On macOS, a downloaded binary often cannot be run from the command line.

The OS complains with a dialog like this:

"watchman" cannot be opened because the developer cannot be verified.

macOS cannot verify that this app is free from malware.

Chrome downloaded this file today at 9:30 AM from

Many online tutorials tell you to get past this restriction by navigating to the binary's location, right-clicking it, selecting Open, and confirming the dialog that follows.

macOS cannot verify the developer of "watchman". Are you sure you want to open it?

By opening this app, you will be overriding system security which can expose your computer and personal information to malware that may harm your Mac or compromise your privacy.

Chrome downloaded this file today at 9:30 AM from

However, this approach has two drawbacks.

  • It requires the GUI, so it cannot be applied to several files at once.
  • To mark a file as safe, the file must be opened (executed).

Workaround 1

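Use xattr -dr com.apple.quarantine <directory, binary, .app, or dylib path>

This deletes the quarantine attribute from the given path, recursing into directories and .app bundles.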

Workaround 2

Suppose that the path of the binary you want to mark as safe is /opt/watchman/bin/watchman.

  • Step 1: run xattr -p com.apple.quarantine /opt/watchman/bin/watchman. This will print a string starting with 0081;, for example 0081;5e7fec61;Chrome;6585C1D3-E260-4275-9E6E-505DF8D6B7EE.
  • Step 2: copy the output string and replace the first 4 characters with 00c1.
  • Step 3: run xattr -w com.apple.quarantine "00c1;5e7fec61;Chrome;6585C1D3-E260-4275-9E6E-505DF8D6B7EE" /opt/watchman/bin/watchman

After this, the binary /opt/watchman/bin/watchman can be run from the command line without any complaint from the OS.

The steps above can be combined into a single command.

xattr -w com.apple.quarantine "$(xattr -p com.apple.quarantine /opt/watchman/bin/watchman | sed 's/^.\{4\}/00c1/')" /opt/watchman/bin/watchman

Further information

To list all file attributes use one of the following commands.

  • ls -al@ <path>
  • xattr -lr <path>

What does each value in the attribute mean?

  • 00c1: flag for a quick lookup. This is a magic number defined by Apple. See this link for further analysis on it.
  • 5e7fec61: timestamp in hex format.

Convert this value to a date:

In Linux:

hex=5e7fec61
date -d "@$((16#${hex}))"
# Sun 29 Mar 2020 09:31:29 AM JST

In Mac:

hex=5e7fec61
date -r "$((16#${hex}))"
# Sun Mar 29 09:31:29 JST 2020

Generate a value from current timestamp:

In Linux:

printf %x $(($(date +%s) - $(date -d "2001-01-01T00:00 UTC" +%s)))
# output: 24f34922

In Mac:

printf %x $(($(date +%s) - $(TZ=UTC date -jf '%F %T' "2001-01-01 00:00:00" +%s)))
# output: 24f34f38

Why 2001-01-01? Because Apple's absolute time is measured from Jan 1 2001 00:00:00 GMT. See CFAbsoluteTime.

  • Chrome: app name (arbitrary string value).
  • 6585C1D3-E260-4275-9E6E-505DF8D6B7EE: UUID used to look up other information about the file.
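
The field layout described above can be checked mechanically. The script below is an added example, not part of the original post: it splits a quarantine value into its four fields, decodes the timestamp, and reports whether bit 0x0040 is set. The function names are this example's own, and reading that bit as the approval flag is an assumption based on the 0081 to 00c1 change shown earlier.

```shell
#!/bin/sh
# Added example: decode a com.apple.quarantine value (flags;hex_time;agent;uuid).
# On macOS a value can be read with: xattr -p com.apple.quarantine "$file"

# Split the value into QTN_FLAGS, QTN_TIME, QTN_AGENT, QTN_UUID.
# Returns 1 if the value does not have the expected shape.
qtn_parse() {
    IFS=';' read -r QTN_FLAGS QTN_TIME QTN_AGENT QTN_UUID _qtn_extra <<EOF
$1
EOF
    [ -z "$_qtn_extra" ] || return 1
    # Any process that can write the file can set this attribute, so the
    # numeric fields are checked strictly before they reach shell arithmetic.
    case $QTN_FLAGS in ''|*[!0-9A-Fa-f]*) return 1 ;; esac
    case $QTN_TIME in ''|*[!0-9A-Fa-f]*) return 1 ;; esac
    [ "${#QTN_FLAGS}" -eq 4 ] && [ "${#QTN_TIME}" -le 8 ]
}

# Print the timestamp field as decimal Unix seconds (for date -d @N or date -r N).
qtn_epoch() {
    qtn_parse "$1" || return 1
    echo "$((0x$QTN_TIME))"
}

# Succeed if bit 0x0040 is set. That bit is the only difference between the
# page's 0081 and 00c1 values; reading it as "approved" is an assumption.
qtn_approved() {
    qtn_parse "$1" || return 1
    [ "$((0x$QTN_FLAGS & 0x40))" -ne 0 ]
}

# One-line summary suitable for an audit log.
qtn_describe() {
    qtn_parse "$1" || { echo "malformed"; return 1; }
    if qtn_approved "$1"; then _qtn_ok=yes; else _qtn_ok=no; fi
    printf 'flags=%s approved=%s epoch=%s agent=%s uuid=%s\n' \
        "$QTN_FLAGS" "$_qtn_ok" "$(qtn_epoch "$1")" "$QTN_AGENT" "$QTN_UUID"
}

# Sample values taken from this page (before and after the flag rewrite).
qtn_describe '0081;5e7fec61;Chrome;6585C1D3-E260-4275-9E6E-505DF8D6B7EE'
qtn_describe '00c1;5e7fec61;Chrome;6585C1D3-E260-4275-9E6E-505DF8D6B7EE'
```

Running qtn_describe over every downloaded file and logging the result gives a record of which files carry the rewritten flag and when each was downloaded.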

Look up information by UUID:

/usr/bin/sqlite3 ~/Library/Preferences/ "SELECT * FROM LSQuarantineEvent WHERE LSQuarantineEventIdentifier == '${uuid}'"



Insert a new entry into the database. (If you are on a Mac, replace the date=... line with the macOS version shown above.)

date=$(printf %x $(($(date +%s) - $(date -d "2001-01-01T00:00 UTC" +%s))))
/usr/bin/sqlite3 ~/Library/Preferences/ "INSERT INTO \"LSQuarantineEvent\" VALUES('${uuid}',${date},NULL,'${app_name}','${url}',NULL,NULL,0,NULL,'${url}',NULL);"

Set the attribute on an existing file ${file}. (If you are on a Mac, replace the date=... line with the macOS version shown above.)

date=$(printf %x $(($(date +%s) - $(date -d "2001-01-01T00:00 UTC" +%s))))
/usr/bin/xattr -w "0002;${date};${app_name};${uuid}" "${file}"

Generate a new uuid:

# Linux: 84e2caa7-62cd-423f-85fa-2026a1b71ee5
# Mac: E7BF43F8-E2BB-4124-8EAE-6F1CDDB46835