Forum Bugs

macOS Catalina: "prince" cannot be opened because the developer cannot be verified.

mattt
When attempting to open the `prince` executable on macOS Catalina, the operation fails with the following system alert by Gatekeeper:

> # "prince" cannot be opened because the developer cannot be verified.
> macOS cannot verify that this app is free from malware.

In order to run the command line utility, you need to open the Security and Privacy preference pane in System Preferences, select the General tab, and click "Allow Anyway".

Alternatively, you can run the following commands from Terminal to first remove any quarantine attribute applied by Safari when downloading `prince`, and then manually add a SecAssessment system policy label to the executable:

```
$ xattr -d -r com.apple.quarantine /usr/local/bin/prince
$ spctl --add --label "Approved" /usr/local/bin/prince
```

Doing this will change the system alert to a system prompt to confirm running the executable.

To avoid these workarounds, the developers of Prince should provide a new release that's notarized with Apple. For more information, see: https://developer.apple.com/news/?id=09032019a
mikeday
Thanks, we will take a look at this.
mjmj
I ran into this also. I believe it would deter a large percentage of Mac users. Until it's fixed I would suggest linking from the documentation to this thread, or copying the workaround instructions into the installation instructions.
natevw
If installed via Homebrew, you may need the following variation in order to approve the actual binary rather than the symlink itself:

```
xattr -d -r com.apple.quarantine "$(readlink /usr/local/bin/prince)"
spctl --add --label "Approved" "$(readlink /usr/local/bin/prince)"
```

Based on feedback from a team member that used this, it may still require approval via Apple's GUI one more time after this. I do not use Catalina to test this myself.

This may be something to get integrated into the `brew cask install prince` formula (https://github.com/Homebrew/homebrew-cask/blob/master/Casks/prince.rb) but I'm not sure if this is how the Homebrew maintainers would prefer to handle Catalina Gatekeeper stuff. [UPDATE2: I asked the Homebrew Cask maintainers this directly at https://github.com/Homebrew/homebrew-cask/issues/75897]

The path of least resistance would be to have the Prince developers submit to Apple's censorship process, as I doubt the latter would have any reason to block this particular utility.


Edited by natevw

natevw
Posting, again, with the caveat that I do not have Catalina handy to test this myself.

A homebrew-cask maintainer has replied to my question with a much simpler tip: apparently the workaround for this would be to use

brew cask install --no-quarantine prince


for the installation. Apparently it is Homebrew itself going out of its way by default to add the quarantine xattr for a bit of extra caution.

IIUC the quarantine part is only half the battle though, and the system policy for approving an unsigned app could still be a problem. So hopefully someone else can chime in with further tips for getting prince running under Catalina if they are needed.

Edited by natevw