When you don’t have permission to run an app on an M1 Mac

One important difference between Intel and Apple Silicon Macs is that the latter can’t run unsigned code. Although executable code doesn’t have to be signed using an Apple certificate, or notarized, to run successfully on your M1 model, if there is a problem the error message is likely to confuse.

Instead of pointing out that what you just tried to launch wasn’t adequately signed, Big Sur 11.1 running on an M1 Mac complains that “you do not have permission” and refers you to a system administrator. Click on its Help button, and you’ll be further befuddled: this opens a page in the macOS User Guide which ultimately takes you to instructions on how to change file permissions.

In fact, the code signing error which has occurred is -67062, which indicates that macOS has been asked to run code which isn’t signed at all. It has absolutely nothing to do with permissions.

There’s also a simple workaround in many cases, which you definitely won’t discover if you follow up the misleading notion that this is about permissions. Chances are that the app you tried to run is a Universal App, in which case all you need do is open the Finder’s Get Info dialog and set it to be run following translation by Rosetta 2. This is because M1 Macs won’t run unsigned native (ARM) code, but will still run unsigned Intel code which has been passed through Rosetta’s translation. This is easily verified by taking a Universal App, stripping its signature using codesign, then running it with and without the Open using Rosetta option ticked.

If the app turns out to have just ARM executable code, not Intel, or should you want to run its ARM code despite its lack of a signature, then the best way forward is to sign it with your own ad-hoc signature using codesign – something that doesn’t require a developer account, or a certificate issued by Apple. You will, though, need to be absolutely certain that what you’re about to sign isn’t in the least bit malicious. I’ve explained ad-hoc and personal signing in this article.

When you launch an app from the Finder, this is passed to LaunchServices to handle. Although this starts the process of running the app, it puts that on hold while a whole series of checks are performed on the app. In just over 0.01 second, the LaunchServices daemon lsd calls for a trust evaluation on the code. This quickly returns the -67062 error, following which Apple Mobile File Integrity (AMFI) kills your app before it has even got going, as an “attempt to execute completely unsigned code (must be at least ad-hoc signed)”.

When the code is properly signed, even using an ad-hoc signature, that certificate is checked against any local list of revocations in /Library/Keychains/CARevocation.plist, which by default doesn’t exist. A relatively new subsystem, RunningBoard, then becomes involved and takes over management of your app’s access to resources such as memory and the GPU.

After that, AMFI runs a fuller signature check, LaunchServices fully registers the app in detail, then TCC (the privacy subsystem) gets to work on the app. An XProtect check is run on it, to ensure that it isn’t in its list of known malware signatures. The app’s signing certificate is checked online with Apple’s OCSP service to ensure that the certificate hasn’t been revoked, and any notarization is checked online with Apple’s CKTicketStore. If the app isn’t notarized, this returns an error of 3, but in the absence of a quarantine flag, that’s ignored, and the app is finally run.

Unsigned Intel apps – either those with only Intel code, or Universal Apps which have been set to Open using Rosetta – go through essentially the same sequence, but any code signing error of -67062 is ignored, as allowed by System Security Policy. Differences are best shown in the system policy evaluation result.

An acceptably-signed Universal App then returns a log entry similar to
AppleSystemPolicy evaluation result: 120, allowed, cache, 1611578100
An Intel executable being run using Rosetta translation returns
AppleSystemPolicy evaluation result: 125, allowed, skip-cache, 0
and failed, unsigned ARM code will return
AppleSystemPolicy ASP: Security policy would not allow process: 1197, /Applications/RostrumUU.app/Contents/MacOS/Rostrum
for example.

When you encounter an app which fails to open on an M1 Mac, resulting instead in that misleading alert, you now know what to do.

11Comments

Add yours

1

Joss on January 26, 2021 at 10:24 am

This also seems to happen when the executable has been compressed with upx.

LikeLiked by 1 person
- 2
  
  Joss on January 26, 2021 at 10:47 am
  
  I have to clarify. This also seems to happen on *Intel* Macs in Big Sur, so I assume it’s an additional security measure by macOS.
  
  LikeLiked by 1 person
  - 3
    
    hoakley on January 26, 2021 at 10:51 am
    
    Thank you.
    If that’s the case on Intel Macs, then it means that upx isn’t simply removing the signature, but is breaking it so that the macOS signature check returns an error other than one reporting that the code is unsigned. If that’s the case, upx isn’t compatible with current macOS requirements.
    Have you reported this as a bug?
    Howard.
    
    LikeLike
  - 4
    
    Joss on January 26, 2021 at 11:29 am
    
    My thoughts exactly. From the gut—and I might be wrong—I’d say the reason is that upx compresses the binary, and you can sign it afterwards, but when it’s executed, it gets decompressed in memory, and then the processes are (for lack of a better word) unsigned, even if the compressed binary file has an attached signature.
    
    Should I report it? Not to Apple… upx is i.a. used by malware, and it’s a common setting for AV scanners to warn when they detect a compressed binary, so I assume that Apple pulled the plug completely on this.
    
    Maybe there’s a workaround. You split the two architectures, then compress each one individually, then join the compressed archs again, then sign properly. (Or even sign before joining them.) I’ll have a look if there are some discussions regarding upx directly. Until now I’ve only read user reports that some (very few) upx-modified apps, even Intel-only apps, don’t run in Big Sur.
    
    LikeLiked by 1 person
    - 5
      
      hoakley on January 26, 2021 at 11:02 pm
      
      I think the answer is that upx isn’t designed to work with macOS. HFS+ and APFS do have transparent on-disk compression, but to the best of my knowledge that’s not available to third-parties. Trying to do this any other way than in the file system is doomed to failure.
      Howard.
      
      LikeLike
  - 6
    
    Joss on January 26, 2021 at 11:31 am
    
    upx -d /path/to/executable is of course a solution, followed by re-signing, but that only works if upx was applie using default parameters.
    
    LikeLiked by 1 person
7

Thomas Tempelmann (@tempelorg) on January 26, 2021 at 11:19 am

Ouch! I agree that this is very misleading, and needs to be fixed by Apple. Have you, by any chance, filed a bug report with Apple?

LikeLiked by 1 person
- 8
  
  Joss on January 26, 2021 at 11:36 am
  
  Hey, Thomas. Love FindAnyFile… best file search app on the market imho. Happy customer here. 🙂
  
  LikeLiked by 1 person
- 9
  
  hoakley on January 26, 2021 at 11:00 pm
  
  No: this is a bad time of year, as it’s tax return time! I’ve got 3 filed, 1 to go, and just to make life even busier I’ve had 7 pages of articles to write as well.
  But if no one in Apple has spotted this obvious error, I’ll be shocked.
  Howard.
  
  LikeLike
10

Miles on January 28, 2021 at 12:12 am

Hi Howard, thank you for the insightful article. Curious to know if you can recommend a work around or knowledge on how to approach Intels running into this issue on Big Sur other than the one mentioned in the previous post by Joss.

LikeLiked by 1 person
- 11
  
  hoakley on January 28, 2021 at 12:16 am
  
  You need to discover the signature error, which you can do using Taccy or ArchiChect. The precise error will reveal whether there’s a solution. The other thing to consider is stripping the signature using code sign.
  Howard
  
  LikeLike

Share this:

Related