#451: mac gatekeeper quarantine removal

[shodiBoy1]

This PR fixes #451

Implemented changes:

On modern macOS (15.1+, Apple Silicon), just removing com.apple.quarantine didn't work - unsigned apps still showed the "is damaged" popup. Tested this on a real M1 Pro with IntelliJ CE and Android Studio.

The fix does two things after extraction:

• xattr -cr to clear all extended attributes (quarantine, resource forks, etc.)
• codesign --force --deep --sign - to ad-hoc sign the .app bundle - but only if it's not already properly signed (so we don't break notarized apps like Eclipse)

Other changes:

• Version file (.ide.software.version) now stays at rootDir instead of being copied inside the .app, because codesigning seals the bundle and any writes after that fail with "Operation not permitted"
• linkDir always points to rootDir now (symlink target), binDir resolves into the .app bundle separately
• Added findBinDir() in MacOsHelper - needed because getToolBinPath() can't use findLinkDir() (would cause infinite recursion with getBinaryName())

---

Checklist for this PR

• When running mvn clean test locally all tests pass and build is successful
• PR title is of the form #«issue-id»: «brief summary» (e.g. #921: fixed setup.bat). If no issue ID exists, title only.
• PR top-level comment summarizes what has been done and contains link to addressed issue(s)
• PR and issue(s) have suitable labels
• Issue is set to In Progress and assigned to you or there is no issue (might happen for very small PRs)
• You followed all coding conventions
• You have added the issue implemented by your PR in CHANGELOG.adoc unless issue is labeled
  with internal

[coveralls]

Coverage Report for CI Build 24218122141

Coverage decreased (-0.006%) to 70.464%

Details

• Coverage decreased (-0.006%) from the base build.
• Patch coverage: No coverable lines changed in this PR.
• 105 coverage regressions across 4 files.

Uncovered Changes

No uncovered changes found.

Coverage Regressions

105 previously-covered lines in 4 files lost coverage.

File	Lines Losing Coverage	Coverage
com/devonfw/tools/ide/tool/ToolCommandlet.java	47	73.4%
com/devonfw/tools/ide/tool/LocalToolCommandlet.java	36	80.15%
com/devonfw/tools/ide/os/MacOsHelper.java	19	76.71%
com/devonfw/tools/ide/git/repository/RepositoryCommandlet.java	3	70.98%

---

Coverage Stats

Relevant Lines:	15111
Covered Lines:	11098
Line Coverage:	73.44%
Relevant Branches:	6710
Covered Branches:	4278
Branch Coverage:	63.76%
Branches in Coverage %:	Yes
Coverage Strength:	3.1 hits per line

---

💛 - Coveralls

[hohwille]

@shodiBoy1 thanks for your PR. Great that you are working on this nasty problem that is currently blocking Mac users and renders the UX of IDEasy on Mac void. 👍
Currently, I do not see the difference in the xattr compared to PR #453. Can you explain why this should fix the problem now? Have you tested this approach on MacOS and it worked for unsigned apps like e.g. IntelliJ?

FYI: Did you also see this comment? #451 (comment)
When we remove the quarantine attribute, MacOS protected the app directory and we cannot make any modifications to it after that. This IMHO implies that we cannot keep the current solution with the .ide.software.version file that we simply copy to the linkDir as a workaround. Maybe it could work if we do that before we remove the quarantine attribute?
Further, in PR #453 @jan-vcapgemini made a review comment that this xattr execution should be moved to MacOsHelper what makes sense to me and should be followed.

[hohwille]

Seems something went wrong on conflict resolution.

Suggested change

	* https://github.com/devonfw/IDEasy/issues/1747[#1747]: Fixed macOS x64 native image build using macos-15-intel runner
	* https://github.com/devonfw/IDEasy/issues/1738[#1738]: FileAccess.delete no longer follows directory links during recursive delete
	* https://github.com/devonfw/IDEasy/issues/1151[#1151]: Use uname -m for runtime architecture detection on Mac/Linux
	* https://github.com/devonfw/IDEasy/issues/1770[#1770]: Fix setup hanging due to buffered log output during license prompt
	* https://github.com/devonfw/IDEasy/issues/1771[#1771]: Maven version 3.9.1x are now available
	* https://github.com/devonfw/IDEasy/issues/1647[#1647]: Fixed CVE detection for rancher desktop
	* https://github.com/devonfw/IDEasy/issues/1363[#1363]: Tool uninstallation in force mode now also removes its plugins
	* https://github.com/devonfw/IDEasy/issues/1687[#1687]: Fixed JLine warning about restricted method

[hohwille]

This should only happen for an application. The extract function is generic and can also be used to extract a ZIP file with pure data or config that is not an application. Please note that the executed xattr command will typically trigger a popup with password request so this should only appear for applications (ideally only if they are not signed).
Please check PR #453 where this was already done in the right place.

[hohwille]

This looks exactly like what I did in PR #453. However, I tested my solution and it did not work.
Am I missing something or why should it work now?