by smoldesu 1886 days ago
Gatekeeper is one of the most frustrating things I have to fight whenever I try using MacOS. It feels like DRM for my applications, which in turn makes everything feel clunkier and less integrated. I would genuinely pay Apple extra for a version of MacOS that just trusts me and lets me install what I want without some esoteric mechanism stopping me at every step of the way...

Then turn it off. Open the Terminal and run:

    sudo spctl --master-disable

That's it, it will never bother you again, unless you turn it back on or reinstall the OS from scratch. If macOS is still too limiting, you can also turn off System Integrity Protection, at which point you can do just about whatever the heck you want.

I personally kept both Gatekeeper and SIP turned off, back when I used modern macOS. But if they are turned on, they ought to work.

No, this still keeps some gatekeeper checks, popups when downloading files, weird arguments being passed to apps on first launch, etc. Even if doing it in the root recovery mode.
Does turning those off still leave the logs redacted?

Or do you also have to install the profile after you tell it to get out of your way?

I don’t use Big Sur but I don’t think it has any effect on logs. Without SIP, you could patch the kernel or something and change whatever you want, but that would of course be nuts.

I share your curiosity. If your computer isn't already managed, installing an MDM profile in order to view logs is ridiculous. I don’t even think there’s a way to do it without paying money.

That page is somewhat misleading. MDM is one way to install configuration profiles, but you can also install them by hand. No signing required, either. You can just stick that XML in a file with extension .mobileconfig, then double-click the file, and it will prompt you to install it.

Or download a signed version from here (not my site):

https://georgegarside.com/blog/macos/sierra-console-private/...

That has nothing to do with log redaction. That's to prevent private data escaping apps and either being sent to Apple or readable by others. You want that on.
What would I need to get it down to a Mojave level of inconvenience?
That I can't answer. The most recent version of macOS I've used for any length of time was High Sierra, because even Mojave broke something essential for me—Apple Events need to be authorized once for every combination of (1) the app being controlled and (2) the app sending the event. Combined with the fact that my authorizations were often reset when I edited a script, this made most of my Applescripts effectively useless.

But it's a very different problem from Gatekeeper. And from iOS, where the user legitimately has no control. If SIP is turned off, you could write an app that strips out every macOS behavior you dislike, because without SIP apps can patch whatever they want.

It's not that macOS doesn't trust you, it's that macOS doesn't trust the programs you're running. Specifically, it doesn't trust the programs to do what you want them to, and only what you want them to.

And it's not just a matter of protecting you against out-and-out malware (although that's certainly part of it), it's a matter of protecting you against developers whose interests don't entirely align with yours. Developers who really want to spy on their users seem to be the biggest group (see, for example, the recent Apple vs. Facebook kerfuffle).

Unfortunately, distrusting software does add friction, especially if you add (/update-via-unsupported-mechanisms) new software frequently. "Are you sure you meant to run this program? It looks weird to me; I think you should get rid of it. Should it really have access to your contacts/camera/etc?" macOS is acting a little like an overprotective parent here, and it's certainly annoying. But the threats it's trying to protect you from are real. You can turn the protections off (with a certain amount of work), but then you're vulnerable to all the stuff it's there to protect you from.

P.s. I don't mean to completely defend Apple here. Their preferred solution is to have all software distribution go through their App store... where they get a cut of the price. Which means they're also on the list of developers whose interests don't entirely align with yours.

I understand what Apple's intentions here are, but abstracting away a security risk is only inviting disaster, and it's kinda endemic of an issue throughout Apple's ecosystem: their whole game is about reducing the power of the end user. It makes sense from some angles, security being one, but it also impedes the freedom of choice. Instead of engineering their software to appeal to the lowest common denominator, they should be empowering people who want to push beyond that envelope and offering extensibility to those who want to take advantage of it.
This is a weird way to justify it.

I told macOS to run that program because I trust it. If macOS trusts me then it transitively trusts the program I told it to run.

In other words macOS doesn't trust me to validate programs before I try to run them.

What frustrates you about it? I rarely bump into Gatekeeper and I'm doing the normal dev things.
I'm assuming you don't use a package manager like Homebrew or MacPorts? This is where Gatekeeper annoys the hell out of me. Apps installed via Homebrew often encounter Gatekeeper alerts. Half of them give the option to open it, and for the other half, Gatekeeper --demands-- gently asks me to put it in the Trash without the option to open it.
That's... unusual.

I use Homebrew constantly and have never seen such a thing in my life, in any version of macOS/OSX over the past several years. Not in building from source, not in casks.

Like another commenter the only security change I have is "Allow apps downloaded from" set to "App store and identified developers" -- which I'd assume virtually every Mac user on HN has also set.

Perhaps you have some kind of unusual configuration? Or there's some very specific subcategory of Homebrew packages that encounter this problem?

Same, I install almost all new software via Homebrew and I've never had this problem.
What works for me is to ignore the trash message: in Finder, find the app, right-click > Open, macOS displays a warning and an Open prompt, click Open, do the same the next time around, and after that it seems to be fine.
I use Homebrew daily. In System Preferences, I have Security & Privacy > General > Allow apps downloaded from: App Store and identified developers, and I don't remember the last time I got a Gatekeeper alert.
I have had that option enabled since the first boot of my MacBook Air M1 and the Gatekeeper alert is still showing. And I am sure we are not using the same apps that ran into those alerts. I have had Vivaldi, Alfred, AppCleaner, EasyFind, iTerm2, KeepassXC, MacPass, Keka, MediaInfo, NoMachine, Numi, OBS, odrive, Signal, Slack, TexStudio and VLC run into those alerts.

I am genuinely curious why people keep singing that "I don't have such problems on my computer!" slogan repeatedly. Some of us have that problem, and just because we have the same OS and possibly the same hardware doesn't mean it is impossible. I wish people would change that particular mindset and be aware that those problems do exist.

You're hugely misreading my intentions. I'm an engineer: I see something unexpected, I want to figure out what's happening. You and I are both using the same software and you're seeing problems that I didn't even know affected some people. I'm not saying "this works for me so I don't know what you're complaining about". I'm saying "huh, this works for me. I wonder what's different between our systems? Is this something that's going to spontaneously start affecting me if I click the wrong toggle somewhere?"

Obviously the problem is possible. It's happening to you. I'd like to find out why so that I can troubleshoot and fix the problem if it starts happening to me or my friends or coworkers. And really, I'd like to help you fix it, too, if I could figure out what's causing it.

Apologies for misreading you, I'm just frustrated and accepted the fact that it is by design.

I have been reading other comments, and as someone (xrisk) pointed out, it is Homebrew Casks, which makes sense since all of the Gatekeeper alerts are coming from 'Cask-ed' apps. I could disable Gatekeeper but I'd rather not, because MacOS is not my daily driver. I'd rather keep Gatekeeper active to protect itself from moronic me.

Because if they can’t reproduce, then much more likely than not, the problem is not inherent to the platform. In this case, there’s probably a deviation in config settings.

Additionally if they can’t reproduce, they can’t offer any advice or help.

It’s highly unlikely that MacOS behaves specially for your existence.

The latest time I had a Homebrew package fail to install, due to security restrictions that work just fine for the other thousands of packages there, it was the package trying to do something it shouldn’t have, and was promptly fixed. You may have run into a similar scenario.
He’s talking about Homebrew Cask.
I've been having issues with non-cask Homebrew packages getting blocked by some Gatekeeper/SIP related watchdog on my new M1 system. Stuff would just get insta-killed at load. Anyway, it seems to have been sorted now, and through identifying which packages were having the issue in Console and reinstalling them, I've resolved the issues.
Slightly educated guess: did you install the x64 emulator between when you had the problems and when they went away?

I can see brew trying to run x64 code while the emulator isn’t there blocking code from running in weird ways.

Alternatively, it might be that package updates fixed the packages that behaved incorrectly. Again, just a slightly educated guess.

Even more specifically, the only time I’ve run into Gatekeeper is with apps that install into /Applications and have a GUI. I’ve never had this issue with stuff I only access via CLI.
You have to Ctrl+right click the app, then click Open.
I'm using homebrew all day long, and I don't remember ever having this issue.
Homebrew cask.
I use Homebrew Cask and don't run into any unusual problems with Gatekeeper. The flow is always the same as if I manually downloaded it (meaning I sometimes get a prompt on first run, but that's expected).
Homebrew apps only ask for permissions when they get updated because gatekeeper treats it like a fresh install, I guess.
This is because Homebrew Cask explicitly adds the quarantine attribute to things it downloads. Perhaps there is some easy way to disable it or patch out this functionality?
Ctrl+right click to get the option to open it.
Homebrew and MacPorts don't add the quarantine flag to the software they're installing. If you're getting Gatekeeper alerts for software installed this way, then something else must be going on.
Homebrew Cask does.
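As an added example (not from any commenter), a small POSIX shell helper that decodes the com.apple.quarantine extended attribute that Homebrew Cask leaves on its downloads and that Gatekeeper consults on first launch. It assumes the value layout flags;download-time-as-hex-epoch;agent;event-UUID; the sample value and agent name are constructed, and flag bit meanings are not decoded.

```shell
# Added example: decode the com.apple.quarantine extended attribute.
# Assumed layout of the attribute value:
#   <flags hex>;<download time as hex Unix epoch>;<downloading agent>;<LSQuarantineEvent UUID>
# Flag bit meanings are not decoded here; the raw hex is passed through.
quarantine_decode() {
  q_value="$1"
  q_flags=$(printf '%s' "$q_value" | cut -d';' -f1)
  q_ts_hex=$(printf '%s' "$q_value" | cut -d';' -f2)
  q_agent=$(printf '%s' "$q_value" | cut -d';' -f3)
  q_uuid=$(printf '%s' "$q_value" | cut -d';' -f4)
  # Hex epoch -> decimal; printf's %d accepts a 0x-prefixed integer.
  q_ts_dec=$(printf '%d' "0x$q_ts_hex")
  printf 'flags=%s downloaded_epoch=%s agent=%s uuid=%s\n' \
    "$q_flags" "$q_ts_dec" "$q_agent" "$q_uuid"
}

# Report whether a file on disk carries the attribute (macOS only: uses xattr(1)).
# A file without it is not subject to Gatekeeper's first-launch assessment,
# which is why Homebrew formulae (no attribute) and Casks (attribute set) behave differently.
quarantine_status() {
  if q=$(xattr -p com.apple.quarantine "$1" 2>/dev/null); then
    quarantine_decode "$q"
  else
    printf 'not quarantined: %s\n' "$1"
  fi
}

# Constructed sample value (not captured from a real system) for a stand-alone run.
SAMPLE_QUARANTINE='0083;5f4e8b6c;Homebrew;5B1C3D0E-0000-4000-8000-000000000000'
quarantine_decode "$SAMPLE_QUARANTINE"
```

On a Mac, `quarantine_status /Applications/SomeApp.app` shows whether that app will be assessed on launch; the epoch field is the download time, so `date -r <epoch>` turns it into a readable timestamp.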
You need to disable Gatekeeper as shown in another of the comments. It’ll permanently create a new option in your settings to allow installations from “anywhere” too.
Nitpick, I don't actually think the option in System Preferences is permanent? Is it still there if you change it back and restart System Preferences?
Not sure, I leave it on permanently on 'anywhere'. It still gives a prompt to confirm execution but it becomes a click through rather than anything actually trying to stop you doing stuff.
Did you install homebrew via a Rosetta Terminal?

M1/ARM code is treated more strictly than Intel, so I guess all my command line stuff is Intel.

A simple right click on the app and selecting the open dialogue and it works fine.
Macports doesn't give you any headaches, it follows Unix principles.

Homebrew is a keg of worms, if you excuse the bad pun. Sadly (because it seems to be easier to get started?) many developers prefer it over Macports...

As an end-user, I prefer Homebrew over MacPorts because Homebrew is simpler to get installed and use in the terminal. MacPorts, on the other hand, takes some tinkering to get working. It had a problem detecting the installed Xcode because it was looking for a specific outdated version (this happened last month when I decided to give MacPorts a try, and I uninstalled Homebrew before trying it out since the two cannot co-exist).

It is likely not that the devs prefer it over MacPorts; it is likely that end-users prefer it and the devs are following what the end-users desire. Homebrew has a much bigger catalog of software and libraries than MacPorts.

Sometimes I compile my program, and when I move it to the Applications folder and try to run it, MacOS says you do not have permission to do it. Maybe it's not Gatekeeper, who knows.

The keyword here is "sometimes". This is what I love about the current state of MacOS.

To fix it, nothing works until you delete it completely, and only then if you're lucky, etc. ... It just reminds me of those good old days with Microsoft many years ago. Turn it off, then turn it on a few times .. it may work ...

Is this an Xcode project, or something outside of it?

I regularly build both and have run them in the same way you're talking about here, without issue... the latter might be a bit more nuanced, but when set up properly it does work fine, so I'm inclined to think this is more a problem with how you're doing things.

Yes, it's a pure Xcode project that I regularly build and run in the same way. Who would expect such a sequence, right? And no! It doesn't work fine all the time, because sometimes it doesn't, as I described. And I do not bother to search deeply for the cause of it unless I must for my project, and also because Apple would not pay me for that and the next version would have another stupid bug anyway.

"I'm inclined to think this is more a problem with how you're doing things." Of course, who would expect to see a bug in Xcode, right? I'll tell you the secret: this is not the first bug I've spotted in an Apple product during 10 years.

Honestly, I do not even know what their QA team is doing if I can find a few bugs manually within 10 minutes of usage ... Yesterday I found another one in the sound system, because they didn't think about one scenario in their logic. They really should spend their money on people like me instead of wasting their money on a QA team that doesn't work properly :) ...Or perhaps I should take a look at their QA team to spot bugs in their working process ))

I've always found it to be extremely consistent and never does anything strange like you're describing. Works for me.
Agreed. It's ridiculous that we can't even fully disable it in the latest macOS releases (the commands others posted below don't work in Big Sur to completely disable quarantine).

Thankfully there is a simple workaround: https://hiringengineersbook.com/post/disable-quarantine/

Note, the single command does turn off Gatekeeper. File quarantine is separate and needs a separate command. That is as it should be IMO, they’re completely different things.
Right, but do you know if there is a command to actually turn off quarantine? I mean really turning it off, not just removing it from already existing files. To my knowledge, that doesn't exist.
You can disable Gatekeeper.

https://disable-gatekeeper.github.io/

Apple has been moving toward a capability-based security model for a while now, I think: it’s a bit annoying because their implementation also acts like DRM, but I think the model itself is a better security model than standard POSIX file permissions and ACLs.