Move Downloaded Mac Apps Before Initial Launch
Here’s something we didn’t previously know. On his Eclectic Light Company blog, Howard Oakley builds on old research from Jeff Johnson to explain Apple’s minimally documented App Translocation security mechanism. In short, Gatekeeper in macOS protects against malicious plug-ins within benign apps by opening those apps from randomized, read-only locations—the new location prevents the app from accessing code or content using relative paths. As a result, apps you download, unzip, and open immediately will be translocated to—and opened from—a randomized directory. Although that usually works fine, it very occasionally can cause apps to crash on that first launch. The workaround—and Oakley’s recommendation for all downloaded apps—is to use the Finder to move the app itself (not its enclosing folder) to a different location, such as one of the standard Applications folders (~/Applications). That’s apparently sufficient to prevent the need for App Translocation and avoid associated crashes.
Interesting. I’ve long been in the habit of copying apps to /Applications before launching them, because if I don’t, they’ll sit around in ~/Downloads or wherever, and I either won’t be able to find them again or will forget I have them. Putting everything in /Applications by habit keeps everything reasonably organized.
Same. Plus in days long past you never knew where the app was going to write some random config information relative to its install location and your downloads folder or desktop could get very cluttered very quickly.
You should clarify “is to move the app to a different location” to “is to move the app to a different location using the Finder”. It is the Finder that removes the quarantine flag and turns off translocation, so if you use a different tool (eg the Terminal), then it will not necessarily resolve the problem.
Who is “You”? Not clear who you are replying to. If it’s Howard, then you need to post your reply to his blog. I don’t see anybody in this discussion mentioning moving the app, but I will observe that they shouldn’t be “copying” apps to /Applications.
It’s my understanding that Gatekeeper is the process that removes the quarantine flags (technically modifies the quarantine attribute).
@ace, in his article at Move Downloaded Mac Apps Before Initial Launch - TidBITS, as referenced in the topic post…
My point remains, if you move the application with some other means (eg Hazel (maybe it does these days), Terminal, whatever), then the translocation will not necessarily be turned off.
Hence, the advice should be “move the app to a different location using the Finder”.
OK, I’ll let him respond to that since his article doesn’t accurately quote Howard’s blog where he makes it clear that Finder should be used to move such apps.
Yes, @peternlewis is right. I had those “using the Finder” words in a draft at one point, but the sentence read badly and I figured that calling out the 99% solution was overkill in an ExtraBIT that sends people to read the full details in another article. Apparently not—I’ll tweak.
I have a folder “/Applications/added stuff” where I put most of the apps that I download. (A few refuse to run from there, so they get put in /Applications, or deleted.)
I assume moving (using the Finder) apps to this folder is why I have not experienced (that I recall) an app crashing on first startup. Well, that, and I have so few downloaded apps.
This structure makes more sense to me, leaving /Applications to contain mostly stuff that Apple provided. Am I shooting myself in the foot in any way?
The distinction between “copying” and “moving” is trivial, and mostly pedantic. It’s shorthand for “dragging the icon to the new location”. If the download unzips into a .dmg, you genuinely are copying the file, as that is rightfully considered a separate volume by the Finder and so requires actually writing the file again.
And, if an app unzips itself into ~/Downloads, there is nothing fundamentally wrong with copying it (i.e., actually duplicating it) into /Applications rather than moving it. If it can’t be drag-copied, it should be using an actual installer instead of simply unzipping in the same location. (Yes, it’s a marginal waste of disk space, and a minor amount of excess writing to your SSD, shortening its life by maybe a few seconds. Unless you’re talking about a massive app package like Adobe Creative Cloud or MS Office, it’s not worth worrying about for most people.)
Thanks for this, Adam. I knew about the translocation issue because I ran into it when using Path Finder instead of Finder, but you’ve made me think about an Automator service I wrote to move items from the desktop to the Applications directory. I think it suffers the same problem – even though the app ends up in the right place, it seems to think it isn’t. Presumably a shell script to do the same job wouldn’t work properly either.
In a script you can remove the quarantine flag by using xattr.
Example: xattr -d -r com.apple.quarantine /Applications/some.app
To list flags: ls -l@ /Applications/some.app
Edit: But please see what @alvarnell writes below.
Aha! Thank you. I think I’ve managed to make that work.
Of course most disk images now helpfully open to show a shortcut to the Applications folder. But for those that don’t, or for apps downloaded as zip files, this saves me the effort of opening a Finder window ;-)
I hope you realize that doing so disables all security checks of the app by XProtect, MRT (apparently now XProtect Remediator), and gatekeeper for valid signatures & Notarization. There have been at least a couple of instances where well known mainstream app download sites were hacked and malware substituted for the most recent update, one was ransomware.
Thank you – no, I wouldn’t want to avoid security checks of that kind.
Thanks for the warning @alvarnell.
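Added example, not part of any post in this thread: a shell function for the scripted-install case discussed above that clears com.apple.quarantine only after the bundle passes a signature check and a Gatekeeper assessment, and rejects it otherwise. The function name install_app, its messages and its return codes are hypothetical; codesign, spctl and xattr are the stock macOS tools.

```shell
#!/bin/sh
# Added example (not from the thread). install_app is a hypothetical helper.
# It only covers signature validity and Gatekeeper policy; treating that as a
# sufficient bar before clearing quarantine is an assumption of this example.

install_app() {
    app=$1
    dest=${2:-/Applications}
    name=$(basename "$app")

    if [ ! -d "$app" ]; then
        echo "not an app bundle: $app" >&2; return 2
    fi
    if [ -e "$dest/$name" ]; then
        echo "already present: $dest/$name" >&2; return 2
    fi

    # 1. The code signature must be intact for the whole bundle.
    codesign --verify --deep --strict "$app" 2>/dev/null || {
        echo "REJECT $name: code signature invalid or missing" >&2; return 1; }

    # 2. Gatekeeper policy must accept the app for execution.
    spctl --assess --type execute "$app" 2>/dev/null || {
        echo "REJECT $name: Gatekeeper assessment failed" >&2; return 1; }

    # 3. Log the quarantine record (origin of the download) before removal.
    origin=$(xattr -p com.apple.quarantine "$app" 2>/dev/null || echo "none")
    echo "quarantine before install: $origin"

    # 4. Move the app itself, then clear the attribute as in the xattr post.
    mv "$app" "$dest/" || return 2
    xattr -d -r com.apple.quarantine "$dest/$name" 2>/dev/null || true
    echo "INSTALLED $dest/$name"
}

# Usage on macOS: install_app ~/Downloads/some.app /Applications
```

A rejected app is left where it was downloaded with its quarantine attribute untouched, so it still goes through the normal first-launch checks if opened by hand.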