fix(install): strip macOS quarantine in the curl installer #177

Merged: pofallon merged 1 commit into main from fix/install-macos-quarantine on Jun 5, 2026
@pofallon pofallon commented Jun 5, 2026

Problem

Mac users who install a release see: "Apple could not verify 'deacon' is free of malware that may harm your Mac or compromise your privacy." Our release binaries are unsigned/un-notarized, so macOS Gatekeeper blocks them whenever they carry the com.apple.quarantine attribute (set by browser/Finder downloads).

Fix (curl-installer side)

install.sh now removes com.apple.quarantine from the installed binary on macOS (after chmod +x).

  • curl/wget downloads are not quarantined, so for the piped curl … | bash flow this is usually a no-op — it's belt-and-suspenders that also covers binaries that arrived via a quarantining path.
  • Double-guarded: runs only when os == macos and xattr exists, so Linux/Windows installs are unaffected.
  • The deploy-pages job copies scripts/install.sh verbatim, so this ships with the next release.

Validated with bash -n. Function is a no-op on this Linux box (no xattr).

Not included (follow-ups, by design)

  • This does not help users who download the archive in a browser and double-click it — only true notarization (Apple Developer ID, $99/yr) removes the prompt for that path.
  • The hosted installer still needs a release to run for the Pages site to go live (the enablement:true fix is on main but no release has run since).
  • Optional: add the xattr -d com.apple.quarantine ./deacon one-liner to the release-notes "Install" section / README for manual-download users.

🤖 Generated with Claude Code

Gatekeeper blocks our unsigned/un-notarized binaries with "Apple could
not verify 'deacon' is free of malware" when they arrive via a
quarantining download path (browser/Finder). The installer now removes
the com.apple.quarantine attribute after placing the binary on macOS.

curl/wget downloads aren't quarantined, so for a piped install this is
typically a no-op — it's belt-and-suspenders and double-guarded (macOS
only, and only when `xattr` is available), so Linux/Windows installs are
unaffected.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

github-actions bot added the ci (CI/CD changes) label on Jun 5, 2026
pofallon merged commit 1cd6074 into main on Jun 5, 2026
11 checks passed
pofallon deleted the fix/install-macos-quarantine branch on June 5, 2026 12:11
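
The double-guarded removal the PR describes, sketched as an added example; it is not the project's install.sh, whose diff is not shown on this page. The function names and status strings are assumptions; `xattr -p`, `xattr -d` and the `com.apple.quarantine` attribute name are the real macOS ones.

```shell
#!/usr/bin/env bash
# Added example, not the project's install.sh. Function names and the
# status strings are assumptions made for illustration.

QUARANTINE_ATTR="com.apple.quarantine"

# Map `uname -s` onto the os label the guard compares against.
detect_os() {
  case "$(uname -s)" in
    Darwin) echo "macos" ;;
    Linux)  echo "linux" ;;
    *)      echo "other" ;;
  esac
}

# strip_quarantine OS FILE
# Removes the quarantine attribute from FILE only (never recursive) and
# prints what happened. Always returns 0 so a failed strip cannot abort
# an install that is otherwise complete.
strip_quarantine() {
  os=$1
  file=$2

  # Guard 1: macOS only.
  [ "$os" = "macos" ] || { echo "skipped-not-macos"; return 0; }

  # Guard 2: the xattr tool must exist.
  command -v xattr >/dev/null 2>&1 || { echo "skipped-no-xattr"; return 0; }

  # xattr -p exits non-zero when the attribute is absent, which is the
  # usual case for a binary fetched with curl or wget.
  if ! xattr -p "$QUARANTINE_ATTR" "$file" >/dev/null 2>&1; then
    echo "not-quarantined"
    return 0
  fi

  if xattr -d "$QUARANTINE_ATTR" "$file" 2>/dev/null; then
    echo "removed"
  else
    echo "failed"
  fi
  return 0
}

# Stand-alone use: pass the installed binary's path as the first argument.
if [ "$#" -gt 0 ]; then
  strip_quarantine "$(detect_os)" "$1"
fi
```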