Distributing unnotarized Mac apps in a text file

from blog The Desolation of Blog, | ↗ original
This isn't a late April Fools joke. (My April Fools joke that I got hired by Apple as a Swift Evangelist backfired with a profusion of congratulations.) This blog post is a kind of follow-up to some previous blog posts. Last month I wondered what's the best way to distribute Mac apps without notarization, and I decided that the best way was downloading with curl directly to the Applications folder. Unlike web browsers, curl does not add the com.apple.quarantine extended attribute to downloaded files. Still, this method is not ideal, because the app developer has to send users to the scary place: the command line! So I've continued to wonder if there's a relatively simple way to do it with a graphical interface. (If you think you can "just right click", well no, that's not quite how it works.) And then it finally hit me like a brick of gold wrapped in a lemon: I already knew how to remove the quarantine with a GUI, because this was my Mac sandbox escape! If you recall, a year ago I showed how to escape the sandbox by opening a maliciously crafted executable in TextEdit and then telling TextEdit via AppleScript to save the executable file. This causes the quarantine to be removed from the executable, because TextEdit has the special com.apple.security.files.user-selected.executable entitlement. I never received a bug bounty from Apple, and as far as I can tell this sandbox escape still exists in Big Sur. Which is actually good news for us right now, because we can use it to distribute Mac apps! For your enjoyment, I've created an example, which I call Gatecrasher:
This is a short summary. ↗ Open original to view full content

Related

Sandboxing and the Mac App Store
TrozWare | original ↗
App Store Review Times
TrozWare | original ↗
Small Mac apps I love
Muffin Man | original ↗
Your Computer Isn’t Yours
Jeffrey Paul | original ↗
Fix Missing Distutils on MacOS
Robb Knight • Posts • RSS Feed | original ↗
Nice Things that Apple doesn’t let us have (on an iPad)
Tao of Mac | original ↗
Why aren't the most useful Mac apps on the App Store?
Copper • A blog about conductive layers | original ↗
My Favorite Macbook Tools
Sebastian Witowski | original ↗
A window switcher on the Mac App Store? Is it even possible?
Copper • A blog about conductive layers | original ↗
Apple didn't steal your data, but also kinda did
The Dent | original ↗

More from The Desolation of Blog

Technology is never a substitute for consent
4 Jan 2025 | original ↗

This is a follow-up to my recent blog posts Apple Photos phones home on iOS 18 and macOS 15 and The internet is full of experts. I've read a lot of the discussion about and responses to my blog posts, which has forced me to hone my own thinking and arguments on the subject. I characterized Apple's new Enhanced Visual Search feature as a privacy...

The internet is full of experts
31 Dec 2024 | original ↗

My recent blog post Apple Photos phones home on iOS 18 and macOS 15 has received widespread attention, and perhaps inevitably, it has also received widespread criticism by random internet commenters. A common criticism is that I somehow discredited myself by stating, honestly, "I don't understand most of the technical details of Apple's blog...

Apple Photos phones home on iOS 18 and macOS 15
28 Dec 2024 | original ↗

This morning while perusing the settings of a bunch of apps on my iPhone, I discovered a new setting for Photos that was enabled by default: Enhanced Visual Search. (I manually disabled it before taking the screenshot below.) Apps > Photos"> This setting is also new to Photos on macOS Sequoia, and enabled by default. Oddly, this new feature has...

Deep dive into a macOS default web browser bug
20 Dec 2024 | original ↗

This blog post has undergone some revision and correction since first published. It turns out, contrary to my initial assumption, that the code signatures of the apps is largely irrelevant. Thanks to Avi Drissman of the Google Chrome team for assistance! According to the Apple Developer Documentation, "macOS Launch Services is an API that enables...

How Safari 18.2 https upgrade works
12 Dec 2024 | original ↗

Yesterday, Apple released Safari version 18.2, included with iOS 18.2 and macOS 15.2, as a separate update for macOS 14 and 13. I've already discussed one new feature of Safari 18.2, Copy Link with Highlight, in another blog post. Now I'd like to discuss another new feature, automatic https upgrade. From Apple's announcement: Safari 18.2 on iOS,...