Saturday, 2 November 2024

Sequoia and downloads

This note reports on problems people may come across with downloaded packages under macOS 15 (Sequoia).

When you use Safari or Firefox to download an archive (.dmg, .pkg, or compressed tar), it’s “put into quarantine” by adding the extended attribute com.apple.quarantine.

Tar archives

If you unpack a tar archive which has this attribute, all the unpacked files inherit the attribute. If an unpacked file is an executable and you try to execute it, you get the message ‘Operation not permitted’ and the execution fails.

You can clear the com.apple.quarantine extended attribute on the unpacked file tree by

xattr -r -d com.apple.quarantine {top of tree}

(the -r means “act recursively”).

Alternatively, you can remove the attribute from the archive before unpacking; or, even easier, remove all extended attributes by xattr -c {archive}.

.dmg or .pkg archives

If you double-click on a .dmg or .pkg, you’ll get a warning that the package wasn’t opened because “Apple could not verify [it] is free of malware that may harm your Mac or compromise your privacy”; you get the choice of quitting or moving the package to the Bin.

Until Sequoia, you could work round this by doing a right-button click on the icon and selecting Load. This no longer works.

One solution would be to remove the com.apple.quarantine attribute from the archive, as above.

A second would be to use curl to download the archive. For example,

curl -L -O https://github.com/simonjwright/distributing-gcc/releases/download/gcc-14.2.0-2-aarch64/gcc-14.2.0-2-aarch64-apple-darwin23.pkg

Unlike the browsers, curl doesn’t set the extended attribute on the archive.

Alire uses curl for its downloads.

No comments:

Post a Comment