hoakley October 4, 2019 Macs, Technology

Will Gatekeeper let me run that app in Catalina?

From comments being posted on articles here, there’s still some confusion over whether macOS 10.15 Catalina will allow you to install and run old apps which aren’t notarized, or new ones which aren’t either. To clear this up, I’ve diagrammed the whole process in detail, to show you how you can work with Catalina’s new security rules.

You can of course just double-click a quarantined installer or app, and see what happens. In that case, you’re just jumping down a few steps, which in the great majority of cases should be fine, and successful. But here’s the detailed sequence that should ensure there are no surprises.

RunANewAppCatalina

The first question is whether the app, or its installer, is going to try to install a kernel extension. Although this is unusual, it makes a very big difference in Mojave and Catalina, as kernel extensions now undergo stringent checks before they can be successfully installed. The simple answer here is to ensure that you install a recent version which is fully notarized and compatible with Catalina. You can still install some kernel extensions which were signed before April 2019, but that can also get complex. And if a kernel extension signed from then on hasn’t been properly notarized, Catalina is probably not going to install it at all.

Straightforward apps without kernel extensions should already be notarized if they were signed from 1 June 2019 onwards. Older apps may be notarized, but shouldn’t have to be to install and run successfully.

If you see a dialog which informs you that Apple can’t check the app for malware, that means the app you’re trying to run hasn’t been notarized, but Catalina thinks it should have been. The workaround then is to use the Finder’s Open command to open the app instead of double-clicking it. This produces a similar dialog, but with an Open button which allows you to override it.

Once an app has completed its first run successfully, and satisfied Gatekeeper, you shouldn’t have to go through the same procedure again, as its quarantine flag will be cleared.

I hope that puts your mind at rest, that Catalina will run apps which haven’t been notarized, or even signed, if you wish it to. That said, I’d prefer my apps to be fully hardened, deep signed, and notarized whenever possible – it’s for our own security.

Postscript

Thanks to Rich Trouton for pointing out that the Open button in the Finder dialog may only be available to users who have admin rights. If it doesn’t appear, try switching to an admin user account and repeating the process.

11Comments

Add yours

1

EcleX on October 4, 2019 at 6:59 am

Thanks. You said:
“The workaround then is to use the Finder’s Open command to open the app instead of double-clicking it. This produces a similar dialog, but with an Open button which allows you to override it”.

Yet, sometimes that may no work. In such a case I have found only one workaround, involving using Terminal:
sudo spctl –master-disable

Open the application and then restore previous setting in Terminal:
sudo spctl –master-enable

Is there any other way?

LikeLiked by 1 person
- 2
  
  hoakley on October 4, 2019 at 7:07 am
  
  Thanks.
  Are you saying that this sometimes doesn’t work in Catalina? I haven’t seen any reports of that.
  If you want to open a quarantined app or installer and bypass Gatekeeper checks, then much better than changing the whole system settings is just to remove the quarantine flag – then Gatekeeper checks are bypassed for that item alone. However, that is also an excellent way of installing malware, so isn’t something you should do lightly.
  Howard.
  
  LikeLike
  - 3
    
    EcleX on October 4, 2019 at 5:44 pm
    
    I meant for macOS 10.12 Sierra. I have not tested newer versions yet.
    
    LikeLiked by 1 person
- 4
  
  alvarnell on October 4, 2019 at 10:33 am
  
  The only time that hasn’t worked for me was when the signature had been revoked by Apple, usually because it was malware.
  
  LikeLiked by 1 person
5

EricF on October 8, 2019 at 9:45 pm

Hi Howard…
I just found your site, and your postings about notarization and code-signing have been invaluable.

But I’m finding myself in a situation that “just shouldn’t happen”, and I’m hoping you can help.

I have a clean install of macOS 10.15 released version. I have an unsigned installer that installs a partially-signed application bundle. Nothing is notarized. The application was recently built (if that’s the same as the timestamp of its signing, then it was built on Sept 6, 2019). The installer also installs a signed kernel extension.

It installs and runs just fine.

No issues at install or launch time. When the kext is loaded, I do get the “System Extension Blocked” dialog. I click “Allow”, and everything’s fine.

But nothing is notarized. Taccy (thanks also for that, btw) just has “Developer ID” checked. The only thing unusual in Taccy’s report is “Property list incorrect format”.

Even though everything seems to be running fine, I need to solve the mystery: How can this be working if it’s not notarized and running on macOS 10.15?

I’m hoping you can shed some light on this, ’cause I’m stumped!

Thanks!

-Eric

LikeLike
- 6
  
  hoakley on October 9, 2019 at 8:03 am
  
  Sorry, your comment got trapped in Spam, somehow.
  Has the installer got a quarantine flag set? If not, then it won’t undergo any first run checks, and its lack of notarization won’t be a problem.
  If the kernel extension was signed before April 2019, then it isn’t required to be notarized either, and the behaviour that you’re seeing is normal.
  I would also complain bitterly to the developer – they’re breaking the rules. @rosyna would be very interested to have further details, please.
  Howard.
  
  LikeLike
7

EricF on October 9, 2019 at 4:51 pm

Hi Howard! Thank you for your reply…

I think you’ve solved the mystery. The little detail of the quarantine flag. When testing, our installer doesn’t get downloaded from the Internet. Hence, no quarantine flag, and no notarization either. When tested via download from a local server (via web browser), there’s a quarantine flag set and we get the no notarization warning.

The kernel extension was signed Jun, 2019, and is notarized. What rules has the extension developer broken?

Thanks again for your help (I have another question waiting in the wings, which I’ll get to later 🙂 )
-Eric

LikeLiked by 1 person
- 8
  
  hoakley on October 9, 2019 at 5:19 pm
  
  Good for the developer notarising the kernel extension: without that, Catalina (and late Mojave) wouldn’t permit it at all.
  However, at WWDC in June this year, Apple told developers that all apps must be notarized with effect from 1 June 2019. This does get complicated with apps which contain and install extensions, but in essence the developer has to build the whole app, including the notarized extension, then get the whole thing notarized too. Apple is keen to help those developers who seem to be having trouble accomplishing this, as from January 2020 onwards, requirements get even tougher, with hardening of apps becoming mandatory, for example.
  Howard.
  
  LikeLike
9

Notarization for MacAdmins – Cebu Scripts on October 9, 2019 at 8:00 pm

[…] Howard Oakley: Will Gatekeeper let me run that app in Catalina? […]

LikeLike
10

Michael Tsai - Blog - Catalina Notarization on October 17, 2019 at 7:38 pm

[…] Howard Oakley: […]

LikeLike
11

Catalina’s Dialog Bureaucracy — Pixel Envy on February 21, 2020 at 4:03 pm

[…] launch. This has long been a feature of MacOS’ Gatekeeper security software, but Catalina requires apps to be notarized. If the app you’re is not notarized, Catalina will tell you that the app “cannot be […]

LikeLike

·Comments are closed.

Share this:

Related