stonegray's site

macOS Ghidra Signing

The NSA does not sign Ghidra binaries, and appears to have no plans to do so. Instead, they suggest that you install a build enviroment and rebuild these components from source.

Ghidra already ships with all required binaries for Intel macOS, so we can simply remove them from quarantine instead of replacing them. This will not work on aarch64 (M1 or A-series), for which you will need to do a rebuild.


When installing, you can use brew’s built-in --no-quarantine flag to remove the xattr after install:

1# Use brew flag to fix quarantine on fresh install:
2brew install --cask --no-quarantine ghidra

For exisitng installs, we can search through Ghidra’s install directory and remove the quarantine on each individual binary we come across:

1# Repair existing brew install of Ghidra: 
2find $(brew --prefix)/Caskroom/ghidra/ \
3	-perm +111 -type f \
4	-exec xattr -d {} +

If you didn’t install using brew, just replace the directory in the above snippet with the Ghidra install path.

#ghidra   #reversing   #macOS