Apple will not allow QGIS on macOS to open / unverified developer

[wnrand]

What is the bug or the crash?

I have been going around on this for several weeks now, trying various previous suggestions to get MacOS X to allow me to open QGIS. I have talked to our IT department and Apple and both keep referring me back to QGIS to solve this issue.

Control-click to select "Open" does not work (even for the first time opening with a fresh install.) Clicking "Open anyway" does not work. Rebooting into safe mode does not fix the issue. I believe I tried the hint to use a terminal script and that did not work either. Is there any other option to get QGIS to launch on Mac?

Steps to reproduce the issue

Navigate to QGIS application
Control-click to bring up context menu, select "Open"
Error message pops up that says "“QGIS” cannot be opened because the developer cannot be verified."
Navigate to System preferences, open "Security & Privacy"
Click "Open Anyway" button on "General" tab
Back to error message

Versions

QGIS 3.34.1-Prizren

Supported QGIS version

• I'm running a supported QGIS version according to the roadmap.

New profile

• I tried with a new QGIS profile

Additional context

I fully deleted all QGIS supporting files before doing a fresh installation with no change in behavior

[agiudiceandrea]

@wnrand, could you please specify if you have followed the instruction displayed on the Download page?

After installing QGIS, the first launch attempt may fail due to security protections. To enable QGIS, control-click on its icon in your Applications folder and select Open in the context menu. A confirmation dialog will display where you need to click the Open button again. This only has to be done once.

Does the issue occur trying to install QGIS or trying to launch QGIS after installation?

Please also specify what is the exact version of your OS and how did you download the QGIS installer.

[pathmapper]

Here are some infos from Apple: https://support.apple.com/HT202491#openanyway

[github-actions]

The QGIS project highly values your report and would love to see it addressed. However, this issue has been left in feedback mode for the last 14 days and is being automatically marked as "stale".
If you would like to continue with this issue, please provide any missing information or answer any open questions. If you could resolve the issue yourself meanwhile, please leave a note for future readers with the same problem and close the issue.
In case you should have any uncertainty, please leave a comment and we will be happy to help you proceed with this issue.
If there is no further activity on this issue, it will be closed in a week.

[github-actions]

While we hate to see this happen, this issue has been automatically closed because it has not had any activity in the last 42 days despite being marked as feedback. If this issue should be reconsidered, please follow the guidelines in the previous comment and reopen this issue.
Or, if you have any further questions, there are also further support channels that can help you.

[jackvaughanjr]

@wnrand, could you please specify if you have followed the instruction displayed on the Download page?

I have tried the instructions using both the LTS and most recent versions.
Additionally, I've opened Privacy & Security and clicked Open Anyway there. Same result.

Does the issue occur trying to install QGIS or trying to launch QGIS after installation?

This occurs when trying to launch QGIS after installation.

Please also specify what is the exact version of your OS and how did you download the QGIS installer.

Currently running Sonoma 14.1.2 and I downloaded directly from the site.

[agiudiceandrea]

@jackvaughanjr, thanks. It would be very useful if you indicated in detail all the steps followed and what went wrong and the exact error messages, in respect to the available instruction available on qgis.org, in order to try to fix the issue and then provide better instructions.

[github-actions]

The QGIS project highly values your report and would love to see it addressed. However, this issue has been left in feedback mode for the last 14 days and is being automatically marked as "stale".
If you would like to continue with this issue, please provide any missing information or answer any open questions. If you could resolve the issue yourself meanwhile, please leave a note for future readers with the same problem and close the issue.
In case you should have any uncertainty, please leave a comment and we will be happy to help you proceed with this issue.
If there is no further activity on this issue, it will be closed in a week.

[wnrand]

@wnrand, could you please specify if you have followed the instruction displayed on the Download page?

After installing QGIS, the first launch attempt may fail due to security protections. To enable QGIS, control-click on its icon in your Applications folder and select Open in the context menu. A confirmation dialog will display where you need to click the Open button again. This only has to be done once.

Does the issue occur trying to install QGIS or trying to launch QGIS after installation?

Please also specify what is the exact version of your OS and how did you download the QGIS installer.

