[Homebrew/homebrew-cask] Support for adding an application to Gatekeeper automatically (#85164)

From: notifications@github.com
Create: 2020-06-29
Update: 2020-06-29

Description of feature/enhancement

macOS requires you to allow an app to run when you download it from the internet. While I think the policy makes sense, it would be nice to "pre-approve" an application I download.

I would propose an --approve-gatekeeper flag that I can use when installing an application.
Secondly, it would be really great if this could be captured in the bundle, such that reinstalling a bundle captures this information.

Justification

I think it's important a tool like this be opt-in (hence the command line arg). It is useful when writing scripts to be able to say "I know what this cask is doing" and you can bypass system dialogs.

The commands that you need to run are not terribly difficult, but they're obscure and they rely on knowing the path to the application. If integrated into brew cask, this would make it easier to script and ensure that if something like an application path changes.

Example use case

I have no specific attachment to the name, but something like:

brew cask install atom --approve-gatekeeper

or in a Brewfile

cask "atom", :approve_gatekeeper

More info

Most apps can bypass the app launch modal by running the command: xattr -d -r com.apple.quarantine /Applications/Atom.app/. There are some extensions that are not signed, and there is a second command for those. See these two links:

  • https://osxdaily.com/2010/09/12/disable-application-downloaded-from-the-internet-message-in-mac-os-x/
  • https://osxdaily.com/2015/07/15/add-remove-gatekeeper-app-command-line-mac-os-x/

To me, an allowance per-app seems like the right trade-off between security and annoyance. Allowing all apps in your application directory could be a valid option but that seems potentially less common to me.

Also, I tried searching for gatekeeper in the closed issues, but since it's commonly in the debug logs I couldn't tell if there has been a similar request. Apologies if so!

