Many MacOS users are probably used by now to the annoyance that comes with unsigned applications, as they require a few extra steps to launch them. This feature is called Gatekeeper and checks for an Apple Developer ID certificate. Starting with MacOS Sequoia 15, the easy bypassing of this feature with e.g. holding Control when clicking the application icon is now no longer an option, with version 15.1 disabling ways to bypass this completely. Not unsurprisingly, this change has caught especially users of open source software like OpenSCAD by surprise, as evidenced by a range of forum posts and GitHub tickets.
The issue of having to sign applications you run on MacOS has been a longstanding point of contention, with HomeBrew applications affected and the looming threat for applications sourced from elsewhere, with OpenSCAD issue ticket #880 from 2014 covering the saga for one OSS project. Now it would seem that to distribute MacOS software you need to have an Apple Developer Program membership, costing $99/year.
So far it appears that this forcing is deliberate on Apple’s side, with the FOSS community still sorting through possible workarounds and the full impact.
Thanks to [Robert Piston] for the tip.
Looks like Linux is back on the menu
Freedom not to buy Apple products and be in charge of your own choices.
And for the others, a jealously exclusive nanny keeping locked you in on the pretext she is watching over your computer security.
It never was gone from menu. It was the meal of the year, since 1998.
People simply didn’t order it often, because they couldn’t get used to the musty taste.
That’s right. Every year for the last 25 has been the year of Linux on the desktop. ™️
Primary driver except for games since 2000, the only driver since ~2020 here. So almost I guess?
I’ve been Windows free for many years at home — servers, laptops, desktops, SBCs…. All run a version of Linux. Hasn’t been ‘musty’ around here. More like cutting edge :) .
Never did see how Apple has/had any appeal being a closed eco system hardware/software. Just like the i-phone. Never quite understand that. But, obviously, that is just me as you see a lot of apple ‘users’….
Well, most Linux software can be compiled and run on Apple Macos, seeing as Macos is Unix and Linux is almost Unix.
I personally find Macos to be the serious brother of Linux. I have all Macos and Linux in my house. And one Windows laptop from 2005, running Windows 7. Ok, and one old Pentium 233MHz desktop computer running Windows 98se, for the really old stuff (things like writing TRS-80 floppies).
For the rest I agree. It’s a nuisance, but it does help to secure down the computer, for those people who do not really know what they are doing. For other people, I’m sure there is a workaround. Having said that, I haven’t found any problem yet. I’ve been running all Sequoia 15.1 betas.
I love Linux. Have used it exclusively on the server side for decades, on the desktop side also for almost as long.
Switched to MacOS on the desktop about 10 years ago. Needed a stable and polished desktop without fear of things breaking each time I upgraded.
Except Apple Silicon won’t let you dual-boot, so new MacBooks can’t run it unless they want to put it into a VM and split their RAM between two operating systems.
On M1 or M2 you can dualboot it with Linux with Asahi
actually, dual booting with Asahi Linux: https://asahilinux.org/ is a nice option (they discourage completely removing your macOS partition even, due to the fact that only it can apply firmware updates iirc)
Windows at least offers a somewhat functional Bash shell that you can use. This makes OS X completely unusable for devs and I was forced to move on from OS X because of exactly these issues.
When they stopped letting me compile Python 2.7 it meant I couldn’t continue to use my M1 MacBook pro for work. Clearly 2.7 had been deprecated for years but taking away the option for me to compile it myself was a step too far.
OS X used to be the most flexible and powerful OS for years and now it’s completely unusable.
I’ve been using Ubuntu for several years now for my personal and work machines and I’ll never go back.
I understand there’s now a halfway decent Linux distribution that will run OK on some of Apple’s hardware.
I mean, until they start demanding signed kernels or whatever.
Why do people buy this stuff?
It’s best to just stay away from Apple hardware. They probably want to lock down their computers like they do their phones. I would imagine that locked bootloaders will be next.
Their products should carry a warning label: “This vending machine is addictive and can cause severe loss of money.”
The M processors aren’t bad per se, though.
Their shared memory concept removes bottlenecks very well.
x86 is best to be stayed away, though. Intel wants to ruin it with x86S soon.
Because people – the people who buy Apple’s products, not you or I – don’t care about this.
They care that it works. They care that it denotes status. They don’t care that they can’t run anything not Apple-approved.
