper ConfigurationProfiles <bundle-id>: Unsatisfied entitlements: com.apple.developer.team-identifier, com.apple.developer.networking.networkextension, keychain-access-groups com.apple.ManagedClient After encountering this problem every time, we tried using a different development team with a new bundle ID, app groups, developer ID, developer ID certificate, and provisioning profiles. The .entitlements file remained the same (with different IDs), as did the capabilities for the App IDs in App Store Connect. With this new development team, we were successful, and the gatekeeper did not block the launch job. From a configuration standpoint, everything appears identical. Updating the App Store Connect App ID capabilities and generating new provisioning profiles for the first development team did not resolve the issue. Thank you for your help.

Hi, I've code-signed my app and notarized it, and created a DMG, and when I slacked it or airdropped it to someone for testing the FIRST time they open it, they get a warning that it was Slacked or airdropped to them and do they want to open it. if they say yes everything is fine. So looking through here someone said I need to sign the app and then make a dmg and sign the dmg and then send that for notorization and then staple that. So I did, and I still get a warning the first tie someone try's to run it. What am I doing wrong? I know I can buy software and not get a warning from apple. so how do I get my app to work correctly like that?

Hi folks We have a Developer ID Application which we create using electron. We made our last release for our Application on Nov'24 which was correctly working. Using the same code, we tried creating a notarized application again which started showing the following error while opening our Application. Monterey- M2- When we directly run the dmg on the dev machine, it does not give us the prompt. But if we download it from somewhere and run, the prompt comes up even in dev machine. We executed some commands to verify the notarization: 1- spctl --assess -vv /Applications/Refresh\ Pro.app On both dev machine and non-dev machine, the output was "accepted" /Applications/Refresh Pro.app: accepted source=Notarized Developer ID origin=Developer ID Application: Prograde Digital Incorporated (*******) 2- xcrun stapler validate /Applications/Refresh\ Pro.app On dev machine, we executed this command and the output is as follows. Processing: /Applications/Refresh Pro.app The validate action worked! 3- codesign -vvv --deep --strict /Applications/Refresh\ Pro.app/ /Applications/Refresh Pro.app: valid on disk /Applications/Refresh Pro.app: satisfies its Designated Requirement We have created a bug attaching the dmg. Please suggest anything we can try to make the release out the door. Bug link- https://feedbackassistant.apple.com/feedback/16811025

Hi, I develop a Mac application, initially on Catalina/Xcode12, but I recently upgrade to Monterey/Xcode13. I'm about to publish a new version: on Monterey all works as expected, but when I try the app on Sequoia, as a last step before uploading to the App Store, I encountered some weird security issues: The main symptom is that it's no longer possible to save any file from the app using the Save panel, although the User Select File entitlement is set to Read/Write. I've tried reinstalling different versions of the app, including the most recent downloaded from TestFlight. But, whatever the version, any try to save using the panel (e.g. on the desktop) results in a warning telling that I don't have authorization to record the file to that folder. Moreover, when I type spctl -a -t exec -v /Applications/***.app in the terminal, it returns rejected, even when the application has been installed by TestFlight. An EtreCheck report tells that my app is not signed, while codesign -dv /Applications/***.app returns a valid signature. I'm lost... It suspect a Gate Keeper problem, but I cannot found any info on the web about how this system could be reset. I tried sudo spctl --reset-default, but it returns This operation is no longer supported... I wonder if these symptoms depend on how the app is archived and could be propagated to my final users, or just related to a corrupted install of Sequoia on my local machine. My feeling is that a signature problem should have been detected by the archive validation, but how could we be sure? Any idea would be greatly appreciated, thanks!

