{"id":43993,"date":"2024-07-05T16:16:51","date_gmt":"2024-07-05T20:16:51","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=43993"},"modified":"2025-07-18T13:42:54","modified_gmt":"2025-07-18T17:42:54","slug":"sequoia-removes-gatekeeper-contextual-menu-override","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2024\/07\/05\/sequoia-removes-gatekeeper-contextual-menu-override\/","title":{"rendered":"Sequoia Removes Gatekeeper Contextual Menu Override"},"content":{"rendered":"<p><a href=\"https:\/\/zeppelin.flights\/@jsnell\/112719231341410760\">Jason Snell<\/a>:<\/p>\n<blockquote cite=\"https:\/\/zeppelin.flights\/@jsnell\/112719231341410760\"><p>Here&rsquo;s a thing I noticed today. macOS Sequoia changes how non-notarized apps are handled on first launch. I couldn&rsquo;t override by doing the control-click &gt; Open &gt; yes really Open dance. Instead, I had to go to the Settings app, to the Security screen, and click there to allow it to open. At which point it asked me AGAIN if I wanted to open it, and then had to put in my password!<\/p><p>I get the impulse about making it harder to socially engineer bad apps from opening, but&#8230; this is ridiculous.<\/p><\/blockquote>\n<p>Apparently, after the first time of going through System Settings, you can just use the contextual menu like before. But who&rsquo;s going to figure this out on their own? It&rsquo;s another take on security through obscurity.<\/p>\n<p>With Mac notarization increasingly difficult to bypass, it becomes even more important that Apple not add a <a href=\"https:\/\/mjtsai.com\/blog\/2024\/03\/17\/ios-notarizations-human-review\/\">human<\/a> element to it, like with iOS, where it could be weaponized to &ldquo;review&rdquo; apps that aren&rsquo;t in the Mac App Store.<\/p>\n<p>Meanwhile, the more pressing concern for me is that a significant number of my customers continue to encounter the <a href=\"https:\/\/mjtsai.com\/blog\/2020\/12\/14\/damaged-apps-that-cant-be-opened\/\">Gatekeeper<\/a> <a href=\"https:\/\/mjtsai.com\/blog\/2024\/01\/16\/resolving-trusted-execution-problems\/\">bug<\/a> where it refuses to launch (notarized!) apps because it incorrectly reports them as damaged. The Control-click bypass never worked in this case. I don&rsquo;t know how to reproduce the bug except that it seems to be related to downloading a new version of an app that had previously been installed.<\/p>\n\n<p><a href=\"https:\/\/mastodon.social\/@lapcatsoftware\/112719286724628849\">Jeff Johnson<\/a>:<\/p>\n<blockquote cite=\"https:\/\/mastodon.social\/@lapcatsoftware\/112719286724628849\">\n<p>Apple keeps twisting the screw to lock down the Mac.<\/p>\n<\/blockquote>\n\n<p>Previously:<\/p>\n<ul>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2024\/07\/05\/apple-removes-vpn-apps-from-russian-app-store\/\">Apple Removes VPN Apps From Russian App Store<\/a><\/li>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2024\/06\/14\/utm-blocked-outside-app-store-via-notarization\/\">UTM Blocked Outside App Store via Notarization<\/a><\/li>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2024\/05\/02\/altstore-pal\/\">AltStore PAL<\/a><\/li>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2024\/03\/17\/ios-notarizations-human-review\/\">iOS Notarization&rsquo;s Human Review<\/a><\/li>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2024\/01\/16\/resolving-trusted-execution-problems\/\">Resolving Trusted Execution Problems<\/a><\/li>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2023\/07\/06\/how-ventura-checks-the-security-of-apps-and-tools\/\">How Ventura Checks the Security of Apps and Tools<\/a><\/li>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2020\/12\/14\/damaged-apps-that-cant-be-opened\/\">&ldquo;Damaged&rdquo; Apps That Can&rsquo;t Be Opened<\/a><\/li>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2019\/12\/16\/catalina-removes-malware-assurance\/\">Catalina Removes Malware Assurance<\/a><\/li>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2019\/11\/26\/gatekeeper-override-for-indirect-launching\/\">Gatekeeper Override for Indirect Launching<\/a><\/li>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2019\/10\/17\/catalina-notarization\/\">Catalina Notarization<\/a><\/li>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2019\/04\/22\/the-true-and-false-security-benefits-of-mac-app-notarization\/\">The True and False Security Benefits of Mac App Notarization<\/a><\/li>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2019\/04\/08\/macos-10-14-5-requires-new-developers-to-notarize\/\">macOS 10.14.5 Requires New Developers to Notarize<\/a><\/li>\n<\/ul>\n\n<p id=\"sequoia-removes-gatekeeper-contextual-menu-override-update-2024-07-08\">Update (2024-07-08): See also: <a href=\"https:\/\/news.ycombinator.com\/item?id=40885683\">Hacker News<\/a>.