And yes, that’s a problem.
It doesn’t work if you want to run a program from somebody who refuses to pay the Apple tax and jump through Apple’s hoops.
And the only way to actually remove all ways to bypass it would be to prevent you from writing your own program, of any kind, to run on your own computer. Including scripts that ran outside of some ridiculously tight sandbox that made them useless.
At that point, it’s not a computer and it’s fraudulent to sell it as one.
90% of Apple users don’t want to run any such software. Let’s not delude ourselves that we, the more technical users, are somehow the majority – or even a significant enough niche – for anyone to care.
That’s why they are getting away with these things, whether it is all the anti-repair stuff, locking down of everything and extracting rent via the Apple Store or this application signing.
They aren’t even the first in this space – remember the uproar when Microsoft started to introduce the Trusted Computing model, etc.? Fortunately they weren’t able to pull it through despite things like requiring signed drivers, Secure boot, etc. because there are simply way too many deeply pocketed users of Windows where this would cause major problems.
Apple has no such qualms (and market issues), so they are milking their users who are happy to get milked. ¯_(ツ)_/¯
Indeed as long as a basic office suit of software, media player and a functional browser exist most users won’t care, their needs are met. With in many cases only the last program actually being important.
Though gaming is becoming more universally popular and not being able to do that might just get enough folks to leave Apple to play what they want to play.
Such hate…
We don’t care about status; no one sees laptops these days because everyone WFH post Covid.
We like it because Mac laptops are tools that just work – and work very nicely. I’ve used windows and Linux in the past; still use Linux on a number of devices. But just like most of the population want a car that turns on and runs reliably, rather than a project car, we like having a laptop that just works.
And the “tax”? $99/y is a joke for a developer. It’s peanuts – 2h wages. And I’m 90% sure you can self-sign anyway if you compile; certainly can for iOS. Besides, so much stuff is written in us or python anyway.
The up-front cost is certainly high (though not so much compared to a premium windows laptop brand), but the Apple hardware lasts better. From my experience, over the life of the device, the cost/year is similar or better than most windows laptops.
And the other big plus for me vs windows and android is the privacy focus of Apple.
Come to the dark side… we dont have cookies!
You must not remember or be aware of the major iCloud breach that leaked hundreds of celebrity nudes online. Or the instances of Apple-authorized repair centers also stealing people’s nudes.
Privacy? Bullshit. GNU/Linux offers privacy, not these assholes. They simply steal money and offer nothing in return. Apple and macOS are trash.
Well said. Another 100% Apple user here. I use Linux and Windows time to time but I my main OS is MacOS. It just works. The hardware is great. Gazillion of apps available, all the needed ones.
The reason why Apple users use Apple, is that they like it the most. No problemos paying extra for good hw & sw.
I really don’t understand the hate after all these years.
Honestly if you look at the performance it’s the cheapest hardware on the market and you get all of apples basic software free as well, I actually prefer most of them to office which is just way to cluttered and complicated now. Love my Mac and never going back.
As an ex-apple user, I get the hate.
I’ve never been more frustrated with any operating system than Apple’s MacOS.
It doesn’t play nice with industry standards (Displayport Multistream for one), decent window management just isn’t there (apparently they finally included something decentish in the last version?). More than not I’ve encountered hangs. You have no tools to diagnose it. It’s a closed box…
If you use non-mac hardware (think keyboard, mice, screens) you encounter weird issues. I still find it mind-boggling to have to install an app to get my forward/back mouse buttons to work – this just works OOTB on nearly every other OS.
The “fullscreen” is really retarded when you have multiple monitors – the rest go black… like, ehh, no?
It doesn’t integrate decently in a cross-platform environment. It’s hackish at best.
The only thing I really liked was the battery life. But Linux is my main go-to personally, Windows in the corporate world, and .. they just work better (for me).
Luckely we have choice. And I choose hardware that I can install what I want on it and an OS that is really free (Linux), while still supporting the creators through donations.
I hope Asahi linux succeeds at being completely functional and that Apple doesn’t decide at one point they’ve had enough and just do a rug-pull (which they 100% can).
Regarding the privacy: this is also only because you don’t live in an oppressive regime. Apple is more than willing to bend the knee and give the keys to those (China for example).
