MacOS precompiled tarballs need to be signed to run with Gatekeeper enabled, or Hugo won't run. #13448

Open
akirch24 opened this issue Feb 25, 2025 · 7 comments

@akirch24

In recent versions of MacOS, Apple has implemented a tool called Gatekeeper. It is now on by default. More info:
Apple MacOS Gatekeeper
With Gatekeeper enabled, unsigned software will not run. To resolve this, Hugo will need to add signing/packaging to their build process for MacOS artifacts.

Steps to reproduce:

  1. go to Hugo downloads page: https://github.com/gohugoio/hugo/releases/tag/v0.144.2
  2. In Settings>Security Settings, confirm towards the bottom that Security>Allow Applications From: is App Store and Known Developers
  3. download Hugo for macOS
  4. untar hugo
  5. invoke Hugo with ./Hugo using any arguments or none at all
  6. MacOS Gatekeeper prevents Hugo from launching, displaying the following dialog:
    [Image: the Gatekeeper dialog]

Steps to fix:

  1. get a developer ID and use Xcode to sign the application
  2. produce a dmg or pkg file. The tool to use here is usually pkgbuild, which has a manpage on MacOS.
  3. distribute the dmg or pkg file.

What version of Hugo are you using (hugo version)?

% ./hugo version
zsh: killed     ./Hugo version
% ls
LICENSE					README.md				hugo					hugo_0.144.2_darwin-universal.tar

Does this issue reproduce with the latest release?

As far as I can tell this is the latest release.

@bep bep removed the NeedsTriage label Feb 25, 2025
@bep bep added this to the v0.145.0 milestone Feb 25, 2025
@bep
Member

bep commented Feb 25, 2025

So, I have the building blocks needed to enable signing and notarization of this; I both sign and notarise hugoreleaser, but it's a little bit of an extra hassle to set up ... You can certainly override (open anyway ...) this for a given binary; I have Gatekeeper enabled, but I just downloaded and executed the latest hugo.

Also, you can use brew to install Hugo (I think they build from source and then do "local signing" or something).

@trelane

trelane commented Feb 25, 2025

Bep,

Hugely appreciate the quick response. We have MDM via Intune, but this will likely also be a problem centrally managing with JAMF. We have a workaround by forcing it to be allowed. We're trying to avoid Brew and centrally manage applications for security. For users with Gatekeeper enforcing, and no local admin rights, this will be a showstopper until they can get help from their IT Department.
Package signing is a pain, but everything I can see indicates we're headed towards a Zero Trust model for just about everything.

Andrew

@bep bep modified the milestones: v0.145.0, v0.146.0 Mar 7, 2025
@Fastidious

@bep how to open anyway? I am not given that option.

@bep
Member

bep commented Mar 11, 2025

@Fastidious the trick is, I'm pretty sure, to first open it in Finder:

  1. Right click the binary, click Open.
  2. You will get a warning/popup about it being unsigned or something, click "Open anyway" (or something)

After this you should be able to run the binary as normal from the terminal.

@edhemphill

FYI - another way: right after you get the dialog above, click "Done" - then go into the System Settings -> Security -> scroll down and see an option to open hugo anyway. Once you have done this once it will work going forward.

@trelane

trelane commented Mar 21, 2025

FYI - another way: right after you get the dialog above, click "Done" - then go into the System Settings -> Security -> scroll down and see an option to open hugo anyway. Once you have done this once it will work going forward.

Correct, but this assumes the user has admin access. Almost everyone is desperately trying to remove admin access for users.

@trelane

trelane commented Mar 21, 2025

All,

I owe you an apology for a deep discourtesy. I just realized that I've posted to this thread from both my work and personal GitHub accounts in an accidental incident of sockpuppetry. To clarify, akirch24 is my work account. I deeply apologize for my mistake and any confusion it might have caused.

Andrew
