There’s a new headache in town. If you run self-hosted Azure DevOps agent, or .NET Core project, on a Mac running Catalina (v 10.15+) and Microsoft Edge, you will have noticed a new behavior where the OS prevents the .NET assembly from working.
This is because it has been marked with a “quarantine” file attribute when it was downloaded with the browser. It’s a security measure that I’m familiar with on Windows. I would typically remove this attribute by right clicking on the file, select “Properties”, then check “Unblock”:
At this point, I suspected I had a good idea of what was happening, I just needed to figure out how to check for and remove it on a Mac. I reached out to the dev community on twitter and asked around. Thanks to Eric Lawrence who pointed me to the Chromium code change that shows it is indeed quarantining the file(s).
After reviewing how to read and remove file attributes, indeed I found a com.apple.quarantine attribute on the tarball archive file that is downloaded from Azure DevOps. Since it contains all the .NET assemblies, we can just unblock the tar.gz file and all contents will unblock as well.
Solution
Let’s go back to Azure DevOps Agent Pool page, where you download your agent package (see here if you’ve never done this before).
Now that the file is in the downloads folder, we can use the xattr
command to list the attributes. In my case, I’m checking the downloaded compressed file.
xattr vsts-agent-oxs-x64-2.159.2.tar.gz
Bingo! Notice the com.apple.quarantine attribute? That’s the one causing this headache. Now we can see the attribute name, we can remove it by calling the the xattr
command again with -d attributeName fileName
parameters .
xattr -d com.apple.quarantine vsts-agent-oxs-x64-2.159.2.tar.gz
Finally list the attributes again to confirm the quarantine has been removed:
Now you can finish extracting the tarball and setting up the agent (or running your .NET core application).