24732790894

Committed 21 Apr 2026 04:01PM UTC coverage: 70.599% (+0.009%) from 70.59%

Build # 24732790894

Build Type

push

github

Committed by

web-flow

Commit Message

#451: mac gatekeeper quarantine removal (#1794)

Co-authored-by: Jörg Hohwiller <hohwille@users.noreply.github.com>

Coverage Stats

4325 of 6766 branches covered (63.92%)

Branch coverage included in aggregate %.

11197 of 15220 relevant lines covered (73.57%)

3.1 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

76.92

cli/src/main/java/com/devonfw/tools/ide/os/MacOsHelper.java

package com.devonfw.tools.ide.os;

import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Iterator;
import java.util.Set;
import java.util.stream.Stream;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import com.devonfw.tools.ide.context.IdeContext;
import com.devonfw.tools.ide.io.FileAccess;
import com.devonfw.tools.ide.process.ProcessErrorHandling;
import com.devonfw.tools.ide.process.ProcessMode;
import com.devonfw.tools.ide.process.ProcessResult;
import com.devonfw.tools.ide.tool.ToolCommandlet;
import com.devonfw.tools.ide.tool.repository.ToolRepository;

/**
 * Internal helper class for MacOS workarounds.
 */
public final class MacOsHelper {

  private static final Logger LOG = LoggerFactory.getLogger(MacOsHelper.class);

  private static final Set<String> INVALID_LINK_FOLDERS = Set.of(IdeContext.FOLDER_CONTENTS,
      IdeContext.FOLDER_RESOURCES, IdeContext.FOLDER_BIN);

  private final IdeContext context;

  private final FileAccess fileAccess;

  private final SystemInfo systemInfo;

  /**
   * The constructor.
   *
   * @param context the {@link IdeContext} instance.
   */
  public MacOsHelper(IdeContext context) {

    super();
    this.context = context;
    this.fileAccess = context.getFileAccess();
    this.systemInfo = context.getSystemInfo();
  }

  /**
   * The constructor.
   *
   * @param fileAccess the {@link FileAccess} instance.
   * @param systemInfo the {@link SystemInfo} instance.
   */
  public MacOsHelper(FileAccess fileAccess, SystemInfo systemInfo) {

    super();
    this.context = null;
    this.fileAccess = fileAccess;
    this.systemInfo = systemInfo;
  }

  /**
   * Fixes macOS Gatekeeper blocking for downloaded tools. On macOS 15.1+ (Apple Silicon), just removing {@code com.apple.quarantine} is not enough since
   * unsigned apps still get the "is damaged" error. So we clear all xattrs first, then ad-hoc codesign any {@code .app} bundles. Call this after writing
   * {@code .ide.software.version} since codesigning seals the bundle.
   *
   * @param path the {@link Path} to the installation directory.
   */
  public void removeQuarantineAttribute(Path path) {

    if (!this.systemInfo.isMac()) {
      return;
    }
    if (this.context == null) {
      LOG.debug("Cannot fix Gatekeeper for {} - no context available", path);
      return;
    }
    // clear all extended attributes (quarantine, resource forks, etc.)
    LOG.debug("Clearing extended attributes from {}", path);
    try {
      this.context.newProcess().executable("xattr").addArgs("-cr", path).run(ProcessMode.DEFAULT_SILENT);
    } catch (Exception e) {
      LOG.warn("Could not clear extended attributes from {}: {}", path, e.getMessage(), e);
    }
    // ad-hoc codesign .app bundles only if they are not already properly signed (e.g. Eclipse is notarized - we must not replace that)
    Path appDir = findAppDir(path);
    if (appDir != null) {
      try {
        ProcessResult verifyResult = this.context.newProcess().executable("codesign")
            .errorHandling(ProcessErrorHandling.NONE)
            .addArgs("-v", appDir).run(ProcessMode.DEFAULT_SILENT);
        if (!verifyResult.isSuccessful()) {
          LOG.debug("Ad-hoc codesigning {}", appDir);
          ProcessResult signResult = this.context.newProcess().executable("codesign")
              .errorHandling(ProcessErrorHandling.LOG_WARNING)
              .addArgs("--force", "--deep", "--sign", "-", appDir).run(ProcessMode.DEFAULT_SILENT);
          if (!signResult.isSuccessful()) {
            LOG.warn("Could not codesign {} - app may be blocked by Gatekeeper", appDir);
          }
        }
      } catch (Exception e) {
        LOG.warn("Codesign not available for {}: {}", appDir, e.getMessage(), e);
      }
    }
  }

