On 9 June 2016, at 15:31, Michael Domino wrote:

> Hi all,
>
> I have a signed app that had a flaw (something was changed after signing).
> When downloaded directly to a Mac from the server, the app was scanned on
> startup (the "Verifying" alert appears), the flaw was detected and the
> Gatekeeper assessment failed as damaged. However, when the same dmg is
> downloaded to a Windows system and then copied to the Mac, the app launches
> normally. The "Verifying" alert does not appear at all. So the questions are:
>
> 1. How can that happen?

As long as the Quarantine flag is not set, Gatekeeper does nothing. Last time I checked, when you download your app on a Mac using curl, the quarantine flag won't be set. Therefore Gatekeeper won't inspect the app, dmg, zip, etc.

If you downloaded the dmg on a Windows system, the Quarantine flag is obviously not set by the Windows system. If you then copy it to your Mac using a USB key, the flag will not be set by the Finder.

> 2. Is that a security hole in the Gatekeeper system?

It's a known limitation. This security layer is efficient only when the quarantine flag is set.
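
When a bundle arrives without the quarantine attribute, the signature and policy checks discussed in this thread can still be requested by hand. The script below is an added example, not part of the original messages; it assumes an .app bundle path as argument and the stock macOS `xattr`, `codesign` and `spctl` commands, and the function names are illustrative.

```shell
#!/bin/sh
# Added example: explicit checks for an app bundle that may have reached
# the Mac without the com.apple.quarantine attribute (curl, USB copy, ...).
# Assumes the stock macOS tools xattr, codesign and spctl are on PATH.

# Prints "quarantined" or "not-quarantined" for the given path.
quarantine_state() {
    if xattr -p com.apple.quarantine "$1" >/dev/null 2>&1; then
        echo quarantined
    else
        echo not-quarantined
    fi
}

# Prints one verdict line for a bundle.
# Returns 0 when both checks pass, 1 on a broken signature, 2 on a policy reject.
check_app() {
    app=$1
    state=$(quarantine_state "$app")

    # Seal check: fails if anything in the bundle changed after signing.
    if ! codesign --verify --deep --strict "$app" >/dev/null 2>&1; then
        echo "FAIL signature ($state): $app"
        return 1
    fi

    # Gatekeeper policy assessment, requested explicitly rather than
    # waiting for a first-launch check that may never be triggered.
    if ! spctl --assess --type execute "$app" >/dev/null 2>&1; then
        echo "FAIL policy ($state): $app"
        return 2
    fi

    echo "OK ($state): $app"
}

# Check every bundle named on the command line, if any were given.
rc=0
for bundle in "$@"; do
    check_app "$bundle" || rc=1
done
[ "$#" -eq 0 ] || exit "$rc"
```

A "not-quarantined" state next to a "FAIL signature" verdict is the situation described in the question: the bundle is damaged, but nothing would have prompted the system to look.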