NASA Insignia
Site Title

Opening applications from 'unidentified developers' when you're not an admin

Problem: You have a non-administrator account on a Mac and wish to start a new application you just downloaded. However, the application was not 'cryotographically signed' with a certificate issued by Apple, and you need administrator-level privileges to start this from the Finder.


This web page will show you how you can fix this from the UNIX command line.

What you see from the Finder

When you start an application for the first time after downloading it, Apple tries to protect you from nefarious apps that may have downloaded without your permission. It tells you when you downloaded it and the name of the source web site. If it is not cryptographically signed, it won't even let you automatically start it, as shown by this dialog box:

unsigned app warning

What you don't want to do is to change your preferences; they are set to protect you. Instead, you can right-click (that is, control-click) on the application icon, and select the "Open" menu option.

right-click menu

The dialog box asks you again whether you wish to open it. Notice now that there are two buttons, with the Open button on the left, and the default being to Cancel (what happens if you hit Return).

right-click unsigned app warning

If you are an admin on this Mac, you then will see your name and a box to enter your password. If you are not an admin, you get two blank boxes, and you're stuck unless you can find an admin to authenticate for you:

empty admin dialog box

Ah, but wait: the UNIX command line to the rescue! If you own the application, you can fix this on your own.

Brief background explanation: The mechanism by which Apple prevents you from running something you downloaded without confirming it first is by use of the "extended attribute" called "quarantine". You can view and manipulate these extended attributes with the ls and xattr commands.

[By the way, you have to use Apple's /bin/ls, not the ls provided by the GNU Coreutils (part of the ASD MacPorts setup), because the latter does not know about the special needed flags.]

UNIX Command line solution

Start by showing the extended attributes of the application in question (SAOImage DS9, in this example).
Note the unusual e and @ flags to ls:

% ls -lae@ SAOImageDS9.app/
total 0
drwxr-xr-x@ 3 dfriedla  staff  102 Feb 27 12:53 .
	com.apple.quarantine	 57 
drwxr-xr-x  4 dfriedla  staff  136 Jul 11 13:49 ..
drwxr-xr-x@ 6 dfriedla  staff  204 Feb 27 12:53 Contents
	com.apple.quarantine	 57 

Now lets delete that attribute, using -d to delete and -r to do so recursively:

% xattr -r -d com.apple.quarantine SAOImageDS9.app
xattr: [Errno 13] Permission denied:
'SAOImageDS9.app//Contents/Frameworks/Tcl.framework/Tcl'
xattr: [Errno 13] Permission denied:
'SAOImageDS9.app//Contents/Frameworks/Tk.framework/Tk'

There is an interesting error above we will deal with in a moment, although it does not affect anything here.

Repeating the ls command from above shows the extended attribute is gone:

% ls -lae@ SAOImageDS9.app/
total 0
drwxr-xr-x  3 dfriedla  staff  102 Feb 27 12:53 .
drwxr-xr-x  4 dfriedla  staff  136 Jul 11 13:49 ..
drwxr-xr-x  6 dfriedla  staff  204 Feb 27 12:53 Contents

You should now be able to double-click to open the application from the Finder in the normal way and it should open with no dialog boxes.

You're done!

 


So what's the story with that error?

It turns out in this case that the two files complaining above were simply read-only, even by the file owner. Changing them to read-write and repeating the xattr command (which one could apply to the entire application again or just those two files) solved it.

% ls -l SAOImageDS9.app/Contents/Frameworks/Tcl.framework/Tcl
-r-xr-xr-x@ 1 dfriedla  staff  1380012 Feb 27 12:41 SAOImageDS9.app/Contents/Frameworks/Tcl.framework/Tcl
% ls -l SAOImageDS9.app/Contents/Frameworks/Tk.framework/Tk 
-r-xr-xr-x@ 1 dfriedla  staff  1228232 Feb 27 12:44 SAOImageDS9.app/Contents/Frameworks/Tk.framework/Tk

% cd SAOImageDS9.app/Contents/Frameworks/ # just to make commands shorter and more readable

% ls -lae@ Tcl.framework/Tcl Tk.framework/Tk
-r-xr-xr-x@ 1 dfriedla  staff  1380012 Feb 27 12:41 Tcl.framework/Tcl
	com.apple.quarantine	     57 
-r-xr-xr-x@ 1 dfriedla  staff  1228232 Feb 27 12:44 Tk.framework/Tk
	com.apple.quarantine	     57 

% chmod u+w  Tcl.framework/Tcl Tk.framework/Tk       
% xattr -d com.apple.quarantine Tcl.framework/Tcl Tk.framework/Tk

% ls -lae@ Tcl.framework/Tcl Tk.framework/Tk
-rwxr-xr-x  1 dfriedla  staff  1380012 Feb 27 12:41 Tcl.framework/Tcl
-rwxr-xr-x  1 dfriedla  staff  1228232 Feb 27 12:44 Tk.framework/Tk

David Friedlander, 12 July 2018