My Xojo app quarantined

I have a problem and I think I know what it is but am looking for some confirmation.

My Xojo-created 64-bit app uses a Helper App inside the bundle, also created in Xojo. I sign the app like I’m supposed to.

I distribute my app via a DMG, created in DropDMG, and that DMG is signed as well.

However, I often distribute private builds of my app, for bug fixes in between public builds. I simply zip up the app and upload it and give the user the URL.

Now, a certain user (running macOS 10.12) is complaining that the function that is served by the Helper App isn’t working. I sent him some private builds to try to fix the issue, but it still doesn’t.

My app has a logging function that writes logs into my appsupport folder. Upon looking at the logs, I notice that my app has been Translocated. Upon research I see that Apple does that to apps that may come from sources like unsigned DMGs and ZIP files.

I also note that Translocated apps can’t run external resources, which now explains why my Helper App doesn’t run, perhaps. And that Translocated apps have been “quarantined”, meaning the app now has an attribute of com.apple.quarantine.

I note that clearing that attribute is like this:

sudo xattr -r -d com.apple.quarantine /path/to/MyApp.app

Am I correct so far in my analysis, and should I suggest to the user to do this, to solve the issue?

My understanding is that the user need only move the app to somewhere else, like home/apps or even Desktop.

Make sure that he’s not trying to run it from the DMG itself too.

Code sign and Notarize any build that you want to run on another’s computer.

For speed reasons I only do a codesign and then I have a blog entry on what to do with the wonderful malicious warning.

I occasionally have users do this as well. The problem is you can’t run the app from the same folder you unzip it into. They are concerned that even though the app is signed there might be hidden libraries or other resources inside the zip file that could be unsigned but then loaded by the app or something like that. You must unzip and then move the app to some other folder, it doesn’t appear to matter which one, just moving it out of the folder it unzipped to is enough.

I have switched to always sending DMGs now to avoid this.

My app is pretty big (288MB compiled), it takes 6-8 minutes for the whole process: AppWrapper signing, dmgCanvas making the .dmg, and Apple notarizing (including upload time). That’s all within AppWrapper, so it’s an easy single launch. I then upload it to Dropbox or my web site as needed. I do this for both public and private builds. This is on a 16" 2019 MBP.

There is no harm in using sudo xattr -r -d com.apple.quarantine. Also, a translocated app can determine where its original file is located, and act on that, like moving itself somewhere else, and/or remove the quarantine flags from itself using the xattr cmd.

See my project http://files.tempel.org/RB/Translocation_Handling.zip - it contains all the code for this, e.g. look for QuarantineHandling.ActualAppLocation
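
A read-only diagnostic for the situation discussed in this thread, added here as an example; it is not code from any poster or from the linked Translocation_Handling project. The function names are hypothetical, and the `/AppTranslocation/` path marker and the `flags;hex_timestamp;agent;uuid` layout of the quarantine value are assumptions based on observed macOS behaviour.

```shell
#!/bin/sh
# Added example: read-only checks, nothing on disk is modified.
# Usage: sh diagnose.sh /path/to/MyApp.app [runtime path copied from the app's log]
# Function names are hypothetical; sample values in comments are constructed.

# Succeeds when the path is under Gatekeeper's randomized translocation mount,
# e.g. /private/var/folders/ab/xyz/T/AppTranslocation/<UUID>/d/MyApp.app
is_translocated() {
    case "$1" in
        */AppTranslocation/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints the downloading agent from a quarantine value, assumed to be laid
# out as "flags;hex_timestamp;agent;uuid" (e.g. "0083;5f2b1c00;Safari;...").
quarantine_agent() {
    printf '%s\n' "$1" | cut -d';' -f3
}

report() {
    app=$1
    runtime=${2:-$1}   # the path the app saw at launch, if it was logged
    if is_translocated "$runtime"; then
        echo "translocated: yes (move the app to another folder in Finder, then relaunch)"
    else
        echo "translocated: no"
    fi
    if command -v xattr >/dev/null 2>&1; then
        if q=$(xattr -p com.apple.quarantine "$app" 2>/dev/null); then
            echo "quarantined: yes, downloaded by $(quarantine_agent "$q")"
        else
            echo "quarantined: no"
        fi
    fi
    if command -v codesign >/dev/null 2>&1; then
        # --deep also verifies nested code such as a helper app in the bundle
        if codesign --verify --deep --strict "$app" 2>/dev/null; then
            echo "signature: valid"
        else
            echo "signature: INVALID or missing"
        fi
    fi
}

if [ $# -gt 0 ]; then report "$1" "${2:-}"; fi
```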