Hacker News new | past | comments | ask | show | jobs | submit login
macOS gatekeeper and file quarantine bypass (objective-see.com)
351 points by robertkrahn01 8 months ago | hide | past | favorite | 119 comments

Fascinating article. Short version: there was a bug in the part of Apple’s Gatekeeper code that checked whether a file was an application bundle. Bundles that only contained a script, and not a plist file, were considered “not a bundle,” and this bypasses the Gatekeeper checks.

The issue is fixed in the latest version of Big Sur. Be sure to upgrade. It’s being exploited in the wild.

What about macOS Catalina users? Any updates / fixes for them? Do you happen to know?

It appears this behavior was introduced in Catalina, so I’d assume a complimentary fix to 11.3 will be available for 10.x - no word on timing AFAIK.

Security Update bundles were released for Catalina and Mojave as well.

The list of security fixes for the Big Sur update 11.3 has three entries mentioning Gatekeeper: https://support.apple.com/en-us/HT212325

...whereas the list for Catalina has only one: https://support.apple.com/kb/HT212326

The bad thing is: They patched Catalina less than Big Sur with the new update :(

Compare "Gatekeeper" fixed issues here:

https://support.apple.com/en-us/HT212326 Catalina

https://support.apple.com/en-us/HT212325 Big Sur

Feels for me that they only patched one part of it on Catalina but gates are more open on the older macOS. Really don't like that.

Is this how early versions of the Zoom installer bypassed gatekeeper for a zero-click install?

That worked by using the preinstall check that Installer.app invokes to do the installation. It would finish by force quitting Installer.

> Be sure to upgrade.

This is a technical crowd, so some of us don't need to rush to download things like this. I'll upgrade when it's convenient, thank you very much.

Funny that when you started with "this is a technical crowd" I thought you will continue with "we don't need to be reminded to upgrade".

I usually hack the hackers first

We may be technical, but we are beholden to products we use as well. Being technical can also mean we are more aware of the dangers of upgrading too soon.

Why is the technical crowd less in need of an upgrade? My proverbial “grandmother” only accesses her gmail and one news page. Arguably she’s at less risk than someone testing new software.

Given the ease and severity of this I don't think being technical does anything for you.

I am grateful for the "upgrade now" message being pushed it. As a technical user I can't trust my skills and knowledge to truly keep me safe from this one.

How did you ever survive all that time where you had to decide for yourself whether to run a program or not, without Gatekeeper holding your hand?

Gatekeeper is one of the most frustrating things I have to fight whenever I try using MacOS. It feels like DRM for my applications, which in turn makes everything feel clunkier, and less integrated. I would genuinely pay Apple extra for a version of MacOS that just trusts me and lets me install what I want without the some esoteric mechanism stopping me at every step of the way...

Then turn it off. Open the Terminal and run:

    sudo spctl --master-disable
That's it, it will never bother you again, unless you turn it back on or reinstall the OS from scratch. If macOS is still too limiting, you can also turn off System Integrity Protection, at which point you can do just about whatever the heck you want.

I personally kept both Gatekeeper and SIP turned off, back when I used modern macOS. But if they are turned on, they ought to work.

No, this still keeps some gatekeeper checks, popups when downloading files, weird arguments being passed to apps on first launch, etc. Even if doing it in the root recovery mode.

Does turning those off still leave the logs redacted?

Or do you also have to install the profile after you tell it to get out of your way?

I don’t use Big Sur but I don’t think it has any affect on logs. Without SIP, you could patch the kernel or something and change whatever you want, but that would of course be nuts.

I share your curiosity. If your computer isn't already managed, installing an MDM profile in order to view logs is ridiculous. I don’t even think there’s a way to do it without paying money.

That page is somewhat misleading. MDM is one way to install configuration profiles, but you can also install them by hand. No signing required, either. You can just stick that XML in a file with extension .mobileconfig, then double-click the file, and it will prompt you to install it.

