Mac Client: Gatekeeper Information


The Mac Client and Gatekeeper

From Apple Developer notes for Sierra (September 4, 2016)

Technical Note TN2206
macOS Code Signing In Depth

Gatekeeper Changes in macOS 10.11 (Sierra) and Later

On macOS 10.11 and later, signatures that don't cover the entire code are rejected. This should not affect anyone using normal build tools.
Gatekeeper also rejects apps containing symbolic links that:
  • point to nowhere
  • point to places that are legitimately excluded from the app's signature
  • point outside the app bundle, except to locations in /System and /Library.
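
Added example (not from Apple's note or the original page): a Python check that walks an app bundle before shipping and reports symbolic links matching the first and third rules above. The function names and the Sample.app bundle are constructed for illustration; the second rule (targets excluded from the signature) depends on the bundle's signing resource rules and is not covered.

```python
import os
import tempfile

ALLOWED_EXTERNAL = ("/System", "/Library")  # only outside roots the note permits


def _inside(path, root):
    """True if path is root or lies beneath it (both already normalised)."""
    return path == root or path.startswith(root.rstrip("/") + "/")


def find_bad_symlinks(bundle):
    """Return sorted (link path relative to bundle, reason) pairs."""
    root = os.path.realpath(bundle)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):  # links are not followed
        for name in dirnames + filenames:
            link = os.path.join(dirpath, name)
            if not os.path.islink(link):
                continue
            # Relative targets resolve against the link's own directory.
            dest = os.path.normpath(os.path.join(dirpath, os.readlink(link)))
            rel = os.path.relpath(link, root)
            if _inside(dest, root):
                if not os.path.exists(dest):
                    findings.append((rel, "points nowhere"))
            elif not any(_inside(dest, r) for r in ALLOWED_EXTERNAL):
                findings.append((rel, "points outside the bundle"))
            # /System and /Library targets pass; whether they exist depends
            # on the machine the app lands on, so that is not checked here.
    return sorted(findings)


def build_sample_bundle(parent):
    """Constructed test bundle: one valid link, one allowed, two rejected."""
    app = os.path.join(parent, "Sample.app")
    res = os.path.join(app, "Contents", "Resources")
    ver = os.path.join(app, "Contents", "Frameworks", "Foo.framework", "Versions")
    os.makedirs(res)
    os.makedirs(os.path.join(ver, "A"))
    os.symlink("A", os.path.join(ver, "Current"))            # inside, exists
    os.symlink("/System/Library/Fonts", os.path.join(res, "fonts"))  # allowed root
    os.symlink("nowhere.dat", os.path.join(res, "missing"))  # dangling
    os.symlink("../../../outside.txt", os.path.join(res, "escape"))  # leaves bundle
    return app


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel, reason in find_bad_symlinks(build_sample_bundle(tmp)):
            print(f"{rel}: {reason}")
```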

Shipping your Signed Code

The preferred way to ship a signed app is via the Mac App Store. The Mac App Store provides a secure channel for app delivery and installation that requires minimal action on the part of the user.
For distribution outside of the Mac App Store, the preferred options are to use a signed disk image (DMG) or signed installer package. Signing these allows validation of the contents and their source. ZIP archives may also be used, but this is discouraged.
If using a disk image to ship an app, users should drag the app from the image to its desired installation location (usually /Applications) before launching it. This also applies to apps installed via ZIP or other archive formats or apps downloaded to the Downloads directory: ask the user to drag the app to /Applications and launch it from there.
This practice avoids an attack where a validly signed app launched from a disk image, ZIP archive, or ISO (CD/DVD) image can load malicious code or content from untrusted locations on the same image or archive. Starting with macOS Sierra, running a newly-downloaded app from a disk image, archive, or the Downloads directory will cause Gatekeeper to isolate that app at an unspecified read-only location in the filesystem. This will prevent the app from accessing code or content using relative paths.
Do not ship apps using ISO images. There is no provision for signing these.

Gatekeeper defined

Gatekeeper is a security feature introduced by Apple in OSX Lion (10.7).
Neither Turbine nor Happy Cloud is recognized by Apple as a "Known Developer."
This means that the OSX Download security - Gatekeeper - will not allow the downloaded .dmg file to mount or the Game Client (or Launcher) to launch when using the default OSX security settings.
  • In Mountain Lion (OSX 10.8.2), Gatekeeper has a "known bug" in that the error message output when attempting to verify and mount a downloaded .dmg file is NOT the correct error message. It incorrectly indicates a corrupt download file, and the appropriate Gatekeeper dialog is not displayed. (Fixed in Mavericks, OSX 10.9, upgrade your version of OSX!)
  • Images of Gatekeeper windows are shown on this page: Mac Client: Gatekeeper Information
  • The installation is a two phase process (until Turbine and Happy Cloud become a Registered Developer with Apple):

Gatekeeper and Yosemite (OSX 10.10.x) or El Capitan (10.11.x)

Phase 1 - allow the downloaded .pkg file to launch

1- Selecting "Play Instantly On Mac" or "Mac Download" will download the 7.5 MB "Happy Cloud Install Pkg" (LOTRO_MAC_4.46.pkg) to your Mac.

2- Proceed to double click on the .pkg icon. This will attempt to launch The Happy Cloud Installer installer:

  • Under Lion (OSX 10.7.5) and later versions of OSX (Mountain Lion, Mavericks, Yosemite), all files downloaded from the Internet are blocked from opening - either automatically or by double-clicking on the .pkg file icon - by Apple's Gatekeeper: see: Mac Client: Gatekeeper Information for more details on Gatekeeper.
When you first launch the Happy Cloud installer, you should get the pop-up
"“LOTRO_MAC_4.46.pkg” can’t be opened because it is from an unidentified developer. Your security preferences allow installation of only apps from the Mac App Store and identified developers." (Screenshot: Gatekeeper Warning-2)
Before you click OK:
2.1 Under the Apple menu, select System Preferences
2.2 Under "General" (top row of icons) select "Security & Privacy" - a House icon
2.3 Select: the General Tab
2.4 When you click "OK" - you should see a message appear in the lower portion of the panel:
"“LOTRO_MAC_4.46.pkg” was blocked from opening because it is not from an identified developer." (Screenshot: Gatekeeper Warning-3)
2.5 Simply click "Open Anyway."
2.6 The installer installer will now proceed to install the Happy Cloud downloader and to install the LOTRO Launcher and Game client consolidated app.

Phase 2 - allow the installed LOTRO Client to launch

(You can also simply skip the phase 1 section above and go directly to phase 2. Just remember what you have done so that you can reset your security once the installation is completed, as the download and patch process for LOTRO can take several hours!)

  1. Under the Apple menu, select System Preferences
  2. Under "General" (top row of icons) select "Security & Privacy" - a House icon
  3. Select: the General Tab
    • You will need to "Click the lock to make changes" and supply your Administrator Name and Password to enable the change.
  4. Select: Allow applications downloaded from: "Anywhere"
    • Answer the pop-up box ... NOTE that the "Allow From Anywhere" box is NOT highlighted (meaning, you MUST click on it, not simply hit return) and that it is on the LEFT side of the alert box.
    Now the .pkg file should launch and the install complete with no problems.

  • Once you have verified the .dmg file and launched the game client the first time, you can reset this to the default setting: Mac App Store and identified developers
  • Note that this only needs to be done once. Gatekeeper will remember that you have authorized this application to run.

Gatekeeper screenshots

These are two pop-ups from Gatekeeper.

  • The screenshot on the left is the warning you SHOULD be getting when you download the Mac Client and attempt to mount it. (under Gatekeeper's default setting)
  • The one on the right is the "normal" warning you get from Gatekeeper when you download an item from a recognized source.
  • See Apple's Gatekeeper documentation for other error messages. Learn about Gatekeeper.
Gatekeeper Warning-1: The "normal" warning pop-up from Gatekeeper
Gatekeeper Warning-2: The warning pop-up Gatekeeper should give on launch of the Happy Cloud Installer
Gatekeeper Warning-3: The "Open Anyway" dialog from Gatekeeper for Happy Cloud
Gatekeeper Warning-4: The warning pop-up Gatekeeper should give on download of the Beta client

When "disabling" Gatekeeper, you should see screens like these:

The Security & Privacy System Preferences screen
Gatekeeper Action Verification pop-up box.

Other Gatekeeper Error Screens

These errors will also randomly occur because of Gatekeeper. They should go away if the permissions are set to "Anywhere."

Another "normal" warning pop-up from Gatekeeper
The "Move to trash" warning pop-up from Gatekeeper

An alternative "fix"

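If you are comfortable using the terminal, the following command can also be used to "fix" these problems caused by Gatekeeper (applies to the Happy Cloud Installer). It removes the com.apple.quarantine extended attribute that macOS sets on downloaded files, and as written it does so recursively for everything under /Applications/; pointing it at the installed app's own folder instead limits the change to that one app.

sudo xattr -rd com.apple.quarantine /Applications/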