macOS 15 – Is AppleScript a Gatekeeper workaround?

I have tried to manually install binaries using Finder by clicking and dragging from the Desktop into "/usr/local/bin/". The binaries come with a collection of frameworks etc. All the binaries are ad hoc signed. macOS asks for Admin credentials, which is fine. But then, when I execute the binaries in Terminal, Gatekeeper shows the now expected "[binary] Not Opened. Apple could not verify ........" dialog. It shows that dialog for every component and requires user input 2-3 times to allow each component, of which there are perhaps dozens.

BUT, none of that happens if I install those binaries using AppleScript. So, it might have a call like this:

-- download_URL, download_binary_zip and usr_bin_folder are set earlier in the script; "quoted form of" keeps spaces or shell metacharacters in those values from being interpreted by the shell
do shell script "curl -L " & quoted form of download_URL & " -o " & quoted form of download_binary_zip with administrator privileges
do shell script "unzip -o " & quoted form of download_binary_zip & " -d " & quoted form of usr_bin_folder with administrator privileges

The resulting installs work perfectly.

Is this intended? Using both install methods requires Admin credentials. Why does using a script work but using Finder does not?

Answered by DTS Engineer in 806786022

The reason why AppleScript is working is that it doesn’t quarantine those binaries. In general, Gatekeeper only runs on things that are quarantined.

IMPORTANT This isn’t universally true today. In some circumstances Gatekeeper will check code even if it’s not quarantined. Moreover, it’s easy to imagine a future where it’s not true at all.

Where do these binaries come from? My general advice is that you arrange to get them signed properly. Without that, things are just complicated.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
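
The reply above turns on one detail: Gatekeeper keys on the com.apple.quarantine extended attribute, which Finder and browsers set on downloads and which curl plus unzip run from a script does not. The script below is an added example, not code from the thread or from Apple; it inspects that attribute so you can see which installed components would and would not be checked. The attribute value layout (flags;hex-timestamp;agent;uuid) is assumed from values seen in practice, and the sample value used in the comments is constructed.

```shell
#!/bin/sh
# Added example: inspect the com.apple.quarantine attribute Gatekeeper keys on.
# quarantine_status and scan_dir need macOS xattr(1); quarantine_decode is pure string handling.

# Decode a quarantine attribute value such as "0083;66f3a1b2;Safari;<uuid>" (constructed sample)
# into readable fields: flags, download time as a Unix epoch, and the agent that set it.
quarantine_decode() {
    value="$1"
    flags=$(printf '%s' "$value" | cut -d';' -f1)
    ts_hex=$(printf '%s' "$value" | cut -d';' -f2)
    agent=$(printf '%s' "$value" | cut -d';' -f3)
    if [ -n "$ts_hex" ]; then
        ts_dec=$((0x$ts_hex))
    else
        ts_dec=0
    fi
    printf 'flags=%s epoch=%s agent=%s\n' "$flags" "$ts_dec" "$agent"
}

# Report whether one path carries the attribute. Returns 0 if quarantined, 1 if not.
# A file without it is exactly the case the reply describes: Gatekeeper generally will not check it.
quarantine_status() {
    path="$1"
    if v=$(xattr -p com.apple.quarantine "$path" 2>/dev/null); then
        printf '%s: quarantined (%s)\n' "$path" "$(quarantine_decode "$v")"
        return 0
    fi
    printf '%s: not quarantined (Gatekeeper will generally not check it)\n' "$path"
    return 1
}

# Walk an install directory (e.g. /usr/local/bin) and report every regular file,
# which is how to see at a glance what a scripted install left unchecked.
scan_dir() {
    find "$1" -type f | while IFS= read -r f; do
        quarantine_status "$f" || true
    done
}
```

Usage on a Mac: `scan_dir /usr/local/bin`. Note that a file reported as not quarantined is not thereby safe; it has simply not been through the check, which is the counter-intuitive point the thread is making.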

Many thanks for this. Seems a bit counter-intuitive – I had thought quarantined code would be safer than non-quarantined. I will do more reading on what quarantining means.

The binaries come from GitHub. The tool is a well known public domain cross-platform Python script maintained by volunteers. They are not macOS developers and I doubt they have an Apple Dev ID. They use GitHub's workflows to build macOS, Windows and Linux binaries. They are accommodating in providing packed and unpacked macOS binaries as well as a version for macOS prior to 10.15. Their tool is the best in the business and is used in many commercial and free apps.

The tool is a well known public domain cross-platform Python script maintained by volunteers.

Have you thought about volunteering to do the signing and notarisation for them? It sounds like a lot of folks would benefit.

The other option would be for you to build a local installer package that contains this stuff. You could then sign and notarise that.

While I can’t predict the future, the historical path of Gatekeeper is very clear: macOS is getting increasingly unaccepting of unsigned code [1]. So, it’d be better to get your process on to a path that doesn’t rely on that.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] Well, code that isn’t signed and notarised.
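
The "build a local installer package, then sign and notarise it" route from the reply, as an added example script; it is not code from the thread or from Apple. It uses the stock tools (pkgbuild, notarytool, stapler, spctl). The signing identity, package identifier, notarytool keychain profile name and paths are placeholders you substitute; set DRY_RUN=1 to print the commands instead of running them.

```shell
#!/bin/sh
# Added example: package, sign, notarise and staple a payload destined for /usr/local/bin.
# All identities, identifiers and paths below are placeholders.
set -eu

# Run a command, or just print it when DRY_RUN=1 (handy for checking the pipeline off-Mac).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# $1 payload directory (the binaries and frameworks as they should land in /usr/local/bin)
# $2 package identifier, e.g. com.example.tool      $3 version string
# $4 "Developer ID Installer: Name (TEAMID)" identity in the login keychain
# $5 notarytool keychain profile created with `xcrun notarytool store-credentials`
# $6 output .pkg path
build_signed_pkg() {
    root="$1"; ident="$2"; version="$3"; sign_id="$4"; profile="$5"; out="$6"
    [ -d "$root" ] || { echo "payload dir missing: $root" >&2; return 1; }
    # Build the flat package and sign it in one step.
    run pkgbuild --root "$root" --identifier "$ident" --version "$version" \
        --install-location /usr/local/bin --sign "$sign_id" "$out"
    # Submit to Apple's notary service and wait for the verdict.
    run xcrun notarytool submit "$out" --keychain-profile "$profile" --wait
    # Attach the notarisation ticket so offline installs still pass Gatekeeper.
    run xcrun stapler staple "$out"
    # Ask the local policy engine the same question Gatekeeper will ask at install time.
    run spctl --assess --type install -v "$out"
}
```

Because the package is signed and notarised, the quarantine attribute a browser adds no longer matters: the Gatekeeper check runs and passes, which is the path the reply recommends over relying on the check being skipped.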

Yes, I've thought of volunteering my own Apple Developer ID. However, I think it's best that the signing be by the people responsible for the code. Perhaps the developers can acquire a group Apple ID. Then, users who check the signing details will see the developers' details and not mine. Yes, quite a lot of people would benefit but the developers have no cash. I can donate some $ for an Apple Developer ID for them but, they would not want to rely on me in the long term.

I'd rather not build and distribute the Python script to my users myself. The script is updated at least monthly and there are nightly releases too. It'd be too much ongoing maintenance to keep users up-to-date. My applet currently lets users update when they want which means I would have to be up-to-date 24/7.

Apparently, it is possible to add code signing to a GitHub workflow. I've had a look and do not understand any of it. There's mention of secrets, actions, provisioning, profiles, etc. As GitHub warn: "You should be familiar with YAML". I did once try to learn YAML but gave up.

Cheers.

Updated to change Apple ID to Developer ID

Updated to remove idea of an organisation developer ID – just not possible for unincorporated volunteer groups !!
