Gatekeeper


Gatekeeper on macOS helps protect users from downloading and installing malicious software by checking that apps distributed outside the Mac App Store are signed with a Developer ID certificate and, on current macOS versions, notarized by Apple. The check runs when a quarantined app (one written by a browser or another quarantine-aware app) is first opened.

Gatekeeper Documentation

Posts under Gatekeeper tag

51 Posts
Post not yet marked as solved
5 Replies
864 Views
I have a macOS app that I have been distributing for free outside the app store for more than 15 years, without notarization, without sandboxing, and without hardened runtime, all with no problems. If I understand correctly, macOS will soon be modified so that it will not launch any developer-distributed apps that are not notarized. Notarization will require both hardened runtime and sandboxing, and unhappily, my app will not run when notarized -- I have added sandboxing and hardened runtime, then gotten it notarized and tried -- and that is because it will not run when sandboxed. Thus I have two questions: Will there be some means, that I perhaps have missed, for my users to run my app as is, in un-notarized form with no sandboxing and no hardened runtime? (Assume that they are willing to click "Okay" on any macOS popups of the form "Abandon hope, all ye who enter here.") Perhaps I have missed something about the signing or distribution process ... ? If not, is there some entitlement I can obtain to allow my app to run when sandboxed? Perhaps the question is even "Should there be such an entitlement?" And to that end, I must now explain why it cannot run sandboxed: My app is a parallel processing system: To work properly it must open multiple copies of itself -- that's right, there will be multiple instances of the app window visible on the console, distinguished by tint, title and location so the user can tell which is which, and multiple app badges in the dock, similarly distinguished. Doing so is easy -- I use the C++ "system" function to call the Unix executable that is buried within the ".app" folder, passing it a command tail whereby the launched copy can tell how to distinguish itself. I build up the text string for the call piece by piece, but the result looks rather like this: system("<path-to-my-app>/MyApp.app/Contents/MacOS/MyApp -tail-item-1 -tail-item-2 ... &"); The app is written in mixed C++ and Objective-C.
The usual "Main.mm" file contains the entry point for the program, a "main()" function that does nothing but call "NSApplicationMain()", but I have added code to "main()" that runs before the call of NSApplicationMain(). That code uses C function "getopt()" to look for the extra command-tail items. If any are present, the app acts appropriately -- generally assigning non-default values to global variables that are used later in initialization. The first instance of the app that is called -- presumably by the user mousing on an icon somewhere -- knows by the absence of extra command-tail items that it is the first one launched, and thus knows to launch multiple additional instances of itself using this mechanism. The launched instances know by the presence of extra command-tail items that they are not the first one launched, and act differently, based on the command-tail items themselves. All this has been working fine for over a decade when the app is not sandboxed and does not have a hardened runtime. For what it is worth, the app will run with hardened runtime, provided the option "Disable Executable Memory Protection" is checked. Furthermore, when it is also sandboxed and I open it with no extra copies of itself launched (the number to launch is a preferences option), that single app instance runs fine. I have instrumented the code, and what seems to be happening is that the system call to launch another app returns zero -- implying it succeeded -- but has no effect: It is as if someone had special-cased "system" to do nothing, but to report success nonetheless. That is an entirely reasonable feature of a hardened runtime -- allowing arbitrary system calls would be a security disaster looking for a place to happen. The point is that my app would not be making an arbitrary system call -- it would be trying to open one specific app -- itself -- which would be sandboxed with a hardened runtime, and notarized. That is not likely to be a huge security problem. 
Incidentally, not all system calls fail this way -- I can do system("osascript -e 'tell app \"Safari\" to activate';"); or system( "open -a \"Safari\" <path to a help file located in MyApp's Resources>"); with impunity. Also incidentally, using AppleScript to launch another copy of MyApp from within itself doesn't do what I want: The system notices that MyApp is already running and just makes it active instead of launching a new copy, and there is no way to pass in a command tail anyway. I don't wish to appear to be advertising, so I won't identify my app, but a little more detail might be useful: It is a parallel program interpreter. The language implemented is the "Scheme" dialect of Lisp. Each instance running is a complete read/eval/print loop embedded in an application window where the user can read and type. The first instance of the app launched mmaps a large memory area for the Lisp system's main memory: That works kind of like a big heap in more conventional programs. It is not executable code, it contains Lisp data structures that an application instance can access. The other instances launched use the same mmapped area. The shared memory has lots of lock bits. I use low-level "lockless coding" -- hand-coded assembler with the Intel "lock" prefix or the more complicated arm64 stuff -- to keep simultaneous access by different app instances from corrupting the shared memory. Parallel Scheme has many uses, which include debugging and monitoring of running Scheme programs, and having multiple tail-recursive "actors" (Lisp jargon) operate on the same data at the same time. Enough said. I would like to be able to notarize this app so that users who obtained it outside the app store could understand that Apple had checked it for dangerous code. If that were possible, I might even try submitting it to the app store -- but that would be another story. Do I have any hope of keeping this product available?
Posted
by
Post not yet marked as solved
2 Replies
550 Views
I have created a .NET MAUI application that I have written for Windows and MacCatalyst. In my entitlements.plist I have com.apple.security.app-sandbox = no.

<PropertyGroup Condition="'$(Configuration)|$(TargetFramework)|$(Platform)'=='Debug|net7.0-maccatalyst|AnyCPU'">
  <MtouchLink>SdkOnly</MtouchLink>
  <EnableCodeSigning>True</EnableCodeSigning>
  <EnablePackageSigning>true</EnablePackageSigning>
  <CreatePackage>true</CreatePackage>
  <CodesignKey>Developer ID Application: xxxxxxxxxx</CodesignKey>
  <CodesignProvision>xxxxxxxx</CodesignProvision>
  <CodesignEntitlements>Platforms\MacCatalyst\Entitlements.plist</CodesignEntitlements>
  <PackageSigningKey>Developer ID Installer: xxxxxxxxx</PackageSigningKey>
  <UseHardenedRuntime>true</UseHardenedRuntime>
  <RuntimeIdentifier>maccatalyst-arm64</RuntimeIdentifier>
  <MtouchInterpreter>-all</MtouchInterpreter>
</PropertyGroup>

I have a 3rd-party executable that I manually codesigned:
codesign --force --verify --verbose --sign xxxxxx 3rdpartyApp --timestamp --deep --options runtime

Then I build the application in Visual Studio for Mac. Everything is codesigned, etc. After building I am able to successfully notarize the pkg and then staple the notarization to it. When I take that pkg and install it in a test environment, everything installs fine, no warning. I am able to start my application and do what I need to do. But when it tries to run that 3rd-party executable, it just fails. At first I checked exec permissions. I chmod'ed it to +x within the .app container, and also all the way at the beginning, and rebuilt the application, re-signed, re-notarized, etc. I am working to get some logging out to see why it failed, but am having an issue with that at the moment. In the meantime I have taken the non-notarized pkg, forced the install in the test environment, and the 3rd-party executable runs successfully. So it seems the notarization process is causing this child process to fail?
Posted
by
Post marked as solved
3 Replies
774 Views
I've recently updated my development laptop, and my continuous integration build nodes (a pair of Mac minis), to macOS Sonoma. Prior to this update, my CI workflows passed without issue. Since updating, every time I attempt to run my app's unit tests, an impassable alert is shown stating: "MyApp" differs from previously opened versions. Are you sure you want to open it? Opening "MyApp" will allow it to access data from previously used versions of "MyApp". My tests go no further, and my CI workflows fail. I found that if I switched from using ad-hoc code signing for my tests, this dialog is no longer shown on my local development laptop; however, it is still shown on my CI nodes. Is there some way to tell Xcode to bypass this warning? If there's not, Sonoma doesn't seem to be usable for doing testing.
Posted
by
Post not yet marked as solved
3 Replies
864 Views
Hello, I have made a basic C program and I have compiled it with gcc. This program has not been signed (I didn't run codesign). When I try to run this program from Terminal, I don't get any Gatekeeper popup. My first question is... why? I have created a SwiftUI project with Xcode (Xcode 15). I have set signing settings to "Sign to run locally" (by the way, can you tell me how I can disable signing in Xcode?). I have opened Terminal and changed the current directory to the ~/Library/Developer/Xcode/DerivatedData/..../Products/Debug/MyApp.app/Contents/MacOS folder. Now I get a Gatekeeper confirmation popup if I run "./Myapp" from Terminal. My second question is... why? Does that mean Gatekeeper only checks signed binaries? Thanks
Posted
by
Post not yet marked as solved
3 Replies
864 Views
I have a toy application that uses CMake to generate a .dmg that contains a simple C++ binary that prints "codesignTest". The binary gets signed by CMake, and I manually sign the .dmg. I am using the "Unix Makefiles" generator, and am signing with a Developer ID Application certificate with a private key. Despite this, I still get an "App is damaged and can't be opened" error when running the binary on a secondary test macOS machine. I've created a GitHub repository with instructions on how to reproduce this problem, and I've copy/pasted the binary's signature below. Is there anything invalid with my signature? Thank you.

cisl-ridgeland:~ pearse$ codesign -dv --verbose=4 /Applications/codesignTest.app/Contents/MacOS/codesignTest
Executable=/Applications/codesignTest.app/Contents/MacOS/codesignTest
Identifier=codesignTest
Format=bundle with Mach-O thin (arm64)
CodeDirectory v=20400 size=496 flags=0x0(none) hashes=10+2 location=embedded
VersionPlatform=1
VersionMin=786432
VersionSDK=787200
Hash type=sha256 size=32
CandidateCDHash sha256=df158907d48f1eb3f5ef7b145d43d114bff0c6c3
CandidateCDHashFull sha256=df158907d48f1eb3f5ef7b145d43d114bff0c6c3e2564197c4a69594500f7f66
Hash choices=sha256
CMSDigest=df158907d48f1eb3f5ef7b145d43d114bff0c6c3e2564197c4a69594500f7f66
CMSDigestType=2
Executable Segment base=0
Executable Segment limit=16384
Executable Segment flags=0x1
Page size=4096
Launch Constraints:
    None
CDHash=df158907d48f1eb3f5ef7b145d43d114bff0c6c3
Signature size=9045
Authority=Developer ID Application: University Corporation for Atmospheric Research (DQ4ZFL4KLF)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Nov 1, 2023 at 9:43:36 AM
Info.plist=not bound
TeamIdentifier=DQ4ZFL4KLF
Sealed Resources=none
Internal requirements count=1 size=172
Posted
by
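The codesign output in the post above, read line by line, already points at the problem: "flags=0x0(none)" means the hardened runtime was not enabled (signing with --options runtime makes it show as "flags=0x10000(runtime)", and notarization requires it), and "Sealed Resources=none" together with "Info.plist=not bound" means there is no resource seal, which is what you get when the Mach-O inside the bundle was signed instead of the .app itself; Gatekeeper verifies the whole bundle. The script below is an added example, not code from the post or from the repository it mentions. It reads "codesign -dv --verbose=4" output on stdin and reports those conditions. The two embedded samples are constructed (placeholder team ID, trimmed line set), and the --demo switch is this script's own convention.

```shell
#!/bin/sh
# Added example (not from the post): triage the output of
#   codesign -dv --verbose=4 /path/to/App.app 2>&1
# for the properties Gatekeeper and the notary service care about.
# Reads codesign output on stdin, prints one "FINDING:" line per problem and
# returns the number of findings (0 means nothing obviously wrong).
triage_codesign() {
    findings=0
    note() { printf 'FINDING: %s\n' "$1"; findings=$((findings + 1)); }
    cd_flags=''; sealed=''; plist=''; ts=''; devid=0; adhoc=0; seen=0
    while IFS= read -r line; do
        seen=1
        case $line in
            CodeDirectory*)
                # "CodeDirectory v=20400 size=496 flags=0x10000(runtime) hashes=..."
                cd_flags=${line#*flags=}; cd_flags=${cd_flags%% *} ;;
            "Sealed Resources="*)  sealed=${line#Sealed Resources=} ;;
            "Info.plist="*)        plist=${line#Info.plist=} ;;
            Timestamp=*)           ts=${line#Timestamp=} ;;
            "Authority=Developer ID Application:"*) devid=1 ;;
            Signature=adhoc)       adhoc=1 ;;
        esac
    done
    [ "$seen" -eq 1 ] || { echo "FINDING: no codesign output read"; return 1; }

    case $cd_flags in
        *runtime*) : ;;
        *) note "hardened runtime is off (CodeDirectory flags=$cd_flags); sign with --options runtime, notarization requires it" ;;
    esac
    [ "$sealed" != none ] || note "Sealed Resources=none: no resource seal, so the bundle itself was never signed (only the Mach-O); run codesign on the .app, not on Contents/MacOS/<binary>"
    [ "$plist" != "not bound" ] || note "Info.plist=not bound: the bundle's Info.plist is not covered by the signature (same root cause as a missing resource seal)"
    [ -n "$ts" ] || note "no secure timestamp; sign with --timestamp so the signature stays valid after the certificate expires"
    [ "$adhoc" -eq 0 ] || note "ad-hoc signature: Gatekeeper will not accept this for a downloaded app"
    [ "$devid" -eq 1 ] || [ "$adhoc" -eq 1 ] || note "no 'Developer ID Application' certificate in the chain"
    return "$findings"
}

# Constructed sample modelled on the output in the post (placeholder team ID,
# trimmed): the executable was signed on its own, without --options runtime.
SAMPLE_BAD='Executable=/Applications/codesignTest.app/Contents/MacOS/codesignTest
Identifier=codesignTest
Format=bundle with Mach-O thin (arm64)
CodeDirectory v=20400 size=496 flags=0x0(none) hashes=10+2 location=embedded
Hash type=sha256 size=32
Launch Constraints:
    None
Signature size=9045
Authority=Developer ID Application: Example Corp (TEAMID0000)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Nov 1, 2023 at 9:43:36 AM
Info.plist=not bound
TeamIdentifier=TEAMID0000
Sealed Resources=none
Internal requirements count=1 size=172'

# Constructed sample of a bundle signed the way Gatekeeper expects, i.e. with
#   codesign --sign "Developer ID Application: ..." --timestamp --options runtime App.app
SAMPLE_GOOD='Executable=/Applications/codesignTest.app/Contents/MacOS/codesignTest
Identifier=org.example.codesignTest
Format=app bundle with Mach-O thin (arm64)
CodeDirectory v=20400 size=612 flags=0x10000(runtime) hashes=10+7 location=embedded
Hash type=sha256 size=32
Signature size=9045
Authority=Developer ID Application: Example Corp (TEAMID0000)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Nov 1, 2023 at 9:43:36 AM
Info.plist entries=12
TeamIdentifier=TEAMID0000
Sealed Resources version=2 rules=13 files=3
Internal requirements count=1 size=188'

# On a Mac:  codesign -dv --verbose=4 Foo.app 2>&1 | triage_codesign
# Run this file with --demo to see the findings for the constructed bad sample.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_BAD" | triage_codesign
    echo "findings for bad sample: $?"
fi
```

On the post's own output this reports three findings (runtime off, no resource seal, Info.plist not bound); re-signing the .app bundle with --timestamp --options runtime and then notarizing clears all three.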
Post not yet marked as solved
1 Replies
489 Views
I've built an app in Electron. I am in the process of preparing to release the app on my website as a free download. Since the app is free, I'm not really looking to spend a ton of money on security certificates. I can get the app to work on Windows by clicking through Windows Defender, but I cannot run it at all on Mac even after disabling Gatekeeper. So my question is... Is it possible for me to get a certificate for my Electron app through the Apple Developer Program? Keep in mind I have never touched the Apple developer ecosystem. Avoiding subscriptions for this app's security certificates is what I am looking for, as that is all I have seen as options online so far. Any other suggestions are more than welcome! Thanks in advance!
Posted
by
Post marked as solved
6 Replies
636 Views
I was reading through this post: https://developer.apple.com/forums/thread/718583 I've been able to reproduce this behavior by double-clicking a DMG in the Finder while the Mac is Offline. I checked the Notarization status of the app via spctl and it shows "Notarized Developer ID". So sure enough, Quinn's comment about Gatekeeper "ingesting" the notarization ticket stapled to the DMG and automatically applying it to the app inside is 100% spot-on. However, I can't seem to get the same behavior to happen when mounting the DMG via hdiutil in Terminal. While Offline, I do a: hdiutil attach /path/to/my/dmg.dmg and then spctl -a -t exec -vvv /Volumes/path/to/my/mounted/dmg/myapp.app After the spctl I'm seeing /Volumes/path/to/my/mounted/dmg/myapp.app: rejected source=Unnotarized Developer ID origin=Developer ID Application: My Developer Creds (XXXXXXXXXX) Is there a way to get Gatekeeper to "ingest" the notarization ticket stapled to the DMG when using hdiutil while Offline? Note 1: If I use hdiutil while online, everything works as expected. Note 2: I'm testing all this via a VM of macOS 12.7.1, if that makes any difference. Thanks!
Posted
by
Post not yet marked as solved
2 Replies
557 Views
Have been working on a Java open source project for 8 years, with the last 2+ years on a cross-platform desktop GUI for it with a separate updater. The self-contained application runs on Linux and Windows; now I'm trying to figure out Mac. Have had a MacBook Pro 13" Late 2013 Retina running Big Sur 11.7.10 for 3 weeks. Very new to Apple, but a retired 48-year engineer trying to support macOS for the first time. Building with Ant and the appbundler task, https://github.com/TheInfiniteKind/appbundler, then creating a DMG with DMG Canvas, https://www.araelium.com/dmgcanvas. Deliberately supporting older systems due to the nature of this data management and back-up application. It's been adapted to the macOS look 'n' feel. Questions: If I sign up as an Apple Developer and pay the fee, will this 2013 MacBook Pro still be able to sign DMG files that will work on the latest macOS after its end of support in December 2023? For an updater: should both the main application and the separate updater be signed? The basic process is: download updater into system temp folder, prepare and execute updater, stop desktop application, updater downloads new version, prepares and copies update to installed location, then restarts desktop application and ends the updater. I'm old and have set up this open source project and web site so that it can be passed off to others when I stop, one way or another. Can the developer account or certificate credentials be transferred to someone else at that time? Guidance for a noob would be appreciated. Thank you for your time. The project, not released yet: https://github.com/Corionis/ELS/tree/Version-4.0.0
Posted
by
Post marked as solved
1 Replies
459 Views
I have created an "installer" style DMG for a VST3 audio plug-in. It works fine on 13.4, but fails on 14.1. Note this is when I download the DMG from GitHub. On 14.1, when I drag the plug-in icon to the link to /Library/Audio/Plug-Ins/VST3, the icon snaps back and the copy is not made. It DOES work if I use xattr to remove the quarantine. I can also mount the DMG, cd into the volume and use cp -R to copy the bundle through the link. Random other facts: The DMG is built on a GitHub runner (macOS 12.6.9) using Xcode 14.2. The plug-in and the DMG are signed. The DMG is notarized and stapled. Any help would be greatly appreciated! Thanks!
Posted
by
Post not yet marked as solved
0 Replies
465 Views
Our updating process is a launchd daemon that will download zipped bundle directories that contain resources to be used for updating. One of the bundles is an app that has a tool that is executed to perform the updating after all of the bundles have been downloaded. We are finding that on Sonoma, starting in version 14.1, the zip extraction of the bundle containing the executable is now blocked on about 1 in 7 computers when the bundle directory itself is being created.

<redacted>Updater <subsystem> Error during Extract state: Error Domain=<our error domain> Code=2001 "filesystem error: in create_directories: Operation not permitted ["/Library/Caches/<reverse-DNS name>/<redacted>Installer.bundle"]" UserInfo={NSLocalizedDescription=filesystem error: in create_directories: Operation not permitted ["/Library/Caches/<reverse-DNS name>/<redacted>Installer.bundle"]}

We have seen the following error just preceding the above on some of these failures:

<date> Error 0x45c755 184 0 sandboxd: tcc_server_message_request_authorization(kTCCServiceSystemPolicyAppBundles) failed: Error Domain=kTCCErrorDomain Code=2 "missing 'auth_value' in reply message" UserInfo={NSDescription=missing 'auth_value' in reply message}
<date> Error 0x0 184 0 sandboxd: [com.apple.sandbox.reporting:violation] System Policy: <redacted>Updater(1431) deny(1) file-write-create /Library/Caches/<reverse-DNS name>/<redacted>Installer.bundle Violation: deny(1) file-write-create /Library/Caches/<reverse-DNS name>/<redacted>Installer.bundle

I believe that the kTCCServiceSystemPolicyAppBundles failure occurs because TCC has determined that our Updater does not have permission to modify the Installer.bundle. Both the Updater and Installer.bundle have been signed by the same Apple Developer certificate (with the same team ID). The Updater has been using this same procedure successfully but starts failing after the update to Sonoma v14.1. When this failure occurs, the updater has been able to extract the other resource-only bundles (no executables) that precede it. Computers that have this failure show the updater in the System Settings > Privacy & Security > Full Disk Access list as disabled. The computers that do not see this failure do not have the updater listed in Full Disk Access. This has been raised as Feedback #FB13359407. What is the recommended way that an updater is supposed to create a new copy of an application without running into these TCC errors? Would extracting the app bundle as a directory without the .bundle extension and then renaming the directory to add the .bundle extension be a reasonable approach? BTW: The above approach does seem to work on Sonoma v14.1. At what point does an app become subject to kTCCServiceSystemPolicyAppBundles? Is it just a directory with a .app or .bundle extension, or when a bundle structure exists that a signing check can validate?
Posted
by
Post not yet marked as solved
11 Replies
721 Views
Have been using a Mac for about a month, but am a 48-year engineer. Too many operating systems to list. Have my cross-platform self-contained Java application looking great on macOS with all the cool Mac conventions and a DMG "installer". Am attempting to get the existing self-updater working for macOS. It has conditional logic based on the operating system. But I'm stuck ... this is on a MacBook Pro 13" Retina Late 2013 2.8GHz running macOS Big Sur 11.7.10 (fully updated). Deliberately supporting older hardware due to the nature of the application.

The Process in Short
1. Main program downloads updater program into a system temp directory
2. Mounts updater DMG image with -mountroot in that directory
3. Executes updater .app
4. Exits
5. Updater program downloads new Main program
6. Mounts new program DMG image in the system temp directory (the DMG image is the same one used for initial installations)
7. Makes back-ups of the Java and Plugins directories of existing program
8. Copies the new Java and Plugins directories to existing Main program locations
9. Unmounts new program DMG image
10. Either deletes back-up directories or restores them based on success or failure
11. Restarts Main program .app
12. Exits
13. Main program receives special argument indicating success or failure of update
14. Unmounts updater DMG image
15. Displays appropriate dialog

Issues
The problems encountered are the mounting and unmounting of the DMG images, executing hdiutil with Java Runtime.getRuntime().exec(). All mounts and unmounts have 1.5 sec. time-delayed retries for 3 attempts.
- The initial download, mount, and execution of the updater works
- The mounting of the downloaded update DMG fails (running the command by hand works)
- When the Main program is restarted the unmount of the updater DMG fails (running the command by hand works)
Also, these are unsigned images at this point. Have been unsure whether I would support macOS. But this is the last stumbling block.

Questions
Odd point: the initial download, mount and execution of the updater works.
- Is this all because the DMG images are not signed (yet), so hdiutil is failing?
- Or is there something basic that I'm missing?

Thank you for taking your time to read this. Any pointers would be appreciated.

The Project
https://github.com/Corionis/ELS/tree/Version-4.0.0 (not released)
Component projects: https://github.com/Corionis
Posted
by
Post not yet marked as solved
1 Replies
849 Views
Hi! I am wondering about certain behavior that I witnessed today. Base scenario: I created a developer-certificate-signed version of my installer package and then downloaded it via the internet. It has not been notarized. As expected, macOS prevented the opening of the package, stating that it could not be determined whether it contained malicious content. But several operations I then performed made this package trusted by macOS: I moved the package through a file-sharing service via Finder, namely OneDrive. The recipient machine immediately opened the unsigned package, without any interruption from the operating system. This sounds extremely insecure. I checked manually with xattr, and indeed, the com.apple.quarantine attribute had been removed on the recipient side. I used pkgutil to explode the package, modified some files in it, then recompiled it. xattr again confirmed that the quarantine attribute had been removed. Why can pkgutil operate on untrusted packages? I have personally been extremely surprised that operations as simple as these remove security hurdles in macOS. These scenarios can be harmful for end users who have little IT knowledge. Why are they allowed? Are these scenarios considered the responsibility of end users? Why do we notarize and sign with precious distribution certificates if it's this simple to bypass any security check on macOS? :(
Posted
by
Post not yet marked as solved
6 Replies
787 Views
Hi, We have an app that installs a number of system extensions. According to this documentation the app must be located in the Applications folder to be activated, so when the app launches we check that it is running from /Applications (or a subfolder) and if it isn't we inform the user and exit. This has been working fine until a recent submission, whereupon installing the app via TestFlight causes it to be translocated when run and our check to fail. So, a couple of questions: Is it expected that an app installed via TestFlight (or indeed the App Store) can be translocated when it is run? If yes to the above, how can we ensure that our app is running from Applications and can therefore activate its extensions? Thanks Alan
Posted
by
Post not yet marked as solved
2 Replies
483 Views
I want to distribute my app with my developer ID. This works fine in a dmg or zip container if I download it on another Mac by FTP. But if I download it by HTTPS macOS brings a Popup: “Rocrail.app” is damaged and can’t be opened. You should move it to the Bin. I don't understand the diff between FTP and HTTPS download... How can I fix this?
Posted
by
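This post and the OneDrive/pkgutil post above come down to the same mechanism. Gatekeeper's "downloaded from the Internet" checks are keyed on the com.apple.quarantine extended attribute, and that attribute is written by the application that creates the file (browsers and other apps that opt in via LSFileQuarantineEnabled, plus all sandboxed apps), not by the network. A browser sets it on an HTTPS download; an FTP client, a sync client or a tool that rebuilds the file may not, and then macOS has nothing to assess at first launch. The script below is an added example, not code from either post: it decodes the attribute value (field layout as observed on macOS, which Apple does not document) and, on a Mac, reads it with xattr. The sample value is constructed.

```shell
#!/bin/sh
# Added example (not from either post): decode the com.apple.quarantine
# extended attribute that a quarantine-aware app puts on a file it writes.
#
# Value format as observed on macOS (undocumented by Apple):
#   <flags hex>;<download time, hex seconds since epoch>;<agent name>;<UUID>
# The UUID is optional and keys the entry in the LaunchServices quarantine
# database. Flag bit semantics are not published, so they are printed, not
# interpreted.
#
# Usage: parse_quarantine "<value>" [flags|epoch|agent|uuid]
#        with no field name, all four are printed as key=value lines.
parse_quarantine() {
    value=$1
    field=${2:-all}
    old_ifs=$IFS
    set -f                 # no pathname expansion while splitting the value
    IFS=';'
    set -- $value          # split on ';' only, so agent names with spaces survive
    set +f
    IFS=$old_ifs
    flags=$1; hextime=$2; agent=$3; uuid=$4
    [ -n "$flags" ] || { echo "empty quarantine value" >&2; return 1; }
    case $hextime in
        ''|*[!0-9a-fA-F]*) epoch='' ;;          # not a hex timestamp
        *) epoch=$((0x$hextime)) ;;
    esac
    case $field in
        flags) printf '%s\n' "$flags" ;;
        epoch) printf '%s\n' "$epoch" ;;
        agent) printf '%s\n' "$agent" ;;
        uuid)  printf '%s\n' "$uuid" ;;
        all)   printf 'flags=%s\nepoch=%s\nagent=%s\nuuid=%s\n' "$flags" "$epoch" "$agent" "$uuid" ;;
        *)     echo "unknown field: $field" >&2; return 2 ;;
    esac
}

# Read the attribute off a file with the system xattr tool (macOS).
# Returns 3 when xattr is not installed, so "no tool" is distinguishable
# from "no attribute" (xattr exits non-zero when the attribute is absent).
quarantine_of() {
    command -v xattr >/dev/null 2>&1 || return 3
    xattr -p com.apple.quarantine "$1" 2>/dev/null
}

# Constructed sample value in the shape Safari writes (the UUID is made up).
SAMPLE_QUARANTINE='0083;65b2c0e4;Safari;2F0A1C7E-9B3D-4E5F-8A6B-1234567890AB'

# Run this file with a path to inspect a real download:  sh quarantine.sh ~/Downloads/App.dmg
if [ "${1:-}" != "" ]; then
    v=$(quarantine_of "$1") && parse_quarantine "$v" || echo "no quarantine attribute on $1"
fi
```

To compare two copies of the same download (the FTP and HTTPS cases in this post), run the script on each: the copy whose attribute is absent is the one Gatekeeper never looked at, and xattr -d com.apple.quarantine is the same removal the previous post observed OneDrive and pkgutil performing.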
Post not yet marked as solved
3 Replies
482 Views
Hi, I've run into an issue which only seems to affect one of my Macs. It's currently running 14.2.1 but I first saw this issue in 13.6. If I download the macOS Sonoma 14.2.1 installer (via the App Store) onto this particular machine, it will never execute the installer. It always reports that the installer is "damaged". Of course I did research this online and you get the usual unhelpful posts which just say "re-download it", and of course I wouldn't be posting here had I not tried that. This happens with any macOS installer I download using the softwareupdate --fetch-full-installer utility as well. The thing is, if I copy this .app to another (identical as far as I can tell) Mac, it will work. So far this also seems limited to macOS installers; other third-party apps are fine. I'm convinced this is related to trusted execution and something has gone wrong in the environment. I've been looking at my router logs to see if any connections may have been blocked (I'm using OPNsense) and also looking to see what connections are being made via Little Snitch, and so far it looks fine. Again, other machines on the network can run these just fine. I've read through eskimo's excellent guide here: https://forums.developer.apple.com/forums/thread/706442 but I was wondering if anyone can give me some pointers to narrow this down further. As it stands, I can't trust this machine for app development if I can't even get the official Apple installers to run successfully.
Posted
by
Post not yet marked as solved
1 Replies
408 Views
Hello, I jump on my Mac every 3-4 months to release a new version of my apps. The process usually is "ok", some CMake/compile issues as 99% of dev is done on Windows, but other than that it's all good. But now I'm stuck. My app can run locally/start etc. just fine, but clients are panicking because they can't run them. They get an undefined developer warning. I don't understand this. It's notarised and has been working for 2 years. What am I doing wrong?! How can I test it? I tried creating a new user profile on my Mac, but there is no issue, the app starts. Do I need to buy ANOTHER Mac to test my apps before release?! Can anyone help with how to debug this issue? I'm lost. I used Finder compress on myapp.app & sent it via Slack to the client to get him quickly going, but that does not help either - I thought it was zip stripping down data or something. Anyway, very frustrated here, and lost. Can anyone help? Hint? Is this a good resource to check against? https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Procedures/Procedures.html I've run spctl --assess --type execute myApp and I'm getting: rejected (bundle format is ambiguous (could be app or framework)) But then why does it notarize/sign/etc. with no errors?! I'm so lost :-(((( Any help would be greatly appreciated. I've attached app content > Ok, I've tested my older releases, they all have the same issue but they all work on client systems. I'm so lost :-(((
Posted
by
Post not yet marked as solved
3 Replies
457 Views
We are using an iPhone app distributed as an AdHoc app, but an error message saying "App cannot be verified" was displayed. The error screen says, "Internet connection is required to verify the credibility of developer "Apple Distribution:●●●● CO.,LTD.(QQQ29B8GG2)"." When using this app, We are connected to the LAN, but not connected to the Internet. If you temporarily connect to the Internet and start the app when the error screen appears, the error screen will disappear. After that, when I switched from connecting to the Internet to connecting to LAN, it worked normally for a while, but after about 2 months, the same error screen appears again. Please tell me how to resolve this error.
Posted
by
Post marked as solved
3 Replies
693 Views
Hello, I'm running into an issue when code signing my .app file on macOS. After introducing the --entitlements flag, I'm encountering an error that prevents the app from launching:

Error messages:
App UI: "Cannot open the file"
Terminal (using open file.app): The application cannot be opened for an unexpected reason, error=Error Domain=RBSRequestErrorDomain Code=5 "Launch failed." UserInfo={NSLocalizedFailureReason=Launch failed., NSUnderlyingError=0x60000216d620 {Error Domain=NSPOSIXErrorDomain Code=153 "Unknown error: 153" UserInfo={NSLocalizedDescription=Launchd job spawn failed}}}

Troubleshooting details:
- Without code signing, the app launches and permission pop-ups function correctly (the file tauri generates).
- With code signing (but without --entitlements), the app launches but there are no permission pop-ups.
- All scenarios (without signing, with signing, with signing + --entitlements) have Info.plist in the /Contents of the .app file.
- Notarizing and stapling works fine when I do not include the --entitlements flag when signing.

Code for signing with entitlements:
codesign --timestamp --sign "Developer ID Application: ()" --options=runtime --entitlements ./src-tauri/Info.plist "${APP_FILE}"

Specifications: MacBook Air, M2, 16GB; macOS Sonoma 14.3.1; Xcode 15.2 (Build version 15C500b)
Posted
by
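The command quoted in the post above hands ./src-tauri/Info.plist to --entitlements. codesign embeds whatever plist it is given as the entitlements blob and does not check the key names, so a mix-up like that only surfaces when the signed app fails to launch or the notary service rejects it. The script below is an added example, not code from the post or from Tauri. It checks a plist before it goes to codesign --entitlements, flagging Info.plist keys, hardened-runtime exceptions (com.apple.security.cs.*, which should be kept to the minimum the app needs) and com.apple.security.get-task-allow, which the notary service rejects in Developer ID builds. The two sample files it writes are constructed.

```shell
#!/bin/sh
# Added example (not from the post): lint a file before passing it to
# codesign --entitlements. Prints one "FINDING:" line per problem and returns
# the number of findings (0 means the file looks like a plausible entitlements
# plist). It only reads XML plists; convert binary ones first with
#   plutil -convert xml1 Entitlements.plist
lint_entitlements() {
    file=$1
    findings=0
    note() { printf 'FINDING: %s\n' "$1"; findings=$((findings + 1)); }
    if ! grep -q '<plist' "$file" 2>/dev/null; then
        note "$file is missing or not an XML plist"
        return "$findings"
    fi
    # Pull every <key>...</key>; entitlement files are a flat dict of keys.
    keys=$(grep -o '<key>[^<]*</key>' "$file" | sed 's|<key>||; s|</key>||')
    [ -n "$keys" ] || note "no <key> entries: empty entitlements?"
    for k in $keys; do
        case $k in
            CFBundle*|LSMinimumSystemVersion|NSPrincipalClass|NS*UsageDescription)
                note "'$k' is an Info.plist key: this looks like Info.plist, not an entitlements file" ;;
            com.apple.security.get-task-allow)
                note "'$k' makes the app debuggable; the notary service rejects Developer ID builds that carry it" ;;
            com.apple.security.cs.*)
                note "'$k' is a hardened runtime exception; keep it only if the app really needs it" ;;
            com.apple.security.*|com.apple.developer.*|com.apple.application-identifier|keychain-access-groups)
                : ;;
            *)
                note "'$k' is not a known entitlement key" ;;
        esac
    done
    return "$findings"
}

# Constructed samples (not the poster's files): an entitlements file with two
# keys that deserve a second look, and an Info.plist handed to --entitlements
# by mistake, as in the command quoted in the post.
write_sample_entitlements() {
cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
    <key>com.apple.security.get-task-allow</key>
    <true/>
</dict>
</plist>
EOF
}

write_sample_infoplist() {
cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.example.tauriapp</string>
    <key>CFBundleExecutable</key>
    <string>tauriapp</string>
    <key>LSMinimumSystemVersion</key>
    <string>10.13</string>
</dict>
</plist>
EOF
}

# Run this file with a path to lint a real file:  sh lint_entitlements.sh Entitlements.plist
if [ "${1:-}" != "" ]; then
    lint_entitlements "$1"
fi
```

Run it on the file from the signing command before signing; a non-zero exit with "looks like Info.plist" findings means the wrong plist was passed, and a hardened-runtime exception that the app does not need should be dropped rather than justified to the notary service.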