<\/p>\n\n<p id=\"sequoia-removes-gatekeeper-contextual-menu-override-update-2024-08-08\">Update (2024-08-08): <a href=\"https:\/\/developer.apple.com\/news\/?id=saqachfa\">Apple<\/a>:<\/p>\n<blockquote cite=\"https:\/\/developer.apple.com\/news\/?id=saqachfa\">\n<p>In macOS Sequoia, users will no longer be able to Control-click to override <a href=\"https:\/\/developer.apple.com\/developer-id\/\">Gatekeeper<\/a> when opening software that isn&rsquo;t signed correctly or notarized. They&rsquo;ll need to visit System&nbsp;Settings&nbsp;&gt; Privacy &amp; Security to review security information for software before allowing it to run.<\/p>\n<\/blockquote>\n\n<p><a href=\"https:\/\/mastodon.social\/@lapcatsoftware\/112916473677170532\">Jeff Johnson<\/a>:<\/p>\n<blockquote cite=\"https:\/\/mastodon.social\/@lapcatsoftware\/112916473677170532\"><p>It&rsquo;s gotten worse since the first macOS 15 beta:<\/p><p>In the first beta, once you allowed the first app to open in System Settings, subsequent apps could be allowed to open via the contextual menu.<\/p><p>In the latest beta, the rules don&rsquo;t change, and you can never allow apps to open via the contextual menu, only in System Settings.<\/p><\/blockquote>\n\n<p><a href=\"https:\/\/pxlnv.com\/linklog\/macos-sequoia-gatekeeper\/\">Nick Heer<\/a>:<\/p>\n<blockquote cite=\"https:\/\/pxlnv.com\/linklog\/macos-sequoia-gatekeeper\/\">\n<p>This is one of those little things which will go unnoticed by most users, but will become a thorn in the side of anyone who relies on it. These are likely developers and other people who are more technologically literate placed in the position of increasingly fighting with the tools they use to get things done. It may be a small thing, but small things add up.<\/p>\n<\/blockquote>\n\n<p><a href=\"https:\/\/mastodon.social\/@monkeydom\/112916402060897273\">Dominik Wagner<\/a>:<\/p>\n<blockquote cite=\"https:\/\/mastodon.social\/@monkeydom\/112916402060897273\">\n<p>The end of non-notarized software for regular users seems nigh.<\/p>\n<\/blockquote>\n\n<p><a href=\"https:\/\/daringfireball.net\/linked\/2024\/08\/07\/mac-os-15-sequoia-gatekeeper\">John Gruber<\/a> (<a href=\"https:\/\/mastodon.social\/@daringfireball\/112924109179096545\">Mastodon<\/a>):<\/p>\n<blockquote cite=\"https:\/\/daringfireball.net\/linked\/2024\/08\/07\/mac-os-15-sequoia-gatekeeper\">\n<p>I mean, if there are exploits running wild because unsophisticated Mac users are Control-clicking malware apps they&rsquo;ve somehow downloaded, where are they? I can only see two possible explanations for these changes: (a) these decisions that are making MacOS increasingly annoying for expert and power users are being made by cover-your-ass bureaucrats for no good reason, and no one who knows better is shooting them down within Apple; or (b) there&rsquo;s a serious rash of unreported abuse of these features and Apple is too timid to publicize them to justify the increased frequency and arduousness of these permission nags, lest they admit the Mac has any problems at all.<\/p>\n<\/blockquote>\n\n<p>See also: <a href=\"https:\/\/www.macrumors.com\/2024\/08\/06\/macos-sequoia-gatekeeper-security-change\/\">MacRumors<\/a>, <a href=\"https:\/\/appleinsider.com\/articles\/24\/08\/06\/apple-removes-control-click-option-for-skipping-gatekeeper-in-macos-sequoia\">AppleInsider<\/a>, and <a href=\"https:\/\/news.ycombinator.com\/item?id=41184553\">Hacker<\/a> <a href=\"https:\/\/news.ycombinator.com\/item?id=41185052\">News<\/a>.