Running unidentified developer Applications as a Non-administrator

I am used to Windows but recently started using a restricted(can't run apps from unidentified developers) OS X machine and want to make it full featured without having to reformat, reset/recreate admin, etc.

I have MagicPrefs installed by just putting the file in a Programs folder under my user account and it just runs but gedit has a unidentified developer error and even a right click open requires admin privileges (I can not turn off gatekeeper from System Preferences)

Portable versions of OS X applications might be a solution for major apps.


Solution 1:

The only way to 'self sign' an app for Gatekeeper is to enroll in the Apple Developer Program (currently $100/annually), sign up for a code-signing certificate, and install XCode to create "your" app.

You could then create an App in XCode and just include the contents of the other app you really are wanting to run in your app bundle, then sign it with your certificate. This app would able to launch anywhere (though you would possibly be violating the license of the original software).

Obviously this is not very practical. The method suggested in another answer here to copy the contents to another app's bundle will not, in itself, circumvent Gatekeeper. The 'Known Developer' check requires the the app bundle to contain a _CodeSignature subfolder, and an app ID which corresponds to the signed developer in the bundle's Info.plist file. Both of these will be destroyed if you replace all the contents, and selectively replacing the contents will result in an app which has a code signature that does not match that of the app it is claiming to be.

If this 'transplant' method does work, it is not because it tricks Gatekeeper; rather because it prevents Gatekeeper from ever being invoked. Regardless of whether an app bundle is signed, the Gatekeeper system will only check apps that are 'quarantined'. This means an extended attribute flag has been added to the file which indicates it was downloaded from the internet or else-wise from an unknown source. Safari and Mail will add this flag to downloaded files, but there is no requirement that all apps must behave this way. You can see this flag by running the command ls -l@ on the directory containing your app bundle:

drwxr-xr-x@ 3 self  wheel      102 Jul  7  2013 My Sketchy App.app
    com.apple.quarantine         57 

If you copy the contents of an app into another app's bundle, the newly-created app has whatever extended attributes the bundle did beforehand. So if it did not have a quarantine flag, neither will your new app and you will be able to launch it. But if it did have a quarantine flag, it still will, and Gatekeeper will be in effect.

Transplanting the app contents is just a roundabout way of removing this flag. You can accomplish the same thing by simply removing the quarantine flag from the app directly, like so:

xattr -d com.apple.quarantine "./My Sketchy App.app"

or you could indirectly remove the quarantine flag by launching/allowing the app on another Mac (which does not have Gatekeeper restrictions in effect, or where you have an admin account which allows you to override it), then copying it to the restricted machine via a method that does not recreate the flag (apps copied from a SMB share, for example, will not be quarantined).

Long story short: the right-click 'Open' (or "Open Anyway" from Security screen of System Preferences) adds an exception to Gatekeeper for the app in question, which requires admin privileges. Removing the quarantine flag from an app only requires write permissions to the app bundle, and prevents Gatekeeper from ever getting involved.

Solution 2:

Take an application you normally run, like one from the app store or the internet. Make sure you have permission to change it. For this, I recommend downloading a simple internet application like Keka, and dragging it to your desktop.

Duplicate the application by right clicking on it and selecting Open Package Contents. Drag out the contents of the application and fill the empty app shell with the content of the application from a unidentified developer.

The system reads it as an application created by a identified developer, and you can run it normally.