Or download a signed version from here (not my site):


That has nothing to do with log redaction. That's to prevent private data escaping apps and either being sent to Apple or readable by others. You want that on.

What would I need to get it down to a Mojave level of inconvenience?

That I can't answer. The most recent version of macOS I've used for any length of time was High Sierra, because even Mojave broke something essential for me—Apple Events need to be authorized once for every combination of (1) the app being controlled and (2) the app sending the event. Combined with the fact that my authorizations were often reset when I edited a script, this made most of my Applescripts effectively useless.

But it's a very different problem from Gatekeeper. And from iOS, where the user legitimately has no control. If SIP is turned off, you could write an app that strips out every macOS behavior you dislike, because without SIP apps can patch whatever they want.

It's not that macOS doesn't trust you, it's that macOS doesn't trust the programs you're running. Specifically, it doesn't trust the programs to do what you want them to, and only what you want them to.

And it's not just a matter of protecting you against out-and-out malware (although that's certainly part of it), it's a matter of protecting you against developers whose interests don't entirely align with yours. Developers who really want to spy on their users seem to be the biggest group (see, for example, the recent Apple vs. Facebook kerfuffle).

Unfortunately, distrusting software does add friction, especially if you add (/update-via-unsupported-mechanisms) new software frequently. "Are you sure you meant to run this program? It looks weird to me; I think you should get rid of it. Should it really have access to your contacts/camera/etc?" macOS is acting a little like an overprotective parent here, and it's certainly annoying. But the threats it's trying to protect you from are real. You can turn the protections off (with a certain amount of work), but then you're vulnerable to all the stuff it's there to protect you from.

P.s. I don't mean to completely defend Apple here. Their preferred solution is to have all software distribution go through their App store... where they get a cut of the price. Which means they're also on the list of developers whose interests don't entirely align with yours.

I understand what Apple's intentions here are, but abstracting away a security risk is only inviting disaster, and it's kinda endemic of an issue throughout Apple's ecosystem: their whole game is about reducing the power of the end user. It makes sense from some angles, security being one, but it also impedes the freedom of choice. Instead of engineering their software to appeal to the lowest common denominator, they should be empowering people who want to push beyond that envelope and offering extensibility to those who want to take advantage of it.

This is a weird way to justify it.

I told macOS to run that program because I trust it. If macOS trusts me then it transitively trusts the program I told it to run.

In other words macOS doesn't trust me to validate programs before I try to run them.

What frustrates you about it? I rarely bump into Gatekeeper and I'm doing the normal dev things.

I'm assuming you don't use the package manager like Homebrew or MacPorts? this is where the gatekeeper will annoy the hell out of me. Apps installed via Homebrew often will encounter Gatekeeper alerts. Half of them will give the option to open it and the other half, the gatekeeper --demands-- gently ask me to put it in the Trash without the option to open it.

That's... unusual.

I use Homebrew constantly and have never seen such a thing in my life, in any version of macOS/OSX over the past several years. Not in building from source, not in casks.

Like another commenter the only security change I have is "Allow apps downloaded from" set to "App store and identified developers" -- which I'd assume virtually every Mac user on HN has also set.

Perhaps you have some kind of unusual configuration? Or there's some very specific subcategory of Homebrew packages that encounter this problem?

Same, I install almost all new software via Homebrew and I've never had this problem.

What works for me is to ignore the trash message, in Finder, find the App, right click open, macOS displays a warning and open prompt, click Open, next time around do the same and post it seems to be fine.

I use Homebrew daily. In System Preferences, I have Security & Privacy > General > Allow apps downloaded from: App Store and identified developers, and I don't remember the last time I got a Gatekeeper alert.

I have that option enabled since the first booting of my Macbook Air M1 and gatekeeper alert is still showing. And I am sure we are not using the same apps that ran into those alerts. I have Vivaldi, Alfred, AppCleaner, EasyFind, iTerm2, KeepassXC, MacPass, Keka, MediaInfo, NoMachine, Numi, OBS, odrive, Signal, Slack, TexStudio and VLC ran into those alert.

