Ever since macOS started enforcing code signing there’s been the occasional hoop to jump through to get non-App Store software to run. Typically it’s as easy as right-clicking on the binary and choosing Open, which is all well and good until that application needs to launch a subsequent one. Recently I downloaded the ISO for vCenter Server Appliance and double-clicked on it to mount it. I then navigated to:
/Volumes/VMware VCSA/vcsa-ui-installer/mac
Once here, I double-clicked Installer[.app] and of course got the following:
I dutifully two-finger-clicked (i.e., right-click) and chose Open and then Open again and proceeded with the initial vCenter configuration. Not too far into the process, Installer wanted to call ovftool but since this was a direct launch, I received a message similar to the previous one:
At this point, I couldn’t find a way to work around this security control directly so I decided to do some research. As with most things VMware-related I came across a post by William Lam, specifically one entitled How to exclude VCSA UI/CLI Installer from MacOS Catalina Security Gatekeeper?. This post led me to this command:
sudo xattr -r -d com.apple.quarantine <directory of ISO contents>
but that assumes you’ve copied the ISO to another drive and are not running it directly as if it were a read-only file system, mounted much like the DVD media it represents. I copied all ~8GB of the ISO to my local SSD, issued the command above and, sure enough, it was going to work. I wasn’t happy with this, however, and was determined to run this installer from the ISO as intended. The root of the problem is that when you mount the ISO, either by double-clicking on it in Finder or by issuing an hdiutil mount image.iso, it mounts the file system with the quarantine option:
I did some quick research on how to mount an ISO without this option using any of mount, hdiutil, diskutil or Disk Utility[.app] to no avail. I did notice, however, that after I unmounted the ISO using diskutil unmount /dev/disk3, the image remained in the sidebar, albeit greyed out:
I decided to right-click on it here and choose Mount:
A quick check over in Terminal[.app] and voilà, no quarantine!
At this point I navigated to the Installer once again and was able to run through to completion without any security notifications. I’m not sure if this is a well-known workaround but I didn’t find any reference to it online so hopefully someone will benefit from it.
TL;DR: Instructions for running installers directly from read-only mounted file systems on macOS:
- Double-click the image so that it mounts normally with DiskImageMounter.app
- Issue the following CLI command to unmount it: diskutil unmount /dev/diskX
- Launch Disk Utility.app
- Right-click the image name in the sidebar and choose Mount
- Your installer can be run directly from the r/o filesystem
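To confirm which mounted volumes still carry the quarantine option before and after remounting, the following is an added example (not from the original post) that parses mount output and reports the state per mount point, including mount points with spaces such as /Volumes/VMware VCSA. The function names, the sample lines and the assumed output layout ("<device> on <mount point> (<options>)") are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `mount` output (assumed layout:
# "<device> on <mount point> (<option>, <option>, ...)").
SAMPLE_MOUNT_OUTPUT='/dev/disk1s1 on / (apfs, local, journaled)
/dev/disk3 on /Volumes/VMware VCSA (cd9660, local, nodev, nosuid, read-only, noowners, quarantine, mounted by user)
/dev/disk4 on /Volumes/Tools (cd9660, local, nodev, nosuid, read-only, noowners, mounted by user)'

# Read mount output on stdin; print "<state><TAB><mount point>" per volume,
# where state is "quarantine" or "clean".
quarantine_report() {
    while IFS= read -r line; do
        case "$line" in
            *" on "*" ("*")") ;;   # looks like a mount entry
            *) continue ;;          # skip anything else
        esac
        opts=${line##*" ("}         # text after the last " ("
        opts=${opts%")"}            # drop the closing parenthesis
        entry=${line%" ("*}         # "<device> on <mount point>"
        mnt=${entry#*" on "}        # mount point, spaces preserved
        # Match the option as a whole list item, not as a substring.
        case ", $opts," in
            *", quarantine,"*) state=quarantine ;;
            *)                 state=clean ;;
        esac
        printf '%s\t%s\n' "$state" "$mnt"
    done
}

# Print the state of one mount point ($1), or "not-mounted".
volume_state() {
    quarantine_report | awk -F '\t' -v want="$1" '
        $2 == want { print $1; found = 1 }
        END { if (!found) print "not-mounted" }'
}

# Demo on the constructed sample; on a Mac use: mount | quarantine_report
printf '%s\n' "$SAMPLE_MOUNT_OUTPUT" | quarantine_report
```

Running mount | volume_state "/Volumes/VMware VCSA" after each mount method shows whether the volume was attached with or without the option.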