Should I enter this command in Terminal

Tags: command line, permission, security, sudo, terminal

Background: A month or so ago I purchased an app from a developer with (what seemed to me to be) a decent reputation. The app did not work as expected, so I reached out to tech support, who got back to me within a week with the response (all typos, grammar errors, and other verbal weirdness copied verbatim from the original):

Thank you so much for your kind feedback. And I am truly sorry for it takes a lof of time to locate the reason and find the solution. I
sincerely apology for the inconveniences has caused to you.

Our DEV team make further diagnosis and find the solution for you.
Would you please give the customized version a try to solve the

https://drive.google.com/file/[link redacted]

Please download and unzip it to give it a new try.

So, okay. I downloaded the file, unzipped it, and launched — only to get the error message:

[App name] is damaged and can’t be opened. You should move it to the Trash.

I wrote back to tech support, reporting the error message. They responded with the following instructions:

Thank you so much for your kind feedback. Given this rare situation,
would you please refer to below instructions to solve the problems?

  1. Please find the "Terminal" option on your computer;

  2. And then, please Please enter the path below:

sudo xattr -rd com.apple.quarantine / (App location)

After that, please enter the password of your computer. Then, you can
use it.

Now, I am almost completely UNIX-illiterate, and I am reluctant to enter any command into Terminal unless I know exactly what it is going to do — and this appears to be a command designed to turn off security measures. Moreover, a little bit of Googling suggests that this command, whatever it does, is usually recommended when getting a permission error (e.g. "You do not have permission to open the application"), which is not the error I am getting.

So my questions:

  1. What will this command do?
  2. Is it safe for me to execute it?
  3. Is it likely to help?

Best Answer

Breakdown of this command:

sudo xattr -rd com.apple.quarantine /path/to/app/location

  • sudo: Execute the remainder of the command with superuser (root) privileges. More information: man sudo
  • xattr: Show or modify extended filesystem attributes on a file or directory. Extended attributes are those that go beyond the standard POSIX user/group/other read/modify/write/execute permissions. More information: man xattr
  • -rd: These are two separate flags/arguments that will be passed to xattr. r means that if you invoke xattr on a directory, the operation will be performed recursively on all files and directories contained within it. Since you are targeting an application, which is actually a bundle (i.e., a structured directory), this flag is necessary in order to reach all of the bundle's contents. d means that the operation performed will be to delete the specified attribute from the file or directory.
  • com.apple.quarantine: This is another argument passed to xattr. It specifies the name of the attribute to be operated upon (deleted, in this case). The com.apple.quarantine attribute is the mechanism by which files downloaded from Safari and some other applications are marked as having been downloaded from the Internet (which is a potentially hostile environment), as opposed to coming from a presumably safe environment, like the Mac App Store or files that you've created yourself. When a user attempts to execute a quarantined binary for the first time, the kernel hooks into the quarantine.kext kernel extension and the execution is gated by a UI interaction that presents the "This file was downloaded from the Internet. Are you sure you want to open it?" panel.
  • /path/to/app/location: This is the final argument passed to xattr. It specifies the file or directory whose attributes xattr will read or modify.

When put all together, this command says:

"For every file and folder inside /path/to/app/location, delete the com.apple.quarantine attribute. Do this all as the root user."

Here is why you are being asked to run this:

  1. The app whose path you specified at the end of this command was downloaded from the Internet through your browser.
  2. macOS recognized that any file from the Internet may be unsafe, so it applied the quarantine attribute at the time of download.
  3. This file is an application, so when you tried to open it, the kernel saw that it was quarantined and ran security checks on it. It only does this prior to the first successful launch; subsequent launches skip this security mechanism if it succeeded previously.
  4. The app failed the checks for some reason and macOS informed you that the app is damaged.
  5. The developer wants you to delete the quarantine attribute in order to bypass the security checks and allow the app to run.

So the above Terminal command by itself is a perfectly safe and reasonable thing to run on its own. However, in context, you need to be very vigilant: By first running this safe command and then running the app you downloaded, you are allowing a third-party developer to execute their code on your computer without successfully passing security checks - which you already know have failed.

Is this malicious? Impossible to know. The developer may be a totally sincere software engineer who has imperfect English and a buggy app that they are trying to collaboratively debug with you. Or it may be a shady developer who's trying to backdoor you. None of us can answer that for you here.

A couple of things you could do are:

  1. Run the application executable through a disassembler and see if you can glean any malicious intent (hard to do with experience; impossible if you're not a developer yourself).
  2. Ask the developer to work with you to debug the launch failure because you don't feel comfortable removing the app from quarantine. This will probably involve providing targeted launch logs with the log command (see man log, but also know that this is on the developer to figure out for you).
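
As an added example (not part of the original answer or the developer's instructions): a read-only way to look at the quarantine attribute and the signature checks before deciding whether to delete anything. The function names, the sample value and the assumed `flags;hex_time;agent;uuid` layout of the attribute are illustrative assumptions; `xattr -p`, `codesign --verify` and `spctl --assess` are the standard macOS tools.

```sh
#!/bin/sh
# Added example: inspect, rather than delete, the quarantine state of an app.

# Decode a com.apple.quarantine value. Assumed layout (commonly observed):
#   flags;hex_unix_time;downloading_agent;event_uuid
decode_quarantine() {
    q_value=$1
    case "$q_value" in
        *';'*';'*) ;;                          # need at least three fields
        *) echo "unparseable"; return 1 ;;
    esac
    q_flags=${q_value%%;*}; q_rest=${q_value#*;}
    q_stamp=${q_rest%%;*};  q_rest=${q_rest#*;}
    q_agent=${q_rest%%;*}
    case "$q_stamp" in
        ''|*[!0-9a-fA-F]*) echo "unparseable"; return 1 ;;
    esac
    echo "agent=${q_agent:-unknown} epoch=$((0x$q_stamp)) flags=$q_flags"
}

# Read-only checks on a bundle (macOS only); nothing here modifies the app.
inspect_app() {
    command -v xattr >/dev/null 2>&1 || { echo "xattr not found"; return 2; }
    if q_raw=$(xattr -p com.apple.quarantine "$1" 2>/dev/null); then
        decode_quarantine "$q_raw"
    else
        echo "no quarantine attribute on $1"
    fi
    # Why did the launch check fail? Ask the signature and Gatekeeper tools.
    codesign --verify --deep --strict --verbose=2 "$1"
    spctl --assess --type execute --verbose "$1"
}

# Constructed sample value, not taken from a real download.
SAMPLE='0083;60000000;Safari;00000000-0000-0000-0000-000000000000'
if [ "$#" -gt 0 ]; then inspect_app "$1"; else decode_quarantine "$SAMPLE"; fi
```

Run with the app's path as the only argument; the `codesign` and `spctl` messages are the kind of detail a developer needs to debug a failed launch check.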