[macOS][10.15] libhostfxr.dylib cannot be opened because Apple can't verify if it contains malware

[thebluepotato]

When opening Jackett in macOS 10.15 Catalina beta 3, an alert pops up saying that libhostfxr.dylib cannot be opened. This is due to a new Gatekeeper policy in Catalina.

Here's the error in the Terminal:

Failed to load 1, error: dlopen(/Applications/Jackett/libhostfxr.dylib, 1): no suitable image found.  Did find:
	/Applications/Jackett/libhostfxr.dylib: code signature in (/Applications/Jackett/libhostfxr.dylib) not valid for use in process using Library Validation: Library load disallowed by System Policy
The library libhostfxr.dylib was found, but loading it from /Applications/Jackett/libhostfxr.dylib failed
  - Installing .NET Core prerequisites might help resolve this problem.
     https://go.microsoft.com/fwlink/?LinkID=798306&clcid=0x409

Jackett version: 0.11.463 (I'm using the macOS binaries)

---

[rrrevin]

Look at the line : - Installing .NET Core prerequisites might help resolve this problem.

Have you tried that?
https://github.com/dotnet/docs/blob/master/docs/core/macos-prerequisites.md

[thebluepotato]

Will try it, shouldn't those dependencies be bundled with Jackett already as Mono is not required anymore? Moreover, looking even more closely at the error message, the issue is not that the file wasn't found, but that checking it for malware wasn't possible. This is a macOS 10.15 Catalina-specific issue, which I surmise won't change if the file is identical. Nevertheless, will try afterwards!

[thebluepotato]

Result: even after installing the full .NET Core 2.2 package, Jackett cannot be opened, with exactly the same error message.
More info on Gatekeeper: https://eclecticlight.co/2019/06/12/grokking-gatekeeper-in-catalina/

[thebluepotato]

Found a workaround, but it is extremely unorthodox. The user can still run unchecked dylib/dll files by allowing them manually in Gatekeeper preferences under Security and Privacy. However this has to be done one-by-one and jackett has to be relaunched manually all the time. Here comes the hack: manually setting the quarantine flag of each dylib and dll in the Jackett directory!
Read the quarantine attribute of one dll:

xattr -p com.apple.quarantine libhostfxr.dylib

Copy the string (should be something like 0081;5d1bec70;Archive Utility;0622FF31-4499-4EBA-954A-EDC879E4010A) but replace the first 4 characters by 00c1 which tells Gatekeeper to shut up. Then use your modified string:

xattr -w com.apple.quarantine "00c1;5d1bec70;Archive Utility;0622FF31-4499-4EBA-954A-EDC879E4010A" -- *.{dylib,dll}

This will effectively whitelist all the dll and dylib files, allowing Jackett to run.
I'll file an issue with .NET so that issue can be addressed (involves signing with Xcode which can't really be done for Jackett).

[protura]

Unfortunately it didn't work for me, perhaps I'm doing this wrong?

xattr -w com.apple.quarantine 0081;5d1b7a45;Archive\x20Utility;254CAEC3-9CD2-4291-A5D3-D62D7A9CF988 -- *.{dylib,dll}

Returns:

-bash: 5d1b7a45: command not found -bash: Archivex20Utility: command not found -bash: 254CAEC3-9CD2-4291-A5D3-D62D7A9CF988: command not found

Cheers!

[thebluepotato]

Yeah the ; are considered by bash as being end-of-line characters. My mistake, you should surround the value with quotes, see my edit.

[thebluepotato]

Moreover, don't forget to use 00c1;..... not 0081;.....

[ldexterldesign]

Hi all,

Hope you're well

Just upgraded macOS to Catalina and Jackett is broken because of this...

If I action "Cancel" then dialog just returns every few seconds

I followed [A]pple instructions to open an app from an unidentified developer - neither appear to work

Same or different issue?:

• If same then OP feel free to update [t]itle and what's fix
• If different then I'll create a new issue

Yours hopefully

a: https://support.apple.com/en-mt/guide/mac-help/mh40616/mac
t: "Cannot be opened because the developer cannot be verified" and/or "macOS cannot verify that this app is free from malware"

[ldexterldesign]

FYI

Copy the string (should be something like 0081;5d1bec70;Archive Utility;0622FF31-4499-4EBA-954A-EDC879E4010A) but replace the first 4 characters by 00c1 which tells Gatekeeper to shut up. Then use your modified string:

xattr -w com.apple.quarantine "00c1;5d1bec70;Archive Utility;0622FF31-4499-4EBA-954A-EDC879E4010A" -- *.{dylib,dll}

This will effectively whitelist all the dll and dylib files, allowing Jackett to run.

This worked for me (i.e. without --):

xattr -w com.apple.quarantine "00c1;5da86185;Vivaldi;C846B94B-F857-4C39-852C-64F687F2FBC3" *.{dylib,dll}

To clarify, who's fault is this (e.g. Apple, jackett dependency or jacket core)?

Hope this helps

Regards

PS @thebluepotato thanks!

[ldexterldesign]

Also...

