One question: we have gotten signing, notarisation and stapling working for our app in our CI pipeline. One thing though, on the build Macs we use a separate keychain file with the certs for signing etc. To get the separate keychain file into the keychain search list we use the security "-s" option to add it.
The problem is when we remove it. It feels very risky to reset the whole keychain search list just to remove one item from the list. What we fear is that the removal operation might clear out the whole keychain search list if some kind of error happens.
Is there another more fail-safe way to remove entries from the keychain search list?
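A defensive way to do the removal asked about in the post above, as an added example that is not part of the original thread. It assumes `security list-keychains -d user` prints one double-quoted path per line; the function names and the sample path are hypothetical.

```shell
#!/bin/sh
# Added example: remove ONE keychain from the user search list and refuse
# to write anything if the current list could not be read.

# Strips indentation and quotes from `security list-keychains` output on
# stdin. Fails (non-zero) when there is no path at all.
list_paths() {
    sed -e 's/^[[:space:]]*"//' -e 's/"[[:space:]]*$//' | grep -v '^$'
}

# Prints every path from stdin except $1. Fails if the input is empty or
# nothing would remain, so an empty list never reaches the caller.
filter_keychains() {
    fk_paths=$(list_paths) || return 1
    printf '%s\n' "$fk_paths" | grep -vxF -- "$1"
}

# Rewrites the search list without $1 (the full path exactly as listed,
# including any -db suffix), then re-reads the list to verify the result.
remove_keychain() {
    rk_before=$(security list-keychains -d user) || return 1
    rk_new=$(printf '%s\n' "$rk_before" | filter_keychains "$1") || return 1
    rk_ifs=$IFS
    IFS='
'
    set -f                  # no globbing while splitting on newlines
    set -- $rk_new          # one argument per path, spaces preserved
    set +f
    IFS=$rk_ifs
    security list-keychains -d user -s "$@" || return 1
    rk_after=$(security list-keychains -d user | list_paths) || return 1
    [ "$rk_after" = "$rk_new" ]
}

# Usage (constructed path):
#   remove_keychain "$HOME/Library/Keychains/ci-build.keychain-db" || exit 1
```

If the target is not in the list, the same list is written back unchanged.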
The steps are:
1) Open the Terminal
2) Open the "App Package -> Contents -> MacOS -> in the Finder (do not double click it)
3) Drag the executable to the Terminal window and press
4) Dialogs will appear, click "Done", don't select to move it to the trash
5) Open the "Privacy & Security" pane in the "System Settings...", scroll down and click the "Open Anyway" button in the little area that has appeared with the . Nothing happens
6) In the Terminal redo 2) -> 3) again, this should open your app (barring security dialogs appearing).
7) After that opening should be done like 2) -> 3). This time no dialogs should appear.
We have been able to create a workaround for launching our application under macOS 15.1.
The workaround consists of the following steps:
1) Launch the app executable from the Terminal (the executable in the MacOS folder of the package).
2) Dismiss the alerts shown (click "Done")
3) In "System Settings" in "Privacy & Security" click the "Open Anyway"
4) Dismiss any alerts shown
5) Launch the app executable from the Terminal again (the executable in the MacOS folder of the package). Enter admin username & password to accept the app
This launches the app under macOS 15.1.
Launching it again requires the use of the terminal as in 1) above.
We have created a small Automator app encapsulating the workflow above.
Obviously this is not ideal... seems that the issue is with the Finder?
Our application is a pure Intel application. So I guess the following applies to our application:
"...macOS can run ad hoc signed (or unsigned, on Intel) code. If the code is quarantined then you need to bypass Gatekeeper, but there’s a documented process for doing that..."
Not sure how to interpret "...or unsigned, on Intel...". Does that mean that a pure unsigned Intel application should be able to run on both Intel and Apple Silicon Macs? Or does it mean that it's only on Intel based Macs that a pure unsigned Intel application can be launched?
All of the above of course using the "...documented process..." for launching the application.
It is a macOS application that we develop.
It's based on the Eclipse RCP framework and is not signed.