""Wireshark" can't be opened because Apple cannot check it for malicious software" with 4.4.1 on macOS 14.5

asked 2024-10-10 19:15:27 +0000 by ebarrere

updated 2024-10-11 06:20:13 +0000 by Guy Harris

I have installed via brew as well as the direct download (v4.4.1 in both cases) and I am unable to run without bypassing security checks.

"Wireshark" can't be opened because Apple cannot check it for malicious software.

I know I can get around this, but why? Is this expected?

macOS 14.5 (23F79)


Comments

Do you have any information on what Apple is checking here?

hugo.vanderkooij ( 2024-10-11 05:39:38 +0000 )

2 Answers

answered 2024-10-12 19:12:56 +0000 by Guy Harris

This is Wireshark issue #20129; 4.4.2 should fix it.


Comments

Resolved this by installing 4.4.2rc0-12 per Gerald’s comment.

ebarrere ( 2024-10-15 15:27:55 +0000 )

answered 2024-10-11 06:16:37 +0000 by Guy Harris

Is this expected?

No. I downloaded 4.4.1 and drag-installed it, and was able to run it, on my Intel 14.5 VM.

"can't be opened because Apple cannot check it for malicious software" appears to be an indication that the OS thinks the app isn't notarized or that the notarization isn't valid.

Try removing both the Brew version and the direct download version and then re-installing the direct download version.


Comments

Also, was this on an Intel machine or an Apple Silicon machine?

Guy Harris ( 2024-10-11 06:18:40 +0000 )

I tried this but no luck. Same behavior after brand new install.

This is an Intel chip in a 2019 MacBook Pro.

ebarrere ( 2024-10-11 14:40:33 +0000 )

I removed the formula (CLI version) of Wireshark too, in case there was some conflict.

[elliott@hostname ~ ]$ brew remove wireshark   
Warning: Treating wireshark as a formula. For the cask, use homebrew/cask/wireshark or specify the `--cask` flag. To silence this message, use the `--formula` flag.
Uninstalling /usr/local/Cellar/wireshark/4.4.1... (1,027 files, 107.2MB)
==> Autoremoving 4 unneeded formulae:
libmaxminddb
libnghttp3
libsmi
speexdsp
Uninstalling /usr/local/Cellar/libnghttp3/1.6.0... (19 files, 502.4KB)
libnghttp3 1.5.0 is still installed.
To remove all versions, run:
  brew uninstall --force libnghttp3
Uninstalling /usr/local/Cellar/libsmi/0.5.0... (477 files, 20.3MB)
Uninstalling /usr/local/Cellar/libmaxminddb/1.11.0... (31 files, 176.7KB)
Uninstalling /usr/local/Cellar/speexdsp/1.2.1... (20 files, 645.4KB)
[elliott@hostname ~ ]$ brew remove --cask wireshark 
Error: Cask 'wireshark' is not installed.
[elliott@hostname ~ ]$
ebarrere ( 2024-10-11 14:43:04 +0000 )

I tried a full reboot following uninstall, then downloading the DMG again in case there was some weird cache issue, but same behavior.

I'm reading up on app notarization now, but if you have any advice for troubleshooting let me know.

ebarrere ( 2024-10-11 14:55:38 +0000 )

So it appears the notarization ticket can be available online or embedded in the app. Can you confirm which option Wireshark is using? If the ticket is online, where?

My current hypothesis is some security software on this machine is preventing signature verification. I have Zscaler and SentinelOne per my corporate policy.

ebarrere ( 2024-10-11 15:14:36 +0000 )
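A check a practitioner can run on the downloaded bundle before deciding whether the dialog is legitimate, added here as an example and not code from this thread or from the Wireshark project. It assumes macOS with the Xcode command line tools (codesign, spctl, stapler) and a path such as /Applications/Wireshark.app; the verdict mapping relies on the "accepted"/"rejected" line and the "source=" field of spctl's verbose output.

```shell
#!/bin/sh
# Added example (not from the thread): triage a downloaded .app bundle the
# way Gatekeeper does, layer by layer, so it is clear whether the signature,
# the Gatekeeper assessment or the notarization ticket is what failed.
# Assumes macOS with Xcode command line tools (codesign, spctl, stapler).
# Usage: sh check_notarization.sh /Applications/Wireshark.app
# Turn the verbose `spctl --assess` text into one verdict word. The match
# relies on spctl's "accepted"/"rejected" line and its "source=" field.
classify_spctl() {
    case "$1" in
        *": accepted"*)
            case "$1" in
                *"source=Notarized"*) echo "notarized" ;;
                *)                    echo "accepted-not-notarized" ;;
            esac ;;
        *": rejected"*) echo "rejected" ;;
        *)              echo "unknown" ;;
    esac
}

# Run the real checks; each layer is printed separately.
check_app() {
    app="$1"
    [ -d "$app" ] || { echo "not a bundle: $app"; return 2; }
    command -v spctl >/dev/null 2>&1 || { echo "spctl missing: not macOS?"; return 3; }

    if codesign --verify --deep --strict "$app" 2>/dev/null; then
        echo "codesign: signature valid"
    else
        echo "codesign: signature invalid or missing"
    fi

    assessment=$(spctl --assess --type execute -vv "$app" 2>&1)
    verdict=$(classify_spctl "$assessment")
    echo "spctl:    $verdict"

    # A stapled ticket lets Gatekeeper validate offline; without one the
    # OS must fetch the ticket from Apple, which a TLS-inspecting proxy
    # on the machine or network can break.
    if xcrun stapler validate "$app" >/dev/null 2>&1; then
        echo "stapler:  ticket stapled (offline validation possible)"
    else
        echo "stapler:  no stapled ticket (online lookup required)"
    fi
    [ "$verdict" = "notarized" ]
}
if [ $# -gt 0 ]; then check_app "$1"; fi
```

A non-zero exit from check_app means the bundle did not assess as notarized; the three printed lines show which layer to look at next.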