Because the hw is often not that good for the price and often the software is there just to lock you in.
i think the article perfectly describes one clear example of what gets hated on. i use apple hw everyday but i already pay for that privilege i’m not gonna stand up for a company that would never value me and who expects it’s users to jump when they say to. maybe if i didn’t already have to sell my kidneys just to afford something that i’ll have to replace in 5 years just to stay in their club. the 4(!) macbooks i’ve bought since 2007 mean nothing to them when i can’t afford a fifth one after this one can’t update anymore
Don’t forget that “peanut cost” is an extra 100 bucks/year for a developer who does the open source software for free, on their own free time – and frequently only thing they get is a hate and flaming from entitled users who think they owe them something. Those are the people we are talking about, not professional developers of Apple software, who have the Apple account anyway in order to get all the required tooling.
E.g. I am co-maintaining the Wiiuse library – while it can be currently built on Mac, I am certainly not going to pay the Apple tax out of my own pocket only so that the examples can run there when it is a platform I otherwise don’t use and don’t regularly develop for.
If Apple keeps this policy with no exceptions available, then Apple will not have majority of the open source software available anymore. Their choice ¯\_(ツ)_/¯
At work we have actually recently killed off Apple support for our large industrial application because the expenses required to support this platform are simply not justifiable anymore. Not only in terms of the Apple ID costs (which is negligible in this context) but in terms of HW costs required, the IT/infrastructure costs to integrate all this into the regular builds and the various insanity and hacks regularly imposed by Apple in order to keep things working. All that while we have more desktop Linux customers than Mac ones.
And brew?
Windows 7 and then the initial upgrade version of 10 was a nice reliable car but Microsoft kept chipping away at it. A bit here, a bit there..
I’m sure OpenSCAD will gladly accept your yearly donation of $99 for the Apple tax, which you only have to pay… forever :)
That’s a great idea, just charge $99/year/Apple user since it doesn’t bother them.
You clearly haven’t watched Louis Rossman break down all the major issues that affects Apple hardware if you think it lasts better.
Linux literally “just works” the only computer I have ever had issues with that required substantial hacking was an AliExpress umpc…. Which is absolutely expected being from AliExpress and all. But ended up fully functional. Most of my computers aren’t mainstream either. Chromebooks converted to Linux, minisforum computers that use a mix of laptop and desktop parts…
$99 a year is nothing for a developer making money. I am a developer for both work (financial automation) and hobby in the RF space. My hobby work is FOSS, and no way I am paying $99 a year for other people.
Actually, run of the mill Windows laptops, often chosen by IT staff, underperforms at the same price point as most Apple Silicon Macs. Price just isn’t an excuse these days.
Let’s run with your comparison to a car that “just works.” Now imagine that you were unable to install a radio (or whatever they’re called today) only to find out that Shangsin hasn’t joined and paid for the Ford Loyalty program, so no Shangsin radio for your car. Same goes for radar detectors, GPS units or any other additional electronics that you want to use. You need gas… hope you stopped at a station that supplies Ford gasoline. God forbod you try using any oil other than Ford MotorOil! Your car will simply refuse to run until you take it to a Ford authorized dealer to have the system flushed and refilled with Ford approved oil.
The point is… wanting something that “just works” is fine. Accepting something that is locked to a company that decides what you can and cannot do with your own hardware that you bought and paid for is … unconscionable.
I’m not a developer, but 15 years ago I made a tool using AppleScript and put it up for free on my website. It was very niche but every year I’d get a few effusively grateful people. And then the complaints started coming in about error messages, so I had to add instructions of how to get around it. And the instructions kept changing as Apple got stricter and stricter. Now they want me to pay US$99 a year to sign a tool I’ve never made any money from? I guess my tool’s now dead.
I used to love Apple but over the years they’ve made it progressively harder.
Yup. Live by the Walled Garden, die by the Walled Garden. Unless you’re running *nix or some other FOSS OS, you don’t own your hardware, you merely paid a large upfront price for rental rights which can be taken away at any time. Heck, even with Linux, things like IME make true ownership tenuous at best.
What is IME?
Just wanted to mention that Apple is ‘*nix’, and Linux is not…
https://www.opengroup.org/openbrand/register/
sudo spctl –master-disable
Does it still work in 15.1? And does it still have the same authority?
