When upgrading to Mac OS Catalina the following error appears as a pop up when using aws-vault
“aws-vault-darwin-amd64” can’t be opened because Apple cannot check it for malicious software.
This software needs to be updated. Contact the developer for more information.
➜ ~ uname -a
Darwin MacBook-Pro.local 19.0.0 Darwin Kernel Version 19.0.0: Wed Sep 25 20:18:50 PDT 2019; root:xnu-6153.11.26~2/RELEASE_X86_64 x86_64
➜ ~ sw_vers
ProductName: Mac OS X
ProductVersion: 10.15
BuildVersion: 19A583
Don't know if it's related, but when compiling from source the following warning appears:
# github.com/keybase/go-keychain
cgo-gcc-prolog:203:11: warning: 'SecTrustedApplicationCreateFromPath' is deprecated: first deprecated in macOS 10.15 - No longer supported [-Wdeprecated-declarations]
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk/System/Library/Frameworks/Security.framework/Headers/SecTrustedApplication.h:59:10: note: 'SecTrustedApplicationCreateFromPath' has been explicitly marked deprecated here
Apparently the application needs to be "notorised" https://developer.apple.com/news/?id=06032019i
Catalina requires all apps that are signed with developer IDs to be 'notarized' by Apple.
You can get round this by removing the quarantine Extended Attribute on the file:
xattr -d com.apple.quarantine /path/to/aws-vault-darwin-amd64
It's working for me with this command:
xattr -d com.apple.quarantine /usr/local/Caskroom/aws-vault/4.6.4/aws-vault-darwin-amd64
NOTE: This bypasses Apple's security precautions which exist to stop maliciously altered software from running.
Used @Tibi02 solution to get it working. Fingers crossed the repo doesn't go rogue.
I've installed aws-vault on a fresh installed mac os catalina and it works.
You only have to open it once via the finder:
Even simpler, @JoostSaanen. Good catch.
Having said that, it's probably best if the application can be signed somehow. Tbh I don't know what would be involved to make it happen, but doing so would add to the user friendliness and security of the tool.
Hey folks, I'm looking to get the binaries notorized
Well, it turns out notorizing a command line app is quite involved
And it means the binary will need to be packaged in a .dmg, .pkg or .app as individual binaries can't be stapled, which seems like a huge limitation for CLI tools
Brew Cask are considering disabling quarantining which would conveniently side-step the issue when using brew.
I've created a pre-release to test out the notorized dmg.
Please test this out with the instructions at https://github.com/99designs/aws-vault/pull/435#issuecomment-546596246 and give me your feedback. We need to test Catalina and also previous macOS releases, so all feedback welcome
Hmm appears I've jumped the gun as gatekeeper prompts are still appearing with the binary in the dmg... I'll have to have another look
The report of gatekeeper being activated with the dmg is here https://github.com/99designs/aws-vault/pull/435#issuecomment-546857856
I can reproduce this only when trying to launch the binary by double-clicking in the GUI. When running via the command line I don't get the Gatekeeper prompt. Can anyone else confirm this behaviour? The GUI behaviour I don't think is a problem... aws-vault won't be getting run via the GUI.
While gatekeeper still rejects the binary when executing from the GUI or via spctl
$ spctl --assess --type execute --context context:primary-signature -v --ignore-cache --no-cache ~/Desktop/aws-vault
/Users/michael/Desktop/aws-vault: rejected (the code is valid but does not seem to be an app)
it seem to execute fine on the command line, which is where it will be used
I had a go at adding the Info.plist to the binary to try to make gatekeeper happy with a standalone executable, but I didn't have much luck
Most helpful comment
Hey folks, I'm looking to get the binaries notorized