[...] and jackett has to be relaunched manually all the time

Thankfully not the case for me

Hope this helps

Regards

[flamekain]

Hi all,

Hope you're well

Just upgraded macOS to Catalina and Jackett is broken because of this...

If I action "Cancel" then dialog just returns every few seconds

I followed [A]pple instructions to open an app from an unidentified developer - neither appear to work

Same or different issue?:

* If same then OP feel free to update [t]itle and what's fix

* If different then I'll create a new issue

Yours hopefully

a: https://support.apple.com/en-mt/guide/mac-help/mh40616/mac
t: "Cannot be opened because the developer cannot be verified" and/or "macOS cannot verify that this app is free from malware"

This helps! the xattr way resolve one of my libfile, but failed on the next one, this way should be the correct one.

[orenwolf]

I just experienced this on upgrade to Catalina.

The fix was to leave the 'security & privacy" window open. Every time you click "cancel" the DLL will show up with "Allow Anyway" as an option. If you click on that (for every single DLL, ugh), then if you relaunch Jackett, it will then show the same "cannot be opened" dialog but with one significant exception - it now has an "open" option. Once you click on each of these (again, for each DLL!), then restart Jackett a third time, it will have updated the attributes for each file and no longer error out.

This was a good 15 minutes of clicking, but it resolved the issue.

[punkhop]

There must be some way to get around this solution to save everyone from clicking for 15 minutes...?

[donfrancisco]

@punkhop @thebluepotato @rrrevin @protura @orenwolf

There are two tips I used to solve the Jackett malware popup issue.

1) Quarantine removal

The first tip is to remove quarantine flag in a recursive manner for your intended folder:

$ sudo xattr -r -d com.apple.quarantine /path/to/folder

In this case for Jackett use:

$ sudo xattr -r -d com.apple.quarantine /path/to/Jackett

The command will recursively delete the extended attribute (xattr) of com.apple.quarantine attribute recursively to the files in the folder.

The (-r) option will allow the quarantine attribute of all files inside the application to be selected, while the (-d) deletes the extended attribute name.

You can find more information in the extended attributes (xattr) help page:

$ xattr -h

2) Terminal "Privacy"

The second tip is setting the Terminal "privacy".

System Preferences -> Security & Privacy -> Privacy and select "Developer Tools" on the left, and add terminal to allow.

This step allows the Terminal app to run software locally that does not meet the system's security policy.

Apple Support Reference:

Safely open apps on your Mac

https://support.apple.com/en-us/HT202491

[punkhop]

@donfrancisco Thanks man! Will this let me install Jackett as a service so it runs at startup? For now, I'm manually running the Jackett app and minimizing the terminal window and leaving it running all the time in the dock.

[ngosang]

@thebluepotato is this solved?

[gargolito]

I ran into this issue today so I wrote a little bash function

macallow () {
    if [[ $# -gt 0 ]]; then
        for f in $@; do
            sudo xattr -d -r com.apple.quarantine $(realpath $f)
        done
    else
        echo syntax: macallow [filename or wildcard]
    fi
}

[ngosang]

@gargolito Jackett doesn't have an active MacOS developer. Could you help us to improve the macos_installer so it works out-the-box for all users? Take a look at #8329 too. If you can open a PR many users will benefit.

[thebluepotato]

In my PR, I've taken a different approach based on my initial fix in this thread, namely telling Gatekeeper that the files are ok rather than deleting the attribute.

[ngosang]

@ all in this issue. Could you test this? #8915
You can download the binaries from here https://dev.azure.com/Jackett/0f0cb3d0-9b6b-4a86-876d-0c2e17c18801/_apis/build/builds/657/artifacts?artifactName=drop&api-version=5.1&%24format=zip

[thebluepotato]

@ngosang I’ve tested my own PR and found that it managed to install and get Jackett running from a fresh install without any issues. I’ve also sanity-checked that without running the script, Jackett wouldn’t launch due to Gatekeeper.
There are some optimisations that could be done in the script:

• The script kills Jackett in the background if it’s already running but it doesn’t wait before checking again, causing the script to stop
• The script could/should ask for an install directory

However, these are beyond the scope of this issue and PR. I also gladly invite others to test so it can be merged soon!

[ngosang]

@thebluepotato I trust you, my sole concern is if this will work on old MacOS versions. Will be merged in a couple of days unless someone has objections. I think @garfield69 can test it too.

There are more MacOS issues. Maybe you can help too (in other PRs) OS MacOS

[thebluepotato]

@ngosang No worries! As for older macOS versions, I'm not sure whether the com.apple.quarantine attribute is inexistent or if it exists but Gatekeeper stays silent. I should add some checks to the code for that (but I don't have old mac versions available to test).

[garfield69]

Jackett 0.16.691

[drhumlen]

I had a similar error after installing dotnet preview 6 on my m1 macbook to try dotnet on arm.

I solved it by just deleting the folder 6.0.0-preview.3.21201.4 in /usr/local/share/dotnet/host/fxr.

After deleting it, dotnet started worked again.