“Starting from macOS 15, you can no longer use sudo spctl –master-disable to disable Gatekeeper. Instead, you need to use Configuration Profiles.”
Worked for me on 15.2 beta 1
Great, now only real hackers can install malicious software.
Yeah, but only “certified” hackers with an Apple ID. ;)
There was never such an incentive to steal signing keys from companies before. Apple has now essentially encouraged bad actors to start to try to steal these.
This seems more likely to be a bug than anything. Sequoia did disable the ability to launch unsigned apps via right-click (control-click) > open, moving approval of an unsigned app to a location that only appears when you try to launch an unsigned app, at the bottom of System Settings > Security. A lot of these forum posts don’t seem to understand that, and are misunderstanding others that are giving correct advice.
It seems unusual for Apple to add an entirely new process for approving unsigned apps only to drop it one minor version later. An intentional removal would have been big news, and would have arrived with the first betas of Sequoia.
After trying this myself, it does seem the approval section in system setting is not appearing as intended in 15.1, so a bug likely slipped in with the latest release. Annoying, but not an intentional removal like how this news is being characterized.
(Note that the Settings option is not new and was occasionally necessary in some weird edge cases even before Sequoia.)
“A bug” …more like Apple testing the waters to see what the backlash is.
Apple has done this sort of thing before.
“moving approval of an unsigned app to a location that only appears when you try to launch an unsigned app, at the bottom of System Settings > Security”
To be honest, I didn’t even know until today that you could control-click to open unsigned apps. I have always gone directly to System Settings -> Privacy & Security, to authorize unsigned apps to run.
And that still works, I’m running Macos 15.1 even from beta, and just yesterday I had downloaded an app that needed authorization, and did it through the menu.
I am beginning to think that all the people here who are cussing on Apple actually have never had a Mac in their life, don’t know what they are talking about, and are just repeating what they heard from others.
I’ve been an iOS developer by trade for 12 years now. Just to make clear that I know what I’m talking about, having been using Macs as development platform for 12 years, and have been running all sorts of unsigned homebrew and open software, some of it my own. Didn’t find any problem in Macos 15.1 yet.
I’d this was on purpose and not a bug like another comment suggests, then I wonder how long until they get into legal hot water. If they don’t make a free method for signing I could easily see the FTC coming after them.
The regulations in the EU could find them in trouble first. The EU has cracked down on them sooner in many cases like RCS messaging.
Since 2006 I have had 2 mac pros, 4 imacs, 5 macbooks, 2 mac minis, and several iphones, ipads and one apple watch. Loved having a unix like underbelly with high quality mix of commercial and open source software. If this stupidity of forced signatures cannot be bypasses… (1) I stop upgrading macos from 14, (2) never ever buy a mac again, and likely (3) drop the entire apple ecosystem from now on. I am sure I am not the only one. Time to dump my apple stock too…
They already have you. You will not do one of your mentioned actions. You are to deep in their ecosystem. As a result of the protest, they will come up with some additional hoops you have to go through to install unsigend software. Apple is constantly working to worsen the situation for consumer rights in the past years and you are still with them.
It’s only hard to escape the ecosystem if you don’t want to. Everyone has a different limit of what they will accept, a determined user can quickly move away if theirs is reached.
“Loved having a unix like underbelly”
I am starting to get a bit annoyed now of people saying Macos is unix-like and Linux is unix.
Macos is unix, Linux is not. At most Linux is unix-lke, but it really doesn’t even share as much as people are thinking.
https://www.opengroup.org/openbrand/register/
I’m running macOS 15.1 and was just able to run an unsigned application downloaded from the web. The process for doing it was a bit more confusing than it used to be, but it worked just fine. What’s different is you can no longer just ctrl-click the app and select “Open,” now you have to try to open it, then open the System Preferences app and open the “security” tab, where it then prompts you to allow running the program.
Alternately, you can open Terminal, type “xattr -d com.apple.quarantine ” and then drag the application icon onto the Terminal window and then press enter.
It’s officially no longer an option, so you must not be current unless their online documentation is lying .
Their documentation literally says how to do it. What are you talking about?
I’m updated, just installed two, clicked on “open anyway” in security settings like I always have, worked fine.
https://support.apple.com/en-ca/guide/mac-help/mh40616/mac
Didn’t even know about the shortcut.
