Properly notarized application loses "Execution" attribute after downloaded from web server

I signed and notarized my macOS application, created a zip archive, and uploaded it to a Windows IIS web server.

When I downloaded it and unzipped it on a Mac with Catalina or Big Sur and opened it, I got the error message "You do not have permission to open the application XX".

I have to do the following two things to make it work:
  1. Run "sudo xattr -rd com.apple.quarantine path/to/myapp" to remove the quarantine attribute.

  2. Run "chmod -R 755 path/to/myapp" to grant the execution permission to the app because the attribute is stripped off by the OS after download.

My Question:
Is there any way to prevent the OS from adding the quarantine attribute and stripping off the execution attribute from the application if the application is downloaded from the internet?






Is there any way to prevent the OS from adding the quarantine attribute

No. Quarantining downloads is an important security feature of macOS in that it triggers a thorough Gatekeeper check of the app on first run. For more background on this, see Safely open apps on your Mac - Apple Support, published by Apple Support.

You should structure your app such that it passes Gatekeeper. This involves signing and notarising it. Before we look at this issue, however, we need to talk about this:

stripping off the execution attribute from the application if the application
is downloaded from the internet?

macOS does not do this. Given the observed symptoms it seems likely that either:
  • The file in the zip archive never had the executable bit set.

  • Something on the server side is stripping it.

You can determine which is which by unpacking the zip archive on the Mac. That is:
  1. Check that the original file has the executable bit set.

  2. Create the zip archive on the Mac.

  3. Unpack that archive on the Mac.

  4. Check the executable bit on the unpacked file.

If the executable bit is not set, there’s a problem with the way that you created your zip archive. If the executable bit is set, it’s likely that your server is stripping it.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
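A complementary check to the unpack test described in the answer above, as an added example that is not part of the original thread: it reads the Unix mode recorded in each zip entry, so the archive itself shows whether the executable bit was ever stored. It goes beyond the steps in the answer; the bundle name `MyApp.app` and the sample archives are constructed for illustration.

```python
import io
import stat
import zipfile

UNIX = 3  # "version made by" host system value for Unix in the zip format


def entry_mode(info):
    """Return the Unix permission bits stored for an entry, or None if absent."""
    if info.create_system != UNIX:
        return None  # archive written by a non-Unix tool: no mode recorded
    mode = info.external_attr >> 16  # Unix mode lives in the upper 16 bits
    return stat.S_IMODE(mode) if mode else None


def missing_exec_bit(zip_source, exec_dir="Contents/MacOS/"):
    """List files under exec_dir whose archive entry lacks the owner-execute bit."""
    problems = []
    with zipfile.ZipFile(zip_source) as zf:
        for info in zf.infolist():
            if info.is_dir() or exec_dir not in info.filename:
                continue
            mode = entry_mode(info)
            if mode is None or not mode & stat.S_IXUSR:
                problems.append((info.filename, mode))
    return problems


def build_sample(with_unix_modes):
    """Constructed sample archive holding a hypothetical MyApp.app bundle."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, mode in (("MyApp.app/Contents/MacOS/MyApp", 0o755),
                           ("MyApp.app/Contents/Info.plist", 0o644)):
            info = zipfile.ZipInfo(name)
            # Either record a Unix mode, or mimic a tool that stores none.
            info.create_system = UNIX if with_unix_modes else 0
            info.external_attr = ((stat.S_IFREG | mode) << 16) if with_unix_modes else 0
            zf.writestr(info, b"placeholder")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    print(missing_exec_bit(build_sample(True)))   # archive that kept Unix modes
    print(missing_exec_bit(build_sample(False)))  # archive with no mode recorded
```

`missing_exec_bit` also accepts a path, so it can be pointed at the zip before upload and again at the copy downloaded from the server.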