I am genuinely curious why people are singing that "I don't have that such problems in my computer!" slogan repeatedly? Some of us have that problem and just because we have the same OS and possible the same hardware didn't mean it is impossible. I wish people change that particular mindset and be aware that those problems does exist.

You're hugely misreading my intentions. I'm an engineer: I see something unexpected, I want to figure out what's happening. You and I are both using the same software and you're seeing problems that I didn't even know affected some people. I'm not saying "this works for me so I don't know what you're complaining about". I'm saying "huh, this works for me. I wonder what's different between our systems? Is this something that's going to spontaneously start affecting me if I click the wrong toggle somewhere?"

Obviously the problem is possible. It's happening to you. I'd like to find out why so that I can troubleshoot and fix the problem if it starts happening to me or my friends or coworkers. And really, I'd like to help you fix it, too, if I could figure out what's causing it.

Apologies for misreading you, I'm just frustrated and accepted the fact that it is by design.

I been reading other comments and as someone (xrisk) pointed out that it is Homebrew Casks which it made sense since all of the gatekeeper alerts is coming from 'Cask-ed' apps. I could disable Gatekeeper but I rather not because MacOS is not my daily driver. I rather to keep Gatekeeper active to protect itself from moronic me.

Given how ubiquitous your problem is, I would be suspicious that security alerts are going off because you have a real security problem. I've seen similar problems when a piece of malware keeps trying to inject itself into various things, and Gatekeeper is catching it. The variety of places where you're getting alerts is a testament to the persistence of the malware, and not the fact that everything is actually broken.

That's OK. If I were in your boat, I'd probably be pretty frustrated.

Does the method of right-clicking on an app, then "Open", in Finder work to tell Gatekeeper to quit complaining?

Probably the simplest thing then would be to alias brew install to something like spctl —master-disable; brew install $1; spctl —master-enable

`spctl --master-disable` requires root permissions (sudo).

You could edit sudoers so the command doesn't require a password. But really, at that point I'd just leave Gatekeeper off.

Is it possible you do this on a corp machine that has Google's Santa running & it's just a language precision issue? Google Santa will definitely prompt on nearly everything & is extremely annoying for Homebrew. Google Santa != Gatekeeper though.

Because if they can’t reproduce, then much more likely than not, the problem is not inherent to the platform. In this case, there’s probably a deviation in config settings.

Additionally if they can’t reproduce, they can’t offer any advice or help.

It’s highly unlikely that MacOS behaves specially for your existence.

The latest time I had a Homebrew package fail to install, due to security restrictions that work just fine for the other thousands of packages there, it was the package trying to do something it shouldn’t have, and was promptly fixed. You may have run into a similar scenario.

He’s talking about Homebrew Cask.

I've been having issues with non-cask Homebrew packages getting blocked by some Gatekeeper/SIP related watchdog on my new M1 system. Stuff would just get insta-killed at load. Anyway, it seems to have been sorted now, and through identifying which packages were having the issue in Console and reinstalling them, I've resolved the issues.

Slightly educated guess: did you install the x64 emulator between when you had the problems and when they went away?

I can see brew trying to run x64 code while the emulator isn’t there blocking code from running in weird ways.

Alternatively, it might be that package updates fixed the packages that behaved incorrectly. Again, just a slightly educated guess.

I had Rosetta well before I ran into these issues, I think Homebrew still required it when I got the computer.

Before I figured out the way to identify the offending dependencies I sorted the issue through signing the executable with codesign, in a way that required me to disable part of SIP. So the code was working, it was just not being allowed to run.

Even more specifically, the only time I’ve ran into Gatekeeper is with apps that install into /Applications and have a GUI. I’ve never had this issue with stuff I only access via CLI.

You have to Ctrl+right click the app, then click Open.

I'm using homebrew all day long, and I don't remember ever having this issue.

Homebrew cask.

I use Homebrew Cask and don't run into any unusual problems with Gatekeeper. The flow is always the same as if I manually downloaded it (meaning I sometimes get a prompt on first run, but that's expected).