Yeah, I was finishing setting up a work laptop, never used Mac much before – it wanted me to either not open it or open settings so I did, went fine. Brew etc worked fine.
I have been in the beta and have basically noticed the same. I haven’t even had to approve apps in Settings. — Just removing the quarantine bit was enough for the binaries I encountered. Granted I don’t make a habit of running unsigned code, but the few times I have it’s been a non-issue.
More or less, Apple just removed the easiest way to bypass security (as well as control via spctl). Disabling SIP and manually approving apps still exist.
This is really only an issue for projects that don’t sign their code but target a non-technical audience. (Apparently, GPL licensed code is particularly cumbersome in this area as the terms for using the App Store the FSF seems to interpret as inhibiting the distribution of apps? Even if the app or its code is publicly available? Notarization is still possible; as is self-signing, which will trigger similar warnings to unsigned code, however.)
I just had to go through that for a bunch of VSTi — since they are plug-ins and you are already running the ap (your DAW) the pop-up window never appears.
Put this in your .zshrc:
alias approve=”sudo xattr -d com.apple.quarantine”
Now you can just open a terminal and say “approve” and drag the application into the window and hit Return.
Yeah I noticed that some applications I had to un-quarantine first on 15.1 — One could actually make an Automator or Shortcuts workflow that adds this as an option to the right-click menu. Could even throw in good ol’
open
as a command to remove the quarantine bit and open the application in one go.Moved from OSX back to Windows, not because Windows is a beacon of openness but because OSX became worse. Oh, don’t get me wrong, I’m sure Windows will soon catch up. And of course I tried dipping my toes into Linux on several occasions but as a daily driver it’s just been too frustrating for me to actually use. So I’m sticking with Wondows on my desktops until they do something terrible enough to force me off their OS.
Isn’t is already terrible enough that the last Windows was 8(.1) and the last good one was 7?
Their successors are “Spydows 10” and “Superspydows 11” after all…
Already “forcing” users to make their local user account an online M$ one and collecting everything you type/do in the taskbar / windows-start-menu.
Windows 7 was ugly, though. Directly compared to Vista, I mean.
The Longhorn development was such an interesting phase, I think.
Windows XP SP2 was “last good one” I think, it was a good descendant of Windows 2000.
That is easily fixable by searching how to do it. Yes it clearly sucks MS have those default settings.
What’s really bad is the new settings app which limits what can be done including some important settings, and some other problems like buggy multi-monitor handling.
That error dialog looks like it’s supposed to have something where (null) is, so at this point it’s likely a bug
It’s been a while since I’ve run MacOS, but I think that has always been what is shown when an unsigned executable not in an “app” is run.
$99 yearly sounds like nothing. Is this really a reason to complain?
Pretty much anything can be a reason to complain.
If you’re really cheap and only want signing (no Notarization, no Apple app store sales channel) you can pay the $99 fee once every 5 years, since the code signing certificates Apple issues have 5 year expiration.
But to give end users a smooth experience, you really do need either app store or notarization. That means paying $99 every year.
Keep in mind that $99/year is an extra $99/year that a developer of open source software that is doing it on their own time, not being paid for – and of software you are likely using for free – now has to pay out of their own pocket.
Especially when it is cross-platform software where support for Mac is only one of several platforms (and a major pain because of other things already), this could be the straw that breaks the camel’s back.
We are not talking about professional Apple software developers that are making money on the platform here.
(and don’t forget that the world isn’t just US and western Europe where $99/year is not that much money)
Right, the people acting like $99 isn’t much money are assuming that the only people who make software are well off people in well off countries, which is not the reality of software development, especially in the open source world. It’s kind of embarrassing to see people say it even, like it really suggests a very sheltered worldview.
Maybe it sounds like nothing to a well-off programmer in US or something, just like yearly paid code audits sound like nothing to Google, and establishing a legal company with all associated costs and paying additional $1500 yearly for an EV code signing blob sounds reasonable to Microsoft. For me it’s absolutely a factor in not buying a Mac in the first place.
That said, there are other problems here. I expect ToS actually requires you to have a thorough idea of what you’re signing (to prevent accont sharing without account sharing, so to speak), which makes CI/CD a problem.
Well, the complainers seem to forget that developers used to pay for SDKs, too.
If you wanted to order an SDK for, say, IBM OS/2 or GEM, you had to pay a few thousands.
