With the release of macOS Sierra, the built-in protection tool called Gatekeeper placed more restrictions on the way applications created by unidentified developers are opened. The 'allow from anywhere' option is hidden by default, although the built-in command line application can bring it back. When you open such an app, Sierra pops up a prompt warning that the app is from an unidentified developer. Click Open to continue. That choice is stored with the app, so you won't be asked again until you install a new version.
Apple has a built-in way to protect you from opening potentially malicious apps on your computer in Mac OS X. This setting, named Gatekeeper, will never stop you from installing apps from the Mac App Store, but it can help prevent apps from being installed that are not a part of the Mac App Store. However, if you get a security warning and still want to install the app, here is how to do it.
Choosing Your Gatekeeper Options
Open up your 'System Preferences' and head to 'Security & Privacy.'
In the 'General' tab, you'll see a section called 'Allow apps downloaded from.' In order to change these settings, you'll have to click on the lock icon below and input your admin password. Once that's out of the way, you can choose between three options:
- Mac App Store
- Mac App Store and identified developers
- Anywhere
Just the Mac App Store
The safest option to choose here would be the 'Mac App Store,' since Apple reviews all apps that are accepted in their store and can remove them quickly if necessary. You will know that your Mac will be as free as possible from malware if you use this option only.
Mac App Store & Trusted Developers
The next option also trusts apps from 'identified developers,' which are developers with a unique Developer ID from Apple who have their apps signed digitally. This is the preferred option, since Apple can verify that there has not been any tampering with the apps since they were signed.
Apps from Anywhere
The last option, 'Anywhere,' removes Gatekeeper's blocking capabilities on your Mac, letting you install and open any app off the internet, including Automator apps made by individuals. Apps that fall into this category sometimes contain malware. We do not recommend using this option; instead, use the 'identified (trusted) developers' option above and approve the installation of apps missing a Developer ID on a case-by-case basis.
Trusting Apps on a Case-by-Case Basis
If you have the 'Mac App Store and identified (trusted) developers' option selected, then when you download an app without a Developer ID and try to open it, you'll get the following warning.
- 'App Name' can't be opened because it is from an unidentified developer
To bypass this restriction, select 'OK' on the popup to close it, then go into the 'Security & Privacy' section in your 'System Preferences.' Below the Gatekeeper options in the 'General' tab, you will see the app that was blocked from opening. To trust it, select 'Open Anyway'.
An Even Shorter Way to Open Them
If you do not want to go into System Preferences to open an app for the first time as shown above, Control-click the app in the Finder, then select 'Open.' You will see a new popup asking if you're sure you want to run the app on your Mac. Just hit 'Open' again and the app will launch as expected.
It often happens that you cannot run a downloaded binary from the command line. The OS complains:
'watchman' cannot be opened because the developer cannot be verified.
macOS cannot verify that this app is free from malware.
Chrome downloaded this file today at 9:30 AM from github.com
Many online tutorials instruct you to overcome this restriction by navigating to the binary file location, right-clicking the file, selecting Open, and confirming in the dialog that follows:
macOS cannot verify the developer of 'watchman'. Are you sure you want to open it?
By opening this app, you will be overriding system security which can expose your computer and personal information to malware that may harm your Mac or compromise your privacy.
Chrome downloaded this file today at 9:30 AM from github.com
However, this approach has two drawbacks.
- It requires the GUI, so it cannot be applied to several files at once.
- To mark a file as safe, it must be opened (executed).
Workaround 1
Delete the quarantine attribute (-d), recursing into directories and .app bundles (-r):
xattr -dr com.apple.quarantine <directory, binary, .app, or dylib path>
Workaround 2
Suppose that the path of the binary you want to mark as safe is /opt/watchman/bin/watchman.
- Step 1: run
xattr -p com.apple.quarantine /opt/watchman/bin/watchman
This will print a string starting with 0081; for example, 0081;5e7fec61;Chrome;6585C1D3-E260-4275-9E6E-505DF8D6B7EE
- Step 2: copy the output string and replace the first 4 characters with 00c1.
- Step 3: run
xattr -w com.apple.quarantine '00c1;5e7fec61;Chrome;6585C1D3-E260-4275-9E6E-505DF8D6B7EE' /opt/watchman/bin/watchman
The binary /opt/watchman/bin/watchman can now be run from the command line without any complaint from the OS.
The steps above can be combined into one composed command.
Further information
To list all file attributes, use one of the following commands.
ls -al@ <path>
xattr -lr <path>
What does each value in the attribute mean?
- 00c1: flag for a quick lookup. This is a magic number defined by Apple. See this link for further analysis on it.
- 5e7fec61: date in hex format.
Convert this value to a date:
In Linux:
In Mac:
Generate a value from current timestamp:
In Linux:
In Mac:
Why 2001-01-01? Because Apple's absolute time is measured from Jan 1 2001 00:00:00 GMT. See CFAbsoluteTime.
- Chrome: app name (arbitrary string value).
- 6585C1D3-E260-4275-9E6E-505DF8D6B7EE: uuid used to look up other information about the file.
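The field layout described above, together with the flag change from Workaround 2, decoded in a small shell script. This is an added example, not code from the original page: the function names are hypothetical, the hex time field is read as Unix seconds (an assumption of this example), and the script only reports bit 0x0040, the single bit that differs between 0081 and 00c1, without claiming what Apple calls it.

```shell
#!/bin/sh
# Decode a com.apple.quarantine value: flags;hex-time;agent;uuid.
# The sample values are the two strings shown on this page.

MAC_EPOCH_OFFSET=978307200   # seconds from 1970-01-01 to 2001-01-01 GMT

is_hex() {                   # succeed only for a non-empty hex string
    case "$1" in
        ''|*[!0-9a-fA-F]*) return 1 ;;
    esac
}

qtn_field() {                # qtn_field VALUE N: Nth ';'-separated field
    # -s drops input with no ';' at all, so malformed values yield nothing
    printf '%s\n' "$1" | cut -s -d';' -f"$2"
}

qtn_epoch() {                # hex time field as decimal Unix seconds (assumed epoch)
    ts=$(qtn_field "$1" 2)
    is_hex "$ts" || return 1
    echo $((0x$ts))
}

qtn_mac_time() {             # same instant counted from 2001-01-01 (CFAbsoluteTime)
    e=$(qtn_epoch "$1") || return 1
    echo $(($e - $MAC_EPOCH_OFFSET))
}

qtn_bit40() {                # "set"/"clear": the bit that separates 0081 from 00c1
    f=$(qtn_field "$1" 1)
    is_hex "$f" || return 1
    if [ $((0x$f & 0x0040)) -ne 0 ]; then echo set; else echo clear; fi
}

qtn_describe() {             # one-line triage summary, or "malformed"
    b=$(qtn_bit40 "$1") && e=$(qtn_epoch "$1") || { echo malformed; return 1; }
    printf 'flags=%s bit40=%s epoch=%s agent=%s uuid=%s\n' \
        "$(qtn_field "$1" 1)" "$b" "$e" "$(qtn_field "$1" 3)" "$(qtn_field "$1" 4)"
}

qtn_describe '0081;5e7fec61;Chrome;6585C1D3-E260-4275-9E6E-505DF8D6B7EE'
qtn_describe '00c1;5e7fec61;Chrome;6585C1D3-E260-4275-9E6E-505DF8D6B7EE'
```

On a Mac, the value to decode can be taken from xattr -p com.apple.quarantine <path>; a file whose flags have bit 0x0040 set but which nobody opened through the GUI prompt is worth a second look during triage.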
Look up information from the uuid.
Output:
Insert a new entry to the database. (Replace the date=... with the appropriate macOS version above if you are using a Mac.)
Set the attribute on an existing file ${file}. (Replace the date=... with the appropriate macOS version above if you are using a Mac.)
Generate a new uuid: