Thursday, July 15, 2021

Distributing Unnotarized Mac Apps in an RTFD File

Jeff Johnson (tweet):

Gatecrasher is an empty Mac app that I created in Xcode in a few minutes. It has no code other than the standard NSApplicationMain and the default MainMenu.xib file with the main menu and window. Gatecrasher isn’t signed with an Apple code signing certificate and isn’t notarized; it has only an “ad hoc” (codesign -s -) code signature with no identity. I compressed Gatecrasher into a zip file, but as you’ll see, that’s not what you’re downloading. Instead, I embedded the zipped app into a “rich text” document (.rtfd file) in TextEdit and then compressed it. That’s what you’re downloading. You can unzip the rtfd, double-click to open it in TextEdit, follow the simple instructions written inside, and you’ll end up with an app that you can double-click to launch — all without any macOS Gatekeeper alert, and all without any Developer ID or notarization.


You can distribute an unsigned, unnotarized .pkg file inside an .rtfd file, and when you double-click the package (after saving to remove the quarantine), TextEdit will run the macOS installer.


I’ve been told that double-clicking an embedded .zip file doesn’t work right if a third-party app such as The Unarchiver is the default handler for archives on your Mac rather than the built-in Archive Utility. However, after removing the quarantine on the .zip, you can still drag it out of TextEdit and drop it into Finder, and then unarchive it to bypass Gatekeeper.

This relies on his previously reported issue where saving a document in TextEdit removes the quarantine attribute. (Apple did not consider this a security issue and thus wouldn’t pay the bounty.)


Comments RSS · Twitter

Leave a Comment