Same was for SDKs for early computer game consoles.
The SDK also involved an hardware emulator and other accessories.
Quality testing (seal of quality) not even mentioned yet.
They didn’t ‘forget’.
It was an awful model that the world was, thankfully, moving away from in favour of interest in the common good.
The continued existence and maintenance of open-source software, you know, that stuff that people happen to rely on for everything from digital art to streaming (who doesn’t use OBS Studio for streaming these days?) to game development to server software, relies on the ability for the maintainers to continue to maintain it without being bled dry by companies who, frankly, should not have a say on the use of hardware they happen to manufacture.
Imagine a world where this had happened a few years ago and… IDK, Godot Engine was in a worse state because of it. Some people take a “we’ll just have to suck it up” approach when Unity’s draconian license change happened. Maybe some game developer studios shut down.
Sure, these are hypotheticals, but it should give you an idea of how undermining open-source software is not okay.
I find this funny. About in every article you have that “money on the mind people” that talk about buying cheap, taxes being theft and who are being somewhat super capitalist that it hurts.
On other side, though, you have Linux and FOSS fans that are against serious, logical business concepts.This is somewhat confusing.
What’s wrong with all the people? Why aren’t they legally competent?
Why aren’t they social and community-minded when it really matters instead?
Like raising their voices for a good healthcare system, fair working conditions and enough holidays for everyone? Sigh. 😞
You fail to realize that your notion of a super capitalist system for software is defined by your pre-existing biases. In reality, a super capitalist system for software would not have copyright protection at all. Copyright is an external rule imposed by governments to perpetuate the power of the ruling class in an anti-free-market way. Most Linux and FOSS advocates would be 100% in favor of a no-copyright, no-patent regime, as even though it’s not perfect it’s a hell of a lot better than what we have now (reverse engineering for example would be 100% unambiguously legal).
“Used to” is doing a lot of heavy lifting considering it suggests that people didn’t like that so found other ways.
“Quality testing”, as if Apple is actually going through and testing all of these and manually approving them.
Quality testing -> the type of approval big N would give to games in the 8-Bit era.
Games without the seal were unlicensed and legaly questionable.
It’s similar to how Apple approves certain Mac applications and their devs.
Just stating a fact here as a comparison: Microsoft charges $99/year and that is only for the Windows app store. If you publish an application for distribution outside of the Windows app store, signing may cost $200-$500/year (I’ve done this many times, but you can Google it).
Apple’s $99/year is less. Granted, Microsoft isn’t (yet) forcing signing, but could do so at any time.
“$99 yearly sounds like nothing. Is this really a reason to complain?”
If you are developing an open source app as a community project, then there is this problem: who is going to fork down the $99 out of their pocket every year to sign the app?
i think as long your developping free open source software you can get a free account: https://developer.apple.com/support/fee-waiver/
Where did you get that idea? Literally nothing in that link talks about open source. It even mentions that if you are an individual, sole proprietor or single person business then you are disqualified from the program. The only mention of “open source” is in fact in the footer of the page which is for Apple’s general statement about open source use at Apple.
Not a lot of FOSS devs run registered non-profit organisations – those take a lot of effort to do legally in most jurisdictions.
As it might be a bit inconvenient for some users, I do believe this is for security purposes for the general users. Most of these are being protected by this, so they don’t install fraudulent/unknown software. Signing it makes sure the origin is known and the users have an additional level of trust.
As stated above, is $99 yearly that much? Alternatively, it’s still an option to build OSS software locally, and the problem is also gone.
General users most likely already didn’t use the option that was taken away.
Does this affect homebrew or do they just cough up the money every year? What if you’re just running your own golang program or something?
I think the EU will have something to say about this!
I’m sure Apple doesn’t mind the control; but this seems like (yet another) occurrence of the problem that not just default-allowing random nonsense is actually a pretty good idea; but implementations tend to be tyrannical if they are too careful about who is on the allow list by default; and too leaky if the getting default allowed is too easy(even with what Apple is currently doing; there’s no way they are doing any vetting for $100/year; and, if the history of compromised authenticode certs is anything to go by, most of them are probably in the hands of people not being as careful as they should be); or if the process for the machine owner to provision other trusted certs or trusted roots is excessively easy or so common that you’ve got random people who can just about follow bad tiktok advice ramming mystery certs into their trusted roots list.
