Running unverified apps on Mac
The problem
You download a binary or application, go to run it and Mac won’t let you. There are (arguably) good reasons for this, but that’s out of the scope of this article, but you’ll find more information about Mac’s Gatekeeper on the internet :).
You’ll see something like this:
Error message while trying to run binary: “your-binary” cannot be opened because the developer cannot be verified. macOS cannot verify that this app is free from malware. Chrome downloaded this file today at 9:00 from example.com
Explanation
So, how does Mac knows that a binary is not to be checked/trusted?
When you download a file, the browser sets the extended attributes that Mac will check before allowing you to run the binary/app.
Show extended attributes
$ xattr your-binary
com.apple.metadata:kMDItemWhereFroms
com.apple.quarantine
Show extended attributes’ data
Here’s an example
# if you downloaded it using Chrome
$ xattr -l your-binary
com.apple.metadata:kMDItemWhereFroms: ...
com.apple.quarantine: 0181;62324d50;Chrome;37400A13-128E-4ABA-97ED-D61093874F54
# if you downloaded it using Firefox
$ xattr -l your-binary
com.apple.metadata:kMDItemWhereFroms: ...
com.apple.quarantine: 0181;62324b24;Firefox;99E8F9C8-78F9-4CD4-8E08-9D1D6791B22B
You can see that there’s also a com.apple.metadata:kMDItemWhereFroms
attrbiute, it has binary data (mostly text, though). It contains the url
where you downloaded the binary from. This information is used to show the
error message to the user.
Remove quarentine attribute
Removing the quarentine flag should be enough to allow you to run your binary.
$ xattr -d com.apple.quarantine your-binary
Remove all extended attributes
If you want to get rid of all the data, you can use:
$ xattr -c your-binary
An app instead of a binary?
If you have an app, which is really a directory (e.g. YourApp.app
) you may
want to apply these changes to every file on that folder. You can do that using
the -r
argument for xattr
. For example:
$ xattr -dr com.apple.quarantine YourApp.app
Alternative
Depending on your use case it may be easier to just use curl
or wget
(on
the command line) to download the file.
At the time of writing this, those tools are not “compliant” with Mac and don’t
set any extended attribute, so you can just download and run without Mac’s
Gatekeeper complaining.
I’m not sure if “compliant” is proper word for apps setting these extended attributes, though.