@jeremy-code
Last active April 13, 2025 03:50
macOS `spctl` Hidden Commands

Per spctl's man page (x-man-page://spctl), it recognizes a few commands for a main operation:

spctl --assess [-t type] [-] file ...
spctl --global-enable
spctl --global-disable
spctl --disable-status
spctl --status

It also lists some commands as being deprecated, which do nothing and output "This operation is no longer supported. Please see the man page for more information."

spctl --add
spctl --disable
spctl --enable
spctl --remove
spctl --reset-default # This one simply outputs "This operation is no longer supported."

Note that one can run spctl --status --verbose and get output:

assessments enabled|disabled
developer id enabled|disabled

However, I have discovered some other "main" commands that have been undocumented:

spctl --master-enable | --master-disable # I believe these are simply aliases to `--global-enable`, `--global-disable`
spctl --test-devid-status # Outputs `devid enabled|disabled`
spctl --test-devid-enable | --test-devid-disable # Outputs deprecation/man page message
spctl --rearm-status # Outputs `rearm enabled|disabled`
spctl --rearm-enable | --rearm-disable # Enables or disables the above
spctl --test-notarization-status
spctl --test-notarization-enable | --test-notarization-disable # Outputs deprecation message
spctl --list # list rules
spctl --list-blocked # list blocked applications

I am very curious about --test-devid-status, --rearm-status, --test-notarization-status.

The settings roughly match up with Apple's Privacy & Security (x-apple.systempreferences:com.apple.preference.security) options for "Allow applications from": "App Store", "App Store & Known Developers", and "Anywhere".

It seems that

  • "App Store" ⇔ assessments enabled, devid disabled, notarized apps disabled
  • "App Store & Known Developers" ⇔ assessments enabled, devid enabled, notarized apps enabled
  • "Anywhere" ⇔ all disabled
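The mapping above can be turned into a posture check for auditing Macs. This is an added example, not code from the gist's author: the function name `gatekeeper_policy` is hypothetical, and it assumes the status text contains the `assessments` and `developer id` (or `devid`) lines exactly as shown earlier on this page.

```shell
#!/bin/sh
# Added example: map Gatekeeper status text to the "Allow applications from"
# setting, following the mapping proposed in this gist.

# gatekeeper_policy TEXT
#   TEXT is the output of `spctl --status --verbose` (optionally with the
#   `devid enabled|disabled` line from `spctl --test-devid-status` appended).
gatekeeper_policy() {
    assessments=unknown
    devid=unknown
    while IFS= read -r line; do
        case "$line" in
            "assessments enabled")                     assessments=enabled ;;
            "assessments disabled")                    assessments=disabled ;;
            "developer id enabled"|"devid enabled")    devid=enabled ;;
            "developer id disabled"|"devid disabled")  devid=disabled ;;
        esac
    done <<EOF
$1
EOF
    case "$assessments/$devid" in
        enabled/disabled)  printf '%s\n' "App Store" ;;
        enabled/enabled)   printf '%s\n' "App Store & Known Developers" ;;
        disabled/disabled) printf '%s\n' "Anywhere" ;;
        # Combinations the gist does not describe are reported, not guessed.
        *) printf '%s\n' "unmapped (assessments=$assessments, developer id=$devid)" ;;
    esac
}

if command -v spctl >/dev/null 2>&1; then
    # 2>&1 is a precaution in case the status lines are written to stderr.
    gatekeeper_policy "$(spctl --status --verbose 2>&1)"
else
    # Constructed sample input for machines without spctl.
    gatekeeper_policy "assessments enabled
developer id enabled"
fi
```

Anything other than the three documented combinations is printed as `unmapped` with the raw values, so an unexpected state is surfaced for review instead of being classified.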

I have no idea what --rearm-status corresponds to. I found this much older article that claims Gatekeeper automatically re-enables after 30 days on Yosemite and later (archived), so I wouldn't be surprised if that was what it was for.

The difference between --test-notarization-status and --test-devid-enable seems interesting to me. This article by Apple (Signing your apps for Gatekeeper) seems to imply that software can be signed by Developer ID and then notarized by Apple for extra security. What I am curious about is why they are two separate options, but I can't really test it because the enabling/disabling commands don't work, so ¯\_(ツ)_/¯
