Many MacOS users are probably used by now to the annoyance that comes with unsigned applications, as they require a few extra steps to launch them. This feature is called Gatekeeper and checks for an Apple Developer ID certificate. Starting with MacOS Sequoia 15, the easy bypassing of this feature with e.g. holding Control when clicking the application icon is now no longer an option, with version 15.1 disabling ways to bypass this completely. Not unsurprisingly, this change has caught especially users of open source software like OpenSCAD by surprise, as evidenced by a range of forum posts and GitHub tickets.
↫ Maya Posch at Hackaday
It seems Apple has disabled the ability for users to bypass application signing entirely, which would be just the next step in the company’s long-standing effort to turn macOS into iOS, with the same, or at least similar, lockdowns and restrictive policies. This would force everyone developing software for macOS to spend €99 per year in order to get their software signed, which may not be a realistic option for a lot of open source software.
Before macOS 15.0, you could ctrl+right-click an unsigned application and force it to run. In macOS 15.0, Apple removed the ability to do this; instead, you had to try and open the application (which would fail), and then open System Settings, go to Privacy & Security, and click the “Open Anyway” button to run the application. Stupidly convoluted, but at least it was possible to run unsigned applications.
In macOS 15.1, however, even this convoluted method no longer seems to be working. When you try and launch an unsigned application in macOS 15.1, you get a dialog that reads The application “Finder” does not have permission to open “(null)”, and no button to open the application anyway appears under Privacy & Security. The wording of the dialog would seem to imply this is a bug, but Apple’s lack of attention to UI detail in recent years means I wouldn’t be surprised if this is intentional.
This means that the only way to run unsigned applications on macOS 15.1 is to completely disable System Integrity Protection and Gatekeeper. To do this, you have to boot into recovery mode, open the terminal, run the command sudo spctl --master-disable, and reboot. However, I do not consider this a valid option for 99.9% of macOS users, and having to disable complex stuff like this through recovery mode and several reboots just to launch an application is utterly bizarre.
For those of you still stuck on macOS, I can only hope this is a bug, and not a feature.
I don’t think I’ve tried to run any unsigned apps [yet]. But, then again, MacOS is not currently my primary OS.
On the other hand, what would you expect from a closed source company that sells “pro” monitor stands at $999 ?
Maybe this is their way of checking what the backlash will be without officially making the change. Underhanded way to warn about this likely possibility.
I was thinking the same thing.
It’s not the first time they’ve “broken” this. And likely won’t be their last.
From their perspective, unsupported software has broken so likely barely touches their regression suites.
I can’t see that many businesses condoning using unsigned software, so it’s going to be technical home users who are affected. A very small group.
They’ll wait until some enterprising individual finds a work around, then enable it again, while closing that loophole.
This is the result of doing nothing about Apple’s increasingly user-hostile and developer-hostile actions. They are shooting themselves in the foot by making it even more difficult and expensive to develop for their OS which already has a lack of apps compared to the alternatives, not to mention showing what they really think of their developers and users.
Not unsigned apps, it flags “quarantined” apps that have been downloaded from arbitrary websites. Apps that don’t have the “mark of the web” quarantine flag will run just fine. For example if you compile something yourself, it runs fine:
$ gcc test.c -o test
$ uname -a
Darwin XXXX.local 24.1.0 Darwin Kernel Version 24.1.0: Thu Oct 10 21:03:15 PDT 2024; root:xnu-11215.41.3~2/RELEASE_ARM64_T6000 arm64
$ ./test
test
You can remove this flag from CLI too:
xattr -d com.apple.quarantine $FILE
It makes it slightly more difficult to download and execute arbitrary binaries, which decreases the chances of users falling victim to phishing. Windows has a very similar feature too, and Linux traditionally required that you chmod +x anything you downloaded which achieved a similar result.
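The quarantine flag discussed in the comment above is an extended attribute whose value has the form flags;hex-timestamp;agent;event-id. The following is an added example, not part of the original thread: a small auditing helper that decodes that value so you can see which program tagged a file and when. The sample paths and values are constructed, the flag field is left uninterpreted, and read_quarantine assumes the macOS xattr tool is available.

```python
import subprocess
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

ATTR = "com.apple.quarantine"

@dataclass(frozen=True)
class Quarantine:
    flags: int                   # hex flag field, kept uninterpreted here
    stamped: Optional[datetime]  # when the flag was applied (UTC), if recorded
    agent: str                   # program that downloaded the file
    event_id: str                # identifier of the download event

def parse_quarantine(raw):
    """Parse 'flags;hex-epoch;agent;event-id'; trailing fields may be absent."""
    if isinstance(raw, bytes):
        raw = raw.rstrip(b"\x00").decode("utf-8", "replace")
    fields = raw.strip().split(";")
    fields += [""] * (4 - len(fields))      # pad short values
    try:
        flags = int(fields[0], 16)
    except ValueError:
        raise ValueError(f"not a quarantine value: {raw!r}") from None
    try:
        stamped = datetime.fromtimestamp(int(fields[1], 16), tz=timezone.utc)
    except (ValueError, OverflowError, OSError):
        stamped = None                      # empty or malformed timestamp
    return Quarantine(flags, stamped, fields[2], fields[3])

def read_quarantine(path):
    """Return the raw value via macOS `xattr -p`, or None if the flag is absent."""
    proc = subprocess.run(["xattr", "-p", ATTR, path],
                          capture_output=True, text=True)
    return proc.stdout.strip() if proc.returncode == 0 else None

def triage(values):
    """Turn {path: raw value or None} into one audit line per path."""
    lines = []
    for path, raw in sorted(values.items()):
        if raw is None:
            lines.append(f"{path}: no quarantine flag (built locally or flag removed)")
            continue
        q = parse_quarantine(raw)
        when = q.stamped.strftime("%Y-%m-%d %H:%M UTC") if q.stamped else "unknown time"
        lines.append(f"{path}: quarantined by {q.agent or 'unknown agent'} "
                     f"at {when}, flags=0x{q.flags:04x}")
    return lines

# Constructed sample values, not taken from a real machine.
SAMPLE = {
    "/Applications/OpenSCAD.app":
        "0083;67200000;Safari;00000000-0000-4000-8000-000000000001",
    "/Users/demo/test": None,
    "/Users/demo/Downloads/tool.zip": b"0081;67200000;Firefox;\x00",
}

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE)))
```

On a Mac, triage({p: read_quarantine(p) for p in paths}) gives the same report for real files, which is a quick way to check what Gatekeeper will evaluate before anything is launched.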
Agreed. This is a 100% justifiable security move that would be read that way — as a security enhancement rather than as user hostility — if it were implemented in Ubuntu or Fedora.
In TYOOL 2024 there are like zero good reasons for users to download and run software from whatever rando website. If we’re just talking about MacOS and iOS, we ought remember that nonprofits, schools, and government already get free developer certificates. There’s no good reason for a project like OpenSCAD to be running without one.
Downloading and running random scripts from GitHub (or other sources) is becoming VERY common as consumers (particularly gamers) start moving in to Linux. This is not an amazing trend, but also – it needs to continue to be at least possible, even if there are hoops to jump through.
The problem starts when the inevitable enshittification commences and Apple starts banning software that goes against their business interests as a content provider. DVDFab and MakeMKV come to mind. MakeMKV is already not signed by Apple, presumably because the MakeMKV people don’t want to be beholden to a content provider for signing:
https://www.makemkv.com/download/
What Apple is doing is bait and switch, plain and simple.
Honestly I thought apple would use the transition to ARM to implement stronger owner restrictions, but they didn’t…I suspect they thought about doing that but maybe they concluded that it would have derailed their jump to ARM when it was strategically important to apple that their ARM PCs be seen as a legitimate successor to their old x86 lineup. In the long run I still believe that apple’s goal is to finish imposing IOS restrictions onto macos, but to do it slowly enough that there won’t be a tidal wave of protests. They’ll keep making it harder for normal users to bypass apple’s restrictions, but with small incremental changes until the gate can be locked.
True, ever since the power grab attempted with iOS was an unmitigated success (with the OS vendor being the sole gatekeeper of the apps you can install on your device in iOS), every OS vendor has been trying to do the same. I was actually surprised Apple allowed any kind of “sideloading” on Apple Silicon Macs instead of saying something like “sideloading was an x86 compatibility quirk”, and even more surprised they allowed unsigned software to run at all.
That said, changing the behaviour of Gatekeeper in a minor release is a bait-and-switch.
Also, considering the lack of communication from Apple about this “bug”, it’s probably intentional.
Zero good reasons to download software from the web? For macOS? We do not use the same software apparently. A lot of Open Source for macOS could be considered “software from whatever rando website”.
for a downloaded app like openscad I had to extract it, remove the flags from within that .app-bundle and start the binary inside the bundle directly. there was no way to get it to start the bundle directly. very cumbersome to start the app when you just can’t start it from spotlight or from the dock.
I have converted that command into a script I call macRun found here: https://github.com/xeoron/macRun
Looks like everyone is preparing for mass censorship due to wartime necessities (external or internal) of a failing economic system.
Nah, communist china and north korea have censorship already figured out, fam.
I appreciate the reporting on this but I take issue with this quote:
“This would force everyone developing software for macOS to spend €99 per year in order to get their software signed, which may not be a realistic option for a lot of open source software.”
That is simply not true. Developer certificates for MacOS and iOS are free for government, schools, and nonprofits,* and so the only open-source projects that would need to pay for developer certificates are those organized as businesses, or those that sell goods or services using their applications. That all seems pretty reasonable.
* You can see the details here: https://developer.apple.com/support/fee-waiver/
Brainworm,
I took a look at the link, and you’ve omitted a very significant part:
You can choose to defend apple’s position or not, but their policy sucks for small FOSS projects. The majority of FOSS accounts on github are really individuals. They are NOT legally registered non profits. Even if they wanted to be, now they’d have to apply for and maintain that legal status with the government. And they’d have to follow non profit accounting rules, deal with yearly IRS filings, possibly hire corporate accountants, etc.
I believe owners should be entitled to sign software for their own hardware for free without any vendor restrictions. Otherwise it’s a significant slap in the face for FOSS rights.
Why should tech companies be able to tell owners what they can run anyway? Lock it down by default, but it should be an owner’s right to overrule apple.
We all know that commercial software is not owned by the end user, it is licensed. With this move, Apple seems to want to move towards a licensed hardware situation, by making the hardware subservient to the software, and ultimately to Apple themselves. They are publicly (though begrudgingly) embracing right to repair, but privately they do things like this which only make headlines in the smaller tech news websites.
It should certainly be an owner’s right to overrule their OS, and things like this make my future hardware purchase decisions for me. I already have a mini PC smaller than the new Mac mini, and more powerful as well. The fact that I can run literally any software on it either bare metal or through virtualization, and that I can have complete control over that software, makes me 100% likely to never buy another Apple product again. They won’t notice my efforts, but I certainly noticed theirs. And I’m not alone.
I agree with what you’re saying. gatekeeper is a closed source application so they are allowed to make whatever changes they want to it, and in all fairness they do allow it to be turned off.
i just hope they change it back. this will make using certain apps such a pita. i don’t have time to be worrying about signing apps or getting some correct version when im on a deadline and i need to get work done. macs are meant to be easy and efficient so changes like these just baffle me. this over controlling behaviour feels like downgrading and i wonder what is the limit they’ll stop at..
On my macOS 15.1 laptop, bypassing Gatekeeper with unsigned apps continues to work just like it did with 15.0. May be an issue with specific unsigned apps, especially if there are multiple unsigned executables in a single package.
beosforever,
It would be nice to have a comprehensive article that documents the specifics in detail, including reproducible test cases. Without these details nobody is on the same page. I hate having to speculate about things that should be in the article, but is it possible you’d only see the change with new downloads?
I tested a new download, just to make sure.
I’d be surprised if existing downloads stopped working. As @bert64 said, you can manually remove the quarantine attribute in a shell, and once removed, it should stay removed indefinitely.
beosforever,
According to these discussions they can get around it from the terminal, but the Sequoia 15.1 change is that launching them through finder no longer works (without more steps) whereas it used to.
https://forums.macrumors.com/threads/finder-does-not-have-permission-to-open-null.2441374/
https://forums.macrumors.com/threads/anyone-with-14-7-1-does-it-have-the-equivalent-sequoia-non-developer-app-lockout.2441433/
You OWN the computer and can’t do what you want with it. Remember when Apple wanted people to develop apps for the platform? Now they charge you for it and want a cut. Any way for them to control you and make a buck off your work. People forget what apple did years ago, remember when you can alter the way OSX looked? they locked that down. They will restrict what you can do with the OS to the extent it’ll piss people off. It’ll scan your documents, your pictures, videos, report you to the cops, while saying it’s for YOUR protection. as while their own system is being hacked to steal content to blackmail and take advantage of people as again feigning innocence and not taking any blame. There is so much under the hood spyware that Everyone ignores or doesn’t know about. Apple Does know what’s going on, on your Mac. You’re just too ignorant to care about it.
You can do what you want with the computer. You may not be able to do what you want with macOS. Install Fedora Asahi Remix on M-series Macs, if you want more control. Apple only takes a cut of sales for Mac apps if you sell apps in the Mac App Store. You’re free to distribute Mac apps however you want. macOS does not scan your documents/pictures/videos and report contents to the police. There *was* discussion about doing that if you uploaded those to Apple’s iCloud storage, and frankly, all major data storage providers with physical servers in the USA are required to do this. Just don’t upload your data to 3rd-party servers, if you don’t want your data scanned. True regardless of operating system.
>You’re free to distribute Mac apps however you want.
You can still offer them for download, but that’s completely pointless if the users won’t be able to actually run them.
They *can* run them. What has changed is the *way* you run them.
Before there was a way to run them via the UI, but this has been disabled. Instead, you have to remove the quarantine flag via the terminal. But they still run perfectly well.
For now there exists a commandline workaround, but no doubt they will continue to restrict it further in subsequent versions. They are deliberately making it more and more difficult by removing interfaces etc. using a gradual “frog-boiling” strategy.
> no doubt they will continue to restrict it further in subsequent versions.
There are three options here:
1. Apple made a mistake
2. Apple intends to make our machines more secure, without stopping people making their own decisions when they understand the implications
3. Apple have introduced this measure as a means to control users and make money.
Maybe we should wait for a statement from Apple before we jump to conclusions? Otherwise we’re just spreading fear, uncertainty, and doubt?
> They are deliberately making it more and more difficult by removing interfaces etc.
They’ve removed *one* interface. That’s not “more and more difficult”. At this stage, there is no, “etc.”.
> using a gradual “frog-boiling” strategy.
An interesting choice of words; the frog-boiling analogy is based on a myth, too.
kramii,
Even if this instance is a mistake (which, we’ll see), apple are already at #3 to begin with.
https://github.com/openscad/openscad/issues/880
Just look at the dialog box in the link, There’s no link to settings or more information, an insulting “move to bin” button. We can definitively say it’s designed to be an objectively bad experience for independent software.
It’s just an expression of speech that nearly everyone is familiar with. Sometimes these OS failures teach us about macos control mechanisms that would have gone unnoticed…
https://tidbits.com/2020/11/13/apple-network-failure-destroys-an-afternoon-of-worldwide-mac-productivity/
Of course they needed to fix the outages of the day, but that alone doesn’t necessarily address the underlying concerns of apple designing macos to phone home to apple HQ to ask for permission to run 3rd party software. The incremental changes are relatively small and it’s not that hard to dismiss them individually, but that may be missing the point of the frog story. If each step that apple (or microsoft, google, etc) takes etches away at owner independence, then more and more technology will end up eventually reaching IOS level of restrictions. This is what makes corporate apologists extremely dangerous for consumer & owner rights in the long term and they may not even be aware of how important they are to these corporate control strategies.
I don’t disagree with you, but to be clear, unsigned apps are apps for which the developer isn’t paying Apple the $99/year for membership in Apple’s developer program. If the developer were paying that fee, the app would be signed by a certificate Apple has approved, which provides some level of assurance that the applications won’t be malicious (since Apple can revoke the certificate if an app is found to be malicious). Unsigned apps are from developers who are not in the developer program, and/or are not using XCode to develop apps. Using these apps are still possible, but Apple is making users really be explicit they want to use those apps. Your average user will never download an unsigned app, and if they did, they wouldn’t have meant to. Unsigned apps are generally for power users, written by devs who aren’t willing to be in Apple’s developer program. I personally would stop using a Mac if Apple made it impossible to open these apps. Like I said, for me, I can still download an unsigned app and use it through validating my preference in System Preferences. I know others are having a problem doing this. It’s clearly a bug.
And, to be clear, Apple doesn’t have to scan your app or approve your app for you to use your developer certificate. You just have to be willing to pay Apple $99/year to get a developer certificate. While I appreciate that OpenSCAD is a cross-platform app, built in XCode for the Mac, it’s also a bit ridiculous such a popular app would have its developer refuse to pay $99/year to be signed. Yes, you can choose to do that, but you really limit your audience of users when you make that decision.
beosforever,
It was already that way before, there’s no reason to keep making it worse unless they want to slowly kill it off.
Apple goes well beyond protecting users from accidental execution (which I wouldn’t mind). But they’re making users go through obnoxious hoops well beyond what could reasonably be labeled as accident prevention. There’s a huge difference between protecting users and coercing them, apple clearly falls into the latter.
Not for nothing, but we used to debate the restrictions on iphones and ipads, and they were defended on the basis that macos was for power users. Now that macos is also regressing in terms of making independent software harder to use, it begs the question at what point are apple fans going to stand up against apple’s push to make macos less friendly for independent software? I understand your answer to mean that you’ll keep jumping through hoops without complaining and stop using macs only after the fact. But do you consider the possibility that by then it could be far too late for your threat to have an impact?
It does look like a bug, but it’s unclear if the bug is that the software stopped running, or if the reduction in permissions was intentional and the bug is just in the error message. We’ll see how they fix it.
Unfortunately Apple user base is in general lost to any kind of reason so they in the end don’t care and so don’t i. The problem here, for me, would be if Apple would ever reach a market share on desktop that would start to affect me in some meaningful way. Luckily i don’t see on how GNU/Linux or even Windows user base would ever migrate to Apple desktop products. We both still do have some standards.
Several reports that this might be more an issue faced by the original article’s author than anything else:
https://news.ycombinator.com/item?id=42032444
Please do validate reports before spreading FUD to people. There are some that love to hate things, just because they don’t like them or agree with.
Not just the author. I just got a M4 Pro today and had a similar issue where the ability to run unsigned apps was basically disabled completely. Heck, even opening up my .zshrc file in a text editor was blocked. As a developer often working on new and custom tools, unsigned apps are a common occurrence for me and it is a huge PITA to have them constantly blocked.
That said, there is a workaround that is a lot more user friendly than the one this author found. Credit to the top ranking post here:
https://discussions.apple.com/thread/255759797?sortBy=rank
I can confirm that flow works and is a ton easier than booting into recovery.
—
Follow the order exactly:
1. Open up System Settings
2. In System Settings, navigate to “Privacy & Security”. Leave Window Open in the Background
3. Open up Terminal (as separate window). DO NOT CLOSE System Settings
4. In Terminal, run “sudo spctl --master-disable” --> Type Password --> Click Enter
5. In System Settings, navigate out of “Privacy & Security” Page (For Example — Click on “Lockscreen”), then navigate back to “Privacy & Security”
6. In System Settings --> Privacy & Security Page --> Scroll Down to bottom --> Select “Allow Application From” --> Select “Anywhere” (the option will now appear) --> Type Password
7. Completed
i use SuperSlicer from GitHub and a whole bunch of other 3D printing / AI stuff and now this OS update breaks them. as a long time Mac user since the late 90’s – i hate what Apple has turned into.