Is there a way to disable notarization checks and gatekeeper?

Hello friends,


I want to install drivers to a Mac running macOS 10.14.5 that is not connected to the internet. These drivers that are installed using a .pkg file, have not been notarized. They never will be.


Is there a way to completely disable the Notarization checks and any Gatekeeper activity on the Mac I'm installing to? Presently, I can't install drivers that haven't been notarized to an offline Mac running 10.14.5.

Replies

These drivers that are installed using a

.pkg
file, have not been notarized. They never will be.

Why? If this

.pkg
file was previously distributed widely, you may be able to notarise it via the legacy path. See Notarize Your Preexisting Software in Notarizing Your App Before Distribution.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

So that's a no? There isn't a way to disable notarization checks and gatekeeper?

🙂

So that's a no?

No. There are various mechanisms to bypass Gatekeeper [1] but it’d be better to not do that. While Apple has committed to continuing to provide such mechanisms [2], it will be easier in the long term if you can avoid relying on them.

Which brings me back to my question: Why are you unable to notarise your software?

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

[1] The most obvious user-level one being to control click on the icon in the Finder and select Open from the contextual menu.

[2] To quote slide 40 of WWDC 2019 Session 701 Advances in macOS Security: “You can always choose to run any software on your system”.

The most obvious user-level one being to control click on the icon in the Finder and select Open from the contextual menu.


No, good sir, that does work. I see a dialogue:

"Driver notarization checks could not be completed. Please ensure you are connected to the Internet and reinstall blah".



To quote slide 40 of WWDC 2019 Session 701 Advances in macOS Security: "You can always choose to run any software on your system”.


And that is exactly my question. HOW does one "choose to run any software on your system"? The system in question being macOS 10.14.5.



Why are you unable to notarise your software?


Me: "Let's notarize everything".

Person in charge of builds (who is not me): "No".

🙂

Apple is a consumer electronics company. In 2019, that means the internet is connected - end of story.


If you want your devices to work differently, you'll have to choose another platform. You can expect similar, if not worse, problems there.

The errors I see when I attempt to install a package that isn't notarized occur when the mac is also connected to the internet.


So, in relation to my question, if the answer is "NO", then I'd like to clearly see this answer so I can stop searching. If the answer is "YES", I'd like to know how this is performed. Therefore, I humbly and most modestly ask the question again in the hope that I might receive a helpful response,


Is there a way to disable notarization checks and gatekeeper?

@eskimo or anyone else, do you have an answer to my question please?

You can always disable SIP if you want. That might cause other provides as side-effects, but it would give you (or rather your person in charge of builds) the answer being sought.


But I will reiterate. Apple is a consumer electronics company. They fundamentally don't care about your silly requirements. They really don't. If you want to use a computer and do it however you want, you can do it today, right now, no charge. Just download Linux and install. I'm sure that whatever "driver" you have on your Mac also runs on Linux. Like magic - all problems solved.


New problems created, certainly, but those aren't important, are they?

Thank you for your kind response, John. If by "disable SIP" you mean using the terminal command, "csrutil disable", no this doesn't work. Yes, the "driver" works on Linux but it is necessary to test the Mac specific dev builds on a MAC that are not notarized. But the reasons for doing this however silly they might appear, I declare, are superfluous and totally irrelevant to the question at hand. That question being:



Is there a way to disable notarization checks and gatekeeper?



The answer being sought does not warrant enquiry into the intelligence or state of mind of the asker. It does not beseech further questioning of one's motives or indeed their sanity.

I don’t know if there’s a way to disable Gatekeeper entirely. A quick search of the ’net reveals that there probably is, but a definitive answer about that would have to come from Apple Support.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Yes, that is how you disable SIP. Otherwise, I'm sorry, but you are the one out in the deep end here. You can't just throw out "this doesn't work" and leave it at that. I don't care how big a font size you use.


If you are claiming that disabling SIP is ineffective, then that is something that someone else could test, verify, and maybe provide a workaround. But you will have to provide more specific details and, ideally, an easy-to-run test that reproduces the problem. This is something that should work. If it doesn't, that would be a bug for Apple to fix.


It is possible that just disabling SIP alone will not disable Gatekeeper. But I'm sure you will have to disable SIP to make further changes that will disable Gatekeeper. You will have to scour the internet for such suggestions, because this is not something that people normally do. Don't be upset if they don't work. I just found one suggestion on how to turn off Gatekeeper "defaults write com.apple.LaunchServices LSQuarantine -bool NO" but it was posted in a Sierra forum. It may not work on Mojave or Catalina. You can expect that any software update, no matter how small, will break your system.


Again, I have to question why you are doing this. You said "it is necessary to test the Mac specific dev builds on a MAC that are not notarized". But current Macintosh computers and the macOS operating system requires notarization. Therefore, your statement is invalid because you aren't testing on a "MAC" anymore. You are testing on your home-grown, customized operating system. There are people around who will help you do that and would find such a task interesting. But you probably aren't going to find them in this forum. I think that Apple would agree with me an acknowledge this as a bug, but that doesn't mean they will ever lift a finger to fix it.


At a real, fundamental level - you are on your own here. Rather than exploring the limits of this discussion forum's font sizing options, I suggest you spend the time to learn about how the operating system works at the lowest levels. Maybe buy the series of "MacOS and iOS Internals" books by Amit Singh. Learn how launchd works and try to figure out exactly which tasks are responsible for these security features you want to disable.


Good luck!

I don’t know if there’s a way to disable Gatekeeper entirely.

It turns out that there’s a definitive answer to this in the Xcode help. See Enable and disable Developer ID apps and Gatekeeper.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

I give a **** about apple notarization and gatekeeper and all that ******** telling me how to use my mac.

Same would be if I were to use iPhone or any other gadget - I would allways jailbreak it.

If they want to force me to pay them money for self - developed software,

in order to be able to run it on my or any other mac, then I will either

**** that all gibberish , or chage the platform alltogether.

So disable SIP, kill gatekeeper and enjoy your life.

And don't let them frighten You about that dangerous spying software which will

ruin You if You do so, this whole **** is built into MacOS allready itself,

starting with spotlight, face recognition, user activity monitoring and so on.

is the .pkg trying to install kernel extensions?


there may be a way to disable the checks for specific kext via spctl. Install the driver as per normal. Then restart in Recovery mode afterwards run the following command, giving it the developer ID of the kext:


spctl kext-consent add [devID]


use the following to see a list of kext still needing consent:


spctl kext-consent list


Please let us know how this goes.