I gave up trying to get the new QGIS to work and went back to using the old version that Mac OS would allow to launch.

I tried all those options. I deleted the old install a few times, reinstalled the newest version fresh and then -- first thing -- try and open QGIS with the control-click and select "Open". It never worked.

I am now on a new workstation and trying to get any QGIS to work and am still getting the same error when first trying to launch QGIS. No option is given to continue. System preferences/Security/General does not allow it to continue launching either

[wnrand]

Here are some infos from Apple: https://support.apple.com/HT202491#openanyway

Thank you. I have tried following that but it does not behave as the article says it should. I click "Open anyway" and it relaunches QGIS and leads back to the error message that QGIS cannot be opened. I can keep looping that way with no success at launching QGIS.

[wnrand]

I had given up on trying to solve this issue and decided to just use the old version of QGIS that I had been able to install previously. But my workstation died last week and I'm now trying to get any version of QGIS to launch on the new workstation I have been given. I tried a fresh install and first action was to use the control-click to get the contextual menu and then choose "Open". But Mac OS does not give me the option to continue and the system preferences in the Security tab only trys to relaunch QGIS when I click "Open Anyway". I have found no way around this. Are there any other ideas for a way to get Mac OS to allow QGIS to launch?

[chris-prener]

I ran into this problem today - I work on a macOS machine that is managed by my employer. Our profiles are set to only allow installations from identified developers. I end up in the same loop that @wnrand does - there is no way to open QGIS when this security requirement is being enforced at the enterprise level. Our IT folks told me that my two options are to get the QGIS team to participate in the Apple identified developer program or use ArcGIS. Would love to hear if this is something that could be added to your roadmap!

[github-actions]

The QGIS project highly values your report and would love to see it addressed. However, this issue has been left in feedback mode for the last 14 days and is being automatically marked as "stale".
If you would like to continue with this issue, please provide any missing information or answer any open questions. If you could resolve the issue yourself meanwhile, please leave a note for future readers with the same problem and close the issue.
In case you should have any uncertainty, please leave a comment and we will be happy to help you proceed with this issue.
If there is no further activity on this issue, it will be closed in a week.

[DoZiBo1]

I ran into this problem today - I work on a macOS machine that is managed by my employer. Our profiles are set to only allow installations from identified developers. I end up in the same loop that @wnrand does - there is no way to open QGIS when this security requirement is being enforced at the enterprise level. Our IT folks told me that my two options are to get the QGIS team to participate in the Apple identified developer program or use ArcGIS. Would love to hear if this is something that could be added to your roadmap!

I have the exact same problem. The suggested fixes from QGIS website simply do not work.

[agiudiceandrea]

@DoZiBo1, are you using a macOS machine that is managed by your employer?

[DoZiBo1]

@agiudiceandrea Yes. Support department says it needs to be signed. No way for me to circumvent it.
QGIS support page here even claims to provide "signed installers" for macOS, which does not seem to be true. I can find no further reference which version is signed.

[agiudiceandrea]

@DoZiBo1, AFAIK the macOS dmg installer is signed by the "Developer ID Application: Open Source Geospatial Foundation (4F7N4UDA22)" identity, while the macOS dmg installer is not "notarized".

See the log at https://download.qgis.org/downloads/macos/qgis-macos-ltr.latest.log

config for QGIS 3.34.5
config loaded OK
�[34;01mPrint identities�[39;49;00m
  1) BE0D9DD7BAD99E1AFE8E616E3D02336B382A205F "Developer ID Application: Open Source Geospatial Foundation (4F7N4UDA22)"
     1 valid identities found
�[34;01mSigning the QGIS-LTR.app�[39;49;00m
/Users/admin/qgis/builds/ltr/bundle/QGIS-LTR.app: signed app bundle with Mach-O thin (x86_64) [org.qgis.qgis3]
�[34;01mCreate dmg image�[39;49;00m
�[34;01mAdd license to dmg�[39;49;00m
Adding EULA
Created license /var/folders/kg/m1ksgth50bs7krlsy56c8kd00000gq/T/dmglicense.tmp.XXXXXXXXXX.7N0kIo64
Successfully added the EULA license to /Users/admin/qgis/builds/ltr/build/..//qgis_ltr_final-3_34_5_20240322_163526.dmg
�[34;01mSigning the dmg�[39;49;00m
/Users/admin/qgis/builds/ltr/build/..//qgis_ltr_final-3_34_5_20240322_163526.dmg: signed  []
�[34;01mCreate checksum�[39;49;00m
�[34;01mDmg created with size 1.6G /Users/admin/qgis/builds/ltr/build/..//qgis_ltr_final-3_34_5_20240322_163526.dmg�[39;49;00m
All done (qgis-mac-packager.bash)
SUCCESS

