73 comments

[ 4.0 ms ] story [ 69.8 ms ] thread
Try to open the file, say ok to the ‘can’t check for malware’ prompt, go to settings, security, approve running the software.

Annoying, but if you’re delivering your app to semi-technical users, not really a problem.

Notarize the application and staple the receipt to your app bundle. It won’t trigger the Gatekeeper warning.
Any user who does not like Gatekeeper can turn it off on their machine in ten seconds by running this in a Terminal:

    sudo spctl —-master-disable
People will say, no, that’s too big a hammer, it’s not safe… but then, like, what do you actually want? Either you keep Gatekeeper because you like the friction it introduces, or you don’t like that friction and you should go turn it off. Pick one, you obviously can’t have both!

Of course, you as the developer can’t make this choice for your users… but isn’t that as it should be? The user decides what code is allowed to run on their machines. And the default setting is restrictive because anyone who knows what they’re doing can easily change it.

P.S. Meanwhile, on iOS there’s no way to install unsigned software at all, and on Android (starting soon) the process takes 24 hours instead of ten seconds. That is actually ridiculous because it’s taking away user choice.

P.P.S. To be clear, modern macOS has plenty of other restrictions which can’t really be turned off and which I find super annoying. Gatekeeper just isn’t one of them.

Edit: I’ve just learned that as of Sequoia, you have to also tick a box in Settings after running the Terminal command. So maybe it takes 30 seconds instead of ten seconds. That’s mildly more annoying, but still doesn’t really seem like a big deal to me.

> Pick one, you obviously can’t have both!

Obviously you can, and you actually could earlier where you could click a bypass button for a specific app without any of this terminal nonsense

> turn it off on their machine in ten seconds

You forgot to add the time to learn that it's possible and to find the right command

> So maybe it takes 30 seconds instead of ten seconds. That’s mildly more annoying, but still doesn’t really seem like a big deal to me.

That's because you keep ignoring the actual effort/cost even after you've learned your first simplistic estimate was a mistake

> but then, like, what do you actually want?

As an author of some homebrewed Go software in the past and trying to distribute in all 3 big OSes, I completely understand the blog post author's points. The problem is not Gatekeeper per see, it is just the combination of things that makes everything infuriating:

- I could justify going for the whole "Apple Developer Program" even with all the bullshit things you need to do to get certified if this was a one time payment like in Google Play Store. But it is yearly. Like the author, I would probably get 0 (or close to 0) dollars in recurrent revenue for those apps, I could justify a one time payment but a yearly one is ridiculous, it is not like Apple needs this money to be profitable (they probably get a much higher margins on selling things on Apple Store)

- Gatekeeper UX is infuriating. The equivalent on Windows (SmartScreen, as the author also cited) is still basically the same as Gatekeeper as far I understand (e.g., you need to have a valid certificate on your app or SmartScreen will deny the app execution until you clear the safety bit). But SmartScreen, different from Gatekeeper, has an actual good UX, as the error messages are clear and actionable (and also don't require a command line command to bypass)

- The author was still in a more "happy path" than me since their app seems to be a CLI only app. In this case just removing the quarantine bit with `xattr` works fine. In my case I was trying to distribute a desktop app, and I needed some special permissions to show notifications. This means I need to package my app in a proper `.app` bundle, include the required XML requesting the permissions and I am now required to sign the app. And since I am required to sign my app, I either pay the yearly payment fee to Apple to get a certificate to sign my app or I ask the users to resign the app with a self-signed certificate before launching

So really, I don't want that much actually. I can definitely handle all bullshit Apple wants, but I want at least a cheaper way to develop apps in their ecossystem. Maybe a new basic certification program that you have a one time fee and you can sign your apps but not notarize them. That way Gatekeeper would still complain, but at least my app would work without resign.

Or limit notarization to X amount of users (non-stabled notarized apps talks with Apple servers during the app first run, so they could just limit the amount of allowed tickets to X amount of users). If my app ever pass X amount of users, I will gladly pay the Apple tax, but 99USD/year for something that I will never see it back is too much.

Edit: BTW, I know, maybe 99USD/year doesn't seem too much for some. But Apple also doesn't do any regional pricing as far I know, and 99USD/year is crazy expensive in the country where I come from for example.

Edit 2: I am sure things are better nowadays with Claude/ChatGPT, but also trying to understand how to do the correct thing for your app is very difficult, especially if you're not using Xcode, since Apple assumes you're using it so all documentation refers to Xcode.

(comment deleted)
I just wish Homebrew was not planning to remove packages because of this.

