Bug 7371 - macOS 10.15+ complains that tlclient isn't checked for malware
Summary: macOS 10.15+ complains that tlclient isn't checked for malware
Status: CLOSED FIXED
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Client platforms
Version: trunk
Hardware: PC Unknown
Importance: P2 Normal
Target Milestone: 4.11.0
Assignee: Samuel Mannehed
URL:
Keywords: aleta_tester, prosaic
Depends on:
Blocks: 7439
Reported: 2019-08-23 09:42 CEST by Pierre Ossman
Modified: 2019-11-25 14:16 CET

Description Pierre Ossman cendio 2019-08-23 09:42:49 CEST
Apple has decided to increase the requirements on what needs to be done with applications to avoid nasty warnings for users. Signing is no longer sufficient, the application also needs to be "notarized" (put through some automated checks by Apple).

Information here:

https://developer.apple.com/developer-id/
https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution?language=objc
https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution/customizing_the_notarization_workflow?language=objc

Their instructions are very Xcode-centric, so not particularly helpful for automation, and even less helpful trying to get this done on a non-macOS machine. There are some command line tools that might be possible to integrate into our current signing workflow though. We'll have to test.

Somewhat more concerning is that they have a list of requirements that must be met for the application to be notarized. I am not sure which of these we might fail to fulfil. One that is definitely a problem is "Link against the macOS 10.9 or later SDK."

They mention that the rules can be relaxed, but are vague as to when that can happen.
Comment 2 Pierre Ossman cendio 2019-10-16 13:09:08 CEST
10.15 is now out so we can start looking into this.
Comment 3 Pierre Ossman cendio 2019-10-18 10:11:12 CEST
TigerVNC's entry for this:

https://github.com/TigerVNC/tigervnc/issues/881
Comment 4 Samuel Mannehed cendio 2019-11-15 13:43:35 CET
Just like with earlier versions, macOS 10.15 only applies these checks to programs downloaded from the browser.

Given a ThinLinc client signed today you get the following message when trying to open it:

> "ThinLinc client" can't be opened because Apple cannot check it for malicious software.
>
> This software needs to be updated. Contact the developer for more information.
>
> Safari downloaded this file today at 1:16 PM from cendio.com
>
> [Show in Finder]  [OK]

It does not give you the option to run the file.

You can work around this by right clicking ThinLinc client from Finder and choosing "Open". After doing this you no longer receive the warning.
Comment 7 Samuel Mannehed cendio 2019-11-21 15:57:33 CET
Fixed now.

Tester should verify that you always get the option to start a signed macOS client that has been downloaded from a browser.
Comment 8 Samuel Mannehed cendio 2019-11-21 16:48:44 CET
Instructions for signing a client package can be found here:

https://intranet.lkpg.cendio.se/ThinLinc/WorkFlow/Release#Beta_Release
Comment 9 Alex Tanskanen cendio 2019-11-25 10:33:46 CET
When using the script copy-sign-bundle, it returns an error saying "Failed notarization with status: ". However, there is no exit status and the script just continues anyway despite an error. Furthermore, the error seems to be a false alarm since the macOS host reports notarization success.
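The failure mode reported above (an empty status printed, and the script carrying on regardless) is what a fail-closed status check in a signing pipeline should prevent. The following is an added illustration, not cendio's copy-sign-bundle script: it parses the "Status:" line that `xcrun altool --notarization-info <uuid>` prints and returns non-zero for anything other than success, so a release script running under `set -e` stops before stapling or uploading. The altool output samples are constructed here, the exact output layout is an assumption from the notarization workflow documentation linked in the description, and the real command only runs on macOS with Apple developer credentials.

```shell
#!/bin/sh
# Added example, not cendio's copy-sign-bundle script. Fail-closed check of the
# "Status:" line from `xcrun altool --notarization-info <uuid>` so that a
# release script stops on a notarization failure instead of continuing.
# On macOS the real output would come from something like (credential
# handling is an assumption, adapt it to your keychain setup):
#   xcrun altool --notarization-info "$UUID" -u "$APPLE_ID" -p "@keychain:AC_PASSWORD"

# Extract the value of the first "Status:" line. "Status Code:" and
# "Status Message:" do not match because the colon must follow "Status" directly.
notarization_status() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Status:[[:space:]]*//p' | head -n 1
}

# Return codes: 0 success, 1 rejected/other, 2 no Status line, 3 still pending.
# Only 0 lets a caller under `set -e` proceed to stapling and upload.
check_notarization_status() {
    status=$(notarization_status "$1")
    if [ -z "$status" ]; then
        echo "Failed notarization: no Status line in altool output" >&2
        return 2
    fi
    case "$status" in
        success)
            echo "Notarization succeeded"
            return 0
            ;;
        "in progress")
            echo "Notarization not finished yet, poll again later" >&2
            return 3
            ;;
        *)
            echo "Failed notarization with status: $status" >&2
            return 1
            ;;
    esac
}

# Constructed sample outputs (not real altool transcripts).
SAMPLE_OK='No errors getting notarization info.

          Date: 2019-11-25 09:30:00 +0000
    LogFileURL: https://example.invalid/notarization-log.json
   RequestUUID: 00000000-1111-2222-3333-444444444444
        Status: success
   Status Code: 0
Status Message: Package Approved'

SAMPLE_PENDING='   RequestUUID: 00000000-1111-2222-3333-444444444444
        Status: in progress'

SAMPLE_INVALID='   RequestUUID: 00000000-1111-2222-3333-444444444444
        Status: invalid
   Status Code: 2
Status Message: Package Invalid'

# Output with the Status line missing entirely: left unchecked this is what
# produces an empty "Failed notarization with status: " message.
SAMPLE_TRUNCATED='No errors getting notarization info.'

# Usage in a release script (BUNDLE is an assumed variable holding the app path):
#   set -e
#   info=$(xcrun altool --notarization-info "$UUID" -u "$APPLE_ID" -p "@keychain:AC_PASSWORD")
#   check_notarization_status "$info"
#   xcrun stapler staple "$BUNDLE"
```

With `set -e` in effect, the non-zero return from check_notarization_status aborts the script at that point, so an empty or unexpected status can no longer be logged and then ignored.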
Comment 10 Samuel Mannehed cendio 2019-11-25 10:39:35 CET
Part of my commits had been missed in a merge somewhere. Should be fixed now.
Comment 11 Alex Tanskanen cendio 2019-11-25 14:16:55 CET
I downloaded a client from a browser and was able to start the client without any message saying it cannot be opened. The signed macOS client works just fine now.