
"mc" was not opened because it contains malware. This action did not harm your Mac. #19078

Open
3 tasks done
mluboroscev opened this issue Jan 11, 2025 · 9 comments
Labels
bug Reproducible Homebrew/brew bug

Comments

@mluboroscev

brew doctor output

Please note that these warnings are just used to help the Homebrew maintainers
with debugging if you file an issue. If everything you use Homebrew for is
working fine: please don't worry or file an issue; just ignore this. Thanks!

Warning: Some installed formulae are deprecated or disabled.
You should find replacements for the following formulae:
  imap-uw

Verification

  • My "brew doctor output" above says Your system is ready to brew. and am still able to reproduce my issue.
  • I ran brew update twice and am still able to reproduce my issue.
  • This issue's title and/or description do not reference a single formula e.g. brew install wget. If they do, open an issue at https://github.com/Homebrew/homebrew-core/issues/new/choose instead.

brew config output

HOMEBREW_VERSION: 4.4.15
ORIGIN: https://github.com/Homebrew/brew
HEAD: b6fafba4864d65acabf966415e14b2dd86d81e1a
Last commit: 7 days ago
Branch: stable
Core tap JSON: 11 Jan 17:18 UTC
Core cask tap JSON: 11 Jan 17:18 UTC
HOMEBREW_PREFIX: /opt/homebrew
HOMEBREW_CASK_OPTS: []
HOMEBREW_MAKE_JOBS: 16
Homebrew Ruby: 3.3.6 => /opt/homebrew/Library/Homebrew/vendor/portable-ruby/3.3.6/bin/ruby
CPU: 16-core 64-bit arm_palma
Clang: 16.0.0 build 1600
Git: 2.48.0 => /opt/homebrew/bin/git
Curl: 8.7.1 => /usr/bin/curl
macOS: 15.2-arm64
CLT: 16.2.0.0.1.1733547573
Xcode: 16.2
Rosetta 2: false

What were you trying to do (and why)?

I ran the mc program in the terminal.

What happened (include all command output)?

After running it, I got an error window “Malware Blocked and Moved to Bin. "mc" was not opened because it contains malware. This action did not harm your Mac.” on my screen and the mc binary was moved to the trash.
Screenshot 2025-01-11 at 19 46 58

What did you expect to happen?

Starting Midnight Commander.

Step-by-step reproduction instructions (by running brew commands)

Open Terminal
[~]$ mc
[1]    7155 killed     mc
[~]$ mc
/opt/homebrew/bin/mc: line 2: /opt/homebrew/Cellar/midnight-commander/4.8.32/libexec/bin/mc: No such file or directory
/opt/homebrew/bin/mc: line 2: exec: /opt/homebrew/Cellar/midnight-commander/4.8.32/libexec/bin/mc: cannot execute: No such file or directory
[~]$ brew reinstall mc
==> Downloading https://ghcr.io/v2/homebrew/core/midnight-commander/manifests/4.8.32
Already downloaded: /Users/Maddyson/Library/Caches/Homebrew/downloads/1debe8b4b5d2a23dc6ce503cb9ed8a673cbc919f1eb088a273b28d8001ffd495--midnight-commander-4.8.32.bottle_manifest.json
==> Fetching midnight-commander
==> Downloading https://ghcr.io/v2/homebrew/core/midnight-commander/blobs/sha256:d4a361245ce1023f004e6e8204b11ba9
Already downloaded: /Users/Maddyson/Library/Caches/Homebrew/downloads/752462de3f26be39fd6b7b21452ed723e824d47eb66681c2b7393a39d7f90237--midnight-commander--4.8.32.arm64_sequoia.bottle.tar.gz
==> Reinstalling midnight-commander 
==> Pouring midnight-commander--4.8.32.arm64_sequoia.bottle.tar.gz
🍺  /opt/homebrew/Cellar/midnight-commander/4.8.32: 355 files, 7.8MB
==> Running `brew cleanup midnight-commander`...
Disable this behaviour by setting HOMEBREW_NO_INSTALL_CLEANUP.
Hide these hints with HOMEBREW_NO_ENV_HINTS (see `man brew`).
[~]$ mc
[1]    7155 killed     mc
[~]$ mc
/opt/homebrew/bin/mc: line 2: /opt/homebrew/Cellar/midnight-commander/4.8.32/libexec/bin/mc: No such file or directory
/opt/homebrew/bin/mc: line 2: exec: /opt/homebrew/Cellar/midnight-commander/4.8.32/libexec/bin/mc: cannot execute: No such file or directory
@mluboroscev mluboroscev added the bug Reproducible Homebrew/brew bug label Jan 11, 2025
@Bo98
Member

Bo98 commented Jan 11, 2025

Might be related to issues affecting other software this week: https://www.bleepingcomputer.com/news/security/docker-desktop-blocked-on-macs-due-to-false-malware-alert/. Will need further investigation into console logs for why it's suddenly rejecting it.

@drunk-moe

drunk-moe commented Jan 12, 2025

What's weird is that for most applications I try to run spctl on that are homebrew I just get rejected. If I try to run it on midnight-commander, the following is returned:

sudo spctl --assess /opt/homebrew/Cellar/midnight-commander/4.8.32/libexec/bin/mc
/opt/homebrew/Cellar/midnight-commander/4.8.32/libexec/bin/mc: notarization indicates this code has been revoked

Also, it only seems to freak out when I use mc over SSH, if I use it locally I don't have an issue.

More than happy to provide anything useful - I'd love to just override this but I'm not sure if there's any command I can run to do so except disabling gatekeeper system wide, which I do not want to do (unfortunately since it only happens when I run the application over SSH I cannot use System Settings to override it.)

One last edit, checked log stream while trying to launch the app - Apple did indeed revoke this (which I guess means blacklist it since I doubt it was notarized):

syspolicyd: (Security) SecKeyVerifySignature
syspolicyd: (Security) [com.apple.securityd:SecError] Notarization daemon found revoked hash: {length = 20, bytes = 0x01abd023bf050ca96408fbe34a819b6167df9276}
syspolicyd: (Security) [com.apple.securityd:security_exception] MacOS error: -66992

@Bo98
Member

Bo98 commented Jan 12, 2025

> since I doubt it was notarized

Indeed, there should be no notarization on any Homebrew formulae. rejected should be correct (as Homebrew formulae don't have, and don't need, full signing & notarization). In fact notarization should be impossible since it requires an Apple account and final basic ad-hoc signing is performed on your machine. So does seem to be a basic signature check.

I'm not entirely sure why this has been flagged. How Apple even know about it is odd too given it was never registered with them, and surely we haven't hit the astronomically low chance of a hash collision. We could just rebuild it and the hash will change I guess and "fix" the issue. 🤷‍♂️

Can you run codesign -dvvv on that file and confirm you are seeing that CDHash and that it's adhoc signed?

Also post the output of jq .built_on.os_version /opt/homebrew/Cellar/midnight-commander/4.8.32/INSTALL_RECEIPT.json. Each macOS version will have a different hash so would be useful to know which one you're having issues with (in theory it would be macOS 15 but it might be macOS 14 if you had it installed prior to upgrading to macOS 15).

@drunk-moe

It was indeed built on macOS 15 (output from the jq command indicated "macOS 15")

Also, bizarre thing, I am seeing stuff returned from codesign on the file in libexec but not bin:

/opt/homebrew/Cellar/midnight-commander/4.8.32/bin/mc:

$ sudo spctl --assess /opt/homebrew/Cellar/midnight-commander/4.8.32/bin/mc
/opt/homebrew/Cellar/midnight-commander/4.8.32/bin/mc: rejected

$ sudo codesign -dvvv /opt/homebrew/Cellar/midnight-commander/4.8.32/bin/mc
/opt/homebrew/Cellar/midnight-commander/4.8.32/bin/mc: code object is not signed at all

On /opt/homebrew/Cellar/midnight-commander/4.8.32/libexec/bin/mc:

$ sudo spctl --assess /opt/homebrew/Cellar/midnight-commander/4.8.32/libexec/bin/mc
/opt/homebrew/Cellar/midnight-commander/4.8.32/libexec/bin/mc: notarization indicates this code has been revoked

$ sudo codesign -dvvv /opt/homebrew/Cellar/midnight-commander/4.8.32/libexec/bin/mc
Executable=/opt/homebrew/Cellar/midnight-commander/4.8.32/libexec/bin/mc
Identifier=mc-5555494476296be716cc37bbb281b42db598b73c
Format=Mach-O thin (arm64)
CodeDirectory v=20400 size=7492 flags=0x2(adhoc) hashes=228+2 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=01abd023bf050ca96408fbe34a819b6167df9276
CandidateCDHashFull sha256=01abd023bf050ca96408fbe34a819b6167df927626533c27e3e2f820ec09ffb9
Hash choices=sha256
CMSDigest=01abd023bf050ca96408fbe34a819b6167df927626533c27e3e2f820ec09ffb9
CMSDigestType=2
CDHash=01abd023bf050ca96408fbe34a819b6167df9276
Signature=adhoc
Info.plist=not bound
TeamIdentifier=not set
Sealed Resources=none
Internal requirements count=0 size=12

Let me know if anything else is needed. Hopefully rebuilding it will fix it.

@Bo98
Member

Bo98 commented Jan 12, 2025

> Also, bizarre thing, I am seeing stuff returned from codesign on the file in libexec but not bin:

The one in bin is just a shell script wrapper, so no code signing there as it's not a binary. It's a plain text file you can see the contents of.

Not all formulae are like that. midnight-commander is as it needs to add GNU diff to the PATH before execution.

@drunk-moe

Gotchya, that makes sense. Thanks for your quick responses!

@mluboroscev
Author

> > since I doubt it was notarized
>
> Indeed, there should be no notarization on any Homebrew formulae. rejected should be correct (as Homebrew formulae don't have, and don't need, full signing & notarization). In fact notarization should be impossible since it requires an Apple account and final basic ad-hoc signing is performed on your machine. So does seem to be a basic signature check.
>
> I'm not entirely sure why this has been flagged. How Apple even know about it is odd too given it was never registered with them, and surely we haven't hit the astronomically low chance of a hash collision. We could just rebuild it and the hash will change I guess and "fix" the issue. 🤷‍♂️
>
> Can you run codesign -dvvv on that file and confirm you are seeing that CDHash and that it's adhoc signed?
>
> Also post the output of jq .built_on.os_version /opt/homebrew/Cellar/midnight-commander/4.8.32/INSTALL_RECEIPT.json. Each macOS version will have a different hash so would be useful to know which one you're having issues with (in theory it would be macOS 15 but it might be macOS 14 if you had it installed prior to upgrading to macOS 15).

[~]$ codesign -dvvv /opt/homebrew/Cellar/midnight-commander/4.8.32/libexec/bin/mc

Executable=/opt/homebrew/Cellar/midnight-commander/4.8.32/libexec/bin/mc
Identifier=mc-5555494476296be716cc37bbb281b42db598b73c
Format=Mach-O thin (arm64)
CodeDirectory v=20400 size=7492 flags=0x2(adhoc) hashes=228+2 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=01abd023bf050ca96408fbe34a819b6167df9276
CandidateCDHashFull sha256=01abd023bf050ca96408fbe34a819b6167df927626533c27e3e2f820ec09ffb9
Hash choices=sha256
CMSDigest=01abd023bf050ca96408fbe34a819b6167df927626533c27e3e2f820ec09ffb9
CMSDigestType=2
CDHash=01abd023bf050ca96408fbe34a819b6167df9276
Signature=adhoc
Info.plist=not bound
TeamIdentifier=not set
Sealed Resources=none
Internal requirements count=0 size=12

[~]$ jq .built_on.os_version /opt/homebrew/Cellar/midnight-commander/4.8.32/INSTALL_RECEIPT.json
"macOS 15"
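
The correlation made by hand in the comments above (CDHash from `codesign -dvvv` against the hash in the syspolicyd log line) can be scripted. This is an added example, not part of any comment in this thread and not Homebrew code; the function names are hypothetical and the sample text is copied from the outputs posted above.

```shell
#!/bin/sh
# Added example (not Homebrew code). Sample text is copied from the outputs
# posted in this thread, trimmed to the fields the check needs.
CODESIGN_SAMPLE='Executable=/opt/homebrew/Cellar/midnight-commander/4.8.32/libexec/bin/mc
CodeDirectory v=20400 size=7492 flags=0x2(adhoc) hashes=228+2 location=embedded
CandidateCDHashFull sha256=01abd023bf050ca96408fbe34a819b6167df927626533c27e3e2f820ec09ffb9
CDHash=01abd023bf050ca96408fbe34a819b6167df9276
Signature=adhoc
TeamIdentifier=not set'
WRAPPER_SAMPLE='/opt/homebrew/Cellar/midnight-commander/4.8.32/bin/mc: code object is not signed at all'
LOG_SAMPLE='syspolicyd: (Security) [com.apple.securityd:SecError] Notarization daemon found revoked hash: {length = 20, bytes = 0x01abd023bf050ca96408fbe34a819b6167df9276}'

# Print the value of one KEY=value field from codesign output on stdin.
cs_field() { sed -n "s/^$1=//p" | head -n 1; }

# Print every revoked hash (lowercase hex) named in syspolicyd lines on stdin.
revoked_hashes() {
  sed -n 's/.*found revoked hash: {length = [0-9]*, bytes = 0x\([0-9a-fA-F]*\)}.*/\1/p' |
    tr 'A-F' 'a-f'
}

# triage CODESIGN_TEXT LOG_TEXT: print a one-line verdict for the binary.
triage() {
  cs=$1; logtext=$2
  cdhash=$(printf '%s\n' "$cs" | cs_field CDHash)
  sig=$(printf '%s\n' "$cs" | cs_field Signature)
  full=$(printf '%s\n' "$cs" | sed -n 's/^CandidateCDHashFull sha256=//p' | head -n 1)
  # Shell wrappers such as bin/mc carry no signature, so there is no CDHash.
  if [ -z "$cdhash" ]; then echo "unsigned"; return 0; fi
  # In the posted output the 20-byte CDHash is the leading part of the full
  # hash; skip the check when codesign printed no full hash.
  case ${full:-$cdhash} in
    "$cdhash"*) ;;
    *) echo "inconsistent cdhash=$cdhash"; return 0 ;;
  esac
  if printf '%s\n' "$logtext" | revoked_hashes | grep -qxF "$cdhash"; then
    echo "revoked sig=$sig cdhash=$cdhash"
  else
    echo "not-revoked sig=$sig cdhash=$cdhash"
  fi
}

# On a Mac: triage "$(codesign -dvvv "$bin" 2>&1)" "$(log show --last 5m \
#   --predicate 'process == "syspolicyd"')"   # codesign -d prints to stderr
triage "$CODESIGN_SAMPLE" "$LOG_SAMPLE"
triage "$WRAPPER_SAMPLE" "$LOG_SAMPLE"
```

A `revoked sig=adhoc` verdict is the situation reported here: an ad-hoc signed bottle binary whose CDHash appears in the revocation log line, as opposed to the plain `rejected` result expected for Homebrew formulae.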

@westito

westito commented Jan 12, 2025

The problem exists with the precompiled binary only. Installing with brew install --build-from-source midnight-commander works just fine.

@jerryhard

> The problem exists with the precompiled binary only. Installing with brew install --build-from-source midnight-commander works just fine.

Yes, rebuilding works. I have the latest macOS Sequoia 15.2 on an M4 Pro.
