App quarantine in Sierra

The app and the DMG are both code signed properly, but after installing on Sierra, the app is still quarantined. Is this normal behavior?

Yes, after some time it will be released from quarantine.

Does it have to wait until a Doctor sees it? Sounds like installing Sierra might be a serious mistake.

I have no clue but it is true. For some reason any correctly codesigned app will be released after a while - maybe after x launches, x days, … I noticed this with several apps including my own.

Every time you download something (e.g. Safari, Chrome) or unpack something (e.g. .zip, .rar, .dmg), the com.apple.quarantine extended attribute is set for the file.

If your app/dmg is properly signed, this attribute will be removed the first time it’s opened. If it’s not properly signed, it won’t remove it and won’t open it.

You can see what attributes are set with:

xattr -l MyApp.app (or .dmg or .whatever)

You can check if your App is properly signed with:

spctl -a -v MyApp.app

You can check if your .dmg is properly signed with:

spctl -a -t open --context context:primary-signature -v MyDmg.dmg

As I mentioned yesterday, your akpro.dmg is not properly signed.

spctl -a -t open --context context:primary-signature -v akpro.dmg
akpro.dmg: rejected source=no usable signature

Marco

We know that AKPRO.DMG is not properly signed, but that’s not the one we are concerned about at this time.

The app is identified as properly signed, however, it is still reported as quarantined.

Well, if you don’t have an example, then it’s hard to say what is going wrong.

[quote=288894:@Marco Hof]
If your app/dmg is properly signed, this attribute will be removed the first time it’s opened. If it’s not properly signed, it won’t remove it and won’t open it.
[/quote]

This is not correct. The quarantine flag is not removed when launching the first time.

Ok. So how is it supposed to work according to you then?

Only on first launch will it verify the app. If code signed correctly, it will not verify again on second launch. But still the quarantine flag is kept for some time - no idea why though.
You can do the test yourself using xattr.
It happens with all apps you install (unless it comes from the AppStore).

Ah. No, the extended attribute itself isn’t removed but the quarantine flag is removed. Or better said, the flag is flipped from quarantined to not quarantined…
I can’t recall exactly but you can see it with xattr -l before and after you opened the App.

edit:
com.apple.quarantine: 0001;…etc. <-- Quarantined
com.apple.quarantine: 0061;…etc. <-- Not Quarantined
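
The before/after comparison described in this thread, as an added example that is not part of any post above: it pulls the flags field out of `xattr -l` output and reports which bits differ between two captures. The sample lines are constructed (the thread elides everything after the flags), and the `flags;timestamp;agent;uuid` field layout is an assumption.

```shell
#!/bin/sh
# Added example: compare the com.apple.quarantine flags field before and
# after first launch. Assumption: value is "flags;timestamp;agent;uuid"
# with flags written in hex. No meaning is assigned to individual bits.

# Constructed samples in the shape `xattr -l MyApp.app` prints.
BEFORE='com.apple.quarantine: 0001;57e8c1a0;Safari;00000000-0000-0000-0000-000000000000'
AFTER='com.apple.quarantine: 0061;57e8c1a0;Safari;00000000-0000-0000-0000-000000000000'

# Read `xattr -l` output on stdin, print the hex flags field
# (prints nothing when the attribute is absent).
qtn_flags() {
    sed -n 's/^com\.apple\.quarantine: *\([0-9A-Fa-f]\{1,\}\);.*/\1/p' | head -n 1
}

# Print the bits set in the second hex value but not in the first.
qtn_bits_added() {
    before=$((0x$1)); after=$((0x$2)); bit=1; out=""
    while [ "$bit" -le 32768 ]; do
        if [ $((after & bit)) -ne 0 ] && [ $((before & bit)) -eq 0 ]; then
            out="$out${out:+ }$(printf '0x%04x' "$bit")"
        fi
        bit=$((bit * 2))
    done
    echo "$out"
}

# Classify a before/after pair of `xattr -l` captures.
qtn_compare() {
    b=$(printf '%s\n' "$1" | qtn_flags)
    a=$(printf '%s\n' "$2" | qtn_flags)
    if [ -z "$b" ]; then
        echo "never-quarantined"
    elif [ -z "$a" ]; then
        echo "attribute-removed"          # xattr gone entirely
    elif [ "$b" = "$a" ]; then
        echo "unchanged:$b"               # same flags on both captures
    else
        echo "flags-changed:$b->$a added:$(qtn_bits_added "$b" "$a")"
    fi
}

# On a Mac, capture real input with:  xattr -l MyApp.app
qtn_compare "$BEFORE" "$AFTER"
```

An `unchanged` result after a successful first launch matches the behaviour the original poster reports; `flags-changed` matches the 0001 to 0061 transition quoted in the last post.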