> $ brew doctor

> Warning: Some installed casks are deprecated or disabled. You should find replacements for the following casks:

> alacritty

> librecad

Is there workaround? Probably. But macos lost benefit of OS X's "it just works". Time to move elsewhere I guess.

> People will say, no, that’s too big a hammer, it’s not safe… but then, like, what do you actually want? Either you keep Gatekeeper because you like the friction it introduces, or you don’t like that friction and you should go turn it off. Pick one, you obviously can’t have both!

Refusing to let you open an app isn't friction, it's complete obstruction. How about warning you and letting you run it this one time or allow it to run normally from there on?

My favorite is when someone discovers they haven't yet granted Zoom screensharing permission, and that they need to exit the call to re-launch the application with the permission granted.
> I'm sure that other countries also have plenty of similar services for ID and age verification

laughs in Bundesdruckerei

> I can use SmartID to verify my ID (and age) in about 20 seconds when buying an energy drink at the local grocery store

Where do you have to show ID for that??

I think almost all of Europe. Have you ever tried teaching a room of 30ish teenagers all high on quadrupled RDI of caffeine? It makes distributing software on macOS seem like a walk in the park
I don't get the part about Homebrew. If you're using Homebrew, it doesn't make a ton of sense to use Itch.io. Just use Homebrew. Seems like a more appropriate place to distribute a dev tool anyway. You could set up a patreon and print a link to it when appropriate. That's basically what Vim does.

I agree that Apple is dumb of course.

I am not entirely against the whole notarization thing.

If it is good for the end-user, it is usually also good for the ecosystem a a whole, trust is valuable.

But ffs, they are rich enough to make this a lot less painful and hostile for developers.

And this is not a new thing, I used to develop games for iOS, from the very beginning, and while the process somewhat simplified over time, it was a huge cortisol inducing process, not to mention the regular forced OS+SDK updates where the procedures changes almost every time and could fail in not-so-evident ways.

So, Linux gets a free pass for requiring chmod +x to run his tool, but needing to run xattr on MacOS is somehow worthy of an entire blog post to complain about it?

Serious question - Is it really true that Windows 11 will run an untrusted .exe without a warning?

I think that's the most important part in the whole article.

This is a Claude Code tool for developers. I'd assume that any potential user for this tool should be perfectly able to run that xattr command (and if they are not, they probably shouldn't be playing around with Claude Code either... yup, some additional "gatekeeping" from my side here).

You could probably even make some curl -sL https://github.com/myrepo/installme.sh | bash script for these users which takes care of the xattr command.

Your typical macOS enduser does not use command line tools. Or they use something like Homebrew.

Btw the proper way to distribute binary would probably be pkg installer.

I went through this recently. Got as far as verifying my identity, which Apple happily accepted as verified from my UK driving license. Unfortunately, they then automatically set my first and last name from that identity verification step, and some how managed to use a section of my driving license number as my surname - a string of random uppercase letters and numbers - and it's impossible to edit it. So fuck them, that's $99 they've lost.
Tangential but this made me appreciate how Gatekeeper is perhaps a notorious example of a great naming choice for a piece of software.
Apple's ID verification failed for me and I am now banned for life. There is no opportunity to appeal this or to ever participate in the Developer Program for me. Which sucks because I am now permanently locked out of developing seriously for any of the Apple ecosystem, ever.
It's a backwards walled garden which I mostly avoid to avoid problems like this
I have been developing software for Macs and PCs as an Indie for 20 years now. I sympathize with the author of the post. You get the feeling that Apple thinks you should be grateful that they allow you to develop apps for their platform.

The author didn't mention Apple's contempt for backward compatibility. Apple like to regularly nuke their entire developer system from orbit. Try running an app developed 10 years ago on the latest version of macOS. It probably won't run.

Microsoft are much better at backward compatibility and they don't force you to join a developer program. But you get totally reamed every time you have to update your authenticode digital certificate for Windows. Just the digital certificate will cost you more than $99 per year. It is a total racket.

It's much more expensive on Windows side of things. DigiCert and Sectigo are now in the $700--$1000 range per year for regular OV code signing certificate.

Microsoft has it's own Azure Artifact Signing which is comparable to Apple yearly cost (give or take), but since a month ago installers signed with it often display SmartScreen warnings [1]. Even though Microsoft controls both pieces!

Store option is not free for organizations (although it's a one-time setup fee), but the worse thing is it forces you to its simplified licensing/trial model, typically not compatible with B2B software where paid upgrades, yearly support contracts, controlled updates, extended trials are used.

[1] https://github.com/Azure/artifact-signing-action/issues/128#...