Homebrew apps only ask for permissions when they get updated because gatekeeper treats it like a fresh install, I guess.

This is because Homebrew Cask explicitly adds the quarantine attribute to things it downloads. Perhaps there is some easy way to disable it or patch out this functionality?

Ctrl+right click to get the option to open it.

Homebrew and MacPorts don't add the quarantine flag to the software they're installing. If you're getting Gatekeeper alerts for software installed this way, then something else must be going on.

Homebrew Cask does.

You need to disable gatekeeper like shown in another of the comments. It’ll permanently create a new option in your settings to allow installations from “anywhere” too.

Nitpick, I don't actually think the option in System Preferences is permanent? Is it still there if you change it back and restart System Preferences?

Not sure, I leave it on permanently on 'anywhere'. It still gives a prompt to confirm execution but it becomes a click through rather than anything actually trying to stop you doing stuff.

Did you install homebrew via a Rosetta Terminal?

M1/ARM code is treated more strictly than Intel, so I guess all my command line stuff is Intel.

A simple right click on the app and selecting the open dialogue and it works fine.

Macports doesn't give you any headaches, it follows Unix principles.

Homebrew is a keg of worms, if you excuse the bad pun. Sadly (because it seems to be easier to get started?) many developers prefer it over Macports...

As an end-user, I prefer Homebrew over MacPorts because Homebrew is simpler to get it installed and use in the terminal. MacPorts in other hand, takes some tinkering to get it working. It has problem detecting installed XCode because it was looking for a specific outdated version (this happened last month when I decided to give MacPorts a try and I uninstalled Homebrew before trying it out since both of them cannot co-exist together.)

It is likely that it is not the devs prefers it over MacPorts, it is likely that end-users prefers it and the devs are following what the end-users desires. Homebrew have huge catalog of software and libraries than MacPorts.

Sometimes I compile my program and when I move it to the Applications folder and trying to run MacOS says, you do not have permission to do it. May be it's not a gatekeeper, who knows.

The keyword here is sometimes This is what I Love about current state of MacOS.

To fix it nothing works until you delete it completely and only then if you lucky etc ... It just reminds me those old good days with Microsoft many years ago. Turn it off then turn it on few times .. it may work ...

Is this an Xcode project, or something outside of it?

I regularly build both and have run them in the same way you're talking about here, without issue... the latter migth be a bit more nuanced, but when set up properly does work fine, so I'm inclined to think this is more a problem with how you're doing things.

Yes it's pure XCode project, that I regularly build it and run in the same way. Who would expectg such sequence right? And no! it doesn't work fine all the time, because sometimes it doesn't as I desribed. And I do not bother to deeply search for the cause of it unless I must for my project and also because Apple would not pay me for that and next version would have another stupid bug anyway.

"I'm inclined to think this is more a problem with how you're doing things." Of course, who would expect to see bug in XCode right? I'll tell you the secret, this is not the first bug I've spotted in Apple product during 10 years.

Honestly I do not even know what their QA team is doing if I can find few bugs manually within 10 minutes of usage ... Yesterday I have found another one with sound system, because they didn't thouhgt about one scenario in their logic. They really should spend their money on people like me instead of wasting their money on QA team that doesn't work properly :) ...Or perhaps I should take a look at their QA team to spot bugs in their working process ))

I've always found it to be extremely consistent and never does anything strange like you're describing. Works for me.

Agreed. It's ridiculous that we can't even fully disable it in the latest macOS releases (the commands others posted below don't work in Big Sur to completely disable quarantine).

Thankfully there is a simple workaround: https://hiringengineersbook.com/post/disable-quarantine/

Note, the single command does turn off Gatekeeper. File quarantine is separate and needs a separate command. That is as it should be IMO, they’re completely different things.

Right, but do you know if there is a command to actually turn off quarantine? I mean really turning it off, not just removing it from already existing files. To my knowledge, that doesn't exist.

