How to stop users opening applet from within DMG

Neophyte · December 26, 2025, 5:00am

I distribute my applet in a read-only DMG file via GitHub. Some users developed the habit of running the applet from within the DMG which caused much trouble. So, I’ve looked for a way to prevent the applet running from within the DMG.

I’m using this code at the beginning of main.scpt:

set path_to_applet to path to me as text
set path_to_applet_posix to POSIX path of path_to_applet
if path_to_applet_posix contains "/Volumes/applet" then
	display dialog "Sorry, applet cannot be run from within a DMG file. Copy applet to \"Applications\" and try again" buttons "OK" with icon stop
	error number -128
end if

That code works on a DMG file before I upload it to GitHub. But, it does NOT work on the DMG file which has been downloaded from GitHub. The only difference I can think of is that macOS is seeing that the DMG file has been downloaded in Safari and while showing it on the Desktop, is actually quarantining it and so the path is not “/Volumes/apple/”.

Does any of this make sense ? If so, does anyone know the pa tho DMG files downloaded by Safari ?

Thanks.

mingione · December 26, 2025, 12:19pm

What is the name of the disk image? I think it would be /Volumes/name of volume/…

Alternatively, could the script check to see if it’s in the applications folder, and only run then?

Andrew

Neophyte · December 26, 2025, 10:04pm

Hi Andrew, thanks.

My thought turns out to be correct – the download is quarantined by macOS. Although it is shown in the users Downloads folder, it’s actually in a temporary folder named like this:

/private/var/folders/r4/iolkjsldi8sio99xsmlxslknclk380000gq/T/AppTranslocation/34DF5GT3-2568-9EA2-2TT7-7J12JK6852HH/d/Test.app/

Interesting that the download stays in there after user gives affirmative response to security challenge.

So, I’ve changed my code to test for the “AppTranslocation” folder. It works on Monterey and Tahoe. I guess the “/private/vars/folders/” location would also be reliable.

Will need to do some research on which macOS version first provided that automatic quarantining.

Cheers.

leo_r · December 27, 2025, 3:40am

It’s called ‘app translocation’. Was implemented years ago (don’t remember exactly when).

You can check for the location of the original app via shell script such as this:
/usr/bin/security translocate-original-path

I’ve been using this method for years in some Objective-C code.

More info here:

https://www.reddit.com/r/learnpython/comments/vxbdgp/when_a_app_opens_on_a_mac_does_it_create_a/

It’s possible there are better sources on this, I just googled “translocate-original-path”.

StefanK · December 27, 2025, 9:29am

How about to write an installer? This can be another simple applet which moves the executable into /Applications up to a full-fledged .pkg installer.

In my opinion the path check has one crucial shortcoming: You need to run code on the target machine which isn’t there as disk images lack an autostart function.

Neophyte · December 28, 2025, 4:38am

StefanK, leo_r, many thanks.

Yes, I remember reading a few reports way back when. Had forgotten about it till now.

Yes, an installer is an option. However, some users prefer to run the applet from their Desktop or an external drive. That’s fine – I do a lot of my testing with a copy on the Desktop. I don’t want to make that more difficult for my users except those who try to run it from within the DMG. As it happens, usually, it will run OK from the DMG but one user complained when they tried to uninstall which caused a crash – the DMG is read only.

Not sure I understand. What do you mean by “the target machine” ?