Gatekeeper quarantine issue with certificate


Problem description

Our app has been code signed. Our Apple certificate is up to date. Previous versions of our app have run just fine.

However, when the DMG is downloaded by the users, on some Macs the application is quarantined, but for the majority of users, it's not. So some users can open the app and others get the "X.app can’t be opened because the identity of the developer cannot be confirmed."

Luckily I have 2 Macs here that have the quarantine problem, but we can't find a difference between these Macs and the others. Has anyone else run into this problem?

Recommended answer

I think you may be a bit confused about how quarantine, code signing, and Gatekeeper work. The error you're seeing is from Gatekeeper, and indicates two different (and independent) things: 1) the app is quarantined (which has to do with how it was downloaded, not how it's signed) and 2) it is not signed in a way that complies with the Gatekeeper policy defined in Security & Privacy preferences. Let me explain these two things in more detail.

  • Quarantine is a result of the app (or the disk image it was in) being downloaded. When you download a file with a browser, the browser will attach a com.apple.quarantine attribute to it, indicating that it came from an untrusted network source. Other types of internet apps (email, chat, etc) should also attach this attribute to downloaded files.

But not all network download methods will apply the quarantine attribute. For example, copying a file over a file sharing connection (e.g. AFP or SMB) with the Finder will not mark it as being in quarantine. Also, command-line tools like curl and wget won't apply quarantine.

In your case, when you download the .dmg file, it gets marked as quarantined; when you open it, the attribute gets propagated to its contents, so the app is also marked as being in quarantine (and if you copy it to /Applications, the quarantine attribute gets copied along with everything else).

To check whether a file is quarantined, use ls -l@ on it and look for the com.apple.quarantine attribute. It's entirely possible that the difference you're seeing between different computers has to do with how the disk image was downloaded and therefore whether the apps are quarantined.

When you open a quarantined app, Gatekeeper checks to see whether it complies with your computer's security policy subsystem. This is where code signing comes into it. You can view and change your policy in System Preferences -> Security & Privacy pane -> General tab -> "Allow apps downloaded from" or with the spctl command-line tool. The default policy is to allow quarantined apps that are from the Mac App Store (i.e. signed with Apple's app store keys) or from an identified developer (i.e. signed with a developer ID key issued by Apple to a registered developer).

When you try to open an app that's quarantined, and not signed in a way that complies with this policy, you get an error saying that "X.app cannot be opened because it is from an unidentified developer" or "... was not downloaded from the Mac App Store." If it's quarantined but does comply with the policy, you get a message that "X.app is an application downloaded from the internet. Are you sure you want to open it?" (with an Open button available). If it's not quarantined, the check is not performed, and the app opens directly.

You can get more information about the code signing and policy status of an application with spctl --assess -vv /path/to/X.app (which'll tell you whether it complies with the Gatekeeper policy) and codesign -dvv /path/to/X.app.

In summary, quarantine is normal and you should expect your users to experience it (and if you're not seeing it on one of your test computers, there's something wrong with how you're testing). Gatekeeper errors depend on both proper signing (check with codesign and spctl) and the Gatekeeper policy settings on the computer; check both to see what's going on.
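As an added example (not part of the original answer), the following shell script wraps the commands the answer names (the quarantine attribute check, spctl --assess -vv, codesign -dvv) and maps the result onto the three Gatekeeper behaviours described above. The live probes assume macOS; the gatekeeper_outcome decision table is plain shell and runs anywhere.

```shell
#!/bin/sh
# Diagnostic for the "works on some Macs, quarantined on others" symptom.
# Added example: combines the answer's two independent factors (quarantine
# attribute, Gatekeeper policy assessment) into one report.

# Pure decision table, mirroring the answer:
#   no quarantine            -> no Gatekeeper check, app opens directly
#   quarantined + accepted   -> "downloaded from the internet" dialog with Open button
#   quarantined + rejected   -> "unidentified developer" error
# $1 = "quarantined" | "clean", $2 = "accepted" | "rejected"
gatekeeper_outcome() {
  case "$1:$2" in
    clean:*)              echo "opens directly (no Gatekeeper check)" ;;
    quarantined:accepted) echo "warning dialog with Open button" ;;
    quarantined:rejected) echo "blocked: unidentified developer" ;;
    *)                    echo "unknown"; return 1 ;;
  esac
}

# Live probe: is the com.apple.quarantine extended attribute present?
# (Equivalent to looking for it in the output of `ls -l@`, as the answer says.)
quarantine_state() {
  if xattr -p com.apple.quarantine "$1" >/dev/null 2>&1; then
    echo quarantined
  else
    echo clean
  fi
}

# Live probe: spctl exits 0 when the bundle satisfies the current Gatekeeper policy.
assessment_state() {
  if spctl --assess -vv "$1" >/dev/null 2>&1; then
    echo accepted
  else
    echo rejected
  fi
}

diagnose() {
  q=$(quarantine_state "$1")
  a=$(assessment_state "$1")
  printf 'quarantine: %s\nspctl: %s\nexpected behaviour: %s\n' \
    "$q" "$a" "$(gatekeeper_outcome "$q" "$a")"
  # Signing identity, as the answer suggests checking with codesign -dvv
  codesign -dvv "$1" 2>&1 | grep -E '^(Identifier|TeamIdentifier|Authority)=' || true
}

if [ $# -eq 1 ]; then diagnose "$1"; fi
```

Run it as `sh gatekeeper_check.sh /Applications/X.app` on both a working and a failing Mac and compare the two reports line by line.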

