Support for adding an application to Gatekeeper automatically #85164

Closed
cycomachead opened this issue Jun 29, 2020 · 3 comments
@cycomachead

Description of feature/enhancement

macOS requires you to allow an app to run when you download it from the internet. While I think the policy makes sense, it would be nice to "pre-approve" an application I download.

I would propose an --approve-gatekeeper flag that I can use when installing an application.
Secondly, it would be really great if this could be captured in the bundle, such that reinstalling a bundle captures this information.

Justification

I think it's important a tool like this be opt-in (hence the command line arg). It is useful when writing scripts to be able to say "I know what this cask is doing" and you can bypass system dialogs.

The commands that you need to run are not terribly difficult, but they're obscure and they rely on knowing the path to the application. If integrated into brew cask, this would make it easier to script and ensure that if something like an application path changes.

Example use case

I have no specific attachment to the name, but something like:

brew cask install atom --approve-gatekeeper

or in a Brewfile

cask "atom", :approve_gatekeeper

More info

Most apps can bypass the app launch modal by running: xattr -d -r com.apple.quarantine /Applications/Atom.app/. There are some extensions that are not signed and there is a second command for those. See these two links:

To me, an allowance per-app seems like the right trade-off between security and annoyance. Allowing all apps in your application directory could be a valid option but that seems potentially less common to me.

Also, I tried searching for gatekeeper in the closed issues, but since it's commonly in the debug logs I couldn't tell if there has been a similar request. Apologies if so!

@miccal
Member

miccal commented Jun 29, 2020

There already exists the --no-quarantine flag, which prevents Gatekeeper from enforcing its security restrictions on a particular Cask. So you can run

brew cask install atom --no-quarantine

or you can set the environment variable HOMEBREW_CASK_OPTS="--no-quarantine" to make this a persistent option.
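Because the environment variable makes the opt-out persistent, it is worth being able to find where it is set. The following is an added example, not part of the original thread and not Homebrew code: it reports shell profile lines that assign HOMEBREW_CASK_OPTS with --no-quarantine. The function names are hypothetical, and the fish-style `set -gx` form is an assumption beyond what the thread mentions.

```shell
#!/bin/sh
# Added example (not Homebrew code): locate persistent --no-quarantine opt-outs.

# find_no_quarantine FILE...
# Prints "file:line:text" for every uncommented line that assigns
# HOMEBREW_CASK_OPTS and contains --no-quarantine. Handles:
#   HOMEBREW_CASK_OPTS="..."          (sh/bash/zsh)
#   export HOMEBREW_CASK_OPTS="..."   (sh/bash/zsh)
#   set -gx HOMEBREW_CASK_OPTS "..."  (fish; assumed form)
# Limitation: a flag that appears only in a trailing inline comment on an
# assignment line is still reported, so review each hit by hand.
find_no_quarantine() {
    for f in "$@"; do
        # Skip files that do not exist or cannot be read.
        [ -r "$f" ] || continue
        # -n: line numbers, -H: always print the file name, -E: extended regex.
        # "|| true" keeps a no-match result from looking like a failure.
        grep -nHE -e '^[[:space:]]*((export[[:space:]]+)?HOMEBREW_CASK_OPTS=|set[[:space:]]+-[[:alpha:]]+[[:space:]]+HOMEBREW_CASK_OPTS[[:space:]]).*--no-quarantine' "$f" || true
    done
}

# env_disables_quarantine
# Succeeds (exit 0) when the current environment already carries the flag,
# for example because a parent shell or launcher exported it.
env_disables_quarantine() {
    case "${HOMEBREW_CASK_OPTS:-}" in
        *--no-quarantine*) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone use: pass the profile files to inspect as arguments, e.g.
#   sh audit.sh ~/.zshrc ~/.zprofile ~/.bash_profile ~/.profile
if [ "$#" -gt 0 ]; then
    find_no_quarantine "$@"
    if env_disables_quarantine; then
        echo "environment: HOMEBREW_CASK_OPTS=${HOMEBREW_CASK_OPTS}"
    fi
fi
```

Each reported line means every cask installed from that shell skips the quarantine attribute, not just one application.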

@cycomachead
Author

Ah, yeah, thanks!

Is this documented anywhere? I tried looking at the docs in the repo and --help info and couldn't find it...just wondering if I missed something.

@miccal
Member

miccal commented Jun 30, 2020

It is explained in the man page, found by running man brew-cask:

[Screenshot: Screen Shot 2020-06-30 at 08 16 15]

@Homebrew Homebrew locked as resolved and limited conversation to collaborators Dec 14, 2020