I have a .NET 6 application that runs in the background. The installer is a .pkg file built using a third-party tool called "Packages". All .dylib and executable files are codesigned before packaging. The resulting .pkg file is notarized. The app uses these entitlements: com.apple.security.cs.allow-jit com.apple.security.cs.allow-unsigned-executable-memory com.apple.security.cs.allow-dyld-environment-variables com.apple.security.cs.disable-library-validation The app is built on a macbook Air 2015 running macOS 12.6 and it works without issues on that machine. On a macbook Pro M3 running macOS 14.6.1 the app fails to run even though the installation itself is successful. The only logs that I was able to find are related to syspolicyd (4 warnings): Unable to apply protection to app: 45, PST: (vuid: A78FF6C2-08D5-4DCC-B946-8836251AA0E7), (objid: 1873967), (team: (null)), (id: (null)), (bundle_id: (null)) Failed to register app bundle for protection: 45, PST: (vuid: A78FF6C2-08D5-4DCC-B946-8836251AA0E7), (objid: 1873967), (team: (null)), (id: (null)), (bundle_id: (null)) scan failed, finishing evaluation : PST: (vuid: A78FF6C2-08D5-4DCC-B946-8836251AA0E7), (objid: 1873967), (team: (null)), (id: (null)), (bundle_id: (null)) Terminating process due to Gatekeeper rejection: 95158, Unfortunately, verification commands such as sudo codesign --verify --deep --strict -vvv MyApplication.App spctl -a -vvv -t install MyApplicationInstaller.pkg do not indicate any issues. Are there any additional steps that need to be performed in order for my app to work properly on newer machines?

Hello, I have an application which uses a helper[1] to download[2] files. When files download is a DMG and user mounts the image to run the application from this DMG it doesn't pass Gatekeeper. It presents the "Application XYZ.app can't be opened.". Same file downloaded via Safari shows a different dialog, the "XYZ.app is an app downloaded from the internet. Are you sure you want to open it?" In the system log I see this line: exec of /Volumes/SampleApp/SampleApp.app/Contents/MacOS/SampleApp denied since it was quarantined by Download\x20Helper and created without user consent, qtn-flags was 0x00000187 The application is running sandboxed and hardened, the main application has com.apple.security.files.downloads.read-write entitlement. Everything is signed by DeveloperID and passes all checks[3]. I tried to check the responsible process[4] of the helper. Then trivial stuff like download folder access in System Settings/Privacy & Security/Files & Folders. Everything seems to be fine. For what it worths the value of quarantine attribute is following: com.apple.quarantine: 0087;6723b80e;My App; The Safari downloaded one posses: com.apple.quarantine: 0083;6723b9fa;Safari;02162070-2561-42BE-B30B-19A0E94FE7CA Also tried a few more ways and got to 0081 with Edge and 0082 with a sample app with similar setup. Not sure if that has any meaning. What could I be doing wrong that Gatekeeper right away refuses to run the application from DMG instead of showing the dialog like in other cases? [1] The executable is in application bundle located in Contents/Helpers/DownloadHelper.app in the main application bundle. [2] Nothing fancy, curl + regular POSIX file operations [3] codesign, syspolicy_check, spctl [4] launchctl procinfo pid

I have something with a new individual on my team I've never seen before. They checked out our code repository from git and now anytime they try to open a .json file that is legitimately just a text file, GateKeeper tells them it cannot verify the integrity of this file and offers to have them throw this file away. I've seen this with binaries, and that makes sense. I removed the com.apple.quarantine extended attribute from all executable files in our source tree, but I've never seen GateKeeper prompt on text files. I could remove the extended attribute from all files in our source tree, but I fear the next time he pulls from git he'll get new ones flagged. Is there someway around this? I've never personally seen GateKeeper blocking text files.

We are using SHC to compile on macOS to convert the .sh script to a binary file. This binary file is then digitally signed by the Apple developer account and then notarised. After that, it will work on the same system where we follow this process. But if we share this file to another system, then it gets quarantined (com.apple.quarantine) while downloading. Is there any way to prevent it by getting quarantine on another system or something I'm missing, any clues?

