Question

Here's what's happening (in Sierra, 10.12.5)

  • try to launch a non-application file which ISN'T a bundle (e.g. pdf, png -- numbers bundles will be fine) -- by double-clicking, or using open in the Terminal
  • A dialog is presented: "FILENAME" is damaged and can't be opened. You should move it to the Trash.

What I've tried:

  • safe mode
  • running as a separate user

What I've discovered:

  • It's definitely related to gatekeeper: Turning gatekeeper off with sudo spctl --master-disable makes these images launchable.
  • Something is wrong with spctl, the underlying command line utility which manages security policies. See below.

Problem with spctl:

If you run a basic command like spctl --assess -vvv --raw /bin/ls it replies with One or more parameters passed to a function were not valid. (I tried this as it is a diagnostic step in an old but closely related fix.)

However running this same command with gatekeeper off gives the correct result. I've also tried to restore the SystemPolicy db from the original by:

  • sudo spctl --master-disable (turning gatekeeper off)
  • sudo cp -p /var/db/.SystemPolicy-default /var/db/SystemPolicy (copying the system policy)
  • sudo chmod u+w /var/db/SystemPolicy (fix perms)
  • restart the computer
  • sudo spctl --master-enable (turning gatekeeper back on)

But this hasn't helped (in fact I don't think the SystemPolicy db has reverted back to the defaults -- it seems to grow massively in size, or possibly just revert back to the previous db, when I turn gatekeeper back on).

Any thoughts?


Solution

Just experienced a similar issue on a 10.13 system after having migrated it from a 10.12 system -- turns out /var/db/gkopaque.bundle wasn't valid, so I copied that from a good 10.13 system (by making a tarball as root on the good system, extracting it as root on the destination system), restarting (the system or killing syspolicyd), and that fixed the issue.

OTHER TIPS

As others have said, replacing /var/db/gkopaque.bundle worked for me. In my case I pulled it from a Time Machine backup by:

  • Running: $ defaults write com.apple.finder AppleShowAllFiles TRUE
  • Relaunching the Finder (command + option + escape)
  • Navigating to /var/db/
  • Entering the Time Machine and navigating to an older version of gkopaque.bundle and clicking restore
  • Exiting the Time Machine
  • Rebooting
  • Running (to confirm): $ spctl --assess -vvv --raw /bin/ls
  • Running: defaults write com.apple.finder AppleShowAllFiles FALSE
  • Relaunching the Finder (command + option + escape)

I had exactly your problems with Gatekeeper. What worked for me was to replace the /var/db/gkopaque.bundle with a copy from another, good, computer.

I simply used AirDrop to transfer it to the bad Mac. Then log in to the bad Mac as root, and move the bundle to /var/db/. After a reboot Gatekeeper is working, the settings in System Preferences > Security & Privacy now "stick" and don't revert back to App Store. As a result apps can now launch when I double-click files in Finder.
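Added example, not part of any answer above and not Apple's own tooling: a small check to run before and after replacing the bundle, so the fix can be confirmed without double-clicking files. The error text and the /var/db/gkopaque.bundle path come from this page; the function names and state labels are hypothetical, and "present" only means the directory exists and is non-empty, not that its contents are valid.

```shell
#!/bin/sh
# Added example: Gatekeeper health check for the symptom described on this page.
# Function names and state labels are hypothetical (not part of spctl).

# Error text quoted in the question.
GK_ERR='One or more parameters passed to a function were not valid'

# gk_classify EXIT_STATUS OUTPUT -> prints broken | rejected | ok
#   broken   : spctl itself failed with the error from the question
#   rejected : spctl ran but returned a non-zero status for the file
#   ok       : spctl assessed the file and returned 0
gk_classify() {
  case "$2" in
    *"$GK_ERR"*) echo broken; return 0 ;;
  esac
  if [ "$1" -ne 0 ]; then echo rejected; else echo ok; fi
}

# gk_bundle_state PATH -> prints symlink | missing | empty | present
# A symlink is reported separately because a system path under /var/db
# should not silently point somewhere else after a manual restore.
gk_bundle_state() {
  if [ -L "$1" ]; then echo symlink
  elif [ ! -d "$1" ]; then echo missing
  elif [ -z "$(ls -A "$1" 2>/dev/null)" ]; then echo empty
  else echo present
  fi
}

# gk_report [BUNDLE_PATH] -> prints a two-line summary plus spctl --status
gk_report() {
  gk_bundle="${1:-/var/db/gkopaque.bundle}"
  echo "bundle ($gk_bundle): $(gk_bundle_state "$gk_bundle")"
  if command -v spctl >/dev/null 2>&1; then
    # /bin/ls is the known-good binary used as the probe in the question.
    gk_out=$(spctl --assess -vvv --raw /bin/ls 2>&1) && gk_rc=0 || gk_rc=$?
    echo "assess /bin/ls: $(gk_classify "$gk_rc" "$gk_out")"
    spctl --status || true
  else
    echo "assess /bin/ls: skipped (spctl not found, not a macOS host)"
  fi
}

gk_report
```

If the report still says "broken" after the bundle has been replaced, remember that the answers above restart the machine (or kill syspolicyd) before retesting.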

Licensed under: CC-BY-SA with attribution
Not affiliated with apple.stackexchange