starred/qBittorrent

Fork 0

mirror of https://github.com/qbittorrent/qBittorrent.git synced 2026-03-02 22:57:32 -05:00

qbittorrent-5.0.5_lt20.dmg is "damaged" due to apple quarantine requirement #17178

New issue

Open

opened 2026-02-22 03:42:50 -05:00 by deekerman · 6 comments

deekerman commented

2026-02-22 03:42:50 -05:00

Owner

Originally created by @Artoria2e5 on GitHub (Sep 16, 2025).

qBittorrent & operating system versions

qBitTorrent 5.0.5
Darwin Kernel Version 24.6.0
macOS Sequoia 15.6

What is the problem?

System complains that dmg file is damaged and refuses to mount. This can be circumvented via xattr -d com.apple.quarantine on the file. I guess it wants downloaded (quarantined) files to be signed somehow and this file isn;t.

Steps to reproduce

Go to fosshub and download.
Try to double click.

Additional context

Log(s) & preferences file(s)

This is really irrelevant because this happens before one can run the app.

$ xattr -l Downloads/qbittorrent-5.0.5_lt20.dmg 
com.apple.metadata:kMDItemWhereFroms: bplist00?_
https://download.fosshub.com/Protected/expiretime=1758054016;badurl=aHR0cHM6Ly93d3cuZm9zc2h1Yi5jb20vcUJpdHRvcnJlbnQuaHRtbA==/33b3d1678b8cd83b756ced24eee3c466df827ea3e38d418665c4d3890366ccb4/5b8793a7f9ee5a5c3e97a3b2/67fc21c230835604261a8af3/qbittorrent-5.0.5_lt20.dmgP
com.apple.quarantine: 0081;68c905d6;Firefox Developer Edition;641971FC-B46D-4DAA-A36A-EECD547F16F5

Originally created by @Artoria2e5 on GitHub (Sep 16, 2025). ### qBittorrent & operating system versions qBitTorrent 5.0.5 Darwin Kernel Version 24.6.0 macOS Sequoia 15.6 ### What is the problem? System complains that dmg file is damaged and refuses to mount. This can be circumvented via `xattr -d com.apple.quarantine` on the file. I guess it wants downloaded (quarantined) files to be signed somehow and this file isn;t. ### Steps to reproduce 1. Go to fosshub and download. 2. Try to double click. ### Additional context <img width="372" height="374" alt="Image" src="https://github.com/user-attachments/assets/13860248-94a5-4380-a89f-cbfc3364253e" /> ### Log(s) & preferences file(s) This is really irrelevant because this happens before one can run the app. ```console $ xattr -l Downloads/qbittorrent-5.0.5_lt20.dmg com.apple.metadata:kMDItemWhereFroms: bplist00?_ https://download.fosshub.com/Protected/expiretime=1758054016;badurl=aHR0cHM6Ly93d3cuZm9zc2h1Yi5jb20vcUJpdHRvcnJlbnQuaHRtbA==/33b3d1678b8cd83b756ced24eee3c466df827ea3e38d418665c4d3890366ccb4/5b8793a7f9ee5a5c3e97a3b2/67fc21c230835604261a8af3/qbittorrent-5.0.5_lt20.dmgP com.apple.quarantine: 0081;68c905d6;Firefox Developer Edition;641971FC-B46D-4DAA-A36A-EECD547F16F5 ```

deekerman added the

OS: macOS

label

2026-02-22 03:42:50 -05:00

deekerman commented

2026-02-22 03:42:52 -05:00

Author

Owner

@ghost commented on GitHub (Sep 25, 2025):

on 26 I find I have to try and mount the image, be refused, then go into settings->security and there will be a message there about the failed mount, verify it's ok there and retry. Process was a bit different on prior OS versions.

I've found the same for other unsigned packages as well.

@ghost commented on GitHub (Sep 25, 2025): on 26 I find I have to try and mount the image, be refused, then go into settings->security and there will be a message there about the failed mount, verify it's ok there and retry. Process was a bit different on prior OS versions. I've found the same for other unsigned packages as well.

deekerman commented

2026-02-22 03:42:52 -05:00

Author

Owner

@Vaida12345 commented on GitHub (Oct 10, 2025):

Just a reminder to checksum before mounting it. Can't be too sure about downloaded files.

@Vaida12345 commented on GitHub (Oct 10, 2025): Just a reminder to checksum before mounting it. Can't be too sure about downloaded files.

deekerman commented

2026-02-22 03:42:53 -05:00

Author

Owner

@garglebutt commented on GitHub (Nov 6, 2025):

Expected behaviour. I'd propose to close.

@garglebutt commented on GitHub (Nov 6, 2025): Expected behaviour. I'd propose to close.

deekerman commented

2026-02-22 03:42:53 -05:00

Author

Owner

@Artoria2e5 commented on GitHub (Nov 6, 2025):

Expected by whom? You average user, or your average uber-poweruser who torrents?

Just a reminder to checksum before mounting it. Can't be too sure about downloaded files.

I agree that for now we can add a notice to the user about what to do. That said, is checksumming even needed? We do have a code signature on the whole app, which implies automatic checksumming against a known-correct (because it's signed) checksum the moment you open the app for the first time. There's something profoundly silly about all the layers of signing apple wants...

@Artoria2e5 commented on GitHub (Nov 6, 2025): Expected by whom? You average user, or your average uber-poweruser who torrents? > Just a reminder to checksum before mounting it. Can't be too sure about downloaded files. I agree that for now we can add a notice to the user about what to do. That said, is checksumming even needed? We do have a code signature on the whole app, which implies automatic checksumming against a known-correct (because it's signed) checksum the moment you open the app for the first time. There's something profoundly silly about all the layers of signing apple wants...

deekerman commented

2026-02-22 03:42:53 -05:00

Author

Owner

@garglebutt commented on GitHub (Nov 6, 2025):

By anyone who chooses to download and install unsigned packages on MacOS. This is isn't particularly new any more.

@garglebutt commented on GitHub (Nov 6, 2025): By anyone who chooses to download and install unsigned packages on MacOS. This is isn't particularly new any more.

deekerman commented

2026-02-22 03:42:53 -05:00

Author

Owner

@Artoria2e5 commented on GitHub (Nov 6, 2025):

The app inside is signed. Signing the disk image provides no useful extra protection, only from say filesystem driver bugs that occur on mount (well, why is everyone using a disk image? why can't you make tarballs and zips work for the same job, Apple?) and from… perhaps Finder bugs that come with reading the .DS_Store for fancy layout.

@Artoria2e5 commented on GitHub (Nov 6, 2025): The app inside is signed. Signing the disk image provides no useful extra protection, only from say filesystem driver bugs that occur on mount (well, why is everyone using a disk image? why can't you make tarballs and zips work for the same job, Apple?) and from… perhaps Finder bugs that come with reading the .DS_Store for fancy layout.