Ramaprasad Upadhyaya Ramaprasad Upadhyaya - 1 year ago 63
Objective-C Question

Mac Application security related

Can someone please clarify below behaviours from security point of view:
Please note, application will be distributed outside AppStore.


  1. I built mac application (.app) and I have not signed the same with developerid. If I open the app one some other Mac where Security & Privacy setting is Allow downloads from – Mac App Store and identified developers .
    In this scenario, will this app supposed to run? As I understand from the security, it should not. But it is running fine without warning.

  2. If I build dmg file with the app and both dog and app are not signed. How should be the behaviour in this case when I click on dmg?

  3. If I sign dmg file not app. What should happen when I click on dmg file and later app?
    Only signing dmg is enough?


Answer Source
  1. The Gatekeeper security policy only applies to "downloaded" files. When some apps (e.g. Safari, Mail, Messages, etc) download a file, they apply a com.apple.quarantine extended attribute to the file, marking it as being in quarantine because it was downloaded from an untrusted source. When you open the file, several quarantine-based security policies are applied, including the Gatekeeper policy.

    If the file was never placed in quarantine because it was not "downloaded", the Gatekeeper policy will not be applied. Note that copying files via USB disks, AFP or SMB file sharing, etc do not apply the quarantine attribute (see this Apple.SE question).

    If you want to test the quarantine behavior, you can create your own com.apple.quarantine attribute with either of the procedures described here.

  2. If the disk image is quarantined, the quarantine will be applied to its contents and running the app will apply the Gatekeeper policy. If the disk image is not quarantined, Gatekeeper will not activate.

  3. Under older versions of OS X (through 10.11), signing the disk image is irrelevant. If the disk image is quarantined, the app contained in it will be as well, and so the app must be signed to run.

    [UPDATE] Starting in macOS Sierra (10.12), signing the disk image is sometimes required in addition to signing the app. The details are complicated, so for simplicity's sake I'll just recommend signing your disk images. But be sure to do the signing under 10.11.5 or later; that's when Apple added the ability to embed a signature in a disk image in a way that won't be lost when it's downloaded.

Recommended from our users: Dynamic Network Monitoring from WhatsUp Gold from IPSwitch. Free Download