[DoZiBo1]

@agiudiceandrea I don't know what this means. Can you translate this into a conclusion? Does it mean, it's signed but in the wrong way/improperly, or it is not signed in all the necessary places? Or is it signed and the problem lies elsewhere?

[agiudiceandrea]

@DoZiBo1, probably your support department would mean to say that the installer needs to be "notarized". AFAIK the QGIS dmg installer is only signed, not "notarized". I think the sys admins can actually allow to install the QGIS dmg signed installer on you system, but their policy is probably to only allow "notarized" installers.
If the package management system "MacPorts" is allowed on your system, then you can install QGIS via MacPorts: see https://qgis.org/en/site/forusers/alldownloads.html#macports.

[DoZiBo1]

@agiudiceandrea Thank you for clarification. If I see this correctly, there is already open issues regarding notarization of QGIS: issue 218 which refers to issue 270 where the necessary work is supposed to be included.

[github-actions]

The QGIS project highly values your report and would love to see it addressed. However, this issue has been left in feedback mode for the last 14 days and is being automatically marked as "stale".
If you would like to continue with this issue, please provide any missing information or answer any open questions. If you could resolve the issue yourself meanwhile, please leave a note for future readers with the same problem and close the issue.
In case you should have any uncertainty, please leave a comment and we will be happy to help you proceed with this issue.
If there is no further activity on this issue, it will be closed in a week.

[DanGunnStudio]

Same issue. Extremely frustrating.

[greg-vernon]

It is not really reasonable to be asking users to install packages that go around the security measures that are built into MacOS. At best it's sloppy, at worst a system could be potentially compromised. There is also the case of failing a security audit if you're in a company that requires auditing.

I worked at a CA for a number of years, and I've also got some experience with dealing with Apple dev stuff and packaging. If I can help out somehow with getting this fixed, I'd be happy to help.

[BiosPlus]

Same issue here, I have users who would like to install the application though the signing and notarisation issues are a blocker in terms of application security.

[tatjabecker]

I am not sure if it is the correct thing to do, but what helped me solve this issue was changing my security & privacy settings. In Accessibility I added QGIS to the list of apps that are allowed to control my computer. Then in the Security & Privacy settings, where it states that QGIS is blocked you can click "Open anyway". Voila it opened! Maybe the first step was not necessary, because I wasn't paying attention if the "Open anyway" option was available, nevertheless it is worth to try these two steps if you haven't already.

[greg-vernon]

I am not sure if it is the correct thing to do, but what helped me solve this issue was changing my security & privacy settings. In Accessibility I added QGIS to the list of apps that are allowed to control my computer. Then in the Security & Privacy settings, where it states that QGIS is blocked you can click "Open anyway". Voila it opened! Maybe the first step was not necessary, because I wasn't paying attention if the "Open anyway" option was available, nevertheless it is worth to try these two steps if you haven't already.

You can definitely make things work this way. However, from a security standpoint, it's not really the right way to be doing things.

[aileenclarke]

I'm having the same issue on an employer controlled Mac. Does anyone know what the newest version of QGIS is that doesn't cause this problem? I'm stuck on 3.16 for now.

[kentr]

Possibly related to #55930.

I agree with others that it's unreasonable to require users to bypass the OS security features. I won't even do this on my own computer in most cases.

[miceg]

If the package management system "MacPorts" is allowed on your system, then you can install QGIS via MacPorts:

From that page:

Concurrent installation of Homebrew and MacPorts is not compatible and will almost certainly lead to conflicts. If you choose to install one of the package systems you need to uninstall the other.

