trailofbits / sinter

A user-mode application authorization system for macOS written in Swift
https://blog.trailofbits.com/2020/08/12/sinter-new-user-mode-security-enforcement-for-macos/
GNU Affero General Public License v3.0

Notarize pkg installer in order to address Quarantine xattr #58

Closed mike-myers-tob closed 4 years ago

mike-myers-tob commented 4 years ago

When distributed via an MDM, the Quarantine extended attribute is not set on a pkg installer file and it will run without interference from Gatekeeper.

If downloaded via a browser, the browser will set the Quarantine xattr and Gatekeeper will want to see that the package is notarized. In order to avoid this issue, we will notarize the package.

Add steps in the pkg building script to notarize the pkg.
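As an added example, not part of the Sinter project or of this issue, the POSIX shell helper below lets a reviewer of a release check the two things the comment above hinges on: whether a downloaded pkg still carries the `com.apple.quarantine` attribute (and what it records), and whether Gatekeeper accepts the package as a notarized installer. The attribute's field layout (`flags;download time as hex epoch seconds;agent;uuid`) is assumed from commonly observed values; the flag bits are printed verbatim rather than interpreted. `xattr`, `spctl`, `xcrun stapler` and `pkgutil` are the standard macOS tools and are only invoked when a path is passed on the command line, so the decoder can be exercised on any POSIX shell.

```shell
#!/bin/sh
# Added example (not Sinter project code): inspect a .pkg the way Gatekeeper will.

# Decode a com.apple.quarantine value. Assumed layout (observed, not documented):
#   <flags hex>;<download time, hex epoch seconds>;<downloading agent>;<uuid>
# Prints "flags=... downloaded=<decimal epoch> agent=... uuid=..." and returns 0,
# or returns 1 when the value does not have that shape.
parse_quarantine_attr() {
    attr=$1
    # Need at least three ';'-separated fields.
    case $attr in
        *\;*\;*) ;;
        *) return 1 ;;
    esac
    flags=${attr%%;*}; rest=${attr#*;}
    stamp=${rest%%;*}; rest=${rest#*;}
    agent=${rest%%;*}
    uuid=${rest#*;}
    [ "$uuid" = "$agent" ] && uuid=""     # only three fields present
    # The timestamp must be hex; validate before arithmetic so a bad value
    # returns 1 instead of aborting the shell.
    case $stamp in
        ''|*[!0-9a-fA-F]*) return 1 ;;
    esac
    stamp_dec=$((0x$stamp))
    printf 'flags=%s downloaded=%s agent=%s uuid=%s\n' \
        "$flags" "$stamp_dec" "$agent" "$uuid"
}

# Print FILE's quarantine attribute, or return 1 if it is absent (macOS only).
# An MDM-delivered pkg is expected to have none; a browser download should have one.
quarantine_attr_of() {
    xattr -p com.apple.quarantine "$1" 2>/dev/null
}

# Gatekeeper's own verdict on an installer package, the notarization ticket
# stapled to it, and the signing identity (macOS only).
assess_pkg() {
    pkg=$1
    spctl --assess --type install -vv "$pkg"
    xcrun stapler validate "$pkg"
    pkgutil --check-signature "$pkg"
}

# Only run the macOS checks when a path is given on the command line.
if [ "$#" -gt 0 ]; then
    if q=$(quarantine_attr_of "$1"); then
        echo "quarantined: $(parse_quarantine_attr "$q" || echo "$q")"
    else
        echo "no quarantine xattr (not a browser download, or already cleared)"
    fi
    assess_pkg "$1"
fi
```

Run as `sh check_pkg.sh sinter.pkg` on a machine where the installer was fetched with a browser: the quarantine line shows which agent downloaded it and when, and `spctl --assess --type install` prints `accepted` with `source=Notarized Developer ID` only when the notarization described in this issue is in place. A pkg pushed through an MDM will report no quarantine attribute, which is exactly why the problem was not visible on that path.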

mike-myers-tob commented 4 years ago

Release 0.1.1 should exhibit a properly notarized pkg installer file. We will continue using these steps to notarize the pkg installers from here on. The steps are currently manual but can be semi-automated by adding them to the existing script.