Generating Un-Quarantined Webarchives
Is your application generating a webarchive, but you find that you can’t open it in Safari without getting the dreaded “can’t be opened because it is from an unidentified developer” message?
The problem occurs because your application is sandboxed. OS X is setting the quarantine bit when it writes the file out. It seems to do this with just about any file written by your application. But it’s particularly troublesome when it writes out any type of executable script, or a webarchive in this case.
You can check for yourself whether the quarantine bit is set. Open the Terminal and type:
xattr /path/to/My.webarchive
You will see com.apple.quarantine listed if the file is quarantined.
To fix this, you need to add an additional entitlement to your app: com.apple.security.files.user-selected.executable. As mentioned in the Apple documentation, this entitlement is not available in Xcode as a checkbox; you will need to add it manually.
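What the manually edited entitlements property list can look like, as an added example that is not from the original post or from Apple's documentation. It assumes the app is already sandboxed and saves the webarchive to a location the user picks in a save panel, hence the user-selected.read-write key; only the last key is the one this post is about.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <!-- App Sandbox is enabled; files written by the app are quarantined by default -->
    <key>com.apple.security.app-sandbox</key>
    <true/>

    <!-- Assumption for this example: the webarchive is saved to a
         user-selected location, so the app has read-write access there -->
    <key>com.apple.security.files.user-selected.read-write</key>
    <true/>

    <!-- Added by hand (no Xcode checkbox): lets the app write
         non-quarantined executables, including webarchives -->
    <key>com.apple.security.files.user-selected.executable</key>
    <true/>
</dict>
</plist>
```

After rebuilding and signing, `codesign -d --entitlements - /path/to/My.app` prints the entitlements actually embedded in the app, and running xattr on a newly saved webarchive should no longer list com.apple.quarantine. Because files written under this entitlement skip the quarantine check that Gatekeeper relies on, add it only to apps that genuinely need to produce such files.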
From Apple’s Enabling App Sandbox:
Note: If your app needs to create executable files that are typically executed in some way other than through Launch Services (shell scripts, for example), you should also specify the com.apple.security.files.user-selected.executable entitlement.
By default, when writing executable files in sandboxed apps, the files are quarantined. Gatekeeper prevents quarantined executable files and other similar files (shell scripts, web archives, and so on) from opening or executing unless the user explicitly launches them from Finder.
If those executables are tools that are intended to run from the command line, such as shell scripts, this presents a problem. With this flag, the file quarantine system allows the app to write non-quarantined executables so that Gatekeeper does not prevent them from executing. This entitlement does not have an Xcode checkbox, and thus must be added to your app’s entitlement property list manually. For details, see App Sandbox Entitlement Keys.