#mac #gatekeeper #workaround #tips

Running unverified apps on Mac

The problem

You download a binary or application, go to run it and Mac won’t let you. There are (arguably) good reasons for this, but that’s out of the scope of this article, but you’ll find more information about Mac’s Gatekeeper on the internet :).

You’ll see something like this:

Error message while trying to run binary: “your-binary” cannot be opened because the developer cannot be verified. macOS cannot verify that this app is free from malware. Chrome downloaded this file today at 9:00 from example.com


So, how does Mac knows that a binary is not to be checked/trusted?

When you download a file, the browser sets the extended attributes that Mac will check before allowing you to run the binary/app.

Show extended attributes

$ xattr your-binary

Show extended attributes’ data

Here’s an example

# if you downloaded it using Chrome
$ xattr -l your-binary
com.apple.metadata:kMDItemWhereFroms: ...
com.apple.quarantine: 0181;62324d50;Chrome;37400A13-128E-4ABA-97ED-D61093874F54

# if you downloaded it using Firefox
$ xattr -l your-binary
com.apple.metadata:kMDItemWhereFroms: ...
com.apple.quarantine: 0181;62324b24;Firefox;99E8F9C8-78F9-4CD4-8E08-9D1D6791B22B

You can see that there’s also a com.apple.metadata:kMDItemWhereFroms attrbiute, it has binary data (mostly text, though). It contains the url where you downloaded the binary from. This information is used to show the error message to the user.

Remove quarentine attribute

Removing the quarentine flag should be enough to allow you to run your binary.

$ xattr -d com.apple.quarantine your-binary

Remove all extended attributes

If you want to get rid of all the data, you can use:

$ xattr -c your-binary

An app instead of a binary?

If you have an app, which is really a directory (e.g. YourApp.app) you may want to apply these changes to every file on that folder. You can do that using the -r argument for xattr. For example:

$ xattr -dr com.apple.quarantine YourApp.app


Depending on your use case it may be easier to just use curl or wget (on the command line) to download the file. At the time of writing this, those tools are not “compliant” with Mac and don’t set any extended attribute, so you can just download and run without Mac’s Gatekeeper complaining.

I’m not sure if “compliant” is proper word for apps setting these extended attributes, though.