You can disable Gatekeeper.


Apple has been moving toward a capability-based security model for a while now, I think: it’s a bit annoying because their implementation also acts like DRM, but I think the mode itself is a better security model than standard POSIX file permissions and ACLs

I will never understand why "Show all filename extensions" is unchecked by default in Finder.

It's also unchecked in Windows by default - I suspect that in reality the concept of extensions probably confuses some users, who end up changing the extension and then struggle to work out how to open their saved files.

( I always prefer to see the extensions too though :) )

Windows gives you a big warning when you change the extension, which seems to me both sufficient and better than hiding the extension altogether (which, like URL hiding, is a fairly dangerous and largely unnecessary convenience)

It works exactly the same way in macOS Finder as in Windows Explorer. Extensions are hidden by default. You can enable to show extensions (either by individual file, or globally). If a file has it's extension shown, you will get a confirmation prompt warning you of the consequences by changing the file extension.

I've learned to never underestimate users' ability to shoot themselves in the foot. People will click through any popup dialogue which might suggest that their decision to perform an action was wrong.

because most of them are clearly fearmongering by ms, apple et al, scaring you into staying subscribed to their particular product. If they abuse their own warning systems, why should we respect them?

The warning is a massive inconvenience. It reverts the file name if you cancel, so if you spent any effort on the new name, it will be wasted. Moreover, people often expect to change the file type by changing the name, and they get confused when it doesn't work (or it works for them in some case and they expect it will work here too). Lastly, users often don't read error messages, let alone understand them ("file extension" is hardly an easy concept...), so it's not necessarily helpful to them. Really, the number of cases where you'd need to change a file extension are so small compared to when you don't that I completely understand why they made this choice. It's imperfect, but I don't know of a better solution.

Users are well-trained to ignore warnings.

Like browsers, file navigation UIs could also just grey out the file extension.

Isn't it also confusing for the average user when they end up with identical looking files? I didn't realize that macOS had per-file extension hiding until I synced some images over from my iPad. I ended up with files that I couldn't tell apart at a glance because they had the same name but were different image file types. I'm now torn if I actually want to force all extensions to show because I think showing applications as "Foo.app" is ugly (I know, it's a stupid reason to dislike the option...)

Nothing stops you from putting the same label on multiple boxes in real life.

This is an outdated mindset. Literally everyone knows the difference between .docx and .jpg in 2021.

You're living in a beautiful bubble.

Is there any way to turn this off only for applications? Or even just in the applications directory? I find it irrationally annoying that everything in the applications folder shows the ".app" extension.

If you use the dashboard app switcher (iirc the F3 or F4 key), it hides .app in that list, it has a search field and I believe it accepts drag-and-drops.

That’s not exactly an answer to your question, but there’s a chance it’s an acceptable solution, so duly noted.

It's F4 on my MacBook Pro 2018 Catalina. :)

Genuine question, does MacOS actually care about file extensions? I would guess not, though there are probably some compatibility features that will do things if they are there.

Yes it cares. If you rename a folder to folder.app then it will change to look and "behave" like an app. Or if you change the extension of a video file to mp3 you'll loose the icon preview.

Finder does try to help with renaming and when you try to rename a file only the filename is selected and not the extension.

What you're describing is just Finder caring. Linux doesn't care at all about your file extensions but Nautilus sure does.

In GNOME for example gio handles opening files in the "correct" application by way of the MIME database in /usr/share/application/mimeapps.list and ~/.local/share/applications/mimeapps.list.

LaunchServices definitely cares about extensions. The Mac OS has a strange history with extensions (classic Macs didn't really support them, but they were still a common convention), but file extensions are more than a browser-level construct.

I was under the impression that unless a file contains some other metadata (most don't), that the extension is the way the OS chooses which app to use to open it.

Unix-based has almost always used internal metadata, and the "dot" is just another character. I thought Windows was unique in relying on the suffixes, but Wikipedia suggests MacOS inherited some form from NextSTEP.

