Should I enter this command in Terminal?

Background: A month or so ago I purchased an app from a developer with (what seemed to me to be) a decent reputation. The app did not work as expected, so I reached out to tech support, who got back to me within a week with the response (all typos, grammar errors, and other verbal weirdness copied verbatim from the original):

Thank you so much for your kind feedback. And I am truly sorry for it takes a lof of time to locate the reason and find the solution. I sincerely apology for the inconveniences has caused to you.

Our DEV team make further diagnosis and find the solution for you. Would you please give the customized version a try to solve the

https://drive.google.com/file/[link redacted]

Please download and unzip it to give it a new try.

So, okay. I downloaded the file, unzipped it, and launched -- only to get the error message:

[App name] is damaged and can’t be opened. You should move it to the Trash.

I wrote back to tech support, reporting the error message. They responded with the following instructions:

Thank you so much for your kind feedback. Given this rare situation, would you please refer to below instructions to solve the problems?

  1. Please find the "Terminal" option on your computer;

  2. And then, please Please enter the path below:

sudo xattr -rd com.apple.quarantine / (App location)

After that, please enter the password of your computer. Then, you can use it.

Now, I am almost completely UNIX-illiterate, and I am reluctant to enter any command into Terminal unless I know exactly what it is going to do -- and this appears to be a command designed to turn off security measures. Moreover, a little bit of Googling suggests that this command, whatever it does, is usually recommended when getting a permission error (e.g. "You do not have permission to open the application"), which is not the error I am getting.

So my questions:

  1. What will this command do?
  2. Is it safe for me to execute it?
  3. Is it likely to help?

Answers 3

  • Breakdown of this command:

    sudo xattr -rd com.apple.quarantine /path/to/app/location

    • sudo: Execute the remainder of the command with superuser (root) privileges. More information: man sudo
    • xattr: Show or modify extended filesystem attributes on a file or directory. Extended attributes are those that go beyond the standard POXIX user/group/other read/modify/write/execute permissions. More information: man xattr
    • -rd: These are two separate flags/arguments that will be passed to xattr. r means that if you invoke xattr on a directory, the operation will be performed recursively on all files and directories contained within it. Since you are targeting an application, which is actually a bundle (i.e., a structured directory), this flag is necessary in order to reach all of the bundle's contents. d means that the operation performed will be to delete the specified attribute from the file or directory.
    • com.apple.quarantine: This is another argument passed to xattr. It specifies the name of the attribute to be operated upon (deleted, in this case). The com.apple.quarantine attribute is the mechanism by which files downloaded from Safari and some other applications are marked as having been downloaded from the Internet (which is a potentially hostile environment), as opposed to coming from a presumably safe environment, like the Mac App Store or files that you've created yourself. When a user attempts to execute a quarantined binary for the first time, the kernel hooks into the quarantine.kext kernel extension and the execution is gated by a UI interaction that presents the "This file was downloaded from the Internet. Are you sure you want to open it?" panel.
    • /path/to/app/location: This is the final argument passed to xattr. It specifies the file or directory whose attributes xattr will read or modify.

    When put all together, this command says:

    "For every file and folder inside /path/to/app/location, delete the com.apple.quarantine attribute. Do this all as the root user."

    Here is why you are being asked to run this:

    1. The app whose path you specified at the end of this command was downloaded from the Internet through your browser.
    2. macOS recognized that any file from the Internet may be unsafe, so it applied the quarantine attribute at the time of download.
    3. This file is an application, so when you tried to open it, the kernel saw that it was quarantined and ran security checks on it. It only does this prior to the first successful launch; subsequent launches skip this security mechanism if it succeeded previously.
    4. The app failed the checks for some reason and macOS informed you that the app is damaged.
    5. The developer wants you to delete the quarantine attribute in order to bypass the security checks and allow the app to run.

    So the above Terminal command by itself is a perfectly safe and reasonable thing to run on its own. However, in context, you need to be very vigilant: By first running this safe command and then running the app you downloaded, you are allowing a third-party developer to execute their code on your computer without successfully passing security checks - which you already know have failed.

    Is this malicious? Impossible to know. The developer may be a totally sincere software engineer who has imperfect English and a buggy app that they are trying to collaboratively debug with you. Or it may be a shady developer who's trying to backdoor you. None of us can answer that for you here.

    A couple of things you could do are:

    1. Run the application executable through a disassembler and see if you can glean any malicious intent (hard to do with experience; impossible if you're not a developer yourself).
    2. Ask the developer to work with you to debug the launch failure because you don't feel comfortable removing the app from quarantine. This will probably involve providing targeted launch logs with the log command (see man log, but also know that this is on the developer to figure out for you).

  • I have ran into this when a piece of software you are using is from a previous version of MacOS / no longer supported with the current version of MacOS (an X through the software, claims it's broken and recommends you send it to the trash), or when the developer's code hasn't been signed by Apple and downloaded from the internet (the downloaded from the internet warning, a third-party developer with code that has been unsigned by Apple; the only legitimate reason would be the developer is deciding to not pay Apple $99 a year to be a developer, but is a bit suspect otherwise).

    While both of the aforementioned can be innocuous, if the program serves a legitimate purpose, the steps he is taking you through to get the program running by bypassing some of these prompts is out of the norm (in my opinion).

    The command is question bypasses these warnings by disabling Apple's default quarantine an app with such issues.

    To me, these recommendations will either be innocuous, or nefarious - depending on the intentions of the developer. The only thing that informs this is their reputation in general:

    • Are you obtaining this from the official (or trusted) source?
    • Is the software well-established and has a niche community that uses it can can provide feedback the software operates as intended?

    If the answer is yet to both, then it's probably fine. However, what I find suspect is why the developer doesn't just update their software, recompile it for the newest operating system and have their code signed by Apple to bypass these warnings the correct way.

    At least he isn't asking for you to disable Gatekeeper (system wide0 because that is something I would find to be highly suspect.

    So it comes down to an individual judgment call on your part, not knowing the name of the software package to offer a general opinion. But it may be worth asking why he hasn't provided an updated version to avoid the end-user from having to jump through these hoops, if these warnings are truly innocuous. I presume if it is innocuous, it's because it was written using an older version of MacOS and is unwilling to pony up the cash yearly to be an Apple developer and have their code signed accordingly.

    If you cannot get your answers satisfactorily answered and presuming this code doesn't require an administrator to run, is either run said software on a virtual machine to analyze its usage (which protects your computer), or if it will work on a non-admin user (which it may not since you may not be able to bypass these warnings without admin privileges) is creating a new regular/non-admin user account to test this and then worst case scenario you can just delete the account without fear of it modifying or mucking up your system files. THe standard user account should be sandboxed, for the most part.

    Performing a backup of your files beforehand would be recommended, if you are wanting to be overtly cautious - in the case of ransomware.


  • 1. It will delete an unneeded component of the application.

    2. It is safe.

    3. Not likely, but it may.

    This part is a bit messy, sorry. So I am not familiar with this command but in general, being familiar with the command line, I read the manual page and I can say that this command is not malicious. com.apple.quarantine only asks if you want to run this application. If you confirm it will remove itself. Basically, it is the "You are opening the application APPLICATION_NAME for the first time. Are you sure you want to open this application?"

    You are opening the application APPLICATION_NAME for the first time. Are you sure you want to open this application?

    It may help but probably it won't but there is no cost, it won't damage your computer.


Related Questions