[Workaround in description] Mac is detecting Docker as a malware and keeping it from starting
Description
Whenever Docker is started, this error is shown:
Malware Blocked. “com.docker.socket” was not opened because it contains malware. this action did not harm your Mac.
Reproduce
- Start Docker
- See the error
Workaround
If you face this issue, try the following procedure:
- Quit Docker Desktop and check that no remaining docker processes are running using the Activity Monitor
- Run the following commands:
```bash
#!/bin/bash

# Stop the docker services
echo "Stopping Docker..."
sudo pkill '[dD]ocker'

# Stop the vmnetd service
echo "Stopping com.docker.vmnetd service..."
sudo launchctl bootout system /Library/LaunchDaemons/com.docker.vmnetd.plist

# Stop the socket service
echo "Stopping com.docker.socket service..."
sudo launchctl bootout system /Library/LaunchDaemons/com.docker.socket.plist

# Remove vmnetd binary
echo "Removing com.docker.vmnetd binary..."
sudo rm -f /Library/PrivilegedHelperTools/com.docker.vmnetd

# Remove socket binary
echo "Removing com.docker.socket binary..."
sudo rm -f /Library/PrivilegedHelperTools/com.docker.socket

# Install new binaries
echo "Install new binaries..."
sudo cp /Applications/Docker.app/Contents/Library/LaunchServices/com.docker.vmnetd /Library/PrivilegedHelperTools/
sudo cp /Applications/Docker.app/Contents/MacOS/com.docker.socket /Library/PrivilegedHelperTools/
```
- Restart Docker Desktop.
If that still doesn't work, download one of the currently supported releases from the Release notes and re-apply step 2.
As suggested, running these commands works for most people who had this problem.
Original issue details
docker version
Client:
Version: 26.1.4
API version: 1.45
Go version: go1.21.11
Git commit: 5650f9b
Built: Wed Jun 5 11:26:02 2024
OS/Arch: darwin/arm64
Context: desktop-linux
Cannot connect to the Docker daemon at unix:///Users/admin/.docker/run/docker.sock. Is the docker daemon running?
(Can't get docker started to check more details)
----
Asked for a friend running Docker in the same version and this is the output:
Client:
Version: 27.0.3
API version: 1.46
Go version: go1.21.11
Git commit: 7d4bcd8
Built: Fri Jun 28 23:59:41 2024
OS/Arch: darwin/arm64
Context: desktop-linux
Server: Docker Desktop 4.32.0 (157355)
Engine:
Version: 27.0.3
API version: 1.46 (minimum version 1.24)
Go version: go1.21.11
Git commit: 662f78c
Built: Sat Jun 29 00:02:44 2024
OS/Arch: linux/arm64
Experimental: false
containerd:
Version: 1.7.18
GitCommit: ae71819c4f5e67bb4d5ae76a6b735f29cc25774e
runc:
Version: 1.7.18
GitCommit: v1.1.13-0-g58aa920
docker-init:
Version: 0.19.0
GitCommit: de40ad0
docker info
Client:
Version: 27.0.3
Context: desktop-linux
Debug Mode: false
Plugins:
buildx: Docker Buildx (Docker Inc.)
Version: v0.15.1-desktop.1
Path: /Users/lorenzo/.docker/cli-plugins/docker-buildx
compose: Docker Compose (Docker Inc.)
Version: v2.28.1-desktop.1
Path: /Users/lorenzo/.docker/cli-plugins/docker-compose
debug: Get a shell into any image or container (Docker Inc.)
Version: 0.0.32
Path: /Users/lorenzo/.docker/cli-plugins/docker-debug
desktop: Docker Desktop commands (Alpha) (Docker Inc.)
Version: v0.0.14
Path: /Users/lorenzo/.docker/cli-plugins/docker-desktop
dev: Docker Dev Environments (Docker Inc.)
Version: v0.1.2
Path: /Users/lorenzo/.docker/cli-plugins/docker-dev
extension: Manages Docker extensions (Docker Inc.)
Version: v0.2.25
Path: /Users/lorenzo/.docker/cli-plugins/docker-extension
feedback: Provide feedback, right in your terminal! (Docker Inc.)
Version: v1.0.5
Path: /Users/lorenzo/.docker/cli-plugins/docker-feedback
init: Creates Docker-related starter files for your project (Docker Inc.)
Version: v1.3.0
Path: /Users/lorenzo/.docker/cli-plugins/docker-init
sbom: View the packaged-based Software Bill Of Materials (SBOM) for an image (Anchore Inc.)
Version: 0.6.0
Path: /Users/lorenzo/.docker/cli-plugins/docker-sbom
scout: Docker Scout (Docker Inc.)
Version: v1.10.0
Path: /Users/lorenzo/.docker/cli-plugins/docker-scout
Server:
Containers: 10
Running: 9
Paused: 0
Stopped: 1
Images: 41
Server Version: 27.0.3
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Using metacopy: false
Native Overlay Diff: true
userxattr: false
Logging Driver: json-file
Cgroup Driver: cgroupfs
Cgroup Version: 2
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
Swarm: inactive
Runtimes: io.containerd.runc.v2 runc
Default Runtime: runc
Init Binary: docker-init
containerd version: ae71819c4f5e67bb4d5ae76a6b735f29cc25774e
runc version: v1.1.13-0-g58aa920
init version: de40ad0
Security Options:
seccomp
Profile: unconfined
cgroupns
Kernel Version: 6.6.32-linuxkit
Operating System: Docker Desktop
OSType: linux
Architecture: aarch64
CPUs: 12
Total Memory: 7.657GiB
Name: docker-desktop
ID: 1e75072f-7d8f-47c3-917a-43dc08d31755
Docker Root Dir: /var/lib/docker
Debug Mode: false
HTTP Proxy: http.docker.internal:3128
HTTPS Proxy: http.docker.internal:3128
No Proxy: hubproxy.docker.internal
Labels:
com.docker.desktop.address=unix:///Users/lorenzo/Library/Containers/com.docker.docker/Data/docker-cli.sock
Experimental: false
Insecure Registries:
hubproxy.docker.internal:5555
127.0.0.0/8
Live Restore Enabled: false
Diagnostics ID
Can't get a Diagnostics ID because I'm not able to open docker, the error is from MacOS
Additional Info
I tried installing older versions of Docker but the error is the same to all of them.
If it helps, I have the same issue and am running this version of MacOS M3: macOS Sequoia 15.1 (24B83)
Can you tell us how old the vmnetd executable is on your machines?
It's located here: /Library/PrivilegedHelperTools/com.docker.vmnetd
Running ls -lrt /Library/PrivilegedHelperTools/ gives this:
-r-xr--r-- 1 root wheel 5636768 31 May 2024 com.docker.vmnetd
Hi,
Which version(s) of Docker Desktop have you tried? Which one is the highest one? Did you download it fresh? What happens if you do
sudo rm /Library/PrivilegedHelperTools/com.docker.vmnetd
then start Docker Desktop again? (Docker Desktop should re-install it on-demand when it needs it)
Thanks, and sorry this happened to you!
I deleted the com.docker.vmnetd but now I get this opening docker again
I uninstalled after the issue happened and re-installed the latest version available on the website - since deleting com.docker.vmnetd the application hangs (the window never opens), there is no visible error message, the file com.docker.vmnetd is still missing and trying to open the application multiple times yields an error of the likes of "Cannot start Docker because the application is not responding" (same as the post above)
Ah maybe you need to (sudo) kill -9 the vmnetd process, actually. Does
ps aux | grep vmnetd
show it running?
Or any other docker process running?
ps aux | grep [dD]ocker
vmnetd was not running, and killing the docker process and starting it again gives the same result.
$ ps aux | grep vmnetd
user 25212 0.0 0.0 410733072 1664 s000 S+ 1:16pm 0:00.01 grep vmnetd
$ ps aux | grep "[dD]ocker"
user 24255 0.0 0.2 412151024 73200 ?? S 1:05pm 0:00.15 /Applications/Docker.app/Contents/MacOS/com.docker.backend run
It'd be helpful to get some system logs to see why macOS is rejecting vmnetd.
- Make sure that no docker processes are running -- or kill them through the Activity Monitor.
- Note the current time.
- Start Docker Desktop
- Run the following command in a terminal and replace the time with what you noted in step 2. (this command might be really slow).
$ log show --start '2025-01-07 X:Y:00' | grep 'com.docker'
I see this at the end of the log output that looks suspicious:
trustd: [com.apple.securityd:SecWarning]
Entitlement com.apple.application-identifier=9BNSXJN65R.com.docker.docker is ignored because of invalid application signature or incorrect provisioning profile
"group.com.docker"
vmnetd was not running, and killing the docker process and starting it again gives the same result.
Ah right, so Docker Desktop does not re-install vmnetd in that case.
You can do
sudo cp /Applications/Docker.app/Contents/Library/LaunchServices/com.docker.vmnetd /Library/PrivilegedHelperTools/
then restart Docker Desktop.
edit: this probably needs you to update to at least Docker Desktop 4.35 before cp’ing
This worked for me ^
That also worked for me!
I uninstalled, and then reinstalled using the command line, and things seem to be working properly
If someone is facing this issue, before removing the broken vmnetd or socket binary, could you please try to run these two commands and paste the output here:
$ codesign -d --extract-certificates /Library/PrivilegedHelperTools/com.docker.vmnetd
$ for file in $(ls codesign*); do security verify-cert -vv -c $file; done
$ openssl ocsp -CAfile codesign2 -issuer codesign1 -cert codesign0 -url $(openssl x509 -in codesign0 -ocsp_uri -noout)
$ openssl x509 -noout -text -in codesign0
This wasn't working for me
sudo cp /Applications/Docker.app//Contents/Library/LaunchServices/com.docker.vmnetd /Library/PrivilegedHelperTools/
but reinstalling from command line worked.
I have the same problem but with a small different detail. In the screenshot the file mentioned is com.docker.socket:
@acassioaraujo your screenshot shows com.docker.vmnetd but in your issue description you also write com.docker.socket, could you please confirm which file is affected for you ? thanks
@zioproto I think both are affected since they were signed with the same certificate. If you have a chance, could you try to run the commands I posted in this comment please? This would help us a lot. https://github.com/docker/for-mac/issues/7520#issuecomment-2576051225
@akerouanton It seems the signature cannot be verified:
security verify-cert -vv -c codesign0
Cert Verify Result: CSSMERR_TP_NOT_TRUSTED
---
Certificate chain
0: Developer ID Application: Docker Inc (9BNSXJN65R)
<cert(0x15c80d000) s: Developer ID Application: Docker Inc (9BNSXJN65R) i: Developer ID Certification Authority>
---
Certificate errors
0: Developer ID Application: Docker Inc (9BNSXJN65R)
Unable to find next certificate in the chain [MissingIntermediate]
---
Certificate chain properties
(
{
error = "CSSMERR_TP_NOT_TRUSTED";
title = "Developer ID Application: Docker Inc (9BNSXJN65R)";
}
)
---
Trust evaluation results
{
TrustEvaluationDate = "2025-01-07 19:30:03 +0000";
TrustResultDetails = (
{
MissingIntermediate = 0;
StatusCodes = (
"-2147409622"
);
}
);
TrustResultValue = 5;
}
---
Trust evaluation errors
Error Domain=NSOSStatusErrorDomain Code=-25318 "errKCCreateChainFailed / errSecCreateChainFailed: / The attempt to create a certificate chain failed." UserInfo={NSLocalizedDescription=\u201cDeveloper ID Application: Docker Inc (9BNSXJN65R)\u201d certificate is not trusted, NSUnderlyingError=0x600000f1cba0 {Error Domain=NSOSStatusErrorDomain Code=-25318 "errKCCreateChainFailed / errSecCreateChainFailed: / The attempt to create a certificate chain failed." UserInfo={NSLocalizedDescription=Certificate 0 \u201cDeveloper ID Application: Docker Inc (9BNSXJN65R)\u201d has errors: Unable to build chain to root (possible missing intermediate);}}}
vmnetd was not running, and killing the docker process and starting it again gives the same result.
Ah right, so Docker Desktop does not re-install vmnetd in that case.
You can do
sudo cp /Applications/Docker.app//Contents/Library/LaunchServices/com.docker.vmnetd /Library/PrivilegedHelperTools/
then restart Docker Desktop.
edit: this probably needs you to update to at least Docker Desktop 4.35 before cp’ing
This worked for me on version 4.32
@zioproto I just added two other commands to my comment, ie. openssl ocsp … and openssl x509. Could you paste their output too please? 🙂
EDIT: Let me re-add them here for clarity.
$ openssl ocsp -CAfile codesign2 -issuer codesign1 -cert codesign0 -url $(openssl x509 -in codesign0 -ocsp_uri -noout)
$ openssl x509 -noout -text -in codesign0
@akerouanton the certificate has been revoked:
openssl x509 -in codesign0 -ocsp_uri -noout
http://ocsp.apple.com/ocsp03-devidg201
Question: I am not familiar with this, is it normal that the verification url is plaintext http and not https ?
and
openssl ocsp -CAfile codesign2 -issuer codesign1 -cert codesign0 -url $(openssl x509 -in codesign0 -ocsp_uri -noout)
Response verify OK
codesign0: revoked
here is the full certificate in text form:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
13:16:fd:12:7d:9a:57:15:17:65:91:f8:5f:fc:3c:66
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=Developer ID Certification Authority, OU=G2, O=Apple Inc., C=US
Validity
Not Before: Feb 8 12:56:54 2024 GMT
Not After : Feb 8 12:56:53 2029 GMT
Subject: UID=9BNSXJN65R, CN=Developer ID Application: Docker Inc (9BNSXJN65R), OU=9BNSXJN65R, O=Docker Inc, C=US
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Authority Key Identifier:
F8:3A:0C:69:11:76:E0:ED:AC:D1:EB:A6:59:FA:37:D5:C4:55:B0:1E
Authority Information Access:
CA Issuers - URI:http://certs.apple.com/devidg2.der
OCSP - URI:http://ocsp.apple.com/ocsp03-devidg201
X509v3 Certificate Policies:
Policy: 1.2.840.113635.100.5.1
User Notice:
Explicit Text: Reliance on this certificate by any party assumes acceptance of the then applicable standard terms and conditions of use, certificate policy and certification practice statements.
CPS: https://www.apple.com/certificateauthority/
X509v3 Extended Key Usage: critical
Code Signing
X509v3 Subject Key Identifier:
21:58:40:59:A0:20:1A:5B:6D:97:AE:14:CD:2D:AC:0E:03:A1:23:66
X509v3 Key Usage: critical
Digital Signature
1.2.840.113635.100.6.1.33:
..20140507000000Z
1.2.840.113635.100.6.1.13: critical
..
Signature Algorithm: sha256WithRSAEncryption
@zioproto Thanks a lot! Last batch of questions:
- Which version of Docker Desktop do you have?
- Can you upload com.docker.vmnetd and com.docker.socket?
vmnetd was not running, and killing the docker process and starting it again gives the same result.
Ah right, so Docker Desktop does not re-install vmnetd in that case.
You can do
sudo cp /Applications/Docker.app/Contents/Library/LaunchServices/com.docker.vmnetd /Library/PrivilegedHelperTools/
then restart Docker Desktop.
edit: this probably needs you to update to at least Docker Desktop 4.35 before cp’ing
It also worked for Docker 4.32.0, which we are stuck on due to the issue outlined here.
- Which version of Docker Desktop do you have?
difficult to say for sure because I am not able to start docker anymore.
- Can you upload com.docker.vmnetd and com.docker.socket?
Can you give me the full path to those files ?
I found /Library/PrivilegedHelperTools/com.docker.socket but I cannot find com.docker.vmnetd at the same path.
Do you need the full file ? this is my hash:
MD5 (com.docker.socket) = 8c166046e4c4b8a864c2941067b16428
It should be:
/Library/PrivilegedHelperTools/com.docker.vmnetd
/Library/PrivilegedHelperTools/com.docker.socket
But if one is missing on your system, don't worry and just upload what you have 🙂
Seeing similar issues. Downloaded the specific MacOS version (4.29.0) from https://desktop.docker.com/mac/main/arm64/145265/Docker.dmg and Apple wouldn't even let me install the dmg, with message “Docker.dmg” was not opened because it contains malware. This action did not harm your Mac.
When I use spctl to verify the dmg, this is what I get
$ spctl -a -v ~/Downloads/Docker.dmg
/Users/shreyas.sriram/Downloads/Docker.dmg: CSSMERR_TP_CERT_REVOKED
1 - sudo rm /Library/PrivilegedHelperTools/com.docker.vmnetd
2 - sudo cp /Applications/Docker.app/Contents/Library/LaunchServices/com.docker.vmnetd /Library/PrivilegedHelperTools/
works fine, tks @mat007
@akerouanton I had to add a .txt to the binary file because otherwise the GitHub UI would not let me upload the binary.
WARNING: For anyone downloading this file. This is a Mach-O 64-bit executable arm64. My feeling here is that MacOS X is detecting this file as malware because of something wrong with the certificate verification. However, at this point we cannot exclude this file is maybe really malware, so do not execute this file if you don't know what you are doing.
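
The three checks posted in this thread (spctl, security verify-cert, openssl ocsp) report the same problem in different words. This added example, which is not part of the original thread or Docker's own tooling, folds captured output from those commands into one verdict per file; the function names, verdict strings and sample values are constructed for illustration.

```sh
#!/bin/sh
# Added example: classify captured output of the signature checks used in
# this thread. Works on saved text, so it can be run on output collected
# from several machines.

# Status word of the `openssl ocsp` result line, e.g. "codesign0: revoked".
ocsp_status() {
  if printf '%s\n' "$1" | grep -q ': revoked$'; then echo revoked
  elif printf '%s\n' "$1" | grep -q ': good$'; then echo good
  else echo unknown; fi
}

# $1 = `spctl -a -v` output, $2 = `security verify-cert` output,
# $3 = `openssl ocsp` output. Any of them may be empty.
triage() {
  status=$(ocsp_status "$3")
  if [ "$status" = revoked ] ||
     printf '%s\n%s\n' "$1" "$2" | grep -q 'CSSMERR_TP_CERT_REVOKED'; then
    # Explicit revocation evidence from any tool wins.
    echo revoked
  elif [ "$status" = good ]; then
    echo not-revoked
  elif printf '%s\n' "$2" | grep -q 'MissingIntermediate'; then
    # The chain could not be built from the leaf certificate alone. That
    # says nothing about revocation, so the OCSP query is still needed.
    echo need-ocsp
  else
    echo inconclusive
  fi
}

# Constructed samples, shaped like the output quoted in this thread.
SAMPLE_SPCTL='/Users/example/Downloads/Docker.dmg: CSSMERR_TP_CERT_REVOKED'
SAMPLE_VERIFY='Cert Verify Result: CSSMERR_TP_NOT_TRUSTED
   Unable to find next certificate in the chain [MissingIntermediate]'
SAMPLE_OCSP='Response verify OK
codesign0: revoked'
```

Pass each tool's saved output as a quoted string, for example `triage "" "$(cat verify.txt)" "$(cat ocsp.txt)"`, where the file names are placeholders.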