qmk_toolbox
qmk_toolbox copied to clipboard
macOS cannot check QMK Toolbox for malware, cannot open
On macOS Catalina and above, QMK Toolbox cannot open without this warning:
- macOS Version: 10.15.6
- QMK Toolbox Version: 0.0.20
Yes, I know that I could easily override it, but why not sign the application? You can get a free Apple Developer Program account to sign the application, as this is an open-source project.
Signing the app is something we keep kicking down the road. We will do it, but I can't give you a timeline on it.
In the meantime you can bypass this check without changing your global preferences by right clicking QMK Toolbox and clicking "Open". After that you will be able to open the app in the normal fashion.
Note on macos 10.15.7 I cannot open this even with the finder right click open workaround. I believe this is stock macos behavior now although there's some chance it's extra lockdown by my workplace's IT setup.
Note on macos 10.15.7 I cannot open this even with the finder right click open workaround. I believe this is stock macos behavior now although there's some chance it's extra lockdown by my workplace's IT setup.
It's not your setup. I can't open it either on my (private) Mac.
For the time being you can work around this by opening System Preferences, going to Security & Privacy, and under the General tab you should see QMK Toolbox listed. Click "Open Anyway" to allow QMK Toolbox to open now and in the future.
Interestingly enough only using this workaround did not work for me. What did work was doing the above and cleaning the quarantine attribute with sudo xattr -cr /Applications/QMK\ Toolbox.app
(https://ss64.com/osx/xattr.html).
I don't get that "Open Anyway" button in the security & privacy screen at all. shrug. but @kyusu that xattr
command line did work so now I can launch the toolbox. Thanks!
Running High Sierra and Big sur. The following works for me.
Double click the application. It says "no go" but offers to show me the application in the finder. It opens the Applications folder and highlights the application. I right click the application and choose open (yes, seems the same as just double clicking it) It now gives me 3 options, one of which is open anyway.
I do not need to go into the security and privacy settings. This is a personal laptop, but it has worked in reasonably locked down corporate laptops as well.
HTH
Just another request for signing the QMK Toolbox :) app. I love it and recommend it to my customers, but the fact that many of them have trouble installing it does cause me a lot of headaches :(. Thanks!
Interestingly enough only using this workaround did not work for me. What did work was doing the above and cleaning the quarantine attribute with
sudo xattr -cr /Applications/QMK\ Toolbox.app
(https://ss64.com/osx/xattr.html).
-cr
recursively removes all xattr
attributes. It's usually not a concern, but to be safe I'd recommend just specifying the attr causing the annoyance. xattr -d com.apple.quarantine /Applications/QMK\ Toolbox.app
Here’s yet another request to sign the app to address this. Considering that most people probably type passwords, account numbers, and other private info using keyboards flashed using QMK Toolbox, it seems important to provide the ability to confirm that one’s copy of the app hasn’t been infected with malware during or after download.
Users of other similarly-sized open source projects that didn’t sign their app have already been targeted by attacks that might have been mitigated if the app was signed.
I've started doing some preliminary work on having the app signed and notarized now through GitHub Actions, just a bunch of tedious work right now adding steps to the workflow, running it, and waiting for the result.
Great, thanks so much for your work on this!
I was able to get this to work on MacOS Ventura 13.1 earlier today. The series of steps was slightly different from what's discussed above (I had to click through a second dialog warning) but the app ultimately worked.
another approach is to "show in finder", right click, select open from the file options, and then you will be given the option to start the program.
Any chance this has been resolved in the beta or planned to? Now Nuphy shifted to VIA/QMK and more mainstream users like myself are figuring this out. It would be much appreciated if you can sign the app and provide a simpler / safer route for us to use this. Great work overall, new to the mechanical keyboard world.
Due to the deletion of the GitHub Action from the marketplace that we were using to sign Mac build with, we had to remove signing for now (https://github.com/qmk/qmk_toolbox/pull/420). Not sure yet when I'll get around to fixing the signing issue by finding new actions from the marketplace to work with.
Thanks nooges. Hopefully an alternative comes along soon. Appreciate your efforts. Cheers