Why My DMG is not getting opened without asking security popup

Question

I created a DMG .this has 640 and apache permissions. once i uploaded it to internet some extended attributes are getting added to it. Because of that when customer downloads it they are getting a pop up

"There may be a problem with this disk image. Are you sure you want to open it?

Opening this disk image may make your computer less secure or cause other problems."

I don't want quarantine attribute to be added to it.so what should i do to my dmg before uploading it to internet such that quarantine attribute will not be set.And also why this pop is not coming for other dmg's downloaded from net. I downloaded google chrome.dmg, for that quarantine attribute is not set.can any one help me out with better solution

Answer 1

Did you sign the entire DMG as well as the .app file? I believe this is a new requirement if you have additional files in the DMG besides the signed .app.

(Copied from my answer at Mac DMG oddity - signing and "damaged" applications)

In addition to signing the .app bundle:

codesign -f -s "Developer ID Application: Your Dev ID Here" -v "Your App.app"

you should also sign the created DMG as well:

codesign -f -s "Developer ID Application: Your Dev ID Here" -v YourProgram.dmg

I didn't put quotation marks around the dmg file path because it's less likely that you have spaces in the dmg name. If you do, don't forget to escape them on the command line, or wrap your file path in quotes.

Answer 2

I don't think this is related to the extended attributes or quarantine at all. That error message indicates that the filesystem in the disk image is corrupt, probably because the image was damaged during uploading/downloading (see this previous SU question). Can you checksum the image before and after uploading & downloading it to see if it's been changed somewhere along the path? Also, using Disk Utility to verify the volume would be useful.

As far as quarantine is concerned: the quarantine attribute is added when the image (or any other file) is downloaded; there is nothing you can do to prevent this. If there were a way to avoid this, the bad guys would be using it on their malware to evade the quarantine security checks -- and Apple would consider this a bug, and fix it. Your customer can remove the quarantine after downloading the image, but this should not be necessary. (Although you may want to sign some/all of the files inside the image to comply with gatekeeper's restrictions.)

Answer 3

I don't want quarantine attribute to be added to it.so what should i do to my dmg before uploading it to internet such that quarantine attribute will not be set.

Distribute it through the App Store or sign it with your Apple developer account.

And also why this pop is not coming for other dmg's downloaded from net.

The other DMGs are probably distributed through the App Store or signed it with an Apple developer account.

---

Here's the settings of interest:

The best you can do is distribute through the App Store (in Apple's opinion).

I settle on the App Store and Identified Developers. There's no difference between the two in my opinion - in both cases, I rely upon Apple to check the developer and binary. Where it comes from (App Store vs Internet) does not matter to me.

However, I trust some developers more than Apple's assertion. For example, I have more trust for the Wireshark folks than anything Apple has to say about an unknown developer. I would install Wireshark even if it was not signed (xattr -r -d "com.apple.quarantine" <app> to the rescue).