Docker flagged as malware in macOS in file signing snafu

By Malcolm Owen

Developers using the virtualization software Docker have been plagued by an issue for a week, with users complaining that macOS is wrongly detecting it as malware.

Docker - Image Credit: Docker

Apple's security systems in macOS are designed to protect the user and their data from a wide range of online attacks in normal use. However, those same systems can also be triggered by legitimate software if a mistake is made.

That seems to be the case for Docker, a virtualization tool often used to develop apps on Mac. For over a week, users have been discovering that their Mac is blocking Docker from running because of a supposed malware issue.

For some versions of Docker Desktop, users can see a message warning "Malware Blocked," and that "com.docker.vmnetd was not opened because it contains malware. This action did not harm your Mac." Docker Desktop then simply doesn't run at all.

While alarming to users, it turns out that it isn't a malware problem. Rather, it is a code-signing issue that macOS's security checks report as malware.

Bad signs

Apple built a number of security tools into macOS that apps must abide by in order to run. This includes XProtect for detecting malware, Notarization to check for malicious components and code-signing problems, and Gatekeeper for checking the validity of Developer ID signatures.

On Docker's status page, an "active incident" is listed for Docker Desktop for macOS, starting from January 7. The official listing is "Docker Desktop on macOS unable to start due to malware reports."

The malware error message in macOS - Image Credit: Docker/GitHub

Initially, the Docker team offered a workaround that involved stopping Docker services, removing two binaries, reinstalling the binaries, and then restarting Docker.

The actual cause of the problem was uncovered on January 8. Some files in existing installations are incorrectly signed, tripping up the macOS anti-malware protection.

The developers' initial fix was to copy correctly signed files from the Docker.app application bundle into the right places. A patch for Docker Desktop versions 4.32 to 4.37 that resolves the issue was not released until January 9.

A support document has also been issued to help users, including guidance on how to install a patch. Users who installed Docker Desktop using Homebrew casks should perform a full reinstall to fix the issue.

An MDM script is also provided for IT administrators in corporate environments.