  /**
   * @param rootDir the {@link Path} to the root directory.
   * @return the path to the app directory.
   */
  public Path findAppDir(Path rootDir) {
    return this.fileAccess.findFirst(rootDir,
        p -> p.getFileName().toString().endsWith(".app") && Files.isDirectory(p), false);
  }

  /**
   * @param rootDir the {@link Path} to the root directory.
   * @param tool the name of the tool to find the link directory for.
   * @return the {@link com.devonfw.tools.ide.tool.ToolInstallation#linkDir() link directory}.
   */
  public Path findLinkDir(Path rootDir, String tool) {

    if (!this.systemInfo.isMac() || Files.isDirectory(rootDir.resolve(IdeContext.FOLDER_BIN))) {
      return rootDir;
    }
    Path contentsDir = rootDir.resolve(IdeContext.FOLDER_CONTENTS);
    if (Files.isDirectory(contentsDir)) {
      return findLinkDir(contentsDir, rootDir, tool);
    }
    Path appDir = findAppDir(rootDir);
    if (appDir != null) {
      contentsDir = appDir.resolve(IdeContext.FOLDER_CONTENTS);
      if (Files.isDirectory(contentsDir)) {
        return findLinkDir(contentsDir, rootDir, tool);
      }
    }
    return rootDir;
  }

  /**
   * Finds the root tool path of a tool in MacOS
   *
   * @param commandlet the {@link ToolCommandlet}
   * @param context the {@link IdeContext}
   * @return a {@link String}
   */
  public Path findRootToolPath(ToolCommandlet commandlet, IdeContext context) {
    return context.getSoftwareRepositoryPath().resolve(ToolRepository.ID_DEFAULT).resolve(commandlet.getName())
        .resolve(commandlet.getInstalledEdition())
        .resolve(commandlet.getInstalledVersion().toString());
  }

  private Path findLinkDir(Path contentsDir, Path rootDir, String tool) {

    LOG.debug("Found MacOS app in {}", contentsDir);
    Path resourcesAppBin = contentsDir.resolve(IdeContext.FOLDER_RESOURCES).resolve(IdeContext.FOLDER_APP)
        .resolve(IdeContext.FOLDER_BIN);
    if (Files.isDirectory(resourcesAppBin)) {
      return resourcesAppBin.getParent();
    }
    Path linkDir = findContentSubfolder(contentsDir, tool);
    if (linkDir != null) {
      return linkDir;
    }
    return rootDir;
  }

  private Path findContentSubfolder(Path dir, String tool) {

    try (Stream<Path> childStream = Files.list(dir)) {
      Iterator<Path> iterator = childStream.iterator();
      while (iterator.hasNext()) {
        Path child = iterator.next();
        String filename = child.getFileName().toString();
        if (INVALID_LINK_FOLDERS.contains(filename) || filename.startsWith("_")) {
          continue;
        } else if (Files.isDirectory(child.resolve(IdeContext.FOLDER_BIN)) || Files.exists(child.resolve(tool))) {
          return child;
        }
      }
    } catch (IOException e) {
      throw new IllegalStateException("Failed to search for file in " + dir, e);
    }
    return null;
  }