<\/p>\n\n<p>Previously:<\/p>\n<ul>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2024\/08\/08\/sequoia-screen-recording-prompts-and-the-persistent-content-capture-entitlement\/\">Sequoia Screen Recording Prompts and the Persistent Content Capture Entitlement<\/a><\/li>\n<\/ul>\n\n<p id=\"sequoia-removes-gatekeeper-contextual-menu-override-update-2024-08-13\">Update (2024-08-13): <a href=\"https:\/\/eclecticlight.co\/2024\/08\/10\/gatekeeper-and-notarization-in-sequoia\/\">Howard Oakley<\/a> (<a href=\"https:\/\/x.com\/howardnoakley\/status\/1822172122401128954\">tweet<\/a>):<\/p>\n<blockquote cite=\"https:\/\/eclecticlight.co\/2024\/08\/10\/gatekeeper-and-notarization-in-sequoia\/\">\n<p>As there&rsquo;s some confusion as to exactly what&rsquo;s going on, this article explains how this should work, and what benefits notarization brings in return for this added inconvenience.<\/p>\n<\/blockquote>\n\n<p>Previously:<\/p>\n<ul>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2024\/08\/12\/the-mac-is-a-power-tool\/\">The Mac Is a Power Tool<\/a><\/li>\n<\/ul>\n\n<p id=\"sequoia-removes-gatekeeper-contextual-menu-override-update-2024-08-14\">Update (2024-08-14): <a href=\"https:\/\/9to5mac.com\/2024\/08\/13\/security-bite-apple-finally-making-it-harder-to-override-gatekeeper-is-a-telling-move\/\">Arin Waichulis<\/a>:<\/p>\n<blockquote cite=\"https:\/\/9to5mac.com\/2024\/08\/13\/security-bite-apple-finally-making-it-harder-to-override-gatekeeper-is-a-telling-move\/\">\n<p>Malware authors are more clever than ever. One of the latest trends is cloning real applications, often productivity apps like Notion or Slack, and injecting malware somewhere in the code. Authors then create install screens like the one below, instructing the user to right-click and open the malware to get around Gatekeeper. The crazy part is that sometimes users will go on to use these applications for quite some time and never know their system has been infected. Persistence is key for cybercriminals.<\/p>\n<\/blockquote>\n<p>I don&rsquo;t understand how making the override more difficult solves the problem of the user being tricked by a fake app.<\/p>\n\n<p id=\"sequoia-removes-gatekeeper-contextual-menu-override-update-2024-09-20\">Update (2024-09-20): <a href=\"https:\/\/sixcolors.com\/post\/2024\/09\/macos-sequoia-review\/\">Jason Snell<\/a>:<\/p>\n<blockquote cite=\"https:\/\/sixcolors.com\/post\/2024\/09\/macos-sequoia-review\/\">\n<p>Once again, I don&rsquo;t doubt that unsigned apps are a vector for malware and scamware and that Apple has the best intentions in trying to prevent people from launching them unawares. But this new approach, which involves nearly a half-dozen steps, goes <em>way<\/em> too far. It crosses a line, I think, between Apple trying to protect the user and Apple aggressively trying to poison any app that would defy its notarization scheme.<\/p>\n<p>Apple has promised to let you run any software you want on your Mac, but it never promised it wouldn&rsquo;t make the process painful, I guess. I don&rsquo;t like it. This is just too much.<\/p>\n<\/blockquote>\n\n<p id=\"sequoia-removes-gatekeeper-contextual-menu-override-update-2024-10-01\">Update (2024-10-01): <a href=\"https:\/\/eclecticlight.co\/2024\/10\/01\/living-without-notarization\/\">Howard Oakley<\/a>:<\/p>\n<blockquote cite=\"https:\/\/eclecticlight.co\/2024\/10\/01\/living-without-notarization\/\">\n<p>When an app is being launched for the first time on that Mac, if it has been put into quarantine with a quarantine extended attribute, Gatekeeper will check whether it has been notarized. If it has, then its launch will progress to further checks such as those of XProtect. If it hasn&rsquo;t been notarized, then macOS will warn you of that, and halt its launch.<\/p>\n<p>[&#8230;]<\/p>\n<p>If you want to launch the app despite that warning, open Privacy &amp; Security settings, where you can click the button to <strong>Open Anyway<\/strong>.<\/p>\n<\/blockquote>\n\n<p id=\"sequoia-removes-gatekeeper-contextual-menu-override-update-2024-10-02\">Update (2024-10-02): <a href=\"https:\/\/troz.net\/post\/2024\/sequoia_app_permissions\/\">Sarah Reichelt<\/a> (<a href=\"https:\/\/mastodon.social\/@troz\/113236163667292310\">Mastodon<\/a>):<\/p>\n<blockquote cite=\"https:\/\/troz.net\/post\/2024\/sequoia_app_permissions\/\">\n<p>The <code>spctl<\/code> command line utility used to allow full manual control of Gatekeeper. In macOS Sequoia, it has lost most of its power, but you can still use it to re-enable the <strong>Anywhere<\/strong> option in <strong>System Settings -&gt; Privacy &amp; Security -&gt; Allow applications from<\/strong> using this command:<\/p>\n<pre>spctl --global-disable<\/pre>\n<p>[&#8230;]<\/p>\n<p>As a developer, I realize that it is now virtually impossible to release any Mac apps without having a developer account.