Why does macOS allow dangerous operations on quarantined applications?

Hi! I am wondering about certain features that I witnessed today.

Base scenario: I created a developer certificate signed version of my installer package and then downloaded it via the internet. It has not been notarized.

As expected, macOS prevented the opening of the package, stating that it could not be determined whether it contained for malicious content.

But, several operations I then performed made this package trusted by macOS:

  • I moved the package through a file-sharing service via Finder, namely OneDrive. The recipient machine immediately opened the unsigned package, without any interruption from the operating system. This sounds extremely unsecure. I checked manually with xattr, and indeed, the com.apple.quarantine attribute has been removed on the recipient side.
  • I used pkgutil to explode the package, modified some files in it, then recompiled it. xattr again confirmed that the quarantine attribute has been removed. Why can pkgutil operate on untrusted packages?

I have personally been extremely surprised operations as simple as these remove security hurdles in macOS. These scenarios can be harmful for end-users who have little IT knowledge. Why are they allowed? Are these scenarios considered the responsibility of end-users? Why do we notarize and sign with precious distribution certificates if it's this simple to bypass any security check on macOS? :(

Do it all over again as a non-admin user of the Mac.

These are all why question, which are hard to answer here on DevForums. I have specific advice for you in tip 3 of Quinn’s Top Ten DevForums Tips.

I will note that:

  • There’s always a balance between security and convenience.

  • This is especially true on macOS, where security wasn’t a concern in its initial design.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Why does macOS allow dangerous operations on quarantined applications?
 
 
Q