Today I went to launch VMware 4.1.0 on my OS X 10.8.1 Mac and was met with this surprising refusal to open:
Well, that’s interesting. Mac OS X supports the ability for applications to specify in their “Info.plist” files the minimum system version they require, but as far as I know there are no keys for specifying the maximum system version. Mac OS X will display a similar failure when an application is so old that it doesn’t contain code that was compiled for the appropriate CPU on the computer, but the code in this VMware 4.1.0 executable is 64-bit Intel code that my Mac should be able to run.
Now it so happens that VMware 4.1.0 shipped with a bug that many folks have found convenient. Apple officially forbids the virtualization of Mac OS X “client” operating system releases prior to 10.7. If one was inclined to defy this, then having a copy of 4.1.0 around to run virtual machines would be pretty handy.
Knowing that this version of VMware inadvertently defies Apple’s virtualization policy, and believing that there’s no way for the app to be identifying itself as incompatible with the current version of Mac OS X, I immediately jumped to the conclusion that Apple was “blacklisting” the app for political reasons:
Whoah, did Apple blacklist VMware Fusion 4.1.0 as of 10.8.1? skitch.com/danielpunkass/…
— Daniel Jalkut (@danielpunkass) August 24, 2012
Damn you, Apple! I’ll show you, I’ll just jump into the terminal and run it from the command line. Doing so showed me a very fast, very efficient door to the immediate panicking and restarting of my Mac. Wow, they really don’t want me to open this app!
Upon restarting and reviewing the panic log, I realized the crash was actually related to VMware’s kernel extension. So in all likelihood, the app has an incompatibility with 10.8 and Apple is blocking users from casually opening it as a favor and not as punishment to VMware or its users.
How does this kind of “blacklisting” occur on Mac OS X 10.8? I suppose in the future we might see restrictions that tie in to the new Gatekeeper signing system, but that is of no help if the targeted apps are not signed. The current mechanism is in the form of a crude XML file installed by Apple in your System folder:
Take a look, it’s pretty interesting! In this file you’ll find all manner of policy amendments, all based on the bundle ID of the targeted application. Search the file for a section labeled “MinimumVersionRequirements” and you’ll discover a long list of bundle IDs and corresponding version numbers. When you double-click an app to open it in the Finder, among the other checks the system does, it looks for an entry in this list for the appropriate bundle ID and, if found, only allows the app to launch if its bundle version is the same or higher than the value listed.
In the case of VMware Fusion’s entry, it lists 536017 as the minimum. I don’t have it installed, but I suspect this is the bundle version for VMware 4.1.3, the last officially supported version of VMware 4 on 10.8.
But VMware also earns the distinction of being the only app in the file to take advantage of a keyed value “VersionRange”:
<key>VersionRange</key> <array> <string>683826</string> <string>683827</string> </array>
I don’t know exactly how this is interpreted, but I suspect it’s a range of bundle versions that should be considered incompatible with the system. In this case, I suspect Apple has determined that there is a problem with a specific version of VMware Fusion 5. They can’t set the minimum version to the latest version of VMware without cutting out support for 4.1.3, so the VersionRange technique lets them surgically remove support for this specific version.
Elsewhere in the file you will find other interesting policy amendments, including a long list of apps on which the LSFileQuarantineEnabled flag is explicitly turned on. This flag ensures that whatever files are created by these apps, they should be “quarantined” to cause the default protections e.g. for Gatekeeper policies to be enforced. Not surprisingly, the list of bundle IDs are all web browsers and torrent downloaders. Apple’s using the policy amendment here to say: even if the developers of these apps haven’t taken care to set the LSFileQuarantineEnabled on their own, the system should treat any files created by these apps as if they are “files downloaded from the web” and subject them to greater scrutiny than the files created by other apps.
As Apple becomes increasingly involved in the vetting of which software should be sold to, or allowed to run on customers’ computers, it’s worth considering whether they will be tempted to use these powers for less honorable goals. I would not have been surprised if Apple’s blacklisting here had been for non-technical reasons, but in spite of my initial paranoia, the Exceptions.plist file seems to only contain amendments that are genuinely for the good of users and developers.