How to trigger GateKeeper quarantine without uploading/ downloading the file/ installer? - macos

I made a pkg installer and I'm trying to debug the codesigning issue where GateKeeper has put the quarantine flag on the installer.
This quarantine translates to the permission denied when the application through the CLI, or when double clicking, or when right clicking > open:
It does this only when the installer gets downloaded. I think I have figured out why the installer gets quarantined by GateKeeper, but the only way I can test this is by uploading it and then downloading it. This is slow, and I would like to run GateKeeper checks without wasting time uploading to the internet.
I read somewhere that zip`ing the file and unzipping it might work, it doesn't.

The quickest solution I came up with is to drag and drop the file onto a web browser and re-download it from the browser. This doesn't use any internet. It still passes through GateKeeper since the quarantine flag is re-added to the .pkg file.
Even Apple doesn't suggest this:
Quarantine a copy of your app. You can do this in either of the following ways:
Email the app to yourself and use the copy that Mail downloads.
Host the app on your own local or remote server and use the copy that Safari downloads

Related

How to install unpacked extension in firefox & chrome?

i have created extension by using crossrider they gave me xpi & crx file which i extracted and want to install manually by copying data to the browser's extension path.
I've read & tried many posts regarding this but they are not helpful because i think some posts are old & not able to find target paths & registry.
like in many posts they say create the following key in the registry here
32-bit Windows: HKEY_LOCAL_MACHINE\Software\Google\Chrome\Extensions
but i couldn't find that on my windows registry & i am using 32bit.
i want something like i copy my extension data to the browser's extension directory & inject some registry value thats all. if it possible then How?
For firefox just add the xpi or unpacked folder to the profile folder. No need for registry so its cross platform.
It can't be automatic as spyware would be all over that. After placing xpi in the extensions folder of the profile, on next startup of Firefox it will prompt saying it found an unauthorized by user add-on, and gives user a chance to enable it, or keep it disabled.
If you want to do it without startup, just launch the file path to the xpi or unpacked folder (if unpacked folder doesnt work, then point it to the install.rdf) in the browser, user will be prompted if they want to install.
There are some registry options though: Install Firefox extension using Windows registry
In Chrome, it's no longer possible to add an extension programmatically on Windows unless the extension is actually published in the Store.
This is for security reasons: previous registry-based (and otherwise) methods were open to malware abuse.
If your extension is published in the store, you can add it semi-automatically via registry. The user will still be asked whether to enable it on the next load.
You can also install extensions silently using Enterprise policy (only if the machine is part of a Windows domain and you have admin rights on the domain policy), on other OSes, or load it unpacked for testing with the --load-extension command line switch (will not persist after Chrome is restarted).
In Chrome go to
chrome://extensions
Enable Developer Mode at the top and click on the button to load an extracted extension.

Why My DMG is not getting opened without asking security popup

I created a DMG .this has 640 and apache permissions. once i uploaded it to internet some extended attributes are getting added to it. Because of that when customer downloads it they are getting a pop up
"There may be a problem with this disk image. Are you sure you want to open it?
Opening this disk image may make your computer less secure or cause other problems."
I don't want quarantine attribute to be added to it.so what should i do to my dmg before uploading it to internet such that quarantine attribute will not be set.And also why this pop is not coming for other dmg's downloaded from net. I downloaded google chrome.dmg, for that quarantine attribute is not set.can any one help me out with better solution
Did you sign the entire DMG as well as the .app file? I believe this is a new requirement if you have additional files in the DMG besides the signed .app.
(Copied from my answer at Mac DMG oddity - signing and "damaged" applications)
In addition to signing the .app bundle:
codesign -f -s "Developer ID Application: Your Dev ID Here" -v "Your App.app"
you should also sign the created DMG as well:
codesign -f -s "Developer ID Application: Your Dev ID Here" -v YourProgram.dmg
I didn't put quotation marks around the dmg file path because it's less likely that you have spaces in the dmg name. If you do, don't forget to escape them on the command line, or wrap your file path in quotes.
I don't want quarantine attribute to be added to it.so what should i do to my dmg before uploading it to internet such that quarantine attribute will not be set.
Distribute it through the App Store or sign it with your Apple developer account.
And also why this pop is not coming for other dmg's downloaded from net.
The other DMGs are probably distributed through the App Store or signed it with an Apple developer account.
Here's the settings of interest:
The best you can do is distribute through the App Store (in Apple's opinion).
I settle on the App Store and Identified Developers. There's no difference between the two in my opinion - in both cases, I rely upon Apple to check the developer and binary. Where it comes from (App Store vs Internet) does not matter to me.
However, I trust some developers more than Apple's assertion. For example, I have more trust for the Wireshark folks than anything Apple has to say about an unknown developer. I would install Wireshark even if it was not signed (xattr -r -d "com.apple.quarantine" <app> to the rescue).
I don't think this is related to the extended attributes or quarantine at all. That error message indicates that the filesystem in the disk image is corrupt, probably because the image was damaged during uploading/downloading (see this previous SU question). Can you checksum the image before and after uploading & downloading it to see if it's been changed somewhere along the path? Also, using Disk Utility to verify the volume would be useful.
As far as quarantine is concerned: the quarantine attribute is added when the image (or any other file) is downloaded; there is nothing you can do to prevent this. If there were a way to avoid this, the bad guys would be using it on their malware to evade the quarantine security checks -- and Apple would consider this a bug, and fix it. Your customer can remove the quarantine after downloading the image, but this should not be necessary. (Although you may want to sign some/all of the files inside the image to comply with gatekeeper's restrictions.)

