MacOS – Gatekeeper preventing from opening files from Finder (launching apps is fine)

gatekeeper macos permission

Here's what's happening (in Sierra, 10.12.5)

  • try to launch a non-application file which ISN'T a bundle (e.g. pdf, png — numbers bundles will be fine) — by double-clicking, or using open in the Terminal
  • A dialog is presented: "FILENAME" is damaged and can't be opened. You should move it to the Trash.

What I've tried:

  • safe mode
  • running as a separate user

What I've discovered:

  • It's definitely related to gatekeeper: Turning gatekeeper off with sudo spctl --master-disable makes these images launchable.
  • Something is wrong with spctl, the underlying command-line utility which manages security policies. See below.

Problem with spctl:

If you run a basic command like spctl --assess -vvv --raw /bin/ls it replies with "One or more parameters passed to a function were not valid." (I tried this as it is a diagnostic step in an old but closely related fix.)

However running this same command with gatekeeper off gives the correct result.
I've also tried to restore the SystemPolicy db from the original by:

  • sudo spctl --master-disable
    turning gatekeeper off
  • sudo cp -p /var/db/.SystemPolicy-default /var/db/SystemPolicy
    copying the system policy
  • sudo chmod u+w /var/db/SystemPolicy
    fix perms
  • restart the computer
  • sudo spctl --master-enable
    turning gatekeeper back on

But this hasn't helped (in fact I don't think the SystemPolicy db has reverted back to the defaults — it seems to grow massively in size, or possibly just revert back to the previous db, when I turn gatekeeper back on).

Any thoughts?

Best Answer

Just experienced a similar issue on a 10.13 system after having migrated it from a 10.12 system -- turns out /var/db/gkopaque.bundle wasn't valid, so I copied that from a good 10.13 system (by making a tarball as root on the good system, extracting it as root on the destination system), restarting (the system or killing syspolicyd), and that fixed the issue.
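
A triage sketch for the symptom described in this thread, added here as an example and not taken from the question or the answer. It runs the same `spctl --assess` probe, looks for the error text quoted above, and reports whether the three Gatekeeper data paths named on this page exist and are non-empty. The function names, the `--run` switch and the optional root prefix are assumptions made for illustration; `present` means only "exists and is not empty", not "valid".

```shell
#!/bin/sh
# Added triage sketch; paths and error text are the ones quoted on this page.
GK_ERROR='One or more parameters passed to a function were not valid'

# Classify text captured from: spctl --assess -vvv --raw /bin/ls
# Anything that is not the known error is only reported as "a result came back".
classify_assess() {
  case "$1" in
    *"$GK_ERROR"*) echo "policy-engine-error" ;;
    "")            echo "no-output" ;;
    *)             echo "assessment-returned" ;;
  esac
}

# Report each Gatekeeper data path under an optional root prefix
# (prefix is an assumption, e.g. a mounted backup of the affected volume).
# Returns non-zero if any path is missing or empty.
check_gk_files() {
  root="${1:-}"; bad=0
  for p in /var/db/SystemPolicy /var/db/.SystemPolicy-default /var/db/gkopaque.bundle; do
    full="$root$p"
    if [ ! -e "$full" ]; then state="missing"; bad=1
    elif [ -d "$full" ] && [ -z "$(ls -A "$full" 2>/dev/null)" ]; then state="empty-dir"; bad=1
    elif [ -f "$full" ] && [ ! -s "$full" ]; then state="empty-file"; bad=1
    else state="present"
    fi
    printf '%s %s\n' "$state" "$p"
  done
  return "$bad"
}

# Live checks; only meaningful on macOS, where spctl exists.
triage() {
  command -v spctl >/dev/null 2>&1 || { echo "spctl not found (not macOS?)"; return 2; }
  spctl --status
  out="$(spctl --assess -vvv --raw /bin/ls 2>&1)"
  verdict="$(classify_assess "$out")"
  echo "assess /bin/ls: $verdict"
  check_gk_files "" || echo "one or more Gatekeeper data paths are missing or empty"
  [ "$verdict" = "assessment-returned" ]
}

# Run the live checks only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then triage; fi
```

Run it with `--run` on the affected Mac; a `policy-engine-error` verdict together with a bad `/var/db/gkopaque.bundle` entry matches the situation the answer describes.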