Certificate based default deny is honestly a pretty good security posture; it’s just that you either need to solve the problem of administering it; or deal with the consequences of ‘your’ computer belonging, in operational terms, to whoever does administer the execution policy.
And, in operational terms, the computer should belong to whoever forked over the money for it.
I’m all for criticism of Apple’s software quality, hardware expense, and their constant angling to get you into their rent-seeking app stores in the name of “security.” But please TRY to make informed criticisms 🤦♂️ This whole article is poorly researched FUD, as are most of these comments. Kudos to the commenters that have pointed out that you can still run unsigned applications, they have just deprecated the one method of doing so.
I stopped using macOS because the releases have become more buggy and flakey over the last several years. But all this speculation about locked bootloaders and requiring signed kernels is uninformed pearl-clutching horsecrap. The default boot security is locked down (ie. for macOS), and the boot chain is already signed. Including the kernel 😱
However, there is per-OS security so while the macOS boot chain remains locked down, if you add OpenBSD or Linux, you must explicitly enable permissive security FOR THAT OS ONLY.
Unsigned code can still be ran.
Per the notice, you just can’t control + click it anymore — “They’ll need to visit System Settings > Privacy & Security to review security information for software before allowing it to run.” which was the other way of running unsigned code IIRC. Albeit, applications don’t always show up there, and it is dependent on GateKeeper settings (IIRC If it is set to “App Store” it won’t show up, though don’t quote me).
You can also disable GateKeeper entirely still: https://discussions.apple.com/thread/255759797?answerId=260852615022&sortBy=rank#260852615022 — Just tested and the ability to run software “From Anywhere” shows up. Though adding exceptions via spctl with GateKeeper enabled is deprecated as of 15.0.
Albeit, I’ll admit, on ARM hardware if part of a binary is signed but part of it is not (or it is signed by different entities) it’ll error out and has the last few OS iterations. But this isn’t new, so I digress.
Realistically this only effects people with the default GateKeeper settings, and it doesn’t prevent unsigned software from running, it just adds extra steps to run it that you can’t just bypass anymore.
https://eclecticlight.co/2024/10/01/living-without-notarization/
Kindly read through Howard’s article and his response to this article.
I’m a little concerned at this article. As one or two others have pointed out, Apple in 15.0 changed the way that users authorise unsigned applications. You used to do it from a context menu, but in Sequoia that was removed and now there is a “Security” section in the settings that you use to allow them.
In my opinion, Apple are unlikely to have built an entire new system for doing this – just to then nuke it in a minor point release a few months later, with no announcement. Sure they might have, but given that the error message that accompanies it is “Finder does not have permission to open (null)”, then I think the most likely explanation is that this is a bug.
Writing the headline “Apple Forces The Signing Of Applications In MacOS Sequoia 15.1” seems quite presumptive until there is actually confirmation that Apple have done this deliberately.
I don’t understand how will that work? Does it mean that if I want to learn to code I will not run my compiled hello.c unless I pay 100$ a year?
Yes.
No. You can download Xcode for free and write and run programs for your own computer, all for free. No restrictions. And Apple even provides you with hundreds of tutorials and better documentation than Microsoft has ever done. And next to that, you can easily create commandline programs using standard Unix APIs, no restrictions there either. All development tools are completely free on Apple, and have always been. Up to the point that even Microsoft had to make Visual Studio free in order to be able to compete.
People see the expensive devices. But what nobody seems to see is how much support Apple gives to their developers, and that that has been the key to their success, even already in the Apple 1 times.
Can I download Xcode “for free” on my Windows computer? No? Do I have to pay $700+ to thou$and$ of dollar$ for hardware? Yes. Does Apple want to nickle-and-dime developers and charge them $100/year for the privledge to develop programs for their platform? Yes.
Obviously not. Everything you make is adhoc signed automatically by the infrastructure. You don’t need a developer account to run things on your own machine, you do if you want to distribute to other machines without a Gatekeeper popup.
gcc main.c
results in an ad hoc signed binary in Mac land. It runs on your machine with no issues, but if you send it someone else then they will be blocked running it until they go to Security to enable it. Or that is how it is supposed to work but in my opinion this is currently bugged, whereas Hackaday has taken the very bold stance that this is deliberate.Apple give you tools to remove the signature from an executable and add your own ad hoc signature, so were this not just a bug, then it would be trivially bypassed by like…a million routes.
