Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Untrusted files.

BR4DOKYBrazil

BR4DOKYBrazil

macrumors 6502a
Original poster
Jan 25, 2018
887
2,257
Londrina - PR / Brazil
I am a lawyer and, when carrying out process protocols, the electronic system uses .jnlp (java) files. On MacOS Sonoma, I accessed the file by pressing the "right button" on the mouse and clicking "Open". Now, on MacOS Sequoia, I have to access the "Privacy and Security" settings every time and authorize the file to be opened there. Although it enters the exception list, but each .jnlp file is unique, so the system will never identify it in the exception list. Would there be any other option for me to place files, in general, on the MacOS Sequoia exceptions list, without me having to authorize it, every time, through the "Privacy and Security" item?
 
  • Like
Reactions: Macs Pain
Grumpus said:
Why are you opening the files via right-click->open rather than simply double-clicking them? I'm not a java user, but I believe that java is the default app for .jnlp files and I would expect that you'll only have to authorize it once. See Permanently change the app used to open all files of a particular type.
Click to expand...
On MacOS Sonoma, when I double-clicked on the file, the system sent me a warning that the file could be malware, giving me the option to cancel or send it to the trash. When I right-clicked and clicked open, the system gave me access to the file. In Sequoia, this possibility is no longer available. I always have to confirm in settings, privacy and security. This .jnlp file is for digitally signing lawyer doc files, as a Word, PDF, etc.. So, each .jnlp file is unique and related to those documents I am signing.
 
  • Like
Reactions: Macs Pain
Are you downloading these .jnlp files from somewhere using Safari?

Downloaded files have a "quarantine" extended attribute, and this may be the root of the problem. If you're comfortable using the terminal, you could try removing (most) extended attributes using xattr. As an example, for the file "foo.jnlp" in your Downloads folder, you'd open Terminal.app and run:
Code: 
xattr -c ~/Downloads/foo.jnlp
Then try double-clicking that file in Finder to see if it will now run without you having to explicitly allow it in Privacy & Security.

I'm afraid I don't have a better idea at this point. In Sequoia, unsigned apps now have to be explicitly allowed in Settings->Privacy & Security. However, your .jnlp files should be handled by /System/Library/CoreServices/JavaLauncher.app, which should be signed (it definitely is in Sonoma). That's why I'm guessing that the problem stems from the quarantine attribute.
 
  • Like
Reactions: BR4DOKYBrazil
Have you tried DISABLING "Gatekeeper" ??

Open terminal and enter:
sudo spctl --master-disable

(administrative password will be required).

To turn on Gatekeeper again:
sudo spctl --master-enable

Personal experience:
As soon as Gatekeeper was introduced by Apple, I DISABLED it on all my Macs and do so now as a matter of course.

Never had a problem with this...
 
  • Like
Reactions: BR4DOKYBrazil
Grumpus said:
Are you downloading these .jnlp files from somewhere using Safari?

Downloaded files have a "quarantine" extended attribute, and this may be the root of the problem. If you're comfortable using the terminal, you could try removing (most) extended attributes using xattr. As an example, for the file "foo.jnlp" in your Downloads folder, you'd open Terminal.app and run:
Code: 
xattr -c ~/Downloads/foo.jnlp
Then try double-clicking that file in Finder to see if it will now run without you having to explicitly allow it in Privacy & Security.

I'm afraid I don't have a better idea at this point. In Sequoia, unsigned apps now have to be explicitly allowed in Settings->Privacy & Security. However, your .jnlp files should be handled by /System/Library/CoreServices/JavaLauncher.app, which should be signed (it definitely is in Sonoma). That's why I'm guessing that the problem stems from the quarantine attribute.
Click to expand...
I download using Firefox. It is a .jnlp file for digitally signing documents related to lawyers in Brazil.

I'll try to use your tip and see if it works! Thank you very much for your help, Grumpus.
Fishrrman said:
Have you tried DISABLING "Gatekeeper" ??

Open terminal and enter:
sudo spctl --master-disable

(administrative password will be required).

To turn on Gatekeeper again:
sudo spctl --master-enable

Personal experience:
As soon as Gatekeeper was introduced by Apple, I DISABLED it on all my Macs and do so now as a matter of course.

Never had a problem with this...
Click to expand...
I haven't tried disabling it yet. If the tip above doesn't help, I'll try to disable it. Thank you very much, Fishrrman!
 
  • Like
Reactions: Grumpus
Fishrrman said:
Have you tried DISABLING "Gatekeeper" ??

Open terminal and enter:
sudo spctl --master-disable

(administrative password will be required).

To turn on Gatekeeper again:
sudo spctl --master-enable

Personal experience:
As soon as Gatekeeper was introduced by Apple, I DISABLED it on all my Macs and do so now as a matter of course.

