Hazel 3.3.8: Getting Past The Gates

In case you haven’t been keeping up with the Twitter feed or the forums, Apple introduced a glaring bug in Gatekeeper in 10.11.4. Any non-app bundles (that includes preference panes, screensavers, plugins, etc.) are rejected by Gatekeeper regardless of whether they are signed or not. For those of us that ship such bundles, this is what I’d consider a big deal.

The workaround itself isn’t so bad: either right-click and select “Open” or drag the pref pane into System Preferences. For users curious enough to email support, it’s not such a bad thing as I can suggest one of the workarounds. The problem it gives new users installing it for the first time a bad impression of the software, not realizing that it’s actually Apple’s fault. I can’t really measure this type of thing but I think it’s safe to say a good number of them just nope out of there without contacting me. The result is that my software has an association with being untrusted.

Daniel Jalkut gives a more detailed account of the mechanics of it here so I won’t go retread that ground.

After filing a DTS incident, Apple confirmed it as a bug (I’ve filed rdar://25466753). There was no information about when a fix would be made available and given that Apple is not known for being nimble about these things and that I was losing customers, I followed the advice of some colleagues and took matters into my own hands.

The result is that starting with Hazel 3.3.8, it will ship with an installer app. The installer app still goes through System Preferences as I still think that its installation process works well. Note that an installer package was also an option but I couldn’t figure out if/how to make it use a previous install location if the software was already installed (If anyone knows, I’d be happy to hear about it just in case I have to resort to it in the future). Hopefully now I can direct my efforts back to getting Hazel 4 shipped.

One can debate how much Apple cares about non-app-bundled software but when the workaround is to suggest people bypass Gatekeeper, they should be very concerned. False positives only erode the confidence people have in your security systems and you don’t want them to get in the habit of casually bypassing them.

Category: Hazel, OS X, Software 4 comments »

4 Responses to “Hazel 3.3.8: Getting Past The Gates”

  1. Trygve Inda

    This bug is affecting our app (a prefPane) too. What are you using for an installer since the prefPane has to be packaged in a way that GateKeeper can’t see as code (perhaps a zip that gets copied into ~/Library/PreferencesPanes)

  2. mr_noodle

    A fairly simple process. The pref pane is inside the app wrapper as a resource (the code isn’t really run directly by the app so I believe this should be fine). The pref pane is copied to a temp location, the quarantine flag stripped (make sure to do it recursively), and then handed off to SysPrefs to open.

    Feel free to email me if you need more details.

  3. mr_noodle

    Oh, and the copy is only needed if you ship on a (read-only) dmg. If you package it in a zip instead, you can do the rest of the steps in place. Actually, in that case, the quarantine may already be stripped for you once you run the installer.

  4. Trygve Inda

    I do ship on a read-only dmg. I sent an email to you through your support form for clarification of the code… not sure the best way to hand it to System Prefs or to remove the quarantine. You have my email.



Leave a Reply

Back to top