stonegray's site

macOS Ghidra Signing

The NSA does not sign Ghidra binaries, and appears to have no plans to do so. Instead, they suggest that you install a build environment and rebuild these components from source.

Ghidra already ships with all required binaries for Intel macOS, so we can simply remove them from quarantine instead of replacing them. This will not work on aarch64 (M1 or A-series), for which you will need to do a rebuild.

Solutions

When installing, you can use brew’s built-in --no-quarantine flag to remove the com.apple.quarantine xattr after install:

# Use brew flag to fix quarantine on fresh install:
brew install --cask --no-quarantine ghidra

For existing installs, we can search through Ghidra’s install directory and remove the quarantine on each individual binary we come across:

# Repair existing brew install of Ghidra:
# (the prefix is quoted so a path containing spaces is not split)
find "$(brew --prefix)/Caskroom/ghidra/" \
	-perm +111 -type f \
	-exec xattr -d com.apple.quarantine {} +

If you didn’t install using brew, just replace the directory in the above snippet with the Ghidra install path.
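Before removing the attribute, it is worth seeing which executables still carry it and which application tagged them. The dry-run audit below is an added example, not part of the original post; the function names are hypothetical, and it assumes the attribute value has the usual `flags;hex-timestamp;agent;UUID` layout.

```shell
#!/bin/sh
# Added example (not from the original post): list quarantined executables
# without modifying anything, so the removal step can be reviewed first.
# Usage: audit_quarantine "$(brew --prefix)/Caskroom/ghidra/"

# Parse one com.apple.quarantine value and print "agent<TAB>hex-timestamp".
# Assumed layout: flags;hex-timestamp;agent;UUID
parse_quarantine() {
    IFS=';' read -r _flags stamp agent _uuid <<EOF
$1
EOF
    printf '%s\t%s\n' "${agent:-unknown}" "${stamp:-unknown}"
}

# Walk directory $1 and report every regular file with any execute bit set
# that still has the quarantine attribute.
# Output: one "path<TAB>agent<TAB>hex-timestamp" line per hit.
# Returns 0 when nothing is quarantined, 1 otherwise.
audit_quarantine() {
    dir=$1
    # The three -perm tests are the POSIX spelling of BSD find's "-perm +111".
    hits=$(find "$dir" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) |
        while IFS= read -r f; do
            # xattr -p exits non-zero when the attribute is absent.
            value=$(xattr -p com.apple.quarantine "$f" 2>/dev/null) || continue
            printf '%s\t%s\n' "$f" "$(parse_quarantine "$value")"
        done)
    if [ -z "$hits" ]; then
        return 0
    fi
    printf '%s\n' "$hits"
    return 1
}
```

An unexpected agent name or timestamp in the output is a reason to re-download Ghidra rather than strip the attribute.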

#ghidra   #reversing   #macOS