MAS generated webarchive quarantined?

I have an app, MyApp, which is distributed via the Mac App Store.


Via a browser bookmarklet the user can tell me to snarf up the contents of the currently viewed webpage. The URL for the webpage is sent to MyApp via a custom URL protocol. MyApp then generates a webarchive for the file using a hidden WebView and then saves it to disk.

The problem is the user can't launch/open the webarchive file. Gatekeeper reports that "can’t be opened because it is from an unidentified developer. Your security preferences allow installation of only apps from the Mac App Store and identified developers. MyApp created this file today at 9:06 AM."


But MyApp is from the Mac App Store. And other files my app creates work just fine. I think it's just because the webarchive was downloaded using WebKit.


I can use "xattr -l" and see that the quarantine bit is set.


Techniques like setResourceValue:[NSNull null] forKey:NSURLQuarantinePropertiesKey don't work.

I've tried setting LSFileQuarantineEnabled to false in my Info.plist but, in private builds here, that doesn't seem to work. If I submit this to the MAS for approval will that do the trick (I kind of doubt it)?


What's the right way to do this?

gbrowning, did you ever find a solution to this problem? I'm running into the same thing...

+1. I'm looking for a solution too.

To channel my inner Apple support engineer, webarchives are not an API. You would need to properly implement whatever it is you are trying to do without relying on private, undocumented Apple file formats.

Maybe that's their position but seems pretty ridiculous to me if it is. Many apps have been writing .webarchives for years. It's not a problem with writing the file, it's just that the app is sandboxed.


This is definitely a bug; the problem isn't with the .webarchive file, it's that macOS will refuse to *open* any .webarchive a sandboxed app touches. So even if you save a .webarchive with Safari...and you take that file and move it with a sandboxed app that supports drag and drop, macOS won't open that webarchive anymore even though the user created it with Safari. It will tell you whatever sandboxed app touched it last created the file and the system can't verify that this code signed app from a developer isn't malware, which is bogus.


Also, as the original poster mentioned, WebView (public API) had support for .webarchive (yes I know it's deprecated) but it's just a plist. My app isn't using WebView to write the webarchive, but that's irrelevant to the bug.


If I were to guess, they're not preventing sandboxed apps from writing .webarchives because it's some special proprietary format they want to protect. It's either a nasty bug introduced by accident or it's a nasty bug but they did it on purpose to circumvent a deeper security issue they didn't have time to properly fix.


Non-sandboxed apps don't have any problems writing or touching web archives.
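
The `xattr -l` check from the opening post and the "sandboxed app touched it" behaviour described above can be inspected more closely by decoding the quarantine attribute itself. This is an added example, not code from any poster in the thread: the `flags;timestamp;agent;event-id` layout, the flag bit meanings (named after the `QTN_FLAG_*` constants in Apple's `quarantine.h`) and the sample value are assumptions and constructed data.

```shell
#!/bin/sh
# Decode a com.apple.quarantine value, e.g. the output of
#   xattr -p com.apple.quarantine Saved.webarchive   (file name is hypothetical)
# Assumed layout (not stated in the thread): flags;timestamp;agent;event-id,
# with flags and timestamp written as hex.

# Assumed flag bits, after QTN_FLAG_* in Apple's quarantine.h.
QTN_DOWNLOAD=1        # 0x0001 file was downloaded
QTN_SANDBOX=2         # 0x0002 file was written by a sandboxed process
QTN_HARD=4            # 0x0004 hard quarantine
QTN_USER_APPROVED=64  # 0x0040 user already approved opening

is_hex() {
    case "$1" in
        ''|*[!0-9A-Fa-f]*) return 1 ;;
    esac
    return 0
}

# qtn_field VALUE N -> Nth semicolon-separated field
qtn_field() { printf '%s\n' "$1" | cut -d';' -f"$2"; }

# Print the known flag names set in VALUE; unknown bits are reported as hex.
qtn_flag_names() {
    hex=$(qtn_field "$1" 1)
    is_hex "$hex" || return 1
    flags=$((0x$hex)); names=""
    if [ $((flags & QTN_DOWNLOAD)) -ne 0 ]; then names="$names,download"; fi
    if [ $((flags & QTN_SANDBOX)) -ne 0 ]; then names="$names,sandbox"; fi
    if [ $((flags & QTN_HARD)) -ne 0 ]; then names="$names,hard"; fi
    if [ $((flags & QTN_USER_APPROVED)) -ne 0 ]; then names="$names,user-approved"; fi
    rest=$((flags & ~(QTN_DOWNLOAD | QTN_SANDBOX | QTN_HARD | QTN_USER_APPROVED)))
    if [ "$rest" -ne 0 ]; then names="$names,$(printf 'other:0x%04x' "$rest")"; fi
    printf '%s\n' "${names#,}"
}

# One-line summary: which agent set the attribute, when, and with what flags.
qtn_describe() {
    names=$(qtn_flag_names "$1") || { echo "malformed"; return 1; }
    ts=$(qtn_field "$1" 2)
    is_hex "$ts" || { echo "malformed"; return 1; }
    printf 'agent=%s epoch=%d flags=%s\n' "$(qtn_field "$1" 3)" "$((0x$ts))" "$names"
}

# Constructed sample value, not taken from the thread.
qtn_describe '0083;5f5e1000;MyApp;'
```

Comparing the decoded agent and flags of a Safari-saved archive before and after a sandboxed app moves it shows whether the attribute was rewritten by that app.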

Why not use the com.apple.security.files.user-selected.executable entitlement?