Never had a problem with this...
Click to expand...
Researching, I saw that, doing this, releases the "anywhere" option in Privacy and Security. Could disabling the gatekeeper be harmful to my system in any way? Remembering that I use the Mac for simple operations like lawyering. I don't download apps all the time.
 
I've disabled Gatekeeper from the time it was first introduced.
I don't need it or want it.
Works for me.

Others' mileage... may vary.
 
  • Like
Reactions: BR4DOKYBrazil
BR4DOKYBrazil said:
Could disabling the gatekeeper be harmful to my system in any way?
Click to expand...
Yes, it could.

Gatekeeper prevents unsigned Apps from executing without the user's approval.
To quote Google:
"Its primary role is safeguarding macOS users from harmful applications by ensuring that any software installed on their Mac has been vetted for safety." - "It enforces code signing and verifies downloaded applications before allowing them to run, thereby reducing the likelihood of inadvertently executing malware."

If you disable Gatekeeper completely, any website could potentially download a malware app in the background. If you accidentally open it, the damage is done.
I admit that this an unlikely worst-case scenario, but if you like to be on the safe side, i would follow the advice of Grumpus and disable the quarantine flag only on a case-by-case basis.

(Personal experience: The company I work for, handles confidential client data. Disabling Gatekeeper on any of our Production Macs would be a serious breach of security protocol.)
 
Last edited:
  • Like
  • Love
Reactions: KaliYoni, gilby101, BR4DOKYBrazil and 1 other person
Grumpus said:
Downloaded files have a "quarantine" extended attribute, and this may be the root of the problem.
Click to expand...

Mental note to self, will need to check this as…

I see the double click issue with a docx file I have in Dropbox. I’ve changed the application to open it to use LibreOffice. All other MS format files will open in LO no problem by double clicking, but the one in Dropbox, get the malware message. But can open it via LO > File > Open and navigate to it.
 
NoBoMac said:
Mental note to self, will need to check this as…

I see the double click issue with a docx file I have in Dropbox. I’ve changed the application to open it to use LibreOffice. All other MS format files will open in LO no problem by double clicking, but the one in Dropbox, get the malware message. But can open it via LO > File > Open and navigate to it.
Click to expand...

bogdanw said:
Sequoia appears to quarantine some cloud based files, including the ones stored on iCloud.
https://forums.macrumors.com/thread...h-unsigned-applications.2441792/post-33646581
Click to expand...
The big problem is that each .jnlp file is unique. Every time I make a protocol from a file in the lawyers system, it generates a .jnlp file for each protocol. When I confirm the opening of the file in "Privacy and Security", this file is placed on an exception list to never notify me of malware again, but, as each .jnlp file is unique, I always have to confirm its opening in "Privacy and Security".

I already thought about putting the Java app in the "Developer Tool" so that it runs files without any protection, but it didn't work. It does not recognize the Java app as an application itself.
 
You could create a folder action in Automator to remove the quarantine attribute for .jnlp files in the folder they are downloaded
FolderAction.jpg

Code: 
/usr/bin/xattr -d com.apple.quarantine $*


Folder Actions Reference
https://developer.apple.com/library...tLangGuide/reference/ASLR_folder_actions.html
 
  • Like
  • Love
Reactions: tonmischa, BR4DOKYBrazil and Grumpus
BR4DOKYBrazil said:
I already thought about putting the Java app in the "Developer Tool" so that it runs files without any protection, but it didn't work. It does not recognize the Java app as an application itself.
Click to expand...
If I create an empty FOO.jnlp file, right-clicking and selecting Get Info shows Open with: JavaLauncher.app, so JavaLauncher.app is what you'd want to add as a developer tool in Privacy & Security.
 
  • Love
Reactions: BR4DOKYBrazil
Not sure if it’s helpful, but I find it interesting: _javaws bypasses the quarantine attribute and launches the .jnlp file
Code: 
/Library/Internet\ Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/bin/_javaws /path/to/file.jnlp
 
  • Like
Reactions: BR4DOKYBrazil
bogdanw said:
It doesn’t work if it’s saved as an app, but it works as a QuickAction.
Click to expand...
That looks like a good solution. I managed to ape what you did in automator.app by (loosely) following this OSXDaily article and using the Run Shell Script action. The result is an Openjnlp.workflow bundle in ~/Library/Services. I'd attach it, but it's untested since I'm both still on Sonoma and don't have Java installed.
 
  • Like
Reactions: BR4DOKYBrazil
Grumpus said:
So, wouldn't setting _javaws as the Open with: app for .jnlp files solve the problem? Sounds helpful to me :)
Click to expand...
On MacOS 14 it worked. It also worked by clicking the right mouse button and "open". On MacOS Sequoia it no longer works this way. I've tried pressing the "option" key too and it doesn't work. I tried pressing the "shift" key and it doesn't work either. The warning always appears that the file may contain malware and tells me to press "ok" or send it to the trash. Then I have to release it in "Privacy and Security".
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back