}

1	package com.devonfw.tools.ide.os;
2
3	import java.io.IOException;
4	import java.nio.file.Files;
5	import java.nio.file.Path;
6	import java.util.Iterator;
7	import java.util.Set;
8	import java.util.stream.Stream;
9
10	import org.slf4j.Logger;
11	import org.slf4j.LoggerFactory;
12
13	import com.devonfw.tools.ide.context.IdeContext;
14	import com.devonfw.tools.ide.io.FileAccess;
15	import com.devonfw.tools.ide.process.ProcessErrorHandling;
16	import com.devonfw.tools.ide.process.ProcessMode;
17	import com.devonfw.tools.ide.process.ProcessResult;
18	import com.devonfw.tools.ide.tool.ToolCommandlet;
19	import com.devonfw.tools.ide.tool.repository.ToolRepository;
20
21	/**
22	* Internal helper class for MacOS workarounds.
23	*/
24	public final class MacOsHelper {
25
26	private static final Logger LOG = LoggerFactory.getLogger(MacOsHelper.class);	3✔
27
28	private static final Set<String> INVALID_LINK_FOLDERS = Set.of(IdeContext.FOLDER_CONTENTS,	6✔
29	IdeContext.FOLDER_RESOURCES, IdeContext.FOLDER_BIN);
30
31	private final IdeContext context;
32
33	private final FileAccess fileAccess;
34
35	private final SystemInfo systemInfo;
36
37	/**
38	* The constructor.
39	*
40	* @param context the {@link IdeContext} instance.
41	*/
42	public MacOsHelper(IdeContext context) {
43
44	super();	2✔
45	this.context = context;	3✔
46	this.fileAccess = context.getFileAccess();	4✔
47	this.systemInfo = context.getSystemInfo();	4✔
48	}	1✔
49
50	/**
51	* The constructor.
52	*
53	* @param fileAccess the {@link FileAccess} instance.
54	* @param systemInfo the {@link SystemInfo} instance.
55	*/
56	public MacOsHelper(FileAccess fileAccess, SystemInfo systemInfo) {
57
58	super();	2✔
59	this.context = null;	3✔
60	this.fileAccess = fileAccess;	3✔
61	this.systemInfo = systemInfo;	3✔
62	}	1✔
63
64	/**
65	* Fixes macOS Gatekeeper blocking for downloaded tools. On macOS 15.1+ (Apple Silicon), just removing {@code com.apple.quarantine} is not enough since
66	* unsigned apps still get the "is damaged" error. So we clear all xattrs first, then ad-hoc codesign any {@code .app} bundles. Call this after writing
67	* {@code .ide.software.version} since codesigning seals the bundle.
68	*
69	* @param path the {@link Path} to the installation directory.
70	*/
71	public void removeQuarantineAttribute(Path path) {
72
73	if (!this.systemInfo.isMac()) {	4✔
74	return;	1✔
75	}
76	if (this.context == null) {	3!
77	LOG.debug("Cannot fix Gatekeeper for {} - no context available", path);	×
78	return;	×
79	}
80	// clear all extended attributes (quarantine, resource forks, etc.)
81	LOG.debug("Clearing extended attributes from {}", path);	4✔
82	try {
83	this.context.newProcess().executable("xattr").addArgs("-cr", path).run(ProcessMode.DEFAULT_SILENT);	×
84	} catch (Exception e) {	1✔
85	LOG.warn("Could not clear extended attributes from {}: {}", path, e.getMessage(), e);	18✔
86	}	×
87	// ad-hoc codesign .app bundles only if they are not already properly signed (e.g. Eclipse is notarized - we must not replace that)
88	Path appDir = findAppDir(path);	4✔
89	if (appDir != null) {	2✔
90	try {
91	ProcessResult verifyResult = this.context.newProcess().executable("codesign")	6✔
92	.errorHandling(ProcessErrorHandling.NONE)	11✔
93	.addArgs("-v", appDir).run(ProcessMode.DEFAULT_SILENT);	×
94	if (!verifyResult.isSuccessful()) {	×
95	LOG.debug("Ad-hoc codesigning {}", appDir);	×
96	ProcessResult signResult = this.context.newProcess().executable("codesign")	×
