macOS 15 – Is AppleScript a Gatekeeper workaround ?

The reason why AppleScript is working is that it doesn’t quarantine those binaries. In general, Gatekeeper only runs on things that are quarantined.

IMPORTANT This isn’t universally true today. In some circumstances Gatekeeper will check code even if it’s not quarantined. Moreover, it’s easy to imagine a future where it’s not true at all.

Where do these binaries come from? My general advice is that you arrange to get them signed properly. Without that, things are just complicated.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Many thanks for this. Seems a bit counter-intuitive – I have thought quarantined code would be safer than non-quarantined. I will do more reading on what quarantining means.

The binaries come from GitHub. The tool is a well known public domain cross-platform Python script maintained by volunteers. They are not macOS developers and I doubt they have an Apple Dev ID. They use GitHub's workflows to build macOS, Windows and Linux binaries. They are accommodating in providing packed and unpacked macOS binaries as well as a version for macOS prior to 10.15. Their tool is the best in the business and is used in many commercial and free apps.

The tool is a well known public domain cross-platform Python script maintained by volunteers.

Have you thought about volunteering to do the signing and notarisation for them? It sounds like a lot of folks would benefit.

The other option would be for you to build a local installer package that contains this stuff. You could then sign and notarise that.

While I can’t predict the future, the historical path of Gatekeeper is very clear: macOS is getting increasing unaccepting of unsigned code [1]. So, it’d be better to get your process on to a path that doesn’t rely on that.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] Well, code that isn’t signed and notarised.

Yes, I've thought of volunteering my own Apple Developer ID. However, I think it's best that the signing be by the people responsible for the code. Perhaps the developers can acquire a group Apple ID. Then, users who check the signing details will see the developers' details and not mine. Yes, quite a lot of people would benefit but the developers have no cash. I can donate some $ for an Apple Developer ID for them but, they would not want to rely on me in the long term.

I'd rather not build and distribute the Python script to my users myself. The script is updated at least monthly and there are nightly releases too. It'd be too much ongoing maintenance to keep users up-to-date. My applet currently lets users update when they want which means I would have to be up-to-date 24/7.

Apparently, it is possible to add code signing to a GitHub workflow. I've had a look and do not understand any of it. There's mention of secrets, actions, provisioning, profiles, etc. As GitHub warn: "You should be familiar with YAML". I did once try to learn YAML but gave up.

Cheers.

Updated to change Apple ID to Developer ID

Updated to remove idea of an organisation developer ID – just not possible for unincorporated volunteer groups !!