In an earlier blog post, I explained why you can't "just right click" to open an unsigned app downloaded on macOS. It's not as simple as that. But can we make it simpler? When you download a file from the web, from email, or from an instant message, macOS "quarantines" the file. In technical terms, the
com.apple.quarantine extended attribute is added to the file. If you attempt to open a quarantined app, macOS Gatekeeper checks whether the app has been validly code signed and notarized. If the app fails this check, then Gatekeeper prevents the app from opening. However, if an app is not quarantined, then opening the app bypasses the Gatekeeper requirements. Is there a simple way to remove an app from quarantine?
You can delete the
com.apple.quarantine extended attribute from a file using the
/usr/bin/xattr command-line tool, but that's not very simple, because you have to switch to Terminal and type an error-prone command. Ideally, we want to "just right click" in Finder. This is where our old friend Otto comes in. (Otto? Auto parts?)
Otto is the icon of Automator app. We can use Automator to create a quick action in Finder to remove the quarantine from files. First, launch Automator app, which you can find in the Applications folder, and select "New" from the main menu. This opens a new untitled workflow. Then choose "Quick Action" as the type of workflow.
Set the workflow to receive files or folders in Finder app. Then drag a Run Shell Script action into the workflow, and set the action to pass input as arguments. Now we have the Automator workflow run the command
/usr/bin/xattr automatically, so that we don't have to run it manually in Terminal.
Here's the text of the script:
for f in "$@" do /usr/bin/xattr -drs "com.apple.quarantine" "$f" done
$@ is the code for the arguments passed to the script. In this case, the arguments are the paths of the files selected in Finder, so we're iterating over those, using the variable
f to signify the file. What does
-drs mean? You can do
man xattr in Terminal to read the fine manual for the
xattr tool. The
d stands for delete, indicating that the given attribute
com.apple.quarantine should be deleted. The
r stands for recursive, indicating that if the given file is a folder, then the quarantine attribute should also be deleted from all files contained within the folder. (Note that a Mac app is actually a folder containing all of the files needed by the app. You can see inside an app by selecting "Show Package Contents" from the contextual menu in Finder.) The
s stands for symlink, indicating that if the given file is a symbolic link, then
xattr should delete the quarantine from the link itself rather than from the linked file.
Finally, you should save the quick action. This is the hardest part of the whole process, because you have to spell "Quarantine" correctly.
Automator automatically saves the quick action in the folder
~/Library/Services, but you don't need to know this, because once the workflow is saved, it's now available in the Finder contextual menu. You should now see a "Remove Quarantine" menu item if you just right click!
There are a few places where you can find the new "Remove Quarantine" menu item. One is in the "Quick Actions" menu, which can be configured in the Extensions pane of System Preferences. You can also find "Remove Quarantine" in the "Services" menu, which can be configured in the Keyboard pane of System Preferences (under the Shortcuts tab). What I discovered recently is that the number of services enabled determines how the Finder contextual menu is displayed. If there are 4 or fewer relevant services, then Finder will display them at the top level of the menu (at the bottom of the menu), but if there are more than 4 relevant services, then Finder will put them in a "Services" submenu. So you might want to go into System Preferences and disable any services you don't use.
Once you remove a file from quarantine, you can open the file as usual in Finder without those pesky Gatekeeper alerts. Please use this power wisely though, and at your own risk. The standard disclaimers apply here: if your Mac gets pwned, it's not my fault, and I have no money anyway, so suing me would be fruitless. If you want to sue someone, sue the fruit company instead.