Why some apps won’t run in Ventura and how to fix it

I have previously mentioned a significant change coming in Ventura’s security, specifically in Gatekeeper, which I now realise isn’t widely known. Some articles which mention it also recommend workarounds which at best are ineffective, and at worst could leave your Mac open to attack by most malware. This article explains this in more detail, and what you can safely do should you encounter problems.

Cast your mind back to the likes of Mojave, and what happens when you run non-App Store apps that have a quarantine flag set. This is normally the first time the app has been run since it has been downloaded, and the Gatekeeper security mechanism runs full checks, including code signature checks. If those fail, you’re warned, and running the app is blocked.

Fast forward to Ventura in a few weeks’ time, and not only are there notarization checks, introduced in Catalina, but every time you run that app the same checks on its signature and notarization are made as if it were undergoing first run. If the app doesn’t pass those, you’ll see similar dialogs to those shown when the problem has occurred on first run, and Gatekeeper will block that app from running on your Mac.

What could possibly go wrong?

There are three likely reasons for an app failing Ventura’s additional Gatekeeper checks:

  • the app has been modified for a benign reason, normally by its own mechanism for updating it in place;
  • the user has modified the app, or it has become unintentionally damaged;
  • the app has been modified by malicious software.

Note that Apple states that these new checks are only made on apps which are notarized: if you run unnotarized software, such as your own, then it doesn’t appear to be subject to them.

Many apps distributed outside the App Store incorporate a mechanism, commonly using Sparkle, to update them in place. In some older cases, that leaves the updated app with discrepancies in its code signing and/or notarization. If that happens, the best solution is to visit the app’s website and download a fresh copy of the new version, which should be correctly signed and notarized. Trash the updated copy of that app and replace it with the fresh copy. If that still has signature or notarization problems, then please let its developer know. Don’t attempt to ‘force’ it to run, as it could be broken or even malicious.

The same solution applies to those apps which might have become damaged unintentionally, or which you have tried to modify yourself. Prior to Ventura, some users have taken to performing minor surgery on their apps once they have cleared first run Gatekeeper checks. If you do this in Ventura, the most likely consequence is that the app won’t be usable any more, and will have to be reinstalled from scratch.
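Before trashing and re-downloading, it helps to know which of the two checks the app is failing. The script below is an added example, not from the original article; it runs Apple’s own `codesign` and `spctl` tools against an app path you supply (placeholder), and keeps the interpretation of their output in separate functions so that logic can be exercised with constructed sample output.

```shell
#!/bin/sh
# Added example: report whether an app bundle would pass the signature and
# notarization checks Ventura's Gatekeeper makes on every launch.

# Classify the text printed by `spctl --assess --type execute --verbose`.
# Prints: notarized | accepted-not-notarized | rejected | unknown
interpret_spctl() {
    case "$1" in
        *": accepted"*"source=Notarized Developer ID"*) echo notarized ;;
        *": accepted"*) echo accepted-not-notarized ;;
        *": rejected"*) echo rejected ;;
        *) echo unknown ;;
    esac
}

# Classify `codesign --verify` by its exit status and message.
# Prints: valid | modified | unsigned | invalid
interpret_codesign() {
    status="$1"; out="$2"
    if [ "$status" -eq 0 ]; then echo valid; return; fi
    case "$out" in
        *"modified"*|*"sealed resource"*) echo modified ;;   # app changed after signing
        *"not signed"*) echo unsigned ;;
        *) echo invalid ;;
    esac
}

# Run both checks on a real bundle (macOS only) and print a verdict.
check_app() {
    app="$1"
    cs_status=0
    cs_out=$(codesign --verify --deep --strict "$app" 2>&1) || cs_status=$?
    sig=$(interpret_codesign "$cs_status" "$cs_out")
    sp_out=$(spctl --assess --type execute --verbose "$app" 2>&1) || true
    gk=$(interpret_spctl "$sp_out")
    printf 'signature: %s\ngatekeeper: %s\n' "$sig" "$gk"
    if [ "$sig/$gk" = valid/notarized ]; then
        echo "OK: this app should launch normally in Ventura."
    else
        echo "Replace with a fresh download from the developer; do not strip xattrs or disable Gatekeeper."
    fi
}

# Usage: sh gkcheck.sh /Applications/YourApp.app   (path is a placeholder)
# Without an argument, demonstrate the classifier on constructed spctl output.
if [ -n "${1:-}" ]; then
    check_app "$1"
else
    sample=$(printf '/Applications/Example.app: rejected\nsource=no usable signature')
    echo "constructed sample -> $(interpret_spctl "$sample")"
fi
```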

Apple explains the various dialogs and messages you could encounter during Gatekeeper checks in this article. If you’re not already familiar with them, they are worth reviewing whichever (recent) version of macOS you’re running now.

If you develop apps which update themselves using Sparkle or any other mechanism, other than providing a complete signed and notarized copy of the app, then you need to study Justin Sagurton’s presentation What’s new in privacy from WWDC22. In particular, he explains how apps can be modified by other apps signed by a different developer team.

What shouldn’t you try?

Some of the few websites that seem to have noticed this significant change in Ventura also recommend two other solutions, one of which is ineffective and potentially damaging, and the other invites your Mac to run malicious software.

Because Ventura is extending Gatekeeper’s checks to apps which have already successfully completed their first run, stripping any quarantine flag or all extended attributes from the app is pointless, and doing so to try to avoid first run checks is equally futile. Every time you launch a notarized app, it will now undergo full Gatekeeper signature and notarization checks.

Because the recommendation is often to strip all extended attributes using the command line, there is also a significant risk of damaging the app in the process, even though extended attributes themselves fall outside the scope of code signatures (otherwise the quarantine flag would break every signature as soon as it was set).

The other workaround I have seen recommended is turning Gatekeeper checks off altogether, inviting catastrophe. Because Gatekeeper now runs these checks whenever an app is started, the moment that you enable the checks again, that app will be just as broken as it was before you turned them off. So this is only a ‘solution’ if you leave Gatekeeper off permanently. As it’s your Mac’s primary defence against malware, without Gatekeeper almost any malicious software can be installed and run without any protection, other than XProtect Remediator trying to repair the damage afterwards.

Any website which recommends either of those workarounds cannot be trusted. Suspect that site may be encouraging you to remove your Mac’s defences so that it can install malicious software on it.

How likely is this?

Unless you run third-party apps supplied outside the App Store that are notarized but use an old mechanism to update themselves, you shouldn’t ever encounter these problems in Ventura.