Maybe I'm too dumb, but I haven't figured out a good way to sign just a binary (or a tar/zip containing a few binaries). I zipped up the binaries, sent them off to Apple, Apple comes back and says "yup, notarized!", and they still trigger the popup. I'm probably missing a step. I guess I'm not currently stapling the ticket to the binary, but supposedly you don't have to if you are running with a network connection.
> I guess I'm not currently stapling the ticket to the binary, but supposedly you don't have to if you are running with a network connection.

AFAIK, you do in fact have to staple the ticket. The other thing I found is that you have to make sure you're using the right kind of certificate from Apple.

Sometimes I wonder why we don't just treat an installation script like curl https://alx.sh | sh as a universal option for distributing applications. The provenance is there via the HTTPS certificate, and if you're already about to trust an application that can compromise your system, why not trust the installation script as well?
It's interesting that sanctioned Russian banks still find the ways to push their apps into Apple repository by disguising them as a different app. They get removed several months later, but I assume it is done only because someone complains.
I love when my Mac declares random PDFs malware and deletes them when I try to open them.

On two occasions I've been completely dumbstruck when the software I was using was deleted out from under me. I'm not a fan of the overuse of "gaslight", but it sure felt like that when I had to restart Docker and the OS was like "what do you mean, Docker? You've never had Docker installed! What are you talking about? Are you feeling ok?"

https://news.ycombinator.com/item?id=42649790

I shared the author's frustration when figuring out how to ship such binaries to end users so I wrote a guide [0] detailing exactly how to do it. Apple's documentation is surprisingly poor and I couldn't find any blog posts so I ended up reverse engineering what works via trial and error as well as popular OSS projects on GitHub.

[0]: https://ofek.dev/words/guides/2025-05-13-distributing-comman...

Author here, just pushed a quick update to the article.

To be fair, compared to the prices of Certum and other providers if you ever want to sign something for Windows, perhaps Apple isn't uniquely overpriced (they all seem to be that way): https://www.certum.eu/en/code-signing-certificates/

Looking more into the Windows side of things, I also found Azure Artifact Signing which is supposedly affordable at 8.54 EUR per month, but unfortunately they don't actually support individual users in the EU (only in US & Canada, meanwhile EU only gets support for organizations). I'd probably have to set up a SIA (equivalent of Ltd.) here first - it was in the plans for later, but this is a bit of a roadblock for using Azure too: https://azure.microsoft.com/en-us/products/artifact-signing

My tone might have been frustrated, but I will absolutely say that the code signing industry needs to have a Let's Encrypt moment of some description - at least commoditize it like Azure Artifact Signing was trying to do, but also for individual developers, across all platforms! Sadly, that doesn't seem to be possible when the platforms are intentionally walled gardens. I don't hate the idea of code signing, though - if done right, it's a good idea, same as TLS for (many) websites.

Azure Artifact Signing and Apple's Developer program come out to similar costs. Apple's is probably still cheaper in that you can sign any number of things with it.

But yes, it would be nice to have some free signing options for open source developers.

How does anyone who cares about open source or even development more generally see this and go "Yeah that's the OS I want to use"?

I genuinely don't understand why so many developers are willing to compromise so much for a thin laptop.

> I genuinely don't understand why so many developers are willing to compromise so much for a thin laptop.

Because many developers never run into these issues? A Mac has been my primary development machine since the G4 PB days. I’ve tried to switch to Linux a few times, and it’s always been a worse experience. Then I see these types of stories on HN, and I’m reminded we all use our computers very differently from each other.

I use my Macbook for things other than dev work, and that's where Linux tends to fall flat. Weird hardware incompatibilities, jank, huge amounts of time required to maintain the machine rather than just getting work done.

Having to occasionally run xattr -d com.apple.quarantine to download some random low-userbase FOSS app is nothing compared to what Linux users go through.

You won't appear as hip and fashionable amongst your CA/SV peers lugging a "generic" laptop around.
As a user I actually like Gatekeeper. 95% of the time it's not a problem. the other 5% of the time I have to click a button in my settings to allow unsigned code. But at least it gives me pause to think about the source and if I really trust it (which is mostly offloaded to Apple the other 95% of the time).

Free business idea: get an Apple developer account and then agree to sign code for other people in exchange for a small piece of their income. I'm surprised that doesn't exist yet (or does it?).

The risk is that eventually you sign someone's malware and all of your customers have the certs that signed their apps revoked.
It has been like this forever and periodically someone complains, but then they just go out and buy another mac and keep producing software for macOS. If you want this to change, stop providing financial support.