also notice this is specifically referencing "Signed Applications"

On Mon, 14 Nov 2016 19:36:28 +0100, Timothy Penner wrote:
> Sorry Chip, I don’t know, I was paraphrasing the docs:
> https://developer.apple.com/library/content/technotes/tn2206/_index.html#//apple_ref/doc/uid/DTS40007919-CH1-TNTAG17
>
> "This also applies to apps installed via ZIP or other archive formats
> or apps downloaded to the Downloads directory: ask the user to drag
> the app to /Applications and launch it from there."
>
> Full quote:
> ----------
> Shipping your Signed Code
> The preferred way to ship a signed app is via the Mac App Store. The
> Mac App Store provides a secure channel for app delivery and
> installation that requires minimal action on the part of the user.
>
> For distribution outside of the Mac App Store, the preferred options
> are to use a signed disk image (DMG) or signed installer package.
> Signing these allows validation of the contents and their source. ZIP
> archives may also be used, but this is discouraged.
>
> If using a disk image to ship an app, users should drag the app from
> the image to its desired installation location (usually
> /Applications) before launching it. This also applies to apps
> installed via ZIP or other archive formats or apps downloaded to the
> Downloads directory: ask the user to drag the app to /Applications
> and launch it from there.
>
> This practice avoids an attack where a validly signed app launched
> from a disk image, ZIP archive, or ISO (CD/DVD) image can load
> malicious code or content from untrusted locations on the same image
> or archive. Starting with macOS Sierra, running a newly-downloaded
> app from a disk image, archive, or the Downloads directory will cause
> Gatekeeper to isolate that app at an unspecified read-only location in
> the filesystem. This will prevent the app from accessing code or
> content using relative paths.
>
> Do not ship apps using ISO images. There is no provision for signing these.
>
> Important: Starting with macOS Sierra, only XIP archives signed by
> Apple will be expanded. Developers who have been using XIP archives
> will need to move to using signed installer packages or disk images.
> ----------
>
> ^Notice above it specifically mentions moving the application to the
> /Applications directory....
>
> -Tim
> **********************************************************************
> 4D Internet Users Group (4D iNUG)
> FAQ: http://lists.4d.com/faqnug.html
> Archive: http://lists.4d.com/archives.html
> Options: http://lists.4d.com/mailman/options/4d_tech
> Unsub: mailto:4d_tech-unsubscr...@lists.4d.com
> **********************************************************************