Friday, July 5, 2024

Sequoia Removes Gatekeeper Contextual Menu Override

Jason Snell:

Here’s a thing I noticed today. macOS Sequoia changes how non-notarized apps are handled on first launch. I couldn’t override by doing the control-click > Open > yes really Open dance. Instead, I had to go to the Settings app, to the Security screen, and click there to allow it to open. At which point it asked me AGAIN if I wanted to open it, and then had to put in my password!

I get the impulse about making it harder to socially engineer bad apps from opening, but… this is ridiculous.

Apparently, after the first time of going through System Settings, you can just use the contextual menu like before. But who’s going to figure this out on their own? It’s another take on security through obscurity.

With Mac notarization increasingly difficult to bypass, it becomes even more important that Apple not add a human element to it, like with iOS, where it could be weaponized to “review” apps that aren’t in the Mac App Store.

Meanwhile, the more pressing concern for me is that a significant number of my customers continue to encounter the Gatekeeper bug where it refuses to launch (notarized!) apps because it incorrectly reports them as damaged. The Control-click bypass never worked in this case. I don’t know how to reproduce the bug except that it seems to be related to downloading a new version of an app that had previously been installed.

Jeff Johnson:

Apple keeps twisting the screw to lock down the Mac.


Update (2024-07-08): See also: Hacker News.

16 Comments

If they move that app that they might be updating to the Desktop first and then Command+Drag it to the Application Folder would it make any difference?

We need to reject this. Apple has very clearly worked to lock down the Mac slowly enough that people will get acclimated to it before they move onto the next increase in lockdown.

It's pretty obvious their next step is making it impossible to run unsigned apps from the GUI at all, with the end goal of requiring the App Store to install apps at all.

I'm sure some people will say I'm jumping to conclusions. I can't tell the future, but I can see patterns. Apple has been ratcheting up the locked down control of Mac OS.

It's not going to stop until we speak up and say this is the line they can't keep crossing and they have to walk it back.

Manx

That won't go over very well in the EU.

I'm too cynical and jaded to think there's anything we can do to convince Apple to change course. They haven't been listening to devs, much less users, for over a decade. They're not addressing bugs. All of their security theater has been disastrous and pointless. They seem to be full of institutional dysfunction.

Basically I expect that every release of macOS will continue to be worse than the last, as has generally been the pattern since at the very least macOS 10.14, until it finally becomes an unusable locked down mess like iOS.

And yet you/we keep buying Apple devices…

Adam Maxwell

Gatekeeper has been lying about downloads being damaged since before Notarization, I think, and I never figured out a pattern to it. Security updates be damned: Apple's security theater (and breaking 32-bit applications) is the reason I'm happy on Mojave at home. As a last resort, I've been toying with Linux on my 2008 MBP (El Capitan), just to get an up-to-date web browser. Not sure the hell of Linux graphics drivers for that ancient system is better or worse than a bunch of broken websites, but I expect it to be more solvable than Apple's decline.

I knew *instinctively* what was going on and just how to solve it.

The ratchet won't stop turning. The beatings will continue. Too many devs are apologists for Apple and can't turn back now. This was evident since the introduction of Gatekeeper. Sorry.

Apple's supported hardware path is great. A Mac is also the only way to run macOS and in particular the nice software for it. Til there's general-purpose ARM hw that you can run Linux and/or Doze on, with full out-of-box driver support, I think Macs are the least worst option. But by God, as soon as my options widen, I'll jump. The other guys need to understand that Apple's strength really is "the whole widget"; once they break that spell, techies will all swarm off a cliff, just like the lemmings in that commercial.

Any idea if manually removing the quarantine flag also works? Are we still allowed to turn off Gatekeeper?

@Bri Yes and yes, AFAICS. The CLI trick of "sudo spctl --master-disable" still works, but it re-arms after a time (I think 30 days), because reasons.

Apple will always do what's best for its customers.

A long time developer made a YT video highlighting the degradation, not specifically this issue, but the macOS in general:

https://www.youtube.com/watch?v=3uGeHdNMgL8

Old Unix Geek

@CowMonkey: very interesting video. Thanks!

@CowMonkey I wasn't expecting to watch the whole thing, but I did! I largely agree with him. He definitely gets what made classic macs so great.

Someone else

@old coot, is macOS an EU gatekeeper platform? If not, EU can pound sand.

Also, the golden age of desktop Linux is still a couple decades away. And frankly, we should be aiming for proper sandboxing, privacy dialogs, etc.

That it doesn’t work perfectly now doesn’t mean Apple should give it up… if anything, shows why we need to do it… malware is very lucrative.

@Someone else
Golden age of Desktop Linux has been, checks calendar, the last 9 years for me. It's so much easier than supporting an aging fleet of Macs that Apple had abandoned. Now I grab pretty much any computing device with an open boot loader and just run Linux. It's not perfect, but since I have to also maintain Windows systems too, let me tell you, it's not so bad sometimes either. MacOS and Windows have their own super annoying "quirks". To be clear, I've been using desktop Linux since 2004, first as a companion to my Mac use, then 11 years later, as a full replacement.

@CowMonkey
While I don't dislike Bryan Lunduke per se, he has some outlandish takes on many things tech adjacent. Also, to give you a deeper cut from the wayback, I have a personal distaste for how he and his buddy destroyed the Resexcellence.com website back in the day. Lot of cool Mac history was lost for good bit as they were busy running the site into the ground. The Linux Action Show wasn't too bad though. So there's that.
