How do I revoke Gatekeeper permission to launch from an unsigned app? [duplicate]

macos gatekeeper extended-attributes

Solution 1:

You can copy an existing com.apple.quarantine attribute of an arbitrary file to a proxy file and then apply it to arbitrary other files. If you open certain file types (e.g. .txt files) the quarantine attribute will be ignored though.

Example:

xattr -p com.apple.quarantine /Users/user/dnscrypt-osxclient-1.0.12.dmg > quarantine.attr
xattr -w com.apple.quarantine "`cat quarantine.attr`" test.command

This will apply the data gathered from the .dmg to the .command file - including download date and download app of the original dmg file. The original download date/app of the .command won't be restored though.

Source: Using xattr to set the Mac OSX quarantine property

Format of the quarantine attribute:

flag;date;app_name;UUID;
  1. at least 0001-0003 rises the "Do you really want to open this file..." dialog, but 0062 doesn't.
  2. date (in Unix hexadecimal timestamp at least 00000000-1c000000 are unknown dates, an early date which works is 1d000000: 02 Jun 1985 05:47:44 GMT)
  3. app (any app name allowed)
  4. A UUID related with a file download which can be found in /Users/user/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 (obviously facultative)

So using 0001;55555555;Klanomathiner; in the proxy file mentioned above and applying it to a file (in the example test.command) will rise:

enter image description here

or 0001;66666666;A Cyborg from the future;

enter image description here

After opening the file the first "flag" will be set to 0041 and reopening it won't rise anything.

With some bash/SQL-magic you may even recover the original UUID and the download date/app by querying for the file name in the sqlite database - which the file com.apple.LaunchServices.QuarantineEventsV2 represents - and restore the original quarantine attribute. But I'm too lazy to draw this up now. Someone else has done similar/related work already:

Read com.apple.quarantine

/usr/bin/xattr -p com.apple.quarantine "${file}"

Set com.apple.quarantine

application="cURL"
date=$(printf %x $(date +%s))
uuid=$(/usr/bin/uuidgen)
/usr/bin/xattr -w com.apple.quarantine "0002;${date};${application};${uuid}" "${file}"

Insert UUID into Database

download_url="http://example.com/file.zip"
date=$(($(date +%s) - 978307200))
/usr/bin/sqlite3 ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 "INSERT INTO \"LSQuarantineEvent\" VALUES('${uuid}',${date},NULL,'${application}','${download_url}',NULL,NULL,0,NULL,'${url}',NULL);"

Check if UUID exists in Database

/usr/bin/sqlite3 ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 "SELECT * FROM LSQuarantineEvent WHERE LSQuarantineEventIdentifier == '${uuid}'"

Solution 2:

I like klanomath's answer a lot as it helped me understand what goes down under the hood.

However, I found a simpler way of resetting the quarantine: Just drag the application onto a new browser window and "re-download" it. It will have the quarantine flag added back to it.

If your application was notarized, the UI warnings won't come up. This is the same behaviour as klanomath's copy-quarantine-attribute technique.

Related

Apple Mail always needs to "rebuild" Exchange mailbox for new mails
What is the chance that jailbreaking my iPhone will brick the phone?
Why won't iTunes stream 320 kbps audio across a network?
How to get Finder in Lion to set group permissions to read/write by default?
Why is my Time Machine backup failing to fire at the hourly interval?
Is it possible to sort the user accounts in the login dialog?
Wifi drops when screen is locked
iOS 5 change AppStore language
ItemTouchHelper with RecyclerView in NestedScrollView: Drag scrolling not work
I already have a CUDA toolkit installed, why is conda installing CUDA again?
How to correctly configure resources with jersey programmatically
How to install openjdk-8-jdk on Debian 10 (Buster)?