Hi! I am wondering about certain features that I witnessed today.
Base scenario: I created a developer certificate signed version of my installer package and then downloaded it via the internet. It has not been notarized.
As expected, macOS prevented the opening of the package, stating that it could not be determined whether it contained malicious content.
But, several operations I then performed made this package trusted by macOS:
- I moved the package through a file-sharing service via Finder, namely OneDrive. The recipient machine immediately opened the unsigned package, without any interruption from the operating system. This sounds extremely insecure. I checked manually with xattr, and indeed, the com.apple.quarantine attribute has been removed on the recipient side.
- I used pkgutil to explode the package, modified some files in it, then recompiled it. xattr again confirmed that the quarantine attribute has been removed. Why can pkgutil operate on untrusted packages?
I have personally been extremely surprised that operations as simple as these remove security hurdles in macOS. These scenarios can be harmful for end-users who have little IT knowledge. Why are they allowed? Are these scenarios considered the responsibility of end-users? Why do we notarize and sign with precious distribution certificates if it's this simple to bypass any security check on macOS? :(
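To verify on the receiving machine whether a package still carries the quarantine marker the post talks about, here is an added example (mine, not the poster's) that reads and decodes the com.apple.quarantine attribute. It assumes the commonly observed field layout flags;timestamp;agent;uuid (not an Apple-documented contract), and the sample value is constructed.

```python
import subprocess
import sys
from datetime import datetime, timezone

# Assumed value layout of com.apple.quarantine as seen on macOS:
# "flags;timestamp;agent;uuid" with flags and timestamp in hexadecimal.
# The trailing agent/uuid fields may be absent. This is an observation, not
# a documented Apple contract.
QUARANTINE_ATTR = "com.apple.quarantine"


def parse_quarantine(value):
    """Split a quarantine attribute value into its fields; None if malformed."""
    parts = value.strip().split(";")
    if len(parts) < 2:
        return None
    try:
        flags = int(parts[0], 16)
        stamp = int(parts[1], 16)
    except ValueError:
        return None
    return {
        "flags": flags,
        "downloaded_at": datetime.fromtimestamp(stamp, tz=timezone.utc),
        "agent": parts[2] if len(parts) > 2 and parts[2] else None,
        "uuid": parts[3] if len(parts) > 3 and parts[3] else None,
    }


def read_quarantine(path):
    """Return the raw attribute via the xattr CLI, or None if it is absent.
    Only meaningful on macOS; elsewhere it reports 'absent' rather than guess."""
    if sys.platform != "darwin":
        return None
    proc = subprocess.run(["xattr", "-p", QUARANTINE_ATTR, path],
                          capture_output=True, text=True)
    return proc.stdout.strip() if proc.returncode == 0 else None


def is_quarantined(path):
    """True only if the attribute is present and well-formed."""
    raw = read_quarantine(path)
    return raw is not None and parse_quarantine(raw) is not None


if __name__ == "__main__":
    # Constructed sample value, not captured from a real download.
    print(parse_quarantine("0083;5f5e3f1a;Safari;8C6F3D2E-1111-2222-3333-444455556666"))
    for p in sys.argv[1:]:
        print(p, "quarantined" if is_quarantined(p) else "NOT quarantined")
```

Pair this with spctl --assess --type install on the .pkg to see what Gatekeeper would decide about its signature, independent of whether the quarantine marker survived the transfer.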