Gatekeeper and code signing

Hello,

I have made a basic C program and compiled it with gcc. This program has not been signed (I didn't run codesign). When I try to run this program from Terminal, I don't get any Gatekeeper popup. My first question is... why?

I have created a SwiftUI project with Xcode (Xcode 15). I have set the signing settings to "Sign to Run Locally" (by the way, can you tell me how I can disable signing in Xcode?). I opened Terminal and changed the current directory to the ~/Library/Developer/Xcode/DerivedData/..../Products/Debug/MyApp.app/Contents/MacOS folder. Now I get a Gatekeeper confirmation popup if I run "./MyApp" from Terminal. My second question is... why?

Does that mean Gatekeeper only checks signed binaries?

Thanks

Replies

This program has not been signed (I didn't run codesign).

FYI, if you’re on Apple silicon be aware that all code must be signed. In situations like this you typically find that your code was ad hoc signed by the linker.

My first question is... why?

Because Apple wants the Mac to be a Mac, and that means that folks should be able to build and run their own code without too much grief.

I have created a SwiftUI project with Xcode (Xcode 15). I have set the signing settings to "Sign to Run Locally"

Sign to Run Locally is Xcode parlance for ad hoc signing.

In most cases it’s better not to use Apple Development signing. If you’re not a paid member of the Apple Developer Program, you can use any Apple ID as a free (as in beer) Personal Team.

The reason why you want to use Apple Development signing is that there are a bunch of subsystems within macOS that behave weirdly if your code doesn’t have a stable code signing identity. For example, if you create a keychain item with one build of your app and then try to access it with another build, you’ll see an authorisation alert. The stable code signing identity is the thing that allows the keychain to know that the new build of your app is the ‘same code’ as the old build.

I talked about this in some detail in TN3127 Inside Code Signing: Requirements.

(by the way, can you tell me how I can disable signing in Xcode?)

There’s no good way to do that because, as I mentioned above, all code on Apple silicon must be at least ad hoc signed.

My second question is... why?

I’ve no idea. That doesn’t match my expectation and, when I tried this here in my office, I didn’t see a Gatekeeper alert.

Does that mean Gatekeeper only checks signed binaries?

No. The rules as to what Gatekeeper checks are complicated, not officially documented, and evolve over time. However, for something simple like an app, Gatekeeper typically only kicks in if the app is quarantined.

Do you see this problem if you sign with a Personal Team? If not, I recommend that you do that and move on with your day.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Sorry, but I really need to understand something: I have compiled a binary with gcc on an M1 Mac. I have no Apple Developer Program account on this computer. I am not an identified developer. As you said, this binary has an ad hoc signature (I don't really understand what an "ad hoc" signature is, but I suppose this is a self-signed mechanism?).

I have sent this binary to another computer on a USB key. This Mac is running Sonoma too. The security configuration on this Mac is "Allow applications downloaded from App Store and identified developers".

I had no Gatekeeper popup when I tried to run this binary on this other computer. The binary ran. I was expecting to get a confirmation popup because this binary is not signed by an identified developer...

I was expecting to get a confirmation popup

The exact circumstances under which Gatekeeper runs a full check of a program, and thus would generate this alert, are not documented. They also change regularly. This is because Gatekeeper has to strike a careful balance between:

  • Protecting users from relevant threats

  • Avoiding security alert fatigue

  • Keeping the Mac a Mac

If, for example, you uploaded this program to a web server and downloaded it using Safari, Safari would quarantine the download and the program would be rejected by Gatekeeper.

Again, this is all implementation detail and AFAIK there isn’t an official rationale for it [1]. If you’re looking for official info on this sort of thing, the go-to document is Apple Platform Security. It does cover Gatekeeper, but doesn’t cover this specific point. If you’d like to see more detailed info about Gatekeeper’s policy, you should absolutely file an enhancement request against that doc.

If you’re developing software for the Mac, test for Gatekeeper compatibility using the process described in Testing a Notarised Product.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] Personally, I view this as an indication that ‘sneaker net’ is not a relevant threat.
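To check the two points made in the replies above on a real machine (that a plain gcc build on Apple silicon comes out ad hoc signed by the linker, and that Gatekeeper is only consulted when the file carries a quarantine attribute), here is an added shell script. It is not part of the thread and not Apple's code. It assumes macOS with the stock codesign, xattr and spctl tools, that the binary under test is passed as the first argument (for example ./hello from cc hello.c -o hello), and that a hand-written com.apple.quarantine value of the usual "flags;timestamp;agent;uuid" shape is enough to make a file look like a browser download; the flag value 0081 is a typical download value whose bit meanings Apple does not document. The parsing helpers are plain POSIX sh and run anywhere; the commands themselves only run on macOS.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes macOS with the stock
# codesign/xattr/spctl tools; the parsing helpers below are plain POSIX sh.
# Usage: sh gatekeeper-check.sh ./hello   (hello built with: cc hello.c -o hello)

# Classify `codesign -dvv` output (read from stdin; codesign writes it to
# stderr, so the caller redirects 2>&1). A plain cc/gcc build on Apple
# silicon should come out "adhoc": the linker signed it, you did not.
signature_kind() {
  out=$(cat)
  case "$out" in
    *"code object is not signed at all"*) echo unsigned ;;
    *"Authority="*)                        echo identity ;;  # real certificate chain
    *"Signature=adhoc"*)                   echo adhoc ;;     # hashes only, no identity
    *)                                     echo unknown ;;
  esac
}

# Summarise a com.apple.quarantine value. Its shape is
# "flags;timestamp;agent;uuid": flags and the Unix timestamp are hex, agent
# is the application that wrote it (Safari, Mail, ...). The meaning of the
# flag bits is undocumented, so they are echoed here, not interpreted.
quarantine_summary() {
  flags=$(printf '%s' "$1" | cut -d';' -f1)
  ts=$(printf '%s' "$1" | cut -d';' -f2)
  agent=$(printf '%s' "$1" | cut -d';' -f3)
  printf 'agent=%s flags=0x%s downloaded_epoch=%d\n' "$agent" "$flags" "$((0x$ts))"
}

# Run all three checks against one file.
inspect() {
  printf '== %s\n' "$1"
  printf 'signature: '; codesign -dvv "$1" 2>&1 | signature_kind
  if q=$(xattr -p com.apple.quarantine "$1" 2>/dev/null); then
    printf 'quarantine: '; quarantine_summary "$q"
  else
    echo 'quarantine: none (Gatekeeper is not consulted when this is launched)'
  fi
  # spctl applies the system policy whether or not the file is quarantined,
  # so it shows the verdict Gatekeeper would give if it were triggered;
  # an ad hoc signature is rejected under "App Store and identified developers".
  spctl --assess --type execute -vv "$1" 2>&1 || true
}

# Reproduce the "downloaded with Safari" case without a browser: copy the
# binary and write a quarantine attribute on the copy. "0081" is a typical
# download value (assumption: Apple does not document the individual bits).
quarantine_copy() {
  cp "$1" "$1.quarantined"
  xattr -w com.apple.quarantine "0081;$(printf '%x' "$(date +%s)");ManualTest;" "$1.quarantined"
  printf '%s.quarantined\n' "$1"
}

if [ "$#" -gt 0 ] && command -v codesign >/dev/null 2>&1; then
  inspect "$1"                       # fresh build: adhoc, no quarantine, runs freely
  inspect "$(quarantine_copy "$1")"  # launching this copy is what raises the alert
fi
```

On a fresh Apple silicon build the first report reads "signature: adhoc" and "quarantine: none", which is why the original poster saw no alert on either Mac: nothing in the sneaker-net path ever wrote the attribute. Launching the .quarantined copy (from Finder or from Terminal) is the case Quinn describes for a Safari download, and `xattr -d com.apple.quarantine` on the copy puts it back to the silent state.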