How to get application updates past OS X Gatekeeper

Apple's Gatekeeper data execution management service offers increased security for OS X users, but at times it may block some legitimate programs, especially at its highest security settings.

The three levels of Gatekeeper security in OS X are to allow all programs, allow programs signed with a valid Apple Developer ID, or allow only programs that are distributed through the Mac App Store. With the two more restrictive levels, the system requires explicit instruction to run an untrusted application. While this approach increases security, if you have Gatekeeper set to higher security levels then you may run into problems updating some programs, even if those programs were previously added to Gatekeeper's exceptions list.

This is particularly true for programs that apply self-updates by downloading and running a standalone updater program, where even though the main program is allowed to run by Gatekeeper, the updater may not be.

For example, the Opera browser updates by downloading an updater to a relatively hidden cache folder, where it runs the next time the browser is launched. But if you have Gatekeeper security set to the highest level, it will prevent the updater from running since it does not recognize it as an App Store program.

Normally this is not an issue, since when this restriction pops up, you can right-click a program to open it from the contextual menu, which will add it as an exception to the Gatekeeper rules. However, being in a hidden cache folder, the updater is not readily accessible after it quits. This means that once you click "OK" on the message that the program isn't being allowed to run, Opera will simply quit and there will be nothing to mark as allowed.

To get around such errors, you have three options:

1. Disable Gatekeeper temporarily
   This is perhaps the easiest option, as it will allow the program to run and update itself. To do this, go to the Security system preferences, authenticate, and select the option to allow execution of applications downloaded from anywhere.
2. Download the update from the developer
   You can access the application developer's Web site and get the updater from there. This will allow you to open it by right-clicking and choosing Open from the contextual menu, and then confirming that you wish to run the application.
3. Access the current updater package and make a Gatekeeper exception for it
   Even though the updater is hidden, you can reveal it and then manually run it. To do this, wait for Gatekeeper to display its warning message, then right-click the updater's Dock icon and choose Options > Reveal in Finder. Then right-click the updater package to open it, and add it to the Gatekeeper exceptions. This may not work in all instances, but should for most situations where the updater is a separate application that isn't signed.

Questions? Comments? Have a fix? Post them below or e-mail us!
Be sure to check us out on Twitter and the CNET Mac forums.