With the help ChatGPT I put together a go program. It ran fine on the macOS machine I compiled it on, however once it was transferred to another machine, via the internet it wouldn’t run on the other machine.

When you move around compiled binaries between machines, especially on macOS, you might run into an annoying little issue:

getCertInfo can’t be opened because Apple cannot check it for malicious software. 

This software needs to be updated. Contact the developer for more information

Chrome downloaded this file today at 22:06.

It was frustrating because the program ran perfectly on the machine where I had compiled it, but macOS flagged it as potentially dangerous after the transfer. This isn’t something new for Windows users, but I wasn’t expecting it on macOS.

The Culprit: Extended Attributes

After a bit of digging, I realized this had to do with the so-called “Mark of the Web” (similar to what Windows does with downloaded files). On macOS, this takes the form of the Extended Attributes. Any file downloaded via browsers, emails, or cloud services gets flagged with this attribute, which tells macOS to restrict its execution until it can be “checked.”

I ran xattr to see the attributes of the file:

❯ xattr -l getCertInfo
com.apple.provenance:
com.apple.quarantine: 0081;66fe7d3e;Chrome;

There it was! The com.apple.Extended Attributes was causing all the trouble. It was applied by Chrome after downloading from Google Drive, hence the issue.

The Fix: Remove the Extended Attributes

The longer term solution is to notarize the software, however that is a task in itself. In this case we built the software so it’s provenance is known. Removing this Extended Attribute that was added when it was downloaded is a pretty straightforward process. I used xattr again, this time with the -c flag to clear all extended attributes on the file:

❯ xattr -c getCertInfo

After that, I ran the xattr -l command again just to confirm, and voila! No attributes were returned, meaning the quarantine flag was gone. I could now run my program without macOS throwing any more warnings.

Running getCertInfo

With the quarantine flag removed, I was able to run my program, which is designed to pull and display certificate details for a given URL. Here’s an example for thewayeye.net:

❯ ./getCertInfo https://thewayeye.net

{
  "subject": "CN=thewayeye.net",
  "issuer": "CN=WE1,O=Google Trust Services,C=US",
  "serial_number": "231711055811292949721405076819704224698",
  "valid_from": "2024-09-04 18:49:31 +0000 UTC",
  "valid_until": "2024-12-03 18:49:30 +0000 UTC",
  "is_ca": false,
  "key_usage": [
    "Digital Signature"
  ],
  "extended_key_usage": [
    "Server Authentication"
  ],
  "san": {
    "dns_names": [
      "thewayeye.net"
    ],
    "ip_addresses": [],
    "email_addresses": null
  },
  "public_key": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEY/3mm1kK0gy945UGk9wgpJHv+Rti\nyzH9XxUWywk00nVg0Z9r0hiy3LCVEMz9yHBMLjwaaeWg3kpJ4NWoZ9x9KQ==\n-----END PUBLIC KEY-----\n",
  "certificate_status": "Valid",
  "days_until_expiry": 59,
  "signature_algorithm": "ECDSA-SHA256",
  "version": 3,
  "sha256_fingerprint": "b49cf7a7ad2a80eff33eca50790125341c867247d5066093705c738e963723a4",
  "sha1_fingerprint": "fe68db5e0c3f5a2e6c10ab20824b80952b9cfe2a",
  "crl_distribution_points": [
    "http://c.pki.goog/we1/fJedmL2peto.crl"
  ],
  "authority_info_access": [
    "Found AIA (complex data)"
  ],
  "tls_session_info": {
    "server_name": "thewayeye.net",
    "cipher_suite": "TLS_AES_128_GCM_SHA256",
    "tls_version": "TLS 1.3",
    "negotiated_protocol": "h2",
    "alpn_used": true,
    "ocsp_stapled": true,
    "handshake_complete": true,
    "peer_certificates": 3,
    "mutual_tls": false,
    "resumed_session": false
  },
  "certificate_chain": [
    {
      "subject": "CN=thewayeye.net",
      "issuer": "CN=WE1,O=Google Trust Services,C=US",
      "valid_from": "2024-09-04 18:49:31 +0000 UTC",
      "valid_until": "2024-12-03 18:49:30 +0000 UTC",
      "is_ca": false,
      "role": "Leaf Certificate (Server Certificate)"
    },
    {
      "subject": "CN=WE1,O=Google Trust Services,C=US",
      "issuer": "CN=GTS Root R4,O=Google Trust Services LLC,C=US",
      "valid_from": "2023-12-13 09:00:00 +0000 UTC",
      "valid_until": "2029-02-20 14:00:00 +0000 UTC",
      "is_ca": true,
      "role": "Intermediate Certificate"
    },
    {
      "subject": "CN=GTS Root R4,O=Google Trust Services LLC,C=US",
      "issuer": "CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE",
      "valid_from": "2023-11-15 03:43:21 +0000 UTC",
      "valid_until": "2028-01-28 00:00:42 +0000 UTC",
      "is_ca": true,
      "role": "Root Certificate"
    }
  ]
}

This output provides a detailed breakdown of the SSL/TLS certificate information, showing everything from the subject and issuer details to the key usage, SAN fields, and the TLS session info. It even calculates how many days are left before the certificate expires (61 days in this case, so I need to renew soon).

Lesson Learned

While it’s easy to get frustrated when something doesn’t work right away, macOS’s quarantine feature is actually a useful security measure. That said, knowing how to work around it is crucial for anyone moving files around different environments, especially when dealing with binaries.

If you ever encounter this issue, remember: xattr -c is your friend.