Why My DMG is not getting opened without asking security popup

Question

I created a DMG .this has 640 and apache permissions. once i uploaded it to internet some extended attributes are getting added to it. Because of that when customer downloads it they are getting a pop up

"There may be a problem with this disk image. Are you sure you want to open it?

Opening this disk image may make your computer less secure or cause other problems."

I don't want quarantine attribute to be added to it.so what should i do to my dmg before uploading it to internet such that quarantine attribute will not be set.And also why this pop is not coming for other dmg's downloaded from net. I downloaded google chrome.dmg, for that quarantine attribute is not set.can any one help me out with better solution

Which certificate(s) specifically did you use to sign your pkg? Also, no extended attributes should be added to your dmg if you create it as read-only. — l'L'l, Jun 12 '14 at 06:44
I used Developer ID Installer:my company cert.this is confidential so i am not sharing. how to create dmg as readonly — MacDeveloper, Jun 12 '14 at 07:18

score 1 · Accepted Answer · edited May 23 '17 at 10:29

1

Did you sign the entire DMG as well as the .app file? I believe this is a new requirement if you have additional files in the DMG besides the signed .app.

(Copied from my answer at Mac DMG oddity - signing and "damaged" applications)

In addition to signing the .app bundle:

codesign -f -s "Developer ID Application: Your Dev ID Here" -v "Your App.app"

you should also sign the created DMG as well:

codesign -f -s "Developer ID Application: Your Dev ID Here" -v YourProgram.dmg

I didn't put quotation marks around the dmg file path because it's less likely that you have spaces in the dmg name. If you do, don't forget to escape them on the command line, or wrap your file path in quotes.

edited May 23 '17 at 10:29

Community

1
1

answered Jul 21 '14 at 23:38

Kelly

1,096
12
22

actually my problem here is my app is code signed in MAC and dmg creation is done in Centos using hfsutils commands.Later i copied this app in to centos portal, and here along with app remaining two files are also copied in to dmg(which was created previously in centos). When MAC customer downloads it from centos portal i am getting this damage issue. What i found is it is not possible to codesign dmg in centos.And i have no option to copy all files to dmg from my mac itself before uploading to centos portal.As the files to be copied are common for various operating system. – MacDeveloper Jul 23 '14 at 09:10

jww · Answer 2 · 2014-06-12T04:48:09.127

0

I don't want quarantine attribute to be added to it.so what should i do to my dmg before uploading it to internet such that quarantine attribute will not be set.

Distribute it through the App Store or sign it with your Apple developer account.

And also why this pop is not coming for other dmg's downloaded from net.

The other DMGs are probably distributed through the App Store or signed it with an Apple developer account.

Here's the settings of interest:

enter image description here

The best you can do is distribute through the App Store (in Apple's opinion).

I settle on the App Store and Identified Developers. There's no difference between the two in my opinion - in both cases, I rely upon Apple to check the developer and binary. Where it comes from (App Store vs Internet) does not matter to me.

However, I trust some developers more than Apple's assertion. For example, I have more trust for the Wireshark folks than anything Apple has to say about an unknown developer. I would install Wireshark even if it was not signed (xattr -r -d "com.apple.quarantine" <app> to the rescue).

edited Jun 12 '14 at 04:48

answered Jun 12 '14 at 04:40

jww

97,681
90
411
885

I signed it with apple developer id. But still the problem is arising – MacDeveloper Jun 12 '14 at 04:45
I did signing while building my package with pkgbuild command with Developer Id Installer:my certificate. when i checked it using pkgutil it showed that it got signed.My dmg contains this package antd two more supporting files in it. @jvvvv – MacDeveloper Jun 12 '14 at 04:49
@syammala - what settings are your customers using who are experiencing the problems? Are they set to "Mac App Store"? Or "Mac App Store and Identified Developers"? – jww Jun 12 '14 at 04:49
Actually right now i am doing testing from my side.I have set "Mac App Store and Identified Developers". – MacDeveloper Jun 12 '14 at 04:52
xattr -r -d "com.apple.quarantine" .yeah using this we can remove that attribute. but when it goes to end customer he cant do all these. even it doesn't look fair to ask him to run this command. I want this not be set at all from my developing side – MacDeveloper Jun 12 '14 at 05:20
Moreover this pop is not at all related to signing.As in settings i kept Allow applications download from anywhere.Still this pop up appears.it is something related ti disk image download. when i made this dmg manually it opens without any pop up. but once i upload it to internet and download this message appears and some extended attributes are getting added to my dmg. – MacDeveloper Jun 12 '14 at 06:47

score 0 · Answer 3 · edited Mar 20 '17 at 10:18

0

I don't think this is related to the extended attributes or quarantine at all. That error message indicates that the filesystem in the disk image is corrupt, probably because the image was damaged during uploading/downloading (see this previous SU question). Can you checksum the image before and after uploading & downloading it to see if it's been changed somewhere along the path? Also, using Disk Utility to verify the volume would be useful.

As far as quarantine is concerned: the quarantine attribute is added when the image (or any other file) is downloaded; there is nothing you can do to prevent this. If there were a way to avoid this, the bad guys would be using it on their malware to evade the quarantine security checks -- and Apple would consider this a bug, and fix it. Your customer can remove the quarantine after downloading the image, but this should not be necessary. (Although you may want to sign some/all of the files inside the image to comply with gatekeeper's restrictions.)

edited Mar 20 '17 at 10:18

Community

1
1

answered Jun 13 '14 at 00:32

Gordon Davisson

118,432
16
123
151

Can u help me to do this.Like what to do to checksum the image before and after downloading.i manually copied the damaged dmg to new one using disk utility. It worked fine . but only problem is occuring when i upload and download it. I Tried running fsck too, but i lost my files. I think there is some proper method to do,which i am missing – MacDeveloper Jun 13 '14 at 05:51
VERIFYING VOLUME “EXAMPLE” Verifying file system. Checking HFS volume. Checking extents overflow file. Checking catalog file. Reserved fields in the catalog record have incorrect data Reserved fields in the catalog record have incorrect data Reserved fields in the catalog record have incorrect data Checking catalog hierarchy. Checking volume bitmap. Checking volume information. The volume EXAMPLE was found corrupt and needs to be repaired. File system check exit code is 8. ERROR: THIS DISK NEEDS TO BE REPAIRED. CLICK REPAIR DISK. – MacDeveloper Jun 24 '14 at 04:59
I got the above message when i verified my dmg with disk utility. Need some ones help to resolve this issue. Its like how to build my dmg for mac in non-mac platform and mount it without any damage. – MacDeveloper Jun 24 '14 at 05:03

Why My DMG is not getting opened without asking security popup

3 Answers3