@Ian Grey @RetepV
Thanks for quick and informative reply.
How long before someone writes a program to add forged signatures to programs or a program that sends a valid signature and then just executes whatever program you ask it to.
YOU CAN SUCK IT, APPLE!!!
Sequoia is what finally convinced me to make my next laptop a Windows/Linux machine. It adds so many new permissions checks that it has broken many legitimate apps and is constantly asking me for permission to do things that should be backgrounded. Apple seems determined to return Macs to the walled garden of the 90s, and that’s not what I want my PC to be.
It is still possible to bypass it, in an elaborate way. Michael Tsai covered it: https://mjtsai.com/blog/2024/07/05/sequoia-removes-gatekeeper-contextual-menu-override/
As a 12-year Mac user, I never even knew about control-click, and have always been using that ‘elaborate’ way. Come on: it’s only 3 clicks, and only once per app, no need for dramatizing it.
Now, if people actually complained about that it’s not possible to see which apps you have authorized in the past, then I’d say: yeah, that seems like something worth complaining about.
Damn! My Ryzen minipc died and I was going to go to Mac Mini for hardware reliability. Guess I will have to rethink that.
Side stepping the anti-Apple drama for a bit, it’s pretty easy to workaround all of this.
First go here to learn how to self-sign an app: https://stackoverflow.com/questions/27474751/how-can-i-codesign-an-app-without-being-in-the-mac-developer-program
Secondly, self-signing isn’t enough, you also have to remove the quarantine extended attribute.
To do that, the command is: sudo xattr -r -d com.apple.quarantine /Applications/AppName.app.
That’s it.
Somehow I don’t think that everyone on this thread has the same version of Sequoia 15.1 !! I hesitate to post this long message, as it smacks of some “how to fix it” Apple community discussion, but some responders above are not having the same experience that I am.
If anyone can give me VERY DETAILED instructions on what to do differently, please take pity on me and respond!
I am on a Macbook Air M1 2020, with an Apple M1 chip, running Sequoia 15.1
When I open my applications folder and double-click on Librewolf.app, I get two popup boxes, both of which say, ‘The application “Finder” does not have permission to open “(null).”’ Alternatively, I may get a popup that says, ‘”Librewolf.app” Not Opened, Apple could not verify “Librewolf.app” is free of malware that may harm your Mac or compromise your privacy.’ Then I am offered the opportunity to click “Done” or “Move to Trash”.
If I click on the “?” in the popup, “Tips” opens and tells me that if I want to override the security settings I should go to System Settings, Privacy and Security, Security and click on “open” and then on “open anyway.” “Open” and Open Anyway” do not appear there, for me.
When I open my applications folder and (using my trackpad) “two finger click” on Librewolf.app and choose “Open”, the same thing happens as when I double click.
While these popup boxes are open, if I open System Preferences, and go to Security Settings, there does not seem to be an option to “open anyway.”
In System Preferences, Security Settings, I can choose to allow applications ONLY from either “App Store”, or ” App Store and known developers”.
In System Preferences, Security Settings, Developer Tools, I can add applications to a list titled “Allow applications below to run software locally that does not meet the system’s security policy”. Adding Lilbrewolf.app to this list does not change the above behaviors when I try to open the application, even after a reboot.
When open Terminal and I try to run:
xattr -d com.apple.quarantine /Applications/LibreWolf.app
I am told, “No such xattr: com.apple.quarantine”.
I look forward to hearing from people more knowledgeable that I. Thanks!
hi Robert. you can try:
$ cd /Applications/LibreWolf.app
$ codesign –deep -f -s – . # ad-hoc sign the unsigned app (check out https://stackoverflow.com/questions/27474751/how-can-i-codesign-an-app-without-being-in-the-mac-developer-program if you don’t have any certificate set up for signing yet)
$ open .
dismiss the prompt asking to Move to Trash
$ open /System/Library/PreferencePanes/Security.prefPane
scroll down and click Open anyway
$ open . # LibreWolf will open now
I find it odd that most of the OpenSource sticklers are all about all tools open, all hardware open…. Why are they using macs?
I tried to open source a project I built and got so much crap because I used a compiler that wasnt free. After that, I just say here is source, use it if you want to otherwise stfu