Re: Gatekeeper and code signing question
- Subject: Re: Gatekeeper and code signing question
- From: Stéphane Sudre <email@hidden>
- Date: Fri, 10 Jun 2016 09:02:03 +0000
- Thread-topic: Gatekeeper and code signing question
On 9 June 2016, at 15:31, Michael Domino wrote:
> Hi all,
>
> I have a signed app that had a flaw (something was changed after signing). When downloaded directly to a Mac from the server, the app was scanned on startup (the "Verifying" alert appears), the flaw was detected and the Gatekeeper assessment failed as damaged. However, when the same dmg is downloaded to a Windows system and then copied to the Mac, the app launches normally. The "Verifying" alert does not appear at all. So the questions are:
>
> 1. How can that happen?
As long as the Quarantine flag is not set, Gatekeeper does nothing. Last time I checked, when you download your app on a Mac using curl, the quarantine flag won't be set. Therefore Gatekeeper won't inspect the app, dmg, zip, etc.
If you downloaded the dmg on a Windows system, the Quarantine flag is obviously not set by the Windows system.
If you then copy it to your Mac using a USB key, the flag will not be set by the Finder.
> 2. Is that a security hole in the Gatekeeper system?
It's a known limitation. This security layer is efficient only when the quarantine flag is set.
Xcode-users mailing list (email@hidden)
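Added example, not part of the original message or of any Apple tooling: a manual check for an app that may have reached the Mac without the quarantine flag (Windows download, USB copy, curl), the case described in the reply above. It assumes the macOS command-line tools xattr, codesign and spctl are on PATH and that the flag is stored as the extended attribute com.apple.quarantine; the function names are made up for this example.

```sh
#!/bin/sh
# Manual pre-launch check for an app bundle whose quarantine flag may be
# missing, so that a modified-after-signing bundle is still caught.

QUARANTINE_ATTR="com.apple.quarantine"

# 0 if the quarantine extended attribute is present on the path
has_quarantine() {
    xattr -p "$QUARANTINE_ATTR" "$1" >/dev/null 2>&1
}

# 0 if the code signature validates (nothing changed after signing)
signature_ok() {
    codesign --verify --deep --strict "$1" >/dev/null 2>&1
}

# 0 if the system policy accepts the app for execution
policy_ok() {
    spctl --assess --type execute "$1" >/dev/null 2>&1
}

# precheck APP: prints one summary line and returns
#   0 = signature and policy pass
#   1 = signature invalid or bundle modified after signing
#   2 = signature valid but rejected by policy
precheck() {
    app=$1
    if has_quarantine "$app"; then
        q="quarantine flag set"
    else
        q="quarantine flag NOT set, no automatic check at launch"
    fi
    if ! signature_ok "$app"; then
        echo "FAIL: $app ($q): signature invalid or modified after signing"
        return 1
    fi
    if ! policy_ok "$app"; then
        echo "FAIL: $app ($q): signature valid but rejected by policy"
        return 2
    fi
    echo "OK: $app ($q): signature and policy checks pass"
    return 0
}

# Run only when an app path is given, e.g.: sh precheck.sh /Volumes/Foo/Foo.app
if [ "$#" -gt 0 ]; then
    precheck "$1"
fi
```

Run it against the .app inside the mounted dmg before first launch; a non-zero exit status means the bundle should not be opened.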