On 9 June 2016, at 15:31, Michael Domino wrote:

> Hi all,
>  
> I have a signed app that had a flaw (something was changed after signing). 
> When downloaded directly to a Mac from the server, the app was scanned on 
> startup (the "Verifying" alert appears), the flaw was detected and the 
> Gatekeeper assessment failed as damaged. However, when the same dmg is 
> downloaded to a Windows system and then copied to the Mac, the app launches 
> normally. The "Verifying" alert does not appear at all. So the questions are:
>  
> 1. How can that happen?

As long as the Quarantine flag is not set, Gatekeeper does nothing. Last time I 
checked, when you download your app on a Mac using curl, the quarantine flag 
won't be set. Therefore Gatekeeper won't inspect the app, dmg, zip, etc.

If you downloaded the dmg on a Windows system, the Quarantine flag is obviously 
not set by the Windows system.
If you then copy it to your Mac using a USB key, the flag will not be set by 
the Finder.

> 2. Is that a security hole in the Gatekeeper system?

It's a known limitation. This security layer is efficient only when the 
quarantine flag is set.
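
Since Gatekeeper only assesses items that carry the quarantine attribute, an app that arrived via curl or a USB key has to be checked by hand. The script below is an added example, not part of the original message: it assumes the macOS `xattr` and `codesign` tools, takes app bundle paths as arguments, and its function names are illustrative.

```shell
#!/bin/sh
# Added example (not from the original thread).
# Reports whether each app bundle carries the com.apple.quarantine extended
# attribute and, when it does not, verifies the code signature manually,
# because Gatekeeper will not assess the item at launch.

# Return 0 if the quarantine attribute is present on "$1".
is_quarantined() {
    xattr -p com.apple.quarantine "$1" >/dev/null 2>&1
}

# Print one state word for "$1":
#   quarantined        flag set, Gatekeeper will assess it on first launch
#   unquarantined-ok   no flag, but the code signature still verifies
#   unquarantined-BAD  no flag and the signature check fails
#                      (for example, content changed after signing)
check_item() {
    if is_quarantined "$1"; then
        echo "quarantined"
    elif codesign --verify --deep --strict "$1" >/dev/null 2>&1; then
        echo "unquarantined-ok"
    else
        echo "unquarantined-BAD"
    fi
}

# Check every argument, print "state<TAB>path", and return 1 if any item
# has no quarantine flag and also fails signature verification.
audit() {
    rc=0
    for item in "$@"; do
        state=$(check_item "$item")
        printf '%s\t%s\n' "$state" "$item"
        if [ "$state" = "unquarantined-BAD" ]; then
            rc=1
        fi
    done
    return "$rc"
}

# Run the audit only when paths are given on the command line.
if [ "$#" -gt 0 ]; then
    audit "$@"
fi
```

`codesign --verify` checks only the signature seal; `spctl --assess --type execute` can be run on the same path to evaluate it against Gatekeeper policy on demand.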


