Run an unsigned application

Last updated Apr 30, 2025

Many applications published for MacOS are signed, but this requires the developer to pay for an Apple developer account.

When running an unsigned application for the first time, MacOS will warn the user the application cannot be run and will not give any information on why this is.

To allow execution of the application, run the following command.

1

xattr -rd com.apple.quarantine <path to application>

For example if you install the terminal application Alacritty using Homebrew:

1

brew install alacritty

You will not be able to run the application at first, but after running:

1

xattr -rd com.apple.quarantine /Applications/Alacritty.app

You will be able to run the application in the normal way.

While most applications can be run on Windows without code signing, however unsigned Powershell scripts are disabled by default.

You can set an execution policy each time you run a script with the following. This will allow you to run a locally created Powershell script while retaining protection from remote unsigned scripts.

1

powershell.exe -ExecutionPolicy RemoteSigned -File C:\Path\To\Script.ps1

If you’re feeling lucky, you can always bypass all protections, and get no feedback or warnings for unsigned remote scripts by running.

1

powershell.exe -ExecutionPolicy Bypass -File C:\Path\To\Script.ps1

While not recommended (as it may leave your computer vulnerable) you can allow unsigned scripts with the Set-ExecutionPolicy command.

1

Set-ExecutionPolicy -Scope <scope> -ExecutionPolicy <policy>

Scope can be one of the following:

• MachinePolicy. Set by a Group Policy for all users of the computer.
• UserPolicy. Set by a Group Policy for the current user of the computer.
• Process. Affects only the current session.
• CurrentUser. Affects only the current user.
• LocalMachine. Default scope that affects all users of the computer.

ExecutionPolicy can be one of the following:

• AllSigned. Requires that all scripts and configuration files are signed by a trusted publisher, including scripts written on the local computer.
• Bypass. Nothing is blocked and there are no warnings or prompts.
• Default. Sets the default execution policy. Restricted for Windows clients or RemoteSigned for Windows servers.
• RemoteSigned. Requires that all scripts and configuration files downloaded from the Internet are signed by a trusted publisher. The default execution policy for Windows server computers.
• Restricted. Doesn’t load configuration files or run scripts. The default execution policy for Windows client computers.
• Undefined. No execution policy is set for the scope. Removes an assigned execution policy from a scope that is not set by a Group Policy. If the execution policy in all scopes is Undefined, the effective execution policy is Restricted.
• Unrestricted. Beginning in Powershell 6.0, this is the default execution policy for non-Windows computers and can’t be changed. Loads all configuration files and runs all scripts. If you run an unsigned script that was downloaded from the internet, you’re prompted for permission before it runs.