I have built a flutter desktop app and I notarized it. I have to distribute it directly as I cannot turn on App Sandboxing due to the functions included in the application. I created a build of the app from Xcode and then uploaded it for notarization and it was successfully notarized. If I compress that app into a .zip and share it over the internet, it successfully opens on any computer. But when I create a dmg using appdmg from npm and I try to distribute it, it does not open and shows me the option to either move to bin or cancel. When I notarize the dmg using the command: xcrun notarytool submit "YourApp.dmg" --apple-id "email" --password "app-specific-password" --team-id "YOUR_TEAM_ID" --wait It notarizes successfully. I have also done: xcrun stapler staple "YourApp.dmg" And validated it but it does not seem to work when I distribute it over the internet by uploading on my website. It is a bit strange that when I distribute the notarized app, it does not show any error when distributed over the internet by uploading on my website and then downloading but for a notarized dmg, which is properly signed, it gives that error that wether move to bin or do nothing. Would love someone's help on this!

I recently got some plugins from Universal Audio, and have licensed them properly through both UA and iLok manager. Whenever I try to load up the plugins (specifically from UA) in GarageBand, it first says that "NSCreateObjectFileImageFromMemory-p47UEwps” because the developper can not be verified. After clicking either 'show in finder' or 'okay', it opens the plugin in a form without its GUI and showing that it is not licensed (even though it is). It also displays error code 100001. I have tried only some basic stuff to troubleshoot like restarting the DAW/my computer and reinstalling/relicensing the softwares. I don't know if the macOS version has anything to do with it but for some reason I just can't get it to work.

Hi, I am a long time programmer in C#, and newer to Rust, and a rookie to MacOS 15.1. Over the past few days I have made numerous attempts to run a Rust GUI binary that I compiled on Mac. Here are some examples of things I have tried using. Executable compiled in M1 mac not running on Apple Silicon Mac - help - The Rust Programming Language Forum And here.... How to run unsigned apps in macOS 15.1 Also here... "sudo spctl --master-disable" There are many more that I have tried. I also tried moving the binary from my developer folder to the Application folder and running.... xattr -r -d com.apple.quarantine /Applications/csv Note that "csv" is the name of my binary. You have probably seen this 100 times, so can you point me to me to something that allows my Rust binaries to run under MacOS? PS The Rust program code works just fine under Linux. I can either type Cargo Run and run the binary from the Terminal or go directly to the executable and double click on it to open the GUI application. The only thing that MacOS lets me do it open the GUI from the Terminal. Commander One says that I do not have the proper credentials to open the file directly. Finder also does not allow me to open the binary directly. Thanks, Jim

I built Mac app with Electron-forge and sign and notarize my app with Developer ID Application Certification and @electron/osx-sign, @electron/notarize module. I built my app on macOS Sonoma 14.7. Then I ran the built app on other mac with "App Store and identified developers" Gatekeeper of macOS version 12.7.3 And it worked well. But when I ran it on another mac PC of macOS Sonoma 14.4.1, it said my app is damaged. Why does it happen and How can I solve this issue?

