{"id":48489,"date":"2025-07-15T15:13:08","date_gmt":"2025-07-15T19:13:08","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=48489"},"modified":"2025-07-16T09:23:17","modified_gmt":"2025-07-16T13:23:17","slug":"gatekeeper-change-in-macos-15-4","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2025\/07\/15\/gatekeeper-change-in-macos-15-4\/","title":{"rendered":"Gatekeeper Change in macOS 15.4"},"content":{"rendered":"

Jeff Johnson<\/a> (Mastodon<\/a>):<\/p>\n

On macOS 15.2, I was able to drag the exact same downloaded WebP file to TextEdit and BBEdit with no Gatekeeper alert! Thus, it appears that the Reddit poster was correct, and something did change recently.<\/p>

[…]<\/p>

I perused the unusually long Apple support document About the security content of macOS Sequoia 15.4<\/a>, but nothing in there jumped out at me as the probable cause of the Gatekeeper change.<\/p>

[…]<\/p>

The appearance or nonappearance of Gatekeeper alerts depends entirely on the downloaded file’s extension. I edited the WebP file with a hex editor to make it into a plain text file, but it still triggered a Gatekeeper alert on opening in an app. On the other hand, when I kept the file contents the same, in WebP format, but changed the file extension to .txt<\/code>, the Gatekeeper alert no longer appeared.<\/p>

Overall, this feels like more security theater in macOS.<\/p>

[…]<\/p>

My test app will open any and every file type without a Gatekeeper alert, as far as I’ve seen, when the CFBundleDocumentTypes<\/code> has a single entry declaring the generic public.data<\/code> in its LSItemContentTypes<\/code>. The Gatekeeper alerts begin when I add a second entry with certain types, such as com.apple.webarchive<\/code> or public.unix-executable<\/code>. With just two declarations, one “safe” type such as public.data<\/code> and one apparently “dangerous” type such as com.apple.webarchive<\/code>, I see Gatekeeper alerts when trying to open any file, with any extension: .webp<\/code>, .png<\/code>, or even .txt<\/code>.<\/p><\/blockquote>\n\n

He thinks the change in behavior may be a bug.<\/p>\n\n

Thomas Tempelmann<\/a>:<\/p>\n

The problem (which has been around since macOS 10.0) is that it considers any file without a recognized extension to be an executable instead of being conservative and considering it something less. I always thought that to be a bad assumption. You cannot launch such executables directly from Finder anyway, so what’s the use case for this?<\/p><\/blockquote>\n\n

Yesterday, I saw a variation on this dialog that was new to me. I was trying to open a compiled nib file with Archaeology, and it said:<\/p>\n

Apple could not verify “[file].nib” is free of malware that may harm your Mac or compromise your privacy.<\/p><\/blockquote>\n

The only two buttons were Done<\/strong> and Move to Trash<\/strong>. This is a document<\/em> file, not executable code, and the only way I could open it was to delete the com.apple.quarantine<\/code> xattr.<\/p>\n\n

Previously:<\/p>\n