
mystery hill

“It seems Apple has disabled the ability for users to bypass application signing entirely, which would be just the next step in the company’s long-standing effort to turn macOS into iOS, with the same, or at least similar, lockdowns and restrictive policies. This would force everyone developing software for macOS to spend €99 per year in order to get their software signed, which may not be a realistic option for a lot of open source software.”



I think it’s a bug based on the wording of the dialog that pops up when launching unsigned apps.
 
Folks, I'm dumb.

I ALWAYS disable SIP as a matter of personal policy.
I also DISABLE gatekeeper immediately.

I have a "test copy" of 15.1 on an external drive that I use for my 2018 Mini, but in the Security & Privacy panel, I can still choose "anywhere".

Can someone provide a URL that links to one of these "un-runnable" (unsigned) apps, so that I can try it?
(Must be Intel-compatible, I don't have 15.1 running for my m-series MBP yet)
 
Includes section on running apps and mentions Sequoia requirement to enable app in Privacy & Security settings.
 
To clear some confusion here:

Since the M1 was introduced, all macOS apps have to be signed to run on Apple Silicon anyway. But it does not require an Apple-signed binary. A local ad-hoc sign will be enough. macOS will do an ad-hoc sign automatically on first run on Apple Silicon if the binary is unsigned and does not have the `com.apple.quarantine` flag. Gatekeeper will not be happy and will pop up because downloaded apps will have that flag set.

So intentional or not, all binaries that run on Apple Silicon Macs under macOS have been signed for years.
 
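A read-only triage helper for the states discussed above (unsigned, ad-hoc signed, signed with a team identity; quarantined or not), as an added example that is not part of any post in this thread. It assumes the usual `codesign -dv` output lines (`Signature=adhoc`, `TeamIdentifier=`) and a `flags;hex-timestamp;agent;uuid` layout for the quarantine attribute; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Read-only: it changes nothing on disk.

# classify_signature: reads the text of `codesign -dv APP 2>&1` on stdin.
classify_signature() {
    out=$(cat)
    case "$out" in *"not signed at all"*) echo unsigned; return ;; esac
    if printf '%s\n' "$out" | grep -q '^Signature=adhoc$'; then
        echo adhoc          # local ad-hoc signature, no signing identity
    elif printf '%s\n' "$out" | grep -Eq '^TeamIdentifier=[A-Z0-9]{10}$'; then
        echo team-signed    # signed with a developer team identity
    else
        echo unknown
    fi
}

# parse_quarantine: $1 is the com.apple.quarantine value, assumed to be
# laid out as flags;hex-epoch-seconds;agent;uuid.
parse_quarantine() {
    case "$1" in
        '') echo none; return ;;            # attribute absent
        *';'*';'*) ;;                       # at least three fields
        *) echo malformed; return ;;
    esac
    rest=${1#*;}; ts=${rest%%;*}            # second field: timestamp
    rest=${rest#*;}; agent=${rest%%;*}      # third field: downloading app
    case "$ts" in
        ''|*[!0-9a-fA-F]*) epoch=unknown ;;
        *) epoch=$((0x$ts)) ;;
    esac
    echo "agent=${agent:-unknown} epoch=$epoch"
}

# triage_app: live check of one bundle; needs the macOS tools.
triage_app() {
    sig=$(codesign -dv "$1" 2>&1 | classify_signature)
    q=$(xattr -p com.apple.quarantine "$1" 2>/dev/null || true)
    echo "$sig | $(parse_quarantine "$q")"
}

# Only touch a real bundle when a path is given and codesign exists.
if [ -n "${1:-}" ] && command -v codesign >/dev/null 2>&1; then
    triage_app "$1"
fi
```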
Can someone provide a URL that links to one of these "un-runnable" (unsigned) apps, so that I can try it?
(Must be Intel-compatible, I don't have 15.1 running for my m-series MBP yet)
OpenSCAD is the one I had trouble with. Choosing "Anywhere" was not sufficient to get it working.
 
That doesn't work. If the app is not signed then it doesn't show up in Privacy & Security.

You can use that workaround for non-notarised apps, but they must still be signed.
 
Ahhh... Yes you're right.
 
You can use Sentinel to clear the quarantine flag and force-auto sign your app from the GUI.

At first launch, go to Settings/Security and click on "Open Anyway" (before, we used the Control-click/Open trick).

Add your app in development tools (in system settings/security) to bypass GateKeeper rules.
 
To clear some confusion here:

Since the M1 was introduced, all macOS apps have to be signed to run on Apple Silicon anyway. But it does not require an Apple-signed binary. A local ad-hoc sign will be enough. macOS will do an ad-hoc sign automatically on first run on Apple Silicon if the binary is unsigned and does not have the `com.apple.quarantine` flag. Gatekeeper will not be happy and will pop up because downloaded apps will have that flag set.

So intentional or not, all binaries that run on Apple Silicon Macs under macOS have been signed for years.
Not all:
"For binary compatibility, translated x86_64 code is permitted to execute through Rosetta with no signature information at all."
https://support.apple.com/guide/security/rosetta-2-on-a-mac-with-apple-silicon-secebb113be1/1/web/1
 
The signature verification and the bundle integrity verification are quite complex, so probably they added some additional checks and OpenSCAD is doing something weird, like having a broken Info.plist file.

Anyway, there aren't any additional restrictions in 15.1.
 
I've tested out installing SMAPI (mod tool for Stardew Valley) https://github.com/Pathoschild/SMAPI/releases/tag/4.0.8 and it worked the same as previous versions. You get the message to throw it away, but can go into Security and Privacy to allow it to run per https://support.apple.com/102445.

Edit: It appears this is a gatekeeper message and one of the potential causes is unsigned code. I'm not 100% sure if it's unsigned, but it displays the error:
"install on macOS.command" Not Opened


Apple could not verify "install on macOS.command" is free of malware that may harm your Mac or compromise your privacy.
 
Anyway, there aren't any additional restrictions in 15.1.
Thanks.

Tip: if you remove the country/language from the address, the Apple support pages automatically show up in the native language of the user, like this:

https://support.apple.com/102445.

Edit: Oops, it usually works with Apple support pages, I do it all the time, not this one obviously. Maybe it's only available in English.
 
nermal wrote in #10 above:
"OpenSCAD is the one I had trouble with. Choosing "Anywhere" was not sufficient to get it working."

I'm typing this on a 2018 Mini that's still using Mojave (OS 10.14.6).
SIP is disabled.
Gatekeeper is turned completely off (open apps from anywhere selected).

I downloaded "OpenSCAD" using the link in reply 10 above.
If I try to launch it, I get this:
[Attached screenshot: Screen Shot 2024-11-03 at 11.00.38 AM.jpg]

(I could not try the "Sentinel" app mentioned above because it won't run on OS 10.14)

I'm not a programmer or coder.
But this indicates to me that the problem is not localized in OS 15.1.
Same problem 'way back in OS 10.14 ...
 
Have you tried right-clicking on the app and selecting 'Open'?
Does it give you the option to "Open anyway"?
 
Work in progress, AppleScript that can be saved as an app, checks the quarantine attribute and signature of an app, can remove the quarantine attribute and self-sign the app.

AppleScript:
-- Ask for an application bundle and convert it to a POSIX path
set theApp to choose file with prompt "Please select an application:" of type {"app"}
set appPath to POSIX path of theApp
-- Read the quarantine attribute; xattr fails when it is not present
try
    set QuAtt to "Quarantine attribute:" & return & (do shell script "xattr -pl com.apple.quarantine " & quoted form of appPath)
on error
    set QuAtt to "Quarantine attribute not present"
end try
-- Show the signature details; codesign fails when the app is unsigned
try
    set SignStat to "Signing status:" & return & (do shell script "codesign -dv " & quoted form of appPath & " 2>&1")
on error
    set SignStat to "Signing status:" & return & "the application is not signed at all"
end try

-- Show both results and ask which action to take
set theQuestion to display dialog QuAtt & return & SignStat & return & "Would you like to" buttons {"Remove quarantine attribute", "Self-sign the app", "Remove quarantine & Self-sign"} default button "Self-sign the app"
set theAnswer to button returned of theQuestion
if theAnswer is equal to "Remove quarantine attribute" then
    -- Remove the attribute recursively from the whole bundle
    do shell script "xattr -rd com.apple.quarantine " & quoted form of appPath
end if
if theAnswer is equal to "Self-sign the app" then
    -- Drop any existing signature, then apply an ad-hoc signature ("-")
    do shell script "codesign --remove-signature " & quoted form of appPath & "; codesign --force --deep --sign - " & quoted form of appPath
end if
if theAnswer is equal to "Remove quarantine & Self-sign" then
    do shell script "xattr -rd com.apple.quarantine " & quoted form of appPath
    do shell script "codesign --remove-signature " & quoted form of appPath & "; codesign --force --deep --sign - " & quoted form of appPath
end if
-- Offer to launch the app afterwards
set theQuestion2 to display dialog "Operation completed." & return & "Would you like to open the app?" buttons {"Yes", "No"} default button "Yes" cancel button "No"
set theAnswer2 to button returned of theQuestion2
if theAnswer2 is equal to "Yes" then
    do shell script "open -a " & quoted form of appPath
end if

Obviously, don’t use on apps you don’t trust. :)
 
Could someone please check one of the apps in question using Apparency (or whatever) to see if the signature has expired?

Sonoma runs HDHomeRun.app without complaint, but the signature expired on August 31, 2024. I'm curious to know if Sequoia has tightened things up in this regard (just not curious enough to risk installing it right now).
 
OpenSCAD and SeaMonkey have no signatures.
If you are referring to HDHomeRun from https://www.silicondust.com/support/downloads/ it works in Sequoia 15.1.

Here is what happens with SeaMonkey and an updated version of the AppleScript above in action



AppleScript:
-- Ask for an application bundle and convert it to a POSIX path
set theApp to choose file with prompt "Please select an application:" of type {"app"}
set appPath to POSIX path of theApp
-- Read the quarantine attribute; xattr fails when it is not present
try
    set QuAtt to "Quarantine attribute:" & return & (do shell script "xattr -pl com.apple.quarantine " & quoted form of appPath)
on error
    set QuAtt to "Quarantine attribute not present"
end try
-- Show the signature details; codesign fails when the app is unsigned
try
    set SignStat to "Signing status:" & return & (do shell script "codesign -dv " & quoted form of appPath & " 2>&1")
on error
    set SignStat to "Signing status:" & return & "the application is not signed at all"
end try
-- Show both results first; "Don't Continue" cancels the script here
display dialog QuAtt & return & SignStat & return & "Would you like to" buttons {"Don't Continue", "Continue"} default button "Continue" cancel button "Don't Continue"
-- Ask which action to take
set theQuestion to display dialog "Would you like to" buttons {"Remove quarantine attribute", "Self-sign the app", "Remove quarantine & Self-sign"} default button "Self-sign the app"
set theAnswer to button returned of theQuestion
if theAnswer is equal to "Remove quarantine attribute" then
    -- Remove the attribute recursively from the whole bundle
    do shell script "xattr -rd com.apple.quarantine " & quoted form of appPath
end if
if theAnswer is equal to "Self-sign the app" then
    -- Drop any existing signature, then apply an ad-hoc signature ("-")
    do shell script "codesign --remove-signature " & quoted form of appPath & "; codesign --force --deep --sign - " & quoted form of appPath
end if
if theAnswer is equal to "Remove quarantine & Self-sign" then
    do shell script "xattr -rd com.apple.quarantine " & quoted form of appPath
    do shell script "codesign --remove-signature " & quoted form of appPath & "; codesign --force --deep --sign - " & quoted form of appPath
end if
-- Offer to launch the app afterwards
set theQuestion2 to display dialog "Operation completed." & return & "Would you like to open the app?" buttons {"Yes", "No"} default button "Yes" cancel button "No"
set theAnswer2 to button returned of theQuestion2
if theAnswer2 is equal to "Yes" then
    do shell script "open -a " & quoted form of appPath
end if
 
OpenSCAD and SeaMonkey have no signatures.
Thanks for confirming.

If you are referring to HDHomeRun from https://www.silicondust.com/support/downloads/ it works in Sequoia 15.1.
That's an older version, 20231214, and it too has an expired certificate. I'm running version 20240708, installed via the App Store last July, and the certificate expired last August. Sonoma doesn't seem to care, and you've verified that Sequoia wouldn't either - thanks!

Now I'm wondering if Sequoia will complain about unsigned binaries (as opposed to app bundles).
 