<\/p>\n<\/blockquote>\n\n<p>Previously:<\/p>\n<ul>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2024\/09\/23\/sequoias-spctl-and-csrutil\/\">Sequoia&rsquo;s spctl and csrutil<\/a><\/li>\n<\/ul>\n\n<p id=\"sequoia-removes-gatekeeper-contextual-menu-override-update-2025-07-17\">Update (<a href=\"#sequoia-removes-gatekeeper-contextual-menu-override-update-2025-07-17\">2025-07-17<\/a>): <a href=\"https:\/\/www.macrumors.com\/2024\/08\/23\/cthulu-stealer-macos-malware\/\">Tim Hardwick<\/a>:<\/p>\n<blockquote cite=\"https:\/\/www.macrumors.com\/2024\/08\/23\/cthulu-stealer-macos-malware\/\"><p>Cato Security researcher Tara Gould <a href=\"https:\/\/www.cadosecurity.com\/blog\/from-the-depths-analyzing-the-cthulhu-stealer-malware-for-macos\">reports<\/a> that Cthulhu Stealer disguises itself as popular software to trick users into installing it. It might appear as CleanMyMac, <em>Grand Theft Auto IV<\/em>, or even Adobe GenP (a tool some users employ to bypass Adobe&rsquo;s subscription model). The malware comes packaged as a disk image (DMG) file.<\/p><p>If a user tries to open the fake app, macOS&rsquo;s built-in security feature, Gatekeeper, warns that the software is unsigned. But if a user chooses to bypass this warning, the malware immediately asks for the user&rsquo;s system password, mimicking a legitimate system prompt. This technique isn&rsquo;t new &#x2013; other Mac malware like <a href=\"https:\/\/www.macrumors.com\/2023\/04\/28\/atomic-macos-stealer-malware\/\">Atomic Stealer<\/a> and MacStealer use similar tricks.<\/p><\/blockquote>\n\n<p id=\"sequoia-removes-gatekeeper-contextual-menu-override-update-2025-07-18\">Update (<a href=\"#sequoia-removes-gatekeeper-contextual-menu-override-update-2025-07-18\">2025-07-18<\/a>): <a href=\"https:\/\/mastodon.social\/@iKyle\/114870645262876530\">Kyle Howells<\/a>:<\/p>\n<blockquote cite=\"https:\/\/mastodon.social\/@iKyle\/114870645262876530\">\n<p>Training users to expect seemingly random permission dialogs and requests to enter their system password is one of the worst security UX things Apple has done to macOS.<\/p>\n<p>It trains you to stop caring or paying attention to the permission requests, because there are just so many of them.<\/p>\n<\/blockquote>\n\n<p>Previously:<\/p>\n<ul>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2025\/07\/17\/notarized-atomic-stealer-amos\/\">Notarized Atomic Stealer (AMOS)<\/a><\/li>\n<\/ul>","protected":false},"excerpt":{"rendered":"<p>Jason Snell: Here&rsquo;s a thing I noticed today. macOS Sequoia changes how non-notarized apps are handled on first launch. I couldn&rsquo;t override by doing the control-click &gt; Open &gt; yes really Open dance. Instead, I had to go to the Settings app, to the Security screen, and click there to allow it to open. At [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"2024-07-05T20:16:54Z","apple_news_api_id":"10b8c058-5305-43d6-bbe8-91d69a4c9023","apple_news_api_modified_at":"2025-07-18T17:42:57Z","apple_news_api_revision":"AAAAAAAAAAAAAAAAAAAACg==","apple_news_api_share_url":"https:\/\/apple.news\/AELjAWFMFQ9a76JHWmkyQIw","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[2],"tags":[465,30,2385,2598,1842,48],"class_list":["post-43993","post","type-post","status-publish","format-standard","hentry","category-technology","tag-gatekeeper","tag-mac","tag-macos-14-sonoma","tag-macos-15-sequoia","tag-notarization","tag-security"],"apple_news_notices":[],"_links":{"self":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/43993","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=43993"}],"version-history":[{"count":12,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/43993\/revisions"}],"predecessor-version":[{"id":48532,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/43993\/revisions\/48532"}],"wp:attachment":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/media?parent=43993"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/categories?post=43993"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=43993"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}