helm: macOS Catalina error: “helm” cannot be opened because the developer cannot be verified.

Output of helm version: v2.14.3

Information from https://github.com/hashicorp/terraform/issues/23033 suggests that Apple is requiring applications to be signed with an Apple developer key from now on.

A workaround is also mentioned in the above issue and works but it is not ideal.

About this issue

  • Original URL
  • State: closed
  • Created 5 years ago
  • Comments: 21 (8 by maintainers)

Most upvoted comments

as a less dramatic workaround to disabling all protections, you should be able to grant an exception to helm specifically. after you try to open helm and get the error prompt, you can go to System Preferences -> Security & Privacy -> General and it will give you the option to set a special exception for helm:

Xnip2019-10-14_09-58-48

the next time you try to run helm, you’ll get one last warning prompt that now gives you the option to open helm.

+119
scotthew1 on Oct 14, 2019

@tdensmore just run sudo spctl --master-disable ref: http://osxdaily.com/2016/09/27/allow-apps-from-anywhere-macos-gatekeeper/

+72
rimusz on Oct 9, 2019

I’m using macOS Catalina and helm v2 and v3 CLI work for me there. Under System Preferences/Security & Privacy/General in Allow apps downloaded from: I have set to Anywhere

+43
rimusz on Oct 9, 2019

Thanks @rimus . sudo spctl --master-disable works for me.

+26
tdensmore on Oct 9, 2019

You can run xattr -d com.apple.quarantine /path/to/file to whitelist the binary from CLI. As others have noted, disabling gatekeeper using spctl should be avoided.

+24
sozercan on Nov 19, 2019

@rimusz I do not have that option. My only options are: App Store and App Store and identified developers

image

+7
tdensmore on Oct 9, 2019

I worked around this by deleting helm and then downloading it with wget.

It seems that it is because the file was downloaded via chrome. I’m guessing you also have this problem if helm has been downloaded via safari or firefox.

+4
micheas on Nov 7, 2019

Allow apps from anywhere and sudo spctl --master-disable disable protections that can potentially leave a Mac vulnerable to malware, and should be avoided if at all possible. This is not an ideal solution.

After taking the following steps, I now seem to have an “Open anyways” option now, allowing running individual applications without disabling secure defaults.

Here’s what I did, not sure if all steps are relevant:

  • Switch spctl off and on:
sudo spctl --master-disable
sudo spctl --master-enable
  • Set “Allow apps downloaded from: App Store” in Security and Privacy
  • Reboot
+4
myersg86 on Oct 10, 2019

Found the solution

Do not download the archive with a GUI browser, it will get tainted by macos that will pretend downloaded binaries to be signed.

Just download with wget or curl, and live happy!

Downloaded archives/binaries get some additional attributes on the file system, look at a ls -l of your Downloads folder

-rw-r--r--@  1 angelo  staff     4089627 26 Aug 12:00 PSTools.zip

You see the @ sign right after the permissions? that is the extended attribute, and files downloaded by curl will not have it

+3
aturetta on Oct 12, 2022

Wow, @micheas is right! If I download RC3 with wget it works but with chrome it triggers MacOS’s security (Gatekeeper).

Googling a bit led me to this info: “Additionally, Gatekeeper only monitors files downloaded from the Internet through an Internet browser…”

This is good news as it means installing helm using brew will not trigger the security prompt. I have confirmed this.

This explains why it worked for my installation of kubectl.

+1
marckhouzam on Nov 7, 2019
Read more comments on GitHub
← helm: Linting breaks with value imports
helm: Manifests with hooks not getting deleted during helm uninstall →