97	.errorHandling(ProcessErrorHandling.LOG_WARNING)	×
98	.addArgs("--force", "--deep", "--sign", "-", appDir).run(ProcessMode.DEFAULT_SILENT);	×
99	if (!signResult.isSuccessful()) {	×
100	LOG.warn("Could not codesign {} - app may be blocked by Gatekeeper", appDir);	×
101	}
102	}
103	} catch (Exception e) {	1✔
104	LOG.warn("Codesign not available for {}: {}", appDir, e.getMessage(), e);	18✔
105	}	×
106	}
107	}	1✔
108
109	/**
110	* @param rootDir the {@link Path} to the root directory.
111	* @return the path to the app directory.
112	*/
113	public Path findAppDir(Path rootDir) {
114	return this.fileAccess.findFirst(rootDir,	7✔
115	p -> p.getFileName().toString().endsWith(".app") && Files.isDirectory(p), false);	15!
116	}
117
118	/**
119	* @param rootDir the {@link Path} to the root directory.
120	* @param tool the name of the tool to find the link directory for.
121	* @return the {@link com.devonfw.tools.ide.tool.ToolInstallation#linkDir() link directory}.
122	*/
123	public Path findLinkDir(Path rootDir, String tool) {
124
125	if (!this.systemInfo.isMac() \|\| Files.isDirectory(rootDir.resolve(IdeContext.FOLDER_BIN))) {	11✔
126	return rootDir;	2✔
127	}
128	Path contentsDir = rootDir.resolve(IdeContext.FOLDER_CONTENTS);	4✔
129	if (Files.isDirectory(contentsDir)) {	5✔
130	return findLinkDir(contentsDir, rootDir, tool);	6✔
131	}
132	Path appDir = findAppDir(rootDir);	4✔
133	if (appDir != null) {	2✔
134	contentsDir = appDir.resolve(IdeContext.FOLDER_CONTENTS);	4✔
135	if (Files.isDirectory(contentsDir)) {	5!
136	return findLinkDir(contentsDir, rootDir, tool);	6✔
137	}
138	}
139	return rootDir;	2✔
140	}
141
142	/**
143	* Finds the root tool path of a tool in MacOS
144	*
145	* @param commandlet the {@link ToolCommandlet}
146	* @param context the {@link IdeContext}
147	* @return a {@link String}
148	*/
149	public Path findRootToolPath(ToolCommandlet commandlet, IdeContext context) {
150	return context.getSoftwareRepositoryPath().resolve(ToolRepository.ID_DEFAULT).resolve(commandlet.getName())	9✔
151	.resolve(commandlet.getInstalledEdition())	3✔
152	.resolve(commandlet.getInstalledVersion().toString());	3✔
153	}
154
155	private Path findLinkDir(Path contentsDir, Path rootDir, String tool) {
156
157	LOG.debug("Found MacOS app in {}", contentsDir);	4✔
158	Path resourcesAppBin = contentsDir.resolve(IdeContext.FOLDER_RESOURCES).resolve(IdeContext.FOLDER_APP)	6✔
159	.resolve(IdeContext.FOLDER_BIN);	2✔
160	if (Files.isDirectory(resourcesAppBin)) {	5✔
161	return resourcesAppBin.getParent();	3✔
162	}
163	Path linkDir = findContentSubfolder(contentsDir, tool);	5✔
164	if (linkDir != null) {	2!
165	return linkDir;	2✔
166	}
167	return rootDir;	×
168	}
169
170	private Path findContentSubfolder(Path dir, String tool) {
171
172	try (Stream<Path> childStream = Files.list(dir)) {	3✔
173	Iterator<Path> iterator = childStream.iterator();	3✔
174	while (iterator.hasNext()) {	3!
175	Path child = iterator.next();	4✔
176	String filename = child.getFileName().toString();	4✔
177	if (INVALID_LINK_FOLDERS.contains(filename) \|\| filename.startsWith("_")) {	8✔
178	continue;	1✔
179	} else if (Files.isDirectory(child.resolve(IdeContext.FOLDER_BIN)) \|\| Files.exists(child.resolve(tool))) {	14✔
180	return child;	4✔
181	}
182	}	1✔
183	} catch (IOException e) {	4!
184	throw new IllegalStateException("Failed to search for file in " + dir, e);	×
185	}	×
186	return null;	×
187	}
188
189	}

devonfw / IDEasy / 24732790894

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous