Monday, January 25, 2021

Hazel Codesigning and Notarization Woes

Paul Kim:

The biggest problem at launch was some users getting an “Unidentified developer” alert when opening the dmg. I had various users send in logs, but it was only when someone found a log message pertaining to the rpath for one of the binaries in the bundle that I was able to identify the problem. Strangely enough, that person didn’t receive the “Unidentified developer” error alert.

[…]

When translocated, the binary is no longer on the disk image; instead, it is copied to a temp location on disk. Hazel is unaware of this and as a result doesn’t run the installer. Why was Hazel being translocated? I’m still not sure. It’s my understanding that if an app and its containing dmg are signed and notarized, it shouldn’t be translocated.

[…]

Logs from users showed that the quarantine flag was still set on the helper and that was preventing it from being run. When the user copies an app, like say from a disk image to /Applications, the quarantine flag should be cleared for the app and everything inside but for some reason it was not clearing it for the embedded binaries. Note that unlike when a user launches an app from Finder where they will be asked to run the app, a login item helper will fail to launch without any prompt.

[…]

Lastly, none of the tools or processes in place (codesign, spctl, notarization) catch these cases. These are all issues related to the static structure of the app bundle so it seems like they should be detectable.

I’ve also seen a lot of customers with quarantine issues lately. They drag and drop the app to their Applications folder, but Finder doesn’t clear the com.apple.quarantine xattr for some reason. When they try to launch the app, macOS reports it as damaged even though everything except that xattr is fine.
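Both failure modes above are static conditions on the installed bundle, so they can be checked after the copy to /Applications. The script below is an added example, not code from Hazel, Paul Kim, or this post: it walks an .app bundle and reports entries that still carry the com.apple.quarantine xattr (with a separate list for anything under Contents/Library/LoginItems, the helpers that fail with no prompt), and it tells whether a bundle path sits under an App Translocation mount. The bundle layout, the helper name ExampleHelper, and the translocation path in demo() are constructed; the listxattr parameter is injectable so the walk can be exercised without macOS, while on a Mac the default os.listxattr does the real work.

```python
"""
Post-install bundle check (added example; not Hazel's or the post author's code).

Reports the two static conditions described in the post:
  1. entries inside an .app that still carry com.apple.quarantine
     (an embedded login-item helper with the flag set fails to launch silently);
  2. a bundle path that lies under an App Translocation mount, meaning the app
     is running from a temp copy rather than from where the user put it.
"""
import os
import tempfile
from pathlib import Path

QUARANTINE_XATTR = "com.apple.quarantine"
LOGIN_ITEMS_DIR = os.path.join("Contents", "Library", "LoginItems")


def is_translocated(bundle_path):
    """True when the path contains an AppTranslocation component.

    macOS mounts translocated copies under .../AppTranslocation/<UUID>/d/,
    so a bundle whose path includes that directory is not running from its
    installed location (Hazel's installer check would then look in the wrong place).
    """
    parts = Path(os.path.normpath(bundle_path)).parts
    return "AppTranslocation" in parts


def quarantined_files(bundle_path, listxattr=os.listxattr):
    """Return bundle-relative paths of every entry still carrying the quarantine xattr.

    The bundle directory itself and all sub-directories are checked too, since
    Finder sets the flag on folders as well as on files.
    """
    hits = []
    for root, dirs, files in os.walk(bundle_path):
        candidates = [root] if root == bundle_path else []
        candidates += [os.path.join(root, n) for n in dirs + files]
        for path in candidates:
            try:
                names = listxattr(path, follow_symlinks=False)
            except OSError:
                continue  # unreadable entry: skip it rather than abort the scan
            if QUARANTINE_XATTR in names:
                hits.append(os.path.relpath(path, bundle_path))
    return sorted(hits)


def helper_launch_risks(bundle_path, listxattr=os.listxattr):
    """Quarantined entries under Contents/Library/LoginItems: the helpers that,
    per the post, fail to launch without any Gatekeeper prompt."""
    return [p for p in quarantined_files(bundle_path, listxattr)
            if p.startswith(LOGIN_ITEMS_DIR)]


def demo():
    """Build a constructed bundle in a temp dir and scan it with a fake listxattr
    that marks only the helper binary as quarantined, simulating Finder clearing
    the flag on the app but not on the embedded binary."""
    with tempfile.TemporaryDirectory() as tmp:
        app = os.path.join(tmp, "Example.app")  # constructed bundle name
        helper = os.path.join(app, LOGIN_ITEMS_DIR, "ExampleHelper.app",
                              "Contents", "MacOS", "ExampleHelper")
        main_bin = os.path.join(app, "Contents", "MacOS", "Example")
        for p in (helper, main_bin):
            os.makedirs(os.path.dirname(p), exist_ok=True)
            Path(p).touch()

        def fake_listxattr(path, follow_symlinks=True):
            # constructed: only the helper binary still carries the flag
            return [QUARANTINE_XATTR] if path == helper else []

        return {
            "quarantined": quarantined_files(app, fake_listxattr),
            "helper_risks": helper_launch_risks(app, fake_listxattr),
            "translocated_install": is_translocated(app),
            # constructed translocation path in the documented layout
            "translocated_tmp": is_translocated(
                "/private/var/folders/ab/T/AppTranslocation/0000-1111/d/Example.app"),
        }


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # real scan: python3 check_bundle.py /Applications/Some.app
        target = sys.argv[1]
        print("translocated:", is_translocated(target))
        for rel in quarantined_files(target):
            print("quarantined:", rel)
    else:
        print(demo())
```

Run with the installed bundle path as the only argument to scan a real app; with no argument it runs the constructed demo. A non-empty helper_launch_risks list is exactly the situation the logs in the post revealed, and it is not something codesign, spctl, or notarization report.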

Previously:

Update (2021-02-05): A customer recently found that one of my apps had been unexpectedly translocated, despite being notarized and distributed on a signed disk image. It still had the quarantine attribute in the Applications folder.