Xcode 4 exported app gives error 'Can't Open Application...Classic Environment Not supported'?

I made a simple app, archived it and went into organizer. From there I clicked Distribute -> Export As Application -> Don't Resign and then saved it to my desktop. It runs fine then, but if I upload it to Mediafire and try to download it I get the error You can't open the application X because the Classic environment is no longer supported. when trying to run it. I didn't change any default settings.
How did you upload it? Did you wrap it in a zip archive or did you just upload the raw app bundle?
If you just uploaded the raw app then you will have destroyed the permissions and extended attributes on the executables, causing the app to fail to work when downloaded.
The system will see your main executable as a non-executable file, and the "Classic Environment" error message is just the default error message in this situation as it's the most likely reason for this issue.
Wrapping the app in a zip works because the zip format retains the permissions information for the files in the zip archive.
Hm for whatever reason I had to zip up the file before uploading it. Don't know exactly why, but that works.

Remove Sandboxing

I have another question dealing with app sandboxing. So I need access to the users' home directory and at the same time the app should be able to shut down the Mac. This requires to not using sandboxing.
My problem is that I don't know how to remove sandboxing and being able to submit the app to the Mac App Store. I think that the archives are sandboxed because I had turned it on once..
How to remove sandboxing from the archives properly?
Thanks for your help!
On Xcode 11, you can turn off Sandboxing by removing it from the Signing & Capabilities tab:
If I understand what you are asking correctly, you'll need to remove the entitlements.plist from your project and make sure that the Summary view of your target in Xcode has sandboxing turned off:
As Derek Wade pointed out, you can make an App like GarageBand X (which behaves obnoxiously with third party plugins like Amplitube due to Sandboxing) NOT run in a sandbox by editing the binary itself with a HEX editor like HexFiend. Look for:
<key>com.apple.security.app-sandbox</key>
Immediately following that bit you'll see the true tag, which as suggested I switched to 'fals' (no extra bytes) and now GarageBand will happily interact with third party VST plugins. Huzzah.
I found if you go into the .app package, under Contents/MacOS, there should be a binary file that matches the name of your app. Copy that file to your desktop. Edit the desktop copy of the file with TextEdit. You should find within the file, the text representation (xml) of the Entitlements for the app. Find the Sandbox entitlement flag (usually set to <true/>) and change it to <false/>. You will have to unlock the file when editing. Save the file (located on the desktop). Rename the original file in the .app package (i.e. append .old to the filename). Copy the desktop file back to the .app Package location (you may have to authorize it). This should remove the sandboxing.
You cannot remove Sandbox if the user ran you application via Sandbox.
That's the whole point - don't you think ?

PackageMaker installs nothing

i have a problem, which is exactly as here http://compgroups.net/comp.sys.mac.apps/PackageMaker-not-installing-my-app (no solution is offered)
simply said, with PackageMaker i create an installer, which should just copy the .app inside /Applications
all goes well, the installer has the apropriate size of 150MB, the install starts, iam promped for the install location and admin password, i click install, progress shows up and a window that installation was successfull, but when i look at the Applications, or the custom folder specified, its nothing there
i tryed the PackageManager from Xcode 3 and also 4, but the result is the same, i also tryed to set the file permission for everybody, so they are world writable, but no success
Are you testing the installer on the same machine where you are building the installer? If you've set the "Allow Relocation" box a install will simply overwrite your already existing app you used for packaging instead of installing to /Applications.
Don't create the package just to move the app inside /Applications.
Just zip your app bundle so that it becomes YourApp.app.zip, which is a perfectly acceptable way to distribute your app. Then the user can place the app bundle (after unpacking the zip) wherever the user wants.
Do you have "Include root in package" enabled for the package's contents? See this answer for an explanation of what it does and why you probably need it.

Resources