[Workaround in description] Mac is detecting Docker as a malware and keeping it from starting #7520

Open
acassioaraujo opened this issue Jan 7, 2025 · 554 comments


@acassioaraujo

acassioaraujo commented Jan 7, 2025

Description

Whenever Docker is started, this error is shown:

Malware Blocked. “com.docker.socket” was not opened because it contains malware. this action did not harm your Mac.

Reproduce

  1. Start Docker
  2. See the error
Image

Workaround

Tip

If you face this issue, try the following procedure:

  1. Quit Docker Desktop and check that no remaining docker processes are running using the Activity Monitor
  2. Run the following commands:
#!/bin/bash

# Stop the docker services
echo "Stopping Docker..."
sudo pkill '[dD]ocker'

# Stop the vmnetd service
echo "Stopping com.docker.vmnetd service..."
sudo launchctl bootout system /Library/LaunchDaemons/com.docker.vmnetd.plist

# Stop the socket service
echo "Stopping com.docker.socket service..."
sudo launchctl bootout system /Library/LaunchDaemons/com.docker.socket.plist

# Remove vmnetd binary
echo "Removing com.docker.vmnetd binary..."
sudo rm -f /Library/PrivilegedHelperTools/com.docker.vmnetd

# Remove socket binary
echo "Removing com.docker.socket binary..."
sudo rm -f /Library/PrivilegedHelperTools/com.docker.socket

# Install new binaries
echo "Install new binaries..."
sudo cp /Applications/Docker.app/Contents/Library/LaunchServices/com.docker.vmnetd /Library/PrivilegedHelperTools/
sudo cp /Applications/Docker.app/Contents/MacOS/com.docker.socket /Library/PrivilegedHelperTools/
  3. Restart Docker Desktop.

If that still doesn't work, download one of the currently supported releases from the Release notes and re-apply step 2.

As suggested, running this command is working for most of the people that had this problem.

Original issue details

docker version

Client:
 Version:           26.1.4
 API version:       1.45
 Go version:        go1.21.11
 Git commit:        5650f9b
 Built:             Wed Jun  5 11:26:02 2024
 OS/Arch:           darwin/arm64
 Context:           desktop-linux
Cannot connect to the Docker daemon at unix:///Users/admin/.docker/run/docker.sock. Is the docker daemon running?

(Can't get docker started to check more details)

----
Asked for a friend running Docker in the same version and this is the output:

Client:
 Version:           27.0.3
 API version:       1.46
 Go version:        go1.21.11
 Git commit:        7d4bcd8
 Built:             Fri Jun 28 23:59:41 2024
 OS/Arch:           darwin/arm64
 Context:           desktop-linux

Server: Docker Desktop 4.32.0 (157355)
 Engine:
  Version:          27.0.3
  API version:      1.46 (minimum version 1.24)
  Go version:       go1.21.11
  Git commit:       662f78c
  Built:            Sat Jun 29 00:02:44 2024
  OS/Arch:          linux/arm64
  Experimental:     false
 containerd:
  Version:          1.7.18
  GitCommit:        ae71819c4f5e67bb4d5ae76a6b735f29cc25774e
 runc:
  Version:          1.7.18
  GitCommit:        v1.1.13-0-g58aa920
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

docker info

Client:
 Version:    27.0.3
 Context:    desktop-linux
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.15.1-desktop.1
    Path:     /Users/lorenzo/.docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.28.1-desktop.1
    Path:     /Users/lorenzo/.docker/cli-plugins/docker-compose
  debug: Get a shell into any image or container (Docker Inc.)
    Version:  0.0.32
    Path:     /Users/lorenzo/.docker/cli-plugins/docker-debug
  desktop: Docker Desktop commands (Alpha) (Docker Inc.)
    Version:  v0.0.14
    Path:     /Users/lorenzo/.docker/cli-plugins/docker-desktop
  dev: Docker Dev Environments (Docker Inc.)
    Version:  v0.1.2
    Path:     /Users/lorenzo/.docker/cli-plugins/docker-dev
  extension: Manages Docker extensions (Docker Inc.)
    Version:  v0.2.25
    Path:     /Users/lorenzo/.docker/cli-plugins/docker-extension
  feedback: Provide feedback, right in your terminal! (Docker Inc.)
    Version:  v1.0.5
    Path:     /Users/lorenzo/.docker/cli-plugins/docker-feedback
  init: Creates Docker-related starter files for your project (Docker Inc.)
    Version:  v1.3.0
    Path:     /Users/lorenzo/.docker/cli-plugins/docker-init
  sbom: View the packaged-based Software Bill Of Materials (SBOM) for an image (Anchore Inc.)
    Version:  0.6.0
    Path:     /Users/lorenzo/.docker/cli-plugins/docker-sbom
  scout: Docker Scout (Docker Inc.)
    Version:  v1.10.0
    Path:     /Users/lorenzo/.docker/cli-plugins/docker-scout

Server:
 Containers: 10
  Running: 9
  Paused: 0
  Stopped: 1
 Images: 41
 Server Version: 27.0.3
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: ae71819c4f5e67bb4d5ae76a6b735f29cc25774e
 runc version: v1.1.13-0-g58aa920
 init version: de40ad0
 Security Options:
  seccomp
   Profile: unconfined
  cgroupns
 Kernel Version: 6.6.32-linuxkit
 Operating System: Docker Desktop
 OSType: linux
 Architecture: aarch64
 CPUs: 12
 Total Memory: 7.657GiB
 Name: docker-desktop
 ID: 1e75072f-7d8f-47c3-917a-43dc08d31755
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 HTTP Proxy: http.docker.internal:3128
 HTTPS Proxy: http.docker.internal:3128
 No Proxy: hubproxy.docker.internal
 Labels:
  com.docker.desktop.address=unix:///Users/lorenzo/Library/Containers/com.docker.docker/Data/docker-cli.sock
 Experimental: false
 Insecure Registries:
  hubproxy.docker.internal:5555
  127.0.0.0/8
 Live Restore Enabled: false

Diagnostics ID

Can't get a Diagnostics ID because I'm not able to open docker, the error is from MacOS

Additional Info

I tried installing older versions of Docker but the error is the same to all of them.

@luckystreak96

luckystreak96 commented Jan 7, 2025

If it helps, I have the same issue and am running this version of MacOS M3: macOS Sequoia 15.1 (24B83)
Image

@jpbriend

jpbriend commented Jan 7, 2025

can you tell us how old is the vmnetd executable on your machines?
it's located here: /Library/PrivilegedHelperTools/com.docker.vmnetd

@luckystreak96

Running ls -lrt /Library/PrivilegedHelperTools/ gives this:

-r-xr--r--  1 root  wheel  5636768 31 May  2024 com.docker.vmnetd

@mat007
Member

mat007 commented Jan 7, 2025

Hi,

Which version(s) of Docker Desktop have you tried? Which one is the highest one? Did you download it fresh?
What happens if you do

sudo rm /Library/PrivilegedHelperTools/com.docker.vmnetd

then start Docker Desktop again? (Docker Desktop should re-install it on-demand when it needs it)

Thanks, and sorry this happened to you!

@mancha-24

I deleted the com.docker.vmnetd but now I get this opening docker again
Image

@luckystreak96

I uninstalled after the issue happened and re-installed the latest version available on the website - since deleting com.docker.vmnetd the application hangs (the window never opens), there is no visible error message, the file com.docker.vmnetd is still missing and trying to open the application multiple times yields an error of the likes of "Cannot start Docker because the application is not responding" (same as the post above)

@mat007
Member

mat007 commented Jan 7, 2025

Ah maybe you need to (sudo) kill -9 the vmnetd process, actually. Does

ps aux | grep vmnetd

show it running?

@mat007
Member

mat007 commented Jan 7, 2025

Or any other docker process running?

ps aux | grep '[dD]ocker'

@luckystreak96

vmnetd was not running, and killing the docker process and starting it again gives the same result.

$ ps aux | grep vmnetd
user        25212   0.0  0.0 410733072   1664 s000  S+    1:16pm   0:00.01 grep vmnetd
$ ps aux | grep "[dD]ocker"
user        24255   0.0  0.2 412151024  73200   ??  S     1:05pm   0:00.15 /Applications/Docker.app/Contents/MacOS/com.docker.backend run

@akerouanton
Member

It'd be helpful to get some system logs to see why macOS is rejecting vmnetd.

  1. Make sure that no docker processes are running -- or kill them through the Activity Monitor.
  2. Note the current time.
  3. Start Docker Desktop
  4. Run the following command in a terminal and replace the time with what you noted in step 2. (this command might be really slow).
$ log show --start '2025-01-07 X:Y:00' | grep 'com.docker'

@luckystreak96

I see this at the end of the log output that looks suspicious:

trustd: [com.apple.securityd:SecWarning]
Entitlement com.apple.application-identifier=9BNSXJN65R.com.docker.docker is ignored because of invalid application signature or incorrect provisioning profile
    "group.com.docker"

docker-log-output.txt

@mat007
Member

mat007 commented Jan 7, 2025

> vmnetd was not running, and killing the docker process and starting it again gives the same result.

Ah right, so Docker Desktop does not re-install vmnetd in that case.
You can do

sudo cp /Applications/Docker.app/Contents/Library/LaunchServices/com.docker.vmnetd /Library/PrivilegedHelperTools/

then restart Docker Desktop.

edit: this probably needs you to update to at least Docker Desktop 4.35 before cp’ing

@EricCrete

This worked for me ^

@luckystreak96

That also worked for me!

@codeech

codeech commented Jan 7, 2025

I uninstalled, and then reinstalled using the command line, and things seem to be working properly

@akerouanton
Member

akerouanton commented Jan 7, 2025

If someone is facing this issue, before removing the broken vmnetd or socket binary, could you please try to run these two commands and paste the output here:

$ codesign -d --extract-certificates /Library/PrivilegedHelperTools/com.docker.vmnetd
$ for file in codesign*; do security verify-cert -vv -c "$file"; done
$ openssl ocsp -CAfile codesign2 -issuer codesign1 -cert codesign0 -url "$(openssl x509 -in codesign0 -ocsp_uri -noout)"
$ openssl x509 -noout -text -in codesign0

@voidd7

voidd7 commented Jan 7, 2025

This wasn't working for me

sudo cp /Applications/Docker.app//Contents/Library/LaunchServices/com.docker.vmnetd /Library/PrivilegedHelperTools/

but reinstalling from command line worked.

@zioproto

zioproto commented Jan 7, 2025

I have the same problem but with a small different detail. In the screenshot the file mentioned is com.docker.socket:

Image

@acassioaraujo your screenshot shows com.docker.vmnetd but in your issue description you also write com.docker.socket, could you please confirm which file is affected for you ? thanks

@akerouanton
Member

akerouanton commented Jan 7, 2025

@zioproto I think both are affected since they were signed with the same certificate. If you have a chance, could you try to run the commands I posted in this comment please? This would help us a lot. #7520 (comment)

@zioproto

zioproto commented Jan 7, 2025

@akerouanton It seems the signature cannot be verified:

security verify-cert -vv -c codesign0
Cert Verify Result: CSSMERR_TP_NOT_TRUSTED
---
Certificate chain
 0: Developer ID Application: Docker Inc (9BNSXJN65R)
    <cert(0x15c80d000) s: Developer ID Application: Docker Inc (9BNSXJN65R) i: Developer ID Certification Authority>
---
Certificate errors
 0: Developer ID Application: Docker Inc (9BNSXJN65R)
    Unable to find next certificate in the chain [MissingIntermediate]
---
Certificate chain properties
(
        {
        error = "CSSMERR_TP_NOT_TRUSTED";
        title = "Developer ID Application: Docker Inc (9BNSXJN65R)";
    }
)
---
Trust evaluation results
{
    TrustEvaluationDate = "2025-01-07 19:30:03 +0000";
    TrustResultDetails =     (
                {
            MissingIntermediate = 0;
            StatusCodes =             (
                "-2147409622"
            );
        }
    );
    TrustResultValue = 5;
}
---
Trust evaluation errors
Error Domain=NSOSStatusErrorDomain Code=-25318 "errKCCreateChainFailed / errSecCreateChainFailed: / The attempt to create a certificate chain failed." UserInfo={NSLocalizedDescription=\u201cDeveloper ID Application: Docker Inc (9BNSXJN65R)\u201d certificate is not trusted, NSUnderlyingError=0x600000f1cba0 {Error Domain=NSOSStatusErrorDomain Code=-25318 "errKCCreateChainFailed / errSecCreateChainFailed: / The attempt to create a certificate chain failed." UserInfo={NSLocalizedDescription=Certificate 0 \u201cDeveloper ID Application: Docker Inc (9BNSXJN65R)\u201d has errors: Unable to build chain to root (possible missing intermediate);}}}

@acassioaraujo
Author

> > vmnetd was not running, and killing the docker process and starting it again gives the same result.
>
> Ah right, so Docker Desktop does not re-install vmnetd in that case. You can do
>
> sudo cp /Applications/Docker.app//Contents/Library/LaunchServices/com.docker.vmnetd /Library/PrivilegedHelperTools/
>
> then restart Docker Desktop.
>
> edit: this probably needs you to update to at least Docker Desktop 4.35 before cp’ing

This worked for me on version 4.32

@akerouanton
Member

akerouanton commented Jan 7, 2025

@zioproto I just added two other commands to my comment, ie. openssl ocsp … and openssl x509. Could you paste their output too please? 🙂

EDIT: Let me re-add them here for clarity.

$ openssl ocsp -CAfile codesign2 -issuer codesign1 -cert codesign0 -url "$(openssl x509 -in codesign0 -ocsp_uri -noout)"
$ openssl x509 -noout -text -in codesign0

@zioproto

zioproto commented Jan 7, 2025

@akerouanton the certificate has been revoked:

openssl x509 -in codesign0 -ocsp_uri -noout
http://ocsp.apple.com/ocsp03-devidg201

Question: I am not familiar with this, is it normal that the verification url is plaintext http and not https ?

and

openssl ocsp -CAfile codesign2 -issuer codesign1 -cert codesign0 -url $(openssl x509 -in codesign0 -ocsp_uri -noout)
Response verify OK
codesign0: revoked

here is the full certificate in text form:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            13:16:fd:12:7d:9a:57:15:17:65:91:f8:5f:fc:3c:66
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Developer ID Certification Authority, OU=G2, O=Apple Inc., C=US
        Validity
            Not Before: Feb  8 12:56:54 2024 GMT
            Not After : Feb  8 12:56:53 2029 GMT
        Subject: UID=9BNSXJN65R, CN=Developer ID Application: Docker Inc (9BNSXJN65R), OU=9BNSXJN65R, O=Docker Inc, C=US
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Authority Key Identifier:
                F8:3A:0C:69:11:76:E0:ED:AC:D1:EB:A6:59:FA:37:D5:C4:55:B0:1E
            Authority Information Access:
                CA Issuers - URI:http://certs.apple.com/devidg2.der
                OCSP - URI:http://ocsp.apple.com/ocsp03-devidg201
            X509v3 Certificate Policies:
                Policy: 1.2.840.113635.100.5.1
                  User Notice:
                    Explicit Text: Reliance on this certificate by any party assumes acceptance of the then applicable standard terms and conditions of use, certificate policy and certification practice statements.
                  CPS: https://www.apple.com/certificateauthority/
            X509v3 Extended Key Usage: critical
                Code Signing
            X509v3 Subject Key Identifier:
                21:58:40:59:A0:20:1A:5B:6D:97:AE:14:CD:2D:AC:0E:03:A1:23:66
            X509v3 Key Usage: critical
                Digital Signature
            1.2.840.113635.100.6.1.33:
                ..20140507000000Z
            1.2.840.113635.100.6.1.13: critical
                ..
    Signature Algorithm: sha256WithRSAEncryption

@akerouanton
Member

@zioproto Thanks a lot! Last batch of questions:

  • Which version of Docker Desktop do you have?
  • Can you upload com.docker.vmnetd and com.docker.socket?

@Chekote

Chekote commented Jan 7, 2025

> > vmnetd was not running, and killing the docker process and starting it again gives the same result.
>
> Ah right, so Docker Desktop does not re-install vmnetd in that case. You can do
>
> sudo cp /Applications/Docker.app/Contents/Library/LaunchServices/com.docker.vmnetd /Library/PrivilegedHelperTools/
>
> then restart Docker Desktop.
>
> edit: this probably needs you to update to at least Docker Desktop 4.35 before cp’ing

It also worked for Docker 4.32.0, which we are stuck on due to the issue outlined here.

@zioproto

zioproto commented Jan 7, 2025

> • Which version of Docker Desktop do you have?

difficult to say for sure because I am not able to start docker anymore.

> • Can you upload com.docker.vmnetd and com.docker.socket?

Can you give me the full path to those files ?
I found /Library/PrivilegedHelperTools/com.docker.socket but I cannot find com.docker.vmnetd at the same path.

Do you need the full file ? this is my hash:

MD5 (com.docker.socket) = 8c166046e4c4b8a864c2941067b16428

@akerouanton
Member

It should be:

  • /Library/PrivilegedHelperTools/com.docker.vmnetd
  • /Library/PrivilegedHelperTools/com.docker.socket

But if one is missing on your system, don't worry and just upload what you have 🙂

@shreyas-sriram

shreyas-sriram commented Jan 7, 2025

Seeing similar issues. Downloaded the specific MacOS version (4.29.0) from https://desktop.docker.com/mac/main/arm64/145265/Docker.dmg and Apple wouldn't even let me install the dmg, with message “Docker.dmg” was not opened because it contains malware. This action did not harm your Mac.

Image

When I use spctl to verify the dmg, this is what I get

$ spctl -a -v ~/Downloads/Docker.dmg
/Users/shreyas.sriram/Downloads/Docker.dmg: CSSMERR_TP_CERT_REVOKED
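
Added example, not part of the thread or of Docker's tooling: a POSIX shell triage over saved output of the diagnostics quoted in this thread (`openssl ocsp`, `spctl -a -v`, `security verify-cert -vv`). The function names and the sample text, constructed from the lines quoted above, are assumptions; an OCSP status is counted only when the signed response itself verified, and a chain that could not be built is kept separate from a revocation.

```shell
#!/bin/sh
# Added example (not from the thread): classify captured diagnostic output.
# Nothing here runs codesign, spctl, security or openssl; feed it saved text.

# `openssl ocsp` output -> good | revoked | unknown | unverified-response | no-status
# A certificate status only counts if the signed OCSP response itself verified.
classify_ocsp() {
    awk '
        /^Response verify OK/ { verified = 1 }
        /: revoked[ \t\r]*$/  { status = "revoked" }
        /: good[ \t\r]*$/     { if (status == "") status = "good" }
        /: unknown[ \t\r]*$/  { if (status == "") status = "unknown" }
        END {
            if (!verified)         print "unverified-response"
            else if (status == "") print "no-status"
            else                   print status
        }'
}

# `spctl -a -v` output -> accepted | rejected | revoked | unknown
classify_spctl() {
    awk '
        /CSSMERR_TP_CERT_REVOKED/ { r = "revoked" }
        /: accepted[ \t\r]*$/     { if (r == "") r = "accepted" }
        /: rejected[ \t\r]*$/     { if (r == "") r = "rejected" }
        END { print (r == "" ? "unknown" : r) }'
}

# `security verify-cert -vv` output
#   -> missing-intermediate | <result code> | no-error-reported
classify_verify_cert() {
    awk '
        /^Cert Verify Result:/    { code = $4 }
        /\[MissingIntermediate\]/ { missing = 1 }
        END {
            if (missing)         print "missing-intermediate"
            else if (code != "") print code
            else                 print "no-error-reported"
        }'
}

# Combine the three results. Revocation reported by any source wins. A chain
# that could not be built is not evidence of revocation, so it stays inconclusive.
verdict() (
    ocsp=$1; spctl=$2; chain=$3
    if [ "$ocsp" = revoked ] || [ "$spctl" = revoked ]; then
        echo revoked
    elif [ "$ocsp" = good ] && [ "$spctl" = accepted ]; then
        echo trusted
    else
        echo "inconclusive:$chain"
    fi
)

# Constructed samples, modelled on the output quoted in the thread.
sample_ocsp() { printf '%s\n' 'Response verify OK' 'codesign0: revoked'; }
sample_spctl() {
    printf '%s\n' '/Users/example/Downloads/Docker.dmg: CSSMERR_TP_CERT_REVOKED'
}
sample_verify_cert() {
    cat <<'EOF'
Cert Verify Result: CSSMERR_TP_NOT_TRUSTED
Certificate errors
 0: Developer ID Application: Docker Inc (9BNSXJN65R)
    Unable to find next certificate in the chain [MissingIntermediate]
EOF
}

# Run all three classifiers over the samples and print one summary line.
triage_samples() (
    o=$(sample_ocsp | classify_ocsp)
    s=$(sample_spctl | classify_spctl)
    c=$(sample_verify_cert | classify_verify_cert)
    echo "ocsp=$o spctl=$s chain=$c verdict=$(verdict "$o" "$s" "$c")"
)

triage_samples
```

To use it on a real machine, redirect each diagnostic's stdout and stderr to a file and pipe that file into the matching classifier.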

@mattcobley

After applying several of the proposed fixes I still could not get it working. The daemon wouldn't start, but this fix got it working for me: https://cmatskas.com/fix-cannot-connect-to-the-docker-daemon/

Thank you!! This has fixed the issue I had where /var/run/docker.sock still wasn't being recreated on each restart (as everything in /var should be). So weird that this is a thing still after a full reinstall.

For everyone's benefit or if the link goes down: this says to add the following line to your ~/.zshrc:
export DOCKER_HOST=unix:///Users/$USER/Library/Containers/com.docker.docker/Data/docker.raw.sock

I did try updating the attributes as per this post but it hasn't removed them - don't know if this is why this workaround above for the socket is still required: view comment

e.g.
xattr -d com.apple.quarantine /Applications/Docker.app

@sborshikHlama

Tip works for Macbook Air M2, MacOs Sequoia 15.0.1.

@scaler-aayush

I am getting the below error, how can I come past this?

“com.docker.vmnetd” was not opened because it contains malware. This action did not harm your Mac.

@scaler-aayush

> I am getting the below error, how can I come past this?
>
> “com.docker.vmnetd” was not opened because it contains malware. This action did not harm your Mac.

Got to a new error now:

You can’t open the application “Docker” because it is not responding.

@ShwetaAwaradi09

I'm getting the below error and I have uninstalled and installed Docker from the official website/self service?
“com.docker.vmnetd” was not opened because it contains malware. This action did not harm your Mac.

@sborshikHlama

> I'm getting the below error and I have uninstalled and installed Docker from the official website/self service? “com.docker.vmnetd” was not opened because it contains malware. This action did not harm your Mac.

Have you tried the workaround from the issue description?

@greatvovan

Thanks so much for the script!

When will this nonsense be fixed, though?

@annahramones

I'm on Sequoia as well and this worked for me, thank you! Before trying this, the error message kept popping up for me even after dismissing it.

@sphism

sphism commented Mar 6, 2025

I've been trying and failing to fix this all day. Just constantly come back to this error

Failed to start foo: failed to start ddev-router: composeCmd failed to run 'COMPOSE_PROJECT_NAME=ddev-foo docker-compose -f /Users/matt/.ddev/.router-compose-full.yaml -p ddev-router up --build -d', action='[-p ddev-router up --build -d]', err='exit status 1', stdout='', stderr=' Container ddev-router  Creating
 Container ddev-router  Created
 Container ddev-router  Starting
Error response from daemon: Ports are not available: exposing port TCP 127.0.0.1:803 -> 127.0.0.1:0: failed to connect to /var/run/com.docker.vmnetd.sock: is vmnetd running?: dial unix /var/run/com.docker.vmnetd.sock: connect: no such file or directory' 

I have tried everything and that service just never seems to work

EDIT:
Ok I finally got it sorted using the method here: #6677

I'll leave this comment here to maybe prevent someone else going round in circles all day

@joshuaray

This didn't work for me...using the latest Mac OS Sequoia 15.3.1.

The malware popup just continuously shows up every few seconds until I restart my Mac, even after doing the fix above.

@jebeals

jebeals commented Mar 9, 2025

Fixing Persistent "Docker will damage your computer" Pop-up – A Special Case

First off, a huge thanks to everyone contributing to this thread! The suggested fix helped a lot of people, and it’s great to see the community troubleshooting together. That said, I ran into a slightly different issue that required a few extra steps to fully resolve. I wanted to document it here in case anyone else finds themselves in the same situation.

🛠 The Problem: Docker Pop-up Wouldn’t Go Away (@joshuaray)

After uninstalling Docker, and trying the fix above (and even reinstalling the properly signed release), I kept getting the "Docker will damage your computer" pop-up, even after running the recommended fix in this thread. The pop-up persisted despite:
- Stopping and removing Docker services
- Removing binaries like vmnetd and socket
- Manually checking for lingering Docker files
(outlined above)

After digging deeper, I found that macOS security services (syspolicyd and XProtect) were still referencing a quarantined Docker file in my Trash.

🕵️‍♂️ How to Check If You Have the Same Issue
If you’re facing a persistent pop-up after uninstalling Docker, here are the steps to diagnose if you have the same root cause:

Image

If you've uninstalled Docker and still get the "Docker will damage your computer" pop-up, macOS may still be referencing a quarantined file. This isn't covered in the usual uninstall scripts, so here’s how to check and fix it.

Disclaimer: I worked with ChatGPT 4o on this (since I'm still new to MacOS) and had it help me generate this report. I edited it after the fact and it's a good summary, but please know that it generated a lot of these diagnosis steps. With that:

1️⃣ Check If macOS Is Still Tracking Docker Files
Run:

sudo lsof | grep -i docker

If you see output showing syspolicyd, xprotectservice, or other system processes accessing a Docker-related file, macOS is still tracking it.

Example:
syspolicy 357 root 20r REG 1,17 85421280 /Users/username/.Trash/Docker.app/Contents/MacOS/com.docker.backend
This means a quarantined Docker file still exists, and macOS security services are flagging it.

2️⃣ Check for Quarantined Docker Files

macOS uses a quarantine flag (com.apple.quarantine) to block suspicious files. We need to check if Docker files are still being marked.

🔍 A. Scan Common Locations for Quarantined Files

Run:
sudo xattr -lr /Applications/Docker.app ~/Library/* ~/.Trash/* /private/var/root/.Trash/*

If any files show com.apple.quarantine, they are still flagged as potential threats, causing the persistent pop-up.

Example output:
com.apple.quarantine: 0083;64b5e6ff;Safari;B12DFD32-9F44-44F2-ABF1-53D939268248

This confirms macOS is still treating a Docker file as untrusted.

🗑️ B. Check If the Quarantined File Is Stuck in Trash

Since some users (including me) found that the issue came from a Docker file stuck in Trash, manually check:
sudo ls -lah ~/.Trash

If you see Docker.app or com.docker.backend, that means the file was never fully removed, and macOS security is still scanning it.

3️⃣ Attempt to Remove the Quarantine Flag & Delete the File

If a quarantined Docker file exists, first remove its quarantine flag:
sudo xattr -rd com.apple.quarantine /path/to/file

For example, if it’s in Trash:
sudo xattr -rd com.apple.quarantine ~/.Trash/Docker.app

Then, delete it:
sudo rm -rf ~/.Trash/Docker.app

🚀 If this works, you may NOT need to disable SIP!

4️⃣ If You Still Can’t Delete It, Check System Integrity Protection (SIP)

If the file still won’t delete, SIP is blocking its removal, even with sudo.
Check SIP status:
csrutil status

If you see "enabled", SIP is likely preventing removal.

5️⃣ (Last Resort) Temporarily Disable SIP to Delete the File
⚠️ Only disable SIP if necessary! (I had to go this route).

If none of the above worked, SIP is likely preventing deletion. Follow these steps:

🛑 Disable SIP (Temporarily):

  1. Reboot into macOS Recovery Mode
     Open Terminal in Recovery Mode
     From the menu bar, go to Utilities > Terminal
     `csrutil disable`

     Note: This disables security on your MacOS.

  2. Reboot back into normal mode (or Safe Mode).

🗑️ Delete the Problematic Docker File

sudo rm -rf ~/.Trash/Docker.app

  3. 🔄 Restart macOS Security Services
     sudo launchctl stop com.apple.syspolicyd && sudo launchctl start com.apple.syspolicyd

  4. ✅ Re-enable SIP
     Once the pop-up is gone, go back to macOS Recovery Mode and turn SIP back on:
     csrutil enable

  5. Then reboot normally.

🎯 Key Takeaways
The original fix in this thread is great for stopping Docker services, but does not check for quarantined files, which was my actual issue. If the pop-up persists after uninstalling Docker, check for macOS security services referencing a quarantined file (sudo lsof | grep -i docker).
If a quarantined file exists, remove its com.apple.quarantine attribute before trying to delete it.
Only disable SIP if necessary—most people won’t need to if they remove quarantine attributes first!

💡 Hope this helps others who hit this more stubborn version of the issue!
If anyone runs into this and the steps help, drop a reply here! Would love to know if this workaround is useful.

Shoutout to ChatGPT 4o for helping me document this troubleshooting process—make sure to verify any steps before running commands from the internet.

Hope this helps! Good luck! 🚀
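
Added example, not part of the post above: a POSIX shell parser for the `com.apple.quarantine` value format shown in that post (flags;hex timestamp;agent;UUID), so saved `xattr -lr` output can be reviewed file by file. It assumes the second field is Unix epoch seconds in hexadecimal and that recursive output prefixes each attribute with `path: `; the function names and the sample lines are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): list quarantined paths from saved
# `xattr -lr` output so each one can be reviewed before anything is changed.

# parse_quarantine_value 'FLAGS;HEXTIME;AGENT;UUID'
# Prints flags|epoch_seconds|agent|uuid, or exits 1 if the value is malformed.
parse_quarantine_value() (
    IFS=';'
    set -f              # no globbing while the value is split on ';'
    set -- $1
    flags=${1-}; stamp=${2-}; agent=${3-}; uuid=${4-}
    # Accept hex digits only, so nothing else reaches the arithmetic expansion.
    case $flags in ''|*[!0-9A-Fa-f]*) exit 1 ;; esac
    case $stamp in ''|*[!0-9A-Fa-f]*) exit 1 ;; esac
    [ "${#stamp}" -le 8 ] || exit 1
    printf '%s|%s|%s|%s\n' "$flags" "$((0x$stamp))" "$agent" "$uuid"
)

# Reads `xattr -lr` output on stdin. Assumed layout, one attribute per line:
#   <path>: com.apple.quarantine: <value>
# Other attributes are skipped; unparseable quarantine values are reported
# rather than dropped, because they still mark the file as quarantined.
list_quarantined() {
    marker=': com.apple.quarantine: '
    while IFS= read -r line; do
        case $line in
            *"$marker"*)
                path=${line%%"$marker"*}
                value=${line#*"$marker"}
                if parsed=$(parse_quarantine_value "$value"); then
                    printf '%s|%s\n' "$path" "$parsed"
                else
                    printf '%s|MALFORMED|%s\n' "$path" "$value"
                fi ;;
        esac
    done
}

# Constructed sample input; the first value is the one quoted in the post.
sample_xattr_output() {
    cat <<'EOF'
/Users/example/.Trash/Docker.app: com.apple.quarantine: 0083;64b5e6ff;Safari;B12DFD32-9F44-44F2-ABF1-53D939268248
/Users/example/.Trash/Docker.app: com.example.note: unrelated attribute
/Users/example/Library/Caches/helper: com.apple.quarantine: bogus;value
EOF
}

sample_xattr_output | list_quarantined
```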

@baslia

baslia commented Mar 12, 2025

Thank you !

@hitshiroya

Thanks it did work for me.
Removing socket binary and stopping services work for me atm.

@Nagibaba

Nagibaba commented Mar 12, 2025

If you're using a Mac with an M3 chip and macOS Sonoma, you need to make sure you're using the Docker version that's compatible with Apple Silicon.

Here's how to resolve this Docker installation issue on your M3 (Last