To ship a product outside of the Mac App Store, you must notarise it. The notary service issues a notarised ticket, and the ultimate consumer of that ticket is Gatekeeper. However, Gatekeeper does not just check the ticket; it also applies a variety of other checks, and it’s possible for those checks to fail even if your notarised ticket is just fine. To avoid such problems showing up in the field, test your product’s compatibility with Gatekeeper before shipping it. To do this: Set up a fresh machine, one that’s never seen your product before. If your product supports macOS 10.15.x, x < 4, the best OS version to test with is 10.15.3 [1]. Download your product in a way that quarantines it (for example, using Safari). Disconnect the machine from the network. It might make sense to skip this step. See the discussion below. Install and use your product as your users would. If the product is signed, notarised, and stapled correctly, everything should work. If not, you’ll need to investigate what’s making Gatekeeper unhappy, fix that, and then retest. For detailed advice on that topic, see Resolving Trusted Execution Problems. Run this test on a fresh machine each time. This is necessary because Gatekeeper caches information about your product and it’s not easy to reset that cache. Your best option is to do this testing on a virtual machine (VM). Take a snapshot of the VM before the first test, and then restore to that snapshot when you want to retest. Also, by using a VM you can disable networking in step 3 without disrupting other work on your machine. The reason why you should disable networking in step 3 is to test that you’ve correctly stapled the notarised ticket on to your product. If, for some reason, you’re unable to do that stapling, it’s fine to skip step 3. However, be aware that this may cause problems for a user if they try to deploy your product to a Mac that does not have access to the wider Internet. For more background on this, see The Pros and Cons of Stapling. [1] macOS 10.15.4 fixes a bug that made Gatekeeper unnecessarily strict (r. 57278824), so by testing on 10.15.3 you’re exercising the worst case. The process described above is by far the best way to test your Gatekeeper compatibility because it accurately tests how your users run your product. However, you can also run a quick, albeit less accurate test, using various command-line tools. The exact process depends on the type of product you’re trying to check: App — Run syspolicy_check like this: % syspolicy_check distribution WaffleVarnish.app This tool was introduced in macOS 14. On older systems, use the older spctl tool. Run it like this: % spctl -a -t exec -vvv WaffleVarnish.app Be aware, however, that this check is much less accurate. Disk image — Run spctl like this: % spctl -a -t open -vvv --context context:primary-signature WaffleVarnish.dmg Installer package — Run spctl like this: % spctl -a -t install -vvv WaffleVarnish.pkg Other code — Run codesign like this: % codesign -vvvv -R="notarized" --check-notarization WaffleVarnish.bundle This command requires macOS 10.15 or later. Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple let myEmail = "eskimo" + "1" + "@" + "apple.com" Revision history: 2024-12-05 Added instructions for using syspolicy_check. Made other minor editorial changes. 2023-10-20 Added links to Resolving Trusted Execution Problems and The Pros and Cons of Stapling. Made other minor editorial changes. 2021-02-26 Fixed the formatting. 2020-04-17 Added the section discussing spctl. 2020-03-25 First version.

I am working on releasing my macOS arm64 app. My problem is that after the user downloads the dmg, double-clicking my.app in the dmg, a Gatekeeper pop-up box will appear with a warning that the developer cannot be verified. Question: Can an application signed with "com.apple.security.cs.disable-library-validation" be published as trusted? If yes, what steps have I missed? If not, can I get an official response from Apple? （Because I referred to this post, it seems to mention that it is possible to publish trusted software.I have looked up similar questions on the forum and tried many things, but nothing works. ） Here are my steps: Use the codesign to sign my.app. Because my app needs to access third-party dynamic libraries, entitlements.plist contains a "com.apple.security.cs.disable-library-validation". After the "codesign -dvvv" check, the signature was successful.✅ Use the "xcrun notarytool" command to notarize my app, and the status is displayed as accepted.✅ Use "xcrun stapler staple" to attach the notarization to my app, and it returns success.✅ Use the "spctl -a -v " command to verify whether my app has passed Gatekeeper, and it returns that it has passed.✅ Then I packaged my.app into a dmg, and then attached the notarization mark to the dmg, which was successful.✅ I completed the above steps and distributed the dmg. When I downloaded the dmg as a user test and double-clicked my.app in it, the Gatekeeper pop-up box still appeared, and the developer cannot be verified.❌

We get a "The application "Finder" does not have permission to open "(null)“" error message in macOS 15.1 when trying to open unsigned applications. Is this a known bug in macOS 15.1 ? If so any indications of whether it will be fixed in the future. In macOS 15.0.1 the workaround for launching unsigned applications still worked.

Adobe says that Animate works with the latest Mac OS. When I publish apps with Animate, they work on my computer. With a self-signed certificate, they work on some older Mac OS versions, but not on the 2 most recent. How can I test my apps on others' Mac computers? Robert