For Homebrew users, this is obviously a non-starter. 😉

There is an important difference between their respective QGIS packages:

• MacPorts builds everything from source.

  This effectively side-steps signing and notarisation requirements by signing binaries with a local certificate on your machine as part of the build process.

• Homebrew's QGIS Cask simply grabs the qgis.org macOS build – so has all the same issues (unnotarised and Intel-only).

  It would be possible for Homebrew to build packages from source like MacPorts does (with a Formula), it just doesn't here.

I don't think that building everything from source is the right answer, because installing and updating is slooowwwwwww.

FWIW while the Conda-based packages look promising, they're also unsigned and unnotarised at the moment.

I haven't tried going down the "normal" Conda path to see if those are actually signed or notarised – it looks extremely heavy weight.

[Newkid76]

Hey everyone, I had the same issue as I was trying to install the latest version in my company's mac and this fixed it:

1. Go to settings
2. Privacy & Security
3. Scroll down until Security
4. You will see the blocked section called "Allow applications downloaded from": "App Store" and "App Store and identified developers" - you will not be able to do anything here
5. But below, you will see a message about QGIS that you'll need to approve (by adding your password)

[BiosPlus]

@Newkid76, Your company Mac administrator doesn't seem to push a strict gatekeeper policy. On devices where we push a gatekeeper policy there is no work around aside from xattr.

[justinbb]

@greg-vernon QGIS on Mac has had some problems for a few years now. You may have noticed that complaints fall into two broad categories, lack of notarization (as here) and out-of-date components / missing Apple Silicon binaries. The two categories are unfortunately intertwined.

There was an attempt made to produce a compilant Mac QGIS bundle a few years ago: the result was QGIS-Mac-Packager. The project was too broad in its aims, then fell far short of them. It is in two parts:

• a custom dependency manager which cannot be updated (the root cause for the numerous bug reports about out-of-date components, lack of Apple Silicon binaries, etc.)
• a bundler + installer-maker. The bundle thus produced is signed but it is not eligible for notarization.
  QGIS-Mac-Packager is still used to produce the downloadable Mac installers on the QGIS site.

On dependency management / creation of a working executable:
QGIS-Mac-Packager's dependency manager part, obsolete and unmaintainable, has to be replaced.
More recently, @m-kuhn made an alternative conda-based Mac installer which is functional but does not seem to have been found fully satisfactory.
The QGIS installation guide has recommended MacPorts for some time now, which is a good basis for Mac QGIS users with the permission and ability to manage MacPorts – only a part of the user community.
There has been a proposal to move to Microsoft vcpkg for Windows builds, a cross-platform solution which would likely give good results on Mac as well.
Any of these methods are (either theoretically or in reality) capable of getting together the code and resources to make an up-to-date, working QGIS with Apple Silicon binaries. But they still don't solve the notarization problem.

On organizing and notarizing the bundle:
Organizing the bundle so it can be notarized is a non-trivial problem, as notarization requires strict separation of code and data. The QGIS-Mac-Packager's bundling part might be able to serve as the basis for a better Mac bundle (I haven't dared look). There is further discussion (including links to documentation, history, etc.) at qgis/QGIS-Mac-Packager#160.

[greg-vernon]

@justinbb, @miceg seems to have described the problem fairly well. For those of us who are fairly techy, and have the time to mess around with macports, that could be the answer. Though, TBH, it's going to be a lot less work to set up a separate system to run Linux in order to comply with whatever security requirements employers require.

For those are not technically inclined, and those who have worry about security compliance, the mac is probably not going to be a QGIS platform that they can use. None of the options supports an installation method that actually does any auditing of the packages, which is what Apple means to be doing with the notarization process.

What might be useful is to have a look at what the PostgresApp project is doing.

[kentr]

I had success using QGIS inside a VM running Lubuntu with Virtualbox 6.

Virtualbox is notorized.

Edit: Point being that this might make company tech managers happy.

[greg-vernon]

@kentr That works for the more techie folks out there. Still there are serious shortcomings. You still have the overhead of maintaining the Virtualbox software, and you've got users now having to manage whatever Linux that's running there. More importantly though, your video RAM is fairly limited with Virtualbox. It's probably just easier to have a dedicated Linux system, and use it remotely via VNC or the equivalent.

