Distributing Unnotarized Mac Apps in an RTFD File
Gatecrasher is an empty Mac app that I created in Xcode in a few minutes. It has no code other than the standard
NSApplicationMainand the defaultMainMenu.xibfile with the main menu and window. Gatecrasher isn’t signed with an Apple code signing certificate and isn’t notarized; it has only an “ad hoc” (codesign -s -) code signature with no identity. I compressed Gatecrasher into a zip file, but as you’ll see, that’s not what you’re downloading. Instead, I embedded the zipped app into a “rich text” document (.rtfdfile) in TextEdit and then compressed it. That’s what you’re downloading. You can unzip thertfd, double-click to open it in TextEdit, follow the simple instructions written inside, and you’ll end up with an app that you can double-click to launch — all without any macOS Gatekeeper alert, and all without any Developer ID or notarization.[…]
You can distribute an unsigned, unnotarized
.pkgfile inside an.rtfdfile, and when you double-click the package (after saving to remove the quarantine), TextEdit will run the macOS installer.[…]
I’ve been told that double-clicking an embedded
.zipfile doesn’t work right if a third-party app such as The Unarchiver is the default handler for archives on your Mac rather than the built-in Archive Utility. However, after removing the quarantine on the.zip, you can still drag it out of TextEdit and drop it into Finder, and then unarchive it to bypass Gatekeeper.
This relies on his previously reported issue where saving a document in TextEdit removes the quarantine attribute. (Apple did not consider this a security issue and thus wouldn’t pay the bounty.)
Previously:
- Leaking Files With TextEdit
- Mac Sandbox Escape via TextEdit
- Distributing Mac Apps Without Notarization
