Why My DMG is not getting opened without asking security popup - macos

I created a DMG. This has 640 and apache permissions. Once I uploaded it to the internet, some extended attributes are getting added to it. Because of that, when a customer downloads it they are getting a pop-up:
"There may be a problem with this disk image. Are you sure you want to open it?
Opening this disk image may make your computer less secure or cause other problems."
I don't want the quarantine attribute to be added to it. So what should I do to my DMG before uploading it to the internet such that the quarantine attribute will not be set? And also, why is this pop-up not coming for other DMGs downloaded from the net? I downloaded google chrome.dmg; for that, the quarantine attribute is not set. Can anyone help me out with a better solution?

Did you sign the entire DMG as well as the .app file? I believe this is a new requirement if you have additional files in the DMG besides the signed .app.
(Copied from my answer at Mac DMG oddity - signing and "damaged" applications)
In addition to signing the .app bundle:
codesign -f -s "Developer ID Application: Your Dev ID Here" -v "Your App.app"
you should also sign the created DMG as well:
codesign -f -s "Developer ID Application: Your Dev ID Here" -v YourProgram.dmg
I didn't put quotation marks around the dmg file path because it's less likely that you have spaces in the dmg name. If you do, don't forget to escape them on the command line, or wrap your file path in quotes.

I don't want the quarantine attribute to be added to it. So what should I do to my DMG before uploading it to the internet such that the quarantine attribute will not be set?
Distribute it through the App Store or sign it with your Apple developer account.
And also, why is this pop-up not coming for other DMGs downloaded from the net?
The other DMGs are probably distributed through the App Store or signed with an Apple developer account.
Here's the settings of interest:
The best you can do is distribute through the App Store (in Apple's opinion).
I settle on the App Store and Identified Developers. There's no difference between the two in my opinion - in both cases, I rely upon Apple to check the developer and binary. Where it comes from (App Store vs Internet) does not matter to me.
However, I trust some developers more than Apple's assertion. For example, I have more trust for the Wireshark folks than anything Apple has to say about an unknown developer. I would install Wireshark even if it was not signed (xattr -r -d "com.apple.quarantine" <app> to the rescue).

I don't think this is related to the extended attributes or quarantine at all. That error message indicates that the filesystem in the disk image is corrupt, probably because the image was damaged during uploading/downloading (see this previous SU question). Can you checksum the image before and after uploading & downloading it to see if it's been changed somewhere along the path? Also, using Disk Utility to verify the volume would be useful.
As far as quarantine is concerned: the quarantine attribute is added when the image (or any other file) is downloaded; there is nothing you can do to prevent this. If there were a way to avoid this, the bad guys would be using it on their malware to evade the quarantine security checks -- and Apple would consider this a bug, and fix it. Your customer can remove the quarantine after downloading the image, but this should not be necessary. (Although you may want to sign some/all of the files inside the image to comply with gatekeeper's restrictions.)

Related

How to trigger GateKeeper quarantine without uploading/ downloading the file/ installer?

I made a pkg installer and I'm trying to debug the codesigning issue where GateKeeper has put the quarantine flag on the installer.
This quarantine translates to permission denied when the application is run through the CLI, or when double-clicking, or when right-clicking > Open:
It does this only when the installer gets downloaded. I think I have figured out why the installer gets quarantined by GateKeeper, but the only way I can test this is by uploading it and then downloading it. This is slow, and I would like to run GateKeeper checks without wasting time uploading to the internet.
I read somewhere that zipping the file and unzipping it might work; it doesn't.
The quickest solution I came up with is to drag and drop the file onto a web browser and re-download it from the browser. This doesn't use any internet. It still passes through GateKeeper since the quarantine flag is re-added to the .pkg file.
Even Apple doesn't suggest this:
Quarantine a copy of your app. You can do this in either of the following ways:
Email the app to yourself and use the copy that Mail downloads.
Host the app on your own local or remote server and use the copy that Safari downloads

Xcode Accessing iFile Directories

I have searched for a week and I checked all forums I know for an answer to the following question. Then I thought the creator of Crackulous HAS to know how it works. So it would be great if he answers me here or through PM.
First of all Crackulous:
If I am right, Crackulous first finds all apps installed on the device (in iFile var/mobile/Applications). Then it checks whether each is encrypted or decrypted.
If it's encrypted, it shows as if it is already decrypted and not visible.
So if I am right, Docmorelli has to access or display the directory var/mobile/Applications, or has to access it to check if it's decrypted or encrypted.
So I have a Project in Xcode where I need this information: I have to access var/mobile/Applications
e.g I am a Cheater so I cheat lots of Games.
I want to make a Button that when people click on it, it places a file in var/mobile/Applications....
So Docmorelli or any other Developer: Please tell me how can I access var/mobile/Applications with xcode!
I really need it!
e.g code: (not really objective c)
if buttonName clicked write File in var/mobile/Applications/Game.app
Place your application in /Applications. If you do that your program will launch with the permissions to write to the folder you specified.
Xcode can't do it, so place it there manually with SSH or something similar.

MacOS X Keychain: Can't set an app as trustworthy

I would like to add an app (STS.app, the SpringSource ToolSuite) to the list of trusted apps for a given password entry within my keychain. The list already contains some apps (svn, Eclipse.app) but I can't add the given STS.app. After I choose that file from the file dialog, the list remains unchanged. I can delete/add other apps, e.g. the mentioned Eclipse.app, but not the STS.app. Both files have equal permissions, but STS.app contains the com.apple.quarantine extended attribute. I can manually remove this extended attribute (why does it ever exist, and why wasn't it removed automatically after the first start after downloading it via Chrome?) but the STS.app still cannot be set as a trusted app in the keychain after that. Any suggestions?
Kind regards, Dominik
After experiencing the same problem, I created the keychain item manually and that fixed it for me.
Go to your Mac keychain, click the '+' at the bottom, and then enter your SVN URL, friendly name and password.

Remove Sandboxing

I have another question dealing with app sandboxing. I need access to the users' home directory and at the same time the app should be able to shut down the Mac. This requires not using sandboxing.
My problem is that I don't know how to remove sandboxing and be able to submit the app to the Mac App Store. I think that the archives are sandboxed because I had turned it on once.
How to remove sandboxing from the archives properly?
Thanks for your help!
On Xcode 11, you can turn off Sandboxing by removing it from the Signing & Capabilities tab:
If I understand what you are asking correctly, you'll need to remove the entitlements.plist from your project and make sure that the Summary view of your target in Xcode has sandboxing turned off:
As Derek Wade pointed out, you can make an App like GarageBand X (which behaves obnoxiously with third party plugins like Amplitube due to Sandboxing) NOT run in a sandbox by editing the binary itself with a HEX editor like HexFiend. Look for:
<key>com.apple.security.app-sandbox</key>
Immediately following that bit you'll see the true tag, which as suggested I switched to 'fals' (no extra bytes) and now GarageBand will happily interact with third party VST plugins. Huzzah.
I found if you go into the .app package, under Contents/MacOS, there should be a binary file that matches the name of your app. Copy that file to your desktop. Edit the desktop copy of the file with TextEdit. You should find within the file, the text representation (xml) of the Entitlements for the app. Find the Sandbox entitlement flag (usually set to <true/>) and change it to <false/>. You will have to unlock the file when editing. Save the file (located on the desktop). Rename the original file in the .app package (i.e. append .old to the filename). Copy the desktop file back to the .app Package location (you may have to authorize it). This should remove the sandboxing.
You cannot remove Sandbox if the user ran your application via Sandbox.
That's the whole point, don't you think?

Cocoa: font downloaded from the web

I'm coding an app that needs a font that is not available on the system. I got the font from the web, but every time I launch the app, I get this message:
http://twitpic.com/3h4nj9
I cannot ship an app with this kind of message. I believe it's some metadata on the font file. Does anyone know how I can solve that problem?
Thanks!
This is a security feature of the OS. You should not be trying to "solve" it.
I'd suggest obtaining a license for the font and bundling the file as a resource in your app. Or do without.
[EDIT]: I misunderstood. Since it's a file you're including in your bundle, you want to clear the com.apple.quarantine metadata from the file. Use the command
xattr -d com.apple.quarantine my_font_file.otf
You probably also want to get rid of the com.apple.metadata:kMDItemWhereFroms metadata as well.
You can just use
xattr my_font_file.otf
to get a list of all the extended attributes that the OS is keeping on the file. Delete as appropriate (with the -d flag).
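What the quarantine attribute holds, as an added example (not part of the original answer): a small parser for the value printed by xattr -p com.apple.quarantine. The field layout (hex flags; hex epoch seconds; downloading agent; event UUID) and the reading of bit 0x0040 as "user approved the first open" are assumptions taken from public forensic write-ups rather than from Apple documentation.

```shell
#!/bin/sh
# Added example: split a com.apple.quarantine value into its fields.
# Assumed layout: <hex flags>;<hex epoch seconds>;<agent>;<event UUID>

# Sets QTN_FLAGS, QTN_EPOCH, QTN_AGENT, QTN_UUID and QTN_APPROVED.
# Returns 1 when the flags or timestamp field is missing or not hex.
parse_quarantine() {
    IFS=';' read -r flags stamp agent uuid <<EOF
$1
EOF
    case $flags in ''|*[!0-9A-Fa-f]*) return 1 ;; esac
    case $stamp in ''|*[!0-9A-Fa-f]*) return 1 ;; esac
    QTN_FLAGS=$((0x$flags))
    QTN_EPOCH=$((0x$stamp))
    QTN_AGENT=$agent
    QTN_UUID=$uuid
    # Assumption: bit 0x0040 is set once the user has approved opening the file.
    if [ $((QTN_FLAGS & 0x0040)) -ne 0 ]; then
        QTN_APPROVED=yes
    else
        QTN_APPROVED=no
    fi
}

# Print a one-line summary of a quarantine value.
describe_quarantine() {
    parse_quarantine "$1" || { echo "malformed quarantine value" >&2; return 1; }
    printf 'flags=0x%04x epoch=%s agent=%s approved=%s\n' \
        "$QTN_FLAGS" "$QTN_EPOCH" "${QTN_AGENT:-unknown}" "$QTN_APPROVED"
}

# Usage on macOS (script name is a placeholder):
#   ./qtn.sh "$(xattr -p com.apple.quarantine my_font_file.otf)"
# Constructed sample value: 0081;5f3b2a1c;Chrome;11111111-2222-3333-4444-555555555555
if [ "$#" -eq 1 ]; then
    describe_quarantine "$1"
fi
```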