There are a lot of workarounds that work for the more technically inclined among us. However, this isn't a good situation for the less technical users, and while there are some of us Geographers out there who are quite technical, there are many who are not.

@justinbb macports isn't a great solution, as it tends to take over the machine. Years ago, I was doing some mac configuration work, and I decided to get rid of macports entirely, as it doesn't play well with others. For example, if you're using macports, it wants to own /usr/local, and that's a major problem.
Homebrew would be a better solution, except, as noted, it's using the bundle from qgis.org. Still, if homebrew was used to build QGIS it could work well. It might be the best interim solution until a notarized package can be built. Though, there could be some issues with python and certificates.

I would say fixing the install for the mac in general is probably way more important at this point than building Apple Silicon binaries. Of course, that's just my opinion. :)

[m-kuhn]

Thanks all for your comments.

At the current point in time, I recommend using conda (command line) to install QGIS for anyone more "techy" out there.

At the same time, I am still positive that I will find some time at some point to look into the nasty details of rpath, python, dmg packaging (and finally hopefully notarization) using a vcpkg build.

[greg-vernon]

@m-kuhn conda looks to be a much better solution than macports. Thanks for all your work on the conda packaging!

NOTE: Don't install conda on a system you already have homebrew running on, or it will cause problems with homebrew. I've ended up completely breaking my brew install.

DMG packaging and the notarization with that shouldn't be too bad after you have an install properly set up.

[justinbb]

macports isn't a great solution, as it tends to take over the machine. Years ago, I was doing some mac configuration work, and I decided to get rid of macports entirely, as it doesn't play well with others. For example, if you're using macports, it wants to own /usr/local, and that's a major problem. Homebrew would be a better solution, except, as noted, it's using the bundle from qgis.org. Still, if homebrew was used to build QGIS it could work well. It might be the best interim solution until a notarized package can be built. Though, there could be some issues with python and certificates.

I would say fixing the install for the mac in general is probably way more important at this point than building Apple Silicon binaries. Of course, that's just my opinion. :)

@greg-vernon I defer to @m-kuhn on the way forward for QGIS Mac builds. To reply briefly to other items: I should have made a distinction between ways of putting together a Mac build inside the QGIS project for distribution, and ways for end-users to get a Mac build these days, while waiting for the build problem to be solved. In the case of the QGIS project, homebrew was apparently used to assemble dependencies in the days before the dreaded Packager, and m-kuhn worked on conda initially with the intention (if I understand correctly) of using it as a basis for a distribution; in the end, he is surely right that vcpkg is a better tool than any of the preceding for the purpose. (If nothing else, it would give the QGIS project control over its own integration-and-build process.)

For end-users, different people have different experiences with homebrew, MacPorts, and conda, and this colors their perception. Homebrew, as you mention, is not an option unless someone completes a "formula" for QGIS. Both MacPorts and conda have their issues; whether an issue is disqualifying or not is often a matter of personal preference. (E.g. I don't find that MacPorts takes over my machine, and have used it in parallel with homebrew – but with limited usage of both. I find that conda is great in some ways and annoying in others. Etc.) And, as you also mentioned, neither of them is a good solution for less technical users.

Fixing the install for Mac is indeed way more important at this point than building Apple Silicon binaries, as QGIS compiles and builds fine on Apple Silicon (and has done so for a long time) – it's simply not an issue. The lack of an "official" Apple Silicon installer is instead a side-effect of the problem of fixing the (bundling and) install for Mac, alongside the other terrible side-effect of official Mac builds having out-of-date GDAL, PROJ, and other dependencies.

[greg-vernon]

@justinbb @m-kuhn's idea using vcpkg looks promising. It looks like it handles libraries in a sane way, so then it should also work much better for the dependencies.

[greg-vernon]

@justinbb @m-kuhn, I was digging around in PostgresApp, and found a reference to create-dmg. Perhaps it's useful?

[m-kuhn]

create-dmg is also used in qfield, it's useful to create a dmg from a .app indeed.