{"id":33146,"date":"2021-07-15T16:26:20","date_gmt":"2021-07-15T20:26:20","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=33146"},"modified":"2024-10-21T14:14:47","modified_gmt":"2024-10-21T18:14:47","slug":"distributing-unnotarized-mac-apps-in-an-rtfd-file","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2021\/07\/15\/distributing-unnotarized-mac-apps-in-an-rtfd-file\/","title":{"rendered":"Distributing Unnotarized Mac Apps in an RTFD File"},"content":{"rendered":"<p><a href=\"https:\/\/lapcatsoftware.com\/articles\/textedit-gatekeeper.html\">Jeff Johnson<\/a> (<a href=\"https:\/\/twitter.com\/lapcatsoftware\/status\/1378166769802706944\">tweet<\/a>):<\/p>\n<blockquote cite=\"https:\/\/lapcatsoftware.com\/articles\/textedit-gatekeeper.html\"><p>Gatecrasher is an empty Mac app that I created in Xcode in a few minutes. It has no code other than the standard <code>NSApplicationMain<\/code> and the default <code>MainMenu.xib<\/code> file with the main menu and window. Gatecrasher isn&rsquo;t signed with an Apple code signing certificate and isn&rsquo;t notarized; it has only an &ldquo;ad hoc&rdquo; (<code>codesign -s -<\/code>) code signature with no identity. I compressed Gatecrasher into a zip file, but as you&rsquo;ll see, that&rsquo;s not what you&rsquo;re downloading. Instead, I embedded the zipped app into a &ldquo;rich text&rdquo; document (<code>.rtfd<\/code> file) in TextEdit and then compressed it. <em>That&rsquo;s<\/em> what you&rsquo;re downloading. You can unzip the <code>rtfd<\/code>, double-click to open it in TextEdit, follow the simple instructions written inside, and you&rsquo;ll end up with an app that you can double-click to launch &mdash; all without <em>any<\/em> macOS Gatekeeper alert, and all without any Developer ID or notarization.<\/p><p>[&#8230;]<\/p><p>You can distribute an unsigned, unnotarized <code>.pkg<\/code> file inside an <code>.rtfd<\/code> file, and when you double-click the package (after saving to remove the quarantine), TextEdit will run the macOS installer.<\/p><p>[&#8230;]<\/p><p>I&rsquo;ve been told that double-clicking an embedded <code>.zip<\/code> file doesn&rsquo;t work right if a third-party app such as The Unarchiver is the default handler for archives on your Mac rather than the built-in Archive Utility. However, after removing the quarantine on the <code>.zip<\/code>, you can still drag it out of TextEdit and drop it into Finder, and then unarchive it to bypass Gatekeeper.<\/p><\/blockquote>\n\n<p>This relies on his previously reported issue where saving a document in TextEdit removes the quarantine attribute. (Apple did not consider this a security issue and thus wouldn&rsquo;t pay the bounty.)<\/p>\n\n<p>Previously:<\/p>\n<ul>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2021\/07\/15\/leaking-files-with-textedit\/\">Leaking Files With TextEdit<\/a><\/li>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2020\/04\/28\/mac-sandbox-escape-via-textedit\/\">Mac Sandbox Escape via TextEdit<\/a><\/li>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2021\/03\/08\/distributing-mac-apps-without-notarization\/\">Distributing Mac Apps Without Notarization<\/a><\/li>\n<\/ul>","protected":false},"excerpt":{"rendered":"<p>Jeff Johnson (tweet): Gatecrasher is an empty Mac app that I created in Xcode in a few minutes. It has no code other than the standard NSApplicationMain and the default MainMenu.xib file with the main menu and window. Gatecrasher isn&rsquo;t signed with an Apple code signing certificate and isn&rsquo;t notarized; it has only an &ldquo;ad [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"2021-07-15T20:26:10Z","apple_news_api_id":"a4837637-ef80-46c5-bd6e-c8059bed56e1","apple_news_api_modified_at":"2024-10-21T18:14:50Z","apple_news_api_revision":"AAAAAAAAAAAAAAAAAAAAAQ==","apple_news_api_share_url":"https:\/\/apple.news\/ApIN2N--ARsW9bsgFm-1W4Q","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[2],"tags":[2098,131,2095,465,30,1609,1666,1891,1842,355,820,48,1050,2673],"class_list":["post-33146","post","type-post","status-publish","format-standard","hentry","category-technology","tag-apple-security-bounty","tag-bug","tag-exploit","tag-gatekeeper","tag-mac","tag-macos-10-14","tag-macos-10-15","tag-macos-11-0","tag-notarization","tag-privacy","tag-rich-text-format-rtf","tag-security","tag-textedit","tag-zip-archive"],"apple_news_notices":[],"_links":{"self":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/33146","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=33146"}],"version-history":[{"count":2,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/33146\/revisions"}],"predecessor-version":[{"id":33150,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/33146\/revisions\/33150"}],"wp:attachment":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/media?parent=33146"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/categories?post=33146"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=33146"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}