Avoiding notarisation & Gatekeeper for development builds & testing

We're building a game for macOS, but during testing have noticed that it takes a long time between double-clicking the icon, and the actual launch of the game. During that time, we can see that XprotectService and syspolicyd are both running at 100% CPU. It takes on the order of several minutes for the actual game to launch.

I understand that this is due to the newly-introduced Gatekeeper system: since we haven't notarised the game, the system kicks in to verify the app when it's launched. However, the (up to 10) minutes-long delay is significantly impacting our internal testing process. Further, it seems a bit much to build the game, then run a series of command line tools to upload the build, wait for a response, download & staple the ticket to our app, and then distribute it to our own internal developers, simply in order to test minor functional changes to the app.

Is there some way around notarisation and the launching delay introduced by Gatekeeper, if we're simply building an app to test internally? Similar to signing with a development certificate & profile?

Accepted Reply

How would they go about un-quarantining the app

To unquarantine a file, use the xattr command-line tool to remove the com.apple.quarantine extended attribute. See the xattr man page for details on how to use that tool.

IMPORTANT The com.apple.quarantine extended attribute is not considered API. If you’re writing code to quarantine or unquarantine a file, use the quarantine API (discussed next) rather than modifying the extended attribute directly.

Alternatively, you could write a small tool to modify the quarantine state using the quarantinePropertiesKey URL resource. Its value is a dictionary where the dictionary keys are kLSQuarantineAgentNameKey and friends.

downloading it without it being placed in quarantine?

Most Unix-y tools don’t quarantine their downloads, including curl and scp.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
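
One way to write the small tool the accepted reply suggests, using the `quarantinePropertiesKey` URL resource; this is an added example, not code posted by anyone in the thread. The tool name, the `--clear` flag and the walk over the bundle's contents are assumptions of this example.

```swift
// Added example (not from the thread): report and optionally clear quarantine
// state via the URL resource API rather than editing com.apple.quarantine.
// Hypothetical usage: swift quarantine-tool.swift [--clear] /path/to/MyGame.app
import Foundation
import CoreServices  // kLSQuarantineAgentNameKey

/// Quarantine dictionary for `url`, or nil when the item is not quarantined.
func quarantineProperties(of url: URL) throws -> [String: Any]? {
    try url.resourceValues(forKeys: [.quarantinePropertiesKey]).quarantineProperties
}

/// Clears quarantine on one item; assigning nil asks the system to delete the properties.
func clearQuarantine(of url: URL) throws {
    var target = url
    var values = URLResourceValues()
    values.quarantineProperties = nil
    try target.setResourceValues(values)
}

/// `root` plus everything inside it, since files unpacked from a quarantined archive may be marked too.
func itemsToCheck(under root: URL) -> [URL] {
    let nested = FileManager.default.enumerator(at: root, includingPropertiesForKeys: nil)?
        .compactMap { $0 as? URL } ?? []
    return [root] + nested
}

var arguments = Array(CommandLine.arguments.dropFirst())
let shouldClear = arguments.first == "--clear"
if shouldClear { arguments.removeFirst() }
guard let path = arguments.first else {
    print("usage: quarantine-tool [--clear] <path>")
    exit(64)
}

var handled = 0
for url in itemsToCheck(under: URL(fileURLWithPath: path)) {
    do {
        guard let properties = try quarantineProperties(of: url) else { continue }
        let agent = properties[kLSQuarantineAgentNameKey as String] as? String ?? "unknown agent"
        print("\(shouldClear ? "clearing" : "quarantined"): \(url.path) (set by \(agent))")
        if shouldClear { try clearQuarantine(of: url) }
        handled += 1
    } catch {
        print("error: \(url.path): \(error.localizedDescription)")
    }
}
print("\(handled) quarantined item(s) \(shouldClear ? "cleared" : "found")")
```

Running it without `--clear` first shows which downloading agent quarantined the build, which confirms where in the distribution path the attribute is being applied.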

Replies

How are you downloading your app to the test Macs?

Gatekeeper usually only kicks in if the app is quarantined, and thus you can either use a download mechanism that doesn’t quarantine the download or unquarantine the app before running it.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"

Since we're building the game with Unity, it simply creates the .app file, which I then compress to a .zip file and send to our internal team via Dropbox.

How would they go about un-quarantining the app, or downloading it without it being placed in quarantine?
