Thursday, March 31, 2016

Gatekeeper Bug in Mac OS X 10.11.4

Paul Kim:

Gatekeeper seems to be broken for non-app bundles. Heads up to devs shipping prefpanes, screensavers, plugins, etc.

spctl complains about an “obsolete resource envelope”.

Update (2016-03-31): Daniel Jalkut notes that this even affects Apple’s own Network Link Conditioner preference pane.

Daniel Jalkut:

This is a minor annoyance for folks trying to install an obscure development tool, but it’s a major issue for developers like Noodlesoft whose entire livelihood is built on the distribution of software packaged as a preference pane. The scary wording in the dialog casts doubt on the reputation of the developer, and for the more savvy, on the reputation of Apple’s ability to properly assess the trustworthiness of software that we download.


Let’s hope Apple can address this problem soon. Although it doesn’t pose a security risk, it seems appropriate that they could include this in a security update. After all, it has everything to do with preserving trust between users, developers, and Apple.

Update (2016-04-06): Paul Kim:

After filing a DTS incident, Apple confirmed it as a bug (I’ve filed rdar://25466753). There was no information about when a fix would be made available and given that Apple is not known for being nimble about these things and that I was losing customers, I followed the advice of some colleagues and took matters into my own hands.

The result is that starting with Hazel 3.3.8, it will ship with an installer app. The installer app still goes through System Preferences as I still think that its installation process works well.


One can debate how much Apple cares about non-app-bundled software but when the workaround is to suggest people bypass Gatekeeper, they should be very concerned. False positives only erode the confidence people have in your security systems and you don’t want them to get in the habit of casually bypassing them.

Update (2016-05-17): Paul Kim:

10.11.5 fixes the Gatekeeper/prefpane issue. I’ve already switched to shipping an installer app but might be helpful to others who haven’t

5 Comments RSS · Twitter

You'd think Apple has setup some automatic testing for these types of Gatekeeper bugs by now. A co-worker was unable to get a .xctest bundle code-signed on 10.11.4 today. Wonder if that's related.

Still holding out on 10.11.3 for now. :(

Apple doesn't even validate its own apps:

spctl -a -v /System/Library/CoreServices/
/System/Library/CoreServices/ a sealed resource is missing or invalid

Why would they care about 3rd party bundles?

"Apple doesn't even validate its own apps"

Heh. Caviar for some. Dog food for others...

"Apple doesn't even validate its own apps"

Well, this only seems to apply for consumer facing apps. Devs get the same dog food as anyone else, even from Apple:

Surely, if anybody could get this right, it would be Apple! Their “Network Link Conditioner” is the only downloadable preference pane I could think of, and what do you know, it was updated as part of the Hardware I/O Tools for Xcode 7.3 download package, released on March 20. I downloaded a fresh copy to be sure I had the best that Apple could offer, located the preference pane, and double-clicked it.

You know it’s bad when even Apple’s own downloads are portrayed as untrustworthy.

It appears that Apple not only does not consider this as a bug - but brags that this failure is a "feature" and a part of a "general hardening process". So the fact that policy validation always fails for Apple's own signed binaries somehow "hardens" the system. (I want to smoke what they are smoking :).

From Radar 25618668:
Gatekeeper (as of 10.11.4) rejects anything that isn’t an app (or “like” an app, such a widget). This is part of a general hardening effort.

To confirm on 10.11.4 (comments unnecessary):

$ codesign -vvv /bin/ps
/bin/ps: valid on disk
/bin/ps: satisfies its Designated Requirement
$ spctl -a -vvv -t exec /bin/ps
/bin/ps: rejected
source=obsolete resource envelope
origin=Software Signing

Leave a Comment