"Unix" OSes in my experience simply don't (universally) have a way to "open this file in the correct application". It's a foreign concept. Files are just sequences of bytes, and file paths are just addresses to those bytes. The file extensions are, then, purely for the sake of the user, as there is no (standard) way to store file metadata. There are specific filesystems with these metadata extensions, but otherwise, you need to resort to commands like file and libmagic for heuristics on determining file-type.

Or just use the file suffix, which is AFAIK what all the mainstream Linux desktop environments do, through Freedesktop's MIME implementation. I don't know if it supports using metadata or file magics instead, but a quick glance shows almost every MIME definition uses file globbing.

You can check this in the files located at "/usr/share/mime/application" and "/usr/share/mime/packages" on most distros. Most (all?) definitions use a "glob pattern" to match files.

I wonder if filesystems should be designed to store the MIME type alongside the file. Web browsers get MIME types alongside the data (and they do make use of that info).

OSX does care, but classic Mac OS didn't used to. It had a separate resource fork that described what the file was, and after that you could name it anything you liked.

Yes. Take a JPEG with extension. It opens fine. Get a file with .jfif macOS doesn't know what the hell it is. Same file format, weird extension. (For some reason twitter was saving files as .jfif for a while)

Unchecked by default is fine, what bothers me a lot is that it's impossible to display filename extensions on iOS/iPadOS.

Or how to navigate to /Users/<username>. You have to manually add it to the sidebar from Preferences.

That part is so perplexing. Apple wants you to use that folder! Multiple useful things are stored in it, but you have to jump through hoops to go do it. It should be added as a favourite by default.

Same on windows

Does anyone know how trustworthy this objective-see project is?

I remember once installing several of his apps, but then coming to the conclusion that i don't know enough - even though he consistently seems to find and fix flaws in OSX.

Why isn't Apple hiring this man?

EDIT: Why are people downvoting this question? If i'm implying something then i'm unaware of it.

The tools are legit, and the bugs are real, but he has a distasteful habit of feeding sensationalist quotes to outlets like Forbes and Vice.

This time, he told Forbes that "the hacks effectively take Mac security back a decade" [1], and Vice quotes him as saying "this is likely the worst or potentially the most impactful bug to everyday macOS users in recent memory". [2]

Forbes ran the story with the headline "The ‘Worst Hack In Years’ Hits Apple Computers", and that's bullshit.

1. https://www.forbes.com/sites/thomasbrewster/2021/04/26/updat...

2. https://www.vice.com/en/article/wx5855/massive-mac-apple-sec...

Thanks for the insight! Seems like quite a talented dude but with the mandatory eccentricity that seemingly often comes with . Great to know that the tools are legit.

I just think this is how the PR/Media flow goes with these things.

Some people don't want to be coerced into working remotely near Cupertino …

And that's fair, i wouldn't either, what i mean is they should seriously consider giving him some consultancy fees, bounties / whatever since he's consistently doing good work.

i don't get it

Is it me or Apple isn't even listing the patch in the 11.3 changelog? https://developer.apple.com/documentation/macos-release-note...

Security patches are in a separate article: https://support.apple.com/en-us/HT212325

Oh cool thanks!

I’m really disappointed that this blog post didn’t dive into why the bug vanishes with SIP disabled.

Does this mean we can trick Big Sur into not treating TypeScript files like DVD rips?

I feel that macOS has slowly become a mess. From Lion, more or less.

Overcomplicated and bloated security features, telemetry, iOSification of the UI, dumbed down settings, bugs..

Perhaps the time has come to shed some legacy and restart again from scratch (like Google Fuchsia) or to invest some of the hundreds of billions they have in refining the software so it actually works


Did Apple finally fix the bug where every Big Sur update nukes Xcode tools like Git?

No problems here - I'm on beta cycle so I get new Big Sur updates fairly often (every few weeks) and haven't had any git issues.

Somehow none of this is applied to packaged shell script into an .app which runs on double-click with no message whatsoever. Malware doesn't always have to be a binary...

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact