macadmins / nudge

A tool for encouraging the installation of macOS security updates.
Apache License 2.0

Notarize package #139

Closed kris-enervee closed 3 years ago

kris-enervee commented 3 years ago


The current pkg downloaded from the GitHub build process isn't using an Apple-approved certificate for signing, and therefore can't be opened.

alexloew commented 3 years ago

You have Gatekeeper enabled. If allowed, you can "right-click" or "control-click" the package then select Open.

kris-enervee commented 3 years ago

I've never actually seen this happen before. Not sure if it's related to macOS 11.2.2, or something with the pkg. But I can't get rid of this option in my Security and Privacy preference pane. A reboot doesn't clear it either.

https://user-images.githubusercontent.com/49168455/109403230-a3d4c500-7910-11eb-8d06-7e89e902f752.mp4

kris-enervee commented 3 years ago

Deleting the file and emptying the trash gets rid of that prompt in Security & Privacy, but re-downloading and trying to open with a CTRL click results in the same behavior the video above shows.

alexloew commented 3 years ago

If you have MDM enabled on your device there may be a payload disallowing you from creating Gatekeeper exceptions:

You can check the Gatekeeper quarantine by: xattr /Applications/Some.app

And add an exception: sudo xattr -r -d com.apple.quarantine /Applications/Some.app

Or disable Gatekeeper completely: sudo spctl --master-disable

kris-enervee commented 3 years ago

Thanks @alexloew

There's nothing we do to disallow gatekeeper exceptions.

❯ xattr Downloads/Nudge-1.0.0.02262021211640.pkg
com.apple.macl
com.apple.metadata:kMDItemWhereFroms
com.apple.quarantine

~ 
❯ sudo xattr -r -d com.apple.quarantine Downloads/Nudge-1.0.0.02262021211640.pkg 
Password:

~ took 3s 
❯ xattr Downloads/Nudge-1.0.0.02262021211640.pkg
com.apple.macl
com.apple.metadata:kMDItemWhereFroms

Running sudo xattr -r -d com.apple.quarantine wasn't mentioned in the README. Running that does remove the pkg file from quarantine, and allows the pkg to be opened and installed. But if an Apple-approved certificate is used to sign that pkg file, that shouldn't be needed, right?

alexloew commented 3 years ago

Without a doubt, I'm sure the developer here (@erikng) would have to explore that option, I at least wanted to offer you a workaround.

erikng commented 3 years ago

@kris-enervee this behavior exists when you download packages via a browser. The package is indeed signed with a proper developer certificate.

It is not notarized however and Apple has new rules with Big Sur. Figuring out how to notarize automated packages is significantly harder and at the moment I have zero intention of figuring it out. When you deploy this package via any MDM tool or Munki, this will not be an issue.

If you look at the autopkg recipe you will see it is properly signed by Apple just like every other signed package. https://github.com/autopkg/erikng-recipes/blob/main/Nudge/Nudge.download.recipe
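The two checks the thread turns on, alexloew's "is the file quarantined" and erikng's "signed is not the same as notarized", as one added script. This is example code written for this page, not part of Nudge or the autopkg recipe. Only parse_quarantine is portable; is_quarantined and assess_pkg shell out to the macOS tools xattr, pkgutil and spctl and report "unknown" where those are missing. The format of the com.apple.quarantine value (flags;download time;agent;uuid, both numbers in hex) is Apple's, but the grep patterns on the pkgutil and spctl output ("Status: no signature", "source=Notarized") assume the wording those tools print at the time of writing, and the result labels are my own.

```shell
#!/bin/sh
# Added example, not code from the Nudge project. Inspects a downloaded .pkg the
# way Gatekeeper reasons about it: is it quarantined, is it signed, is it
# notarized. Only parse_quarantine is portable; the other helpers call
# macOS-only tools (xattr, pkgutil, spctl) and report "unknown" elsewhere.

# Decode a raw com.apple.quarantine value. macOS stores it as
# "<flags-hex>;<download-time-hex>;<agent>[;<uuid>]". Prints
# "flags=<decimal> downloaded=<epoch-seconds> agent=<name>" and returns 1
# when the first two fields are missing or are not hex.
parse_quarantine() {
    q_raw=$1
    q_flags=$(printf '%s' "$q_raw" | cut -d';' -f1)
    q_ts=$(printf '%s' "$q_raw" | cut -s -d';' -f2)
    q_agent=$(printf '%s' "$q_raw" | cut -s -d';' -f3)
    [ -n "$q_flags" ] && [ -n "$q_ts" ] || return 1
    case "$q_flags$q_ts" in *[!0-9A-Fa-f]*) return 1 ;; esac
    printf 'flags=%d downloaded=%d agent=%s\n' \
        "$((0x$q_flags))" "$((0x$q_ts))" "$q_agent"
}

# 0 if the file carries the quarantine attribute (Gatekeeper will assess it),
# 1 if not. A pkg pushed by an MDM or Munki never gets the attribute, which is
# why the thread says the browser-download problem does not show up there.
is_quarantined() {
    xattr -p com.apple.quarantine "$1" >/dev/null 2>&1
}

# Signature vs notarization are two separate facts about a pkg.
# Prints one of: unknown, unsigned, signed-not-notarized, notarized.
# The grep patterns assume the wording pkgutil and spctl print today.
assess_pkg() {
    a_pkg=$1
    if ! command -v pkgutil >/dev/null 2>&1 || ! command -v spctl >/dev/null 2>&1; then
        echo unknown
        return 0
    fi
    if pkgutil --check-signature "$a_pkg" 2>/dev/null | grep -q 'Status: no signature'; then
        echo unsigned
        return 0
    fi
    # spctl reports "source=Notarized Developer ID" for a notarized pkg and
    # "source=Unnotarized Developer ID" for a Developer ID signature alone.
    if spctl --assess --type install -vv "$a_pkg" 2>&1 | grep -q 'source=Notarized'; then
        echo notarized
    else
        echo signed-not-notarized
    fi
}

# Usage: ./checkpkg.sh Downloads/Nudge-1.0.0.02262021211640.pkg
if [ "$#" -gt 0 ]; then
    for f in "$@"; do
        if is_quarantined "$f"; then
            echo "$f: quarantine=$(parse_quarantine "$(xattr -p com.apple.quarantine "$f")")"
        else
            echo "$f: not quarantined (Gatekeeper will not assess it)"
        fi
        echo "$f: $(assess_pkg "$f")"
    done
fi
```

The point of running this before "sudo xattr -d com.apple.quarantine" is that stripping the attribute removes the only check standing between the download and the installer. A result of signed-not-notarized is exactly this issue's situation, and in that case "pkgutil --check-signature" also prints the Developer ID name and certificate fingerprint, which is what you actually want to compare against a known-good value before trusting the file; "sudo spctl --master-disable" turns the check off for every file on the machine and is not a workaround to leave in place.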

natewalck commented 3 years ago

Should we consider notarization now that we are not shipping Python?

erikng commented 3 years ago

If you want to tackle that go for it, but since Apple can't guarantee notarization quickly and GitHub will charge us for long tail runs, I don't know what to do.

Thanks, Erik Gomez

erikng commented 3 years ago

As of https://github.com/macadmins/nudge/releases/tag/v.1.1.0.08182021220242 and any new releases, this is now fixed.