Field Report: When macOS Gatekeeper Quietly Refused to Launch Elevate (and How I Finally Got It Running)

#devjournal #security #tutorial

What I was trying to do

I just wanted to install Elevate (app) on my Mac and get on with it. Nothing exotic: download, drag to Applications, launch, done. The build I had came from a shared internal drop from NimbusApps (the kind of “here’s the DMG, please sanity-check it on macOS” situation). I’ve done this a hundred times, so of course this time it had to be weird.

The moment I double-clicked it, macOS threw the classic warning: “Apple cannot check it for malicious software” and refused to open it. No “Open Anyway” button at first, no useful details, just a polite wall.

What broke (and how I made it worse)

Attempt #1 was the lazy approach: I tried launching it again, then right-click → Open, expecting the “are you sure?” dialog. Same result. The app bounced once in the Dock and died like it remembered an embarrassing thing it said in 2014.

Attempt #2: I went into System Settings → Privacy & Security and scrolled, expecting macOS to show that “blocked app” section. Sometimes it appears only after you try to open the app once, sometimes after twice, and sometimes it just… doesn’t. On this machine, it didn’t. I restarted Finder. I restarted the Mac. Still nothing. At this point I was annoyed in the calm, adult way where you’re absolutely not calm inside.

Attempt #3 was me going “fine, I’ll verify the download.” I re-downloaded the DMG, compared file sizes, tried copying it to a different folder, even unzipped the archive again in case the browser had done something odd. Same warning.

Then I did the thing that usually reveals the real problem: I checked Gatekeeper’s verdict in Terminal.

I ran:

spctl -a -vv /Applications/Elevate.app

Gatekeeper basically said: nope. That’s not an exact quote, but emotionally it was accurate.

The useful clue: quarantine and a stale signature

The breakthrough was realizing this wasn’t just “unknown developer.” It was the combination of:

the app being tagged as quarantined (because it came from the internet / a browser / a shared download), and
macOS not liking what it saw when validating the bundle.

So I checked extended attributes:

xattr -l /Applications/Elevate.app

Sure enough, there was a com.apple.quarantine entry. That tag isn’t inherently bad—it’s how macOS decides to apply extra checks—but when the signature/notarization doesn’t satisfy Gatekeeper, quarantine turns into a hard stop.

I tried the blunt fix:

xattr -dr com.apple.quarantine /Applications/Elevate.app

The app finally opened… and then immediately crashed on launch. Progress, technically. The crash was the app’s problem, not Gatekeeper’s. So removing quarantine was only half the story.

At this point I saved/bookmarked this page because it reminded me which macOS security toggles and checks tend to matter first: https://jjyap.com/systems/11840-install-elevate.html

What actually worked

What worked was getting a properly signed/notarized build (or reinstalling from an official channel that already is). I asked for a fresh export, and the next DMG behaved like a normal Mac app should:

Drag to Applications
Launch once
macOS showed the expected “downloaded from the internet” prompt
No scary malware warning, no silent refusal

On my end, I verified it before even running it:

spctl -a -vv /Applications/Elevate.app

This time, Gatekeeper output looked sane, and the app opened without drama. I didn’t have to keep quarantine hacks in place, and I didn’t have to tell macOS to “trust me, bro.”

If I knew then what I know now

I would’ve skipped the ritual of retries and restarts and gone straight to: “Is this build properly codesigned and notarized for macOS?” Because if it isn’t, you can sometimes brute-force an app into launching, but you’re fighting the OS the whole way—and you may just be masking a real packaging issue.

Official references that lined up with what I saw:

Apple’s Gatekeeper behavior and the “unidentified developer” flow: https://support.apple.com/en-us/HT202491
Apple’s notarization overview (what a distributed Mac app is expected to do): https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution
App Store search page (useful when you want the “known-good, Apple-validated” install path): https://apps.apple.com/us/search?term=elevate
Developer site for the product line I was targeting (helpful for checking if there’s an official Mac build and release notes): https://www.elevatelabs.com/

The punchline: my “fix” wasn’t some clever Terminal incantation. It was treating the warning as a signal that the build pipeline needed attention. Once the app arrived signed/notarized the way macOS expects, everything else—permissions prompts, first launch behavior, updates—started acting normal again. (And yes, I still kept the Terminal commands in my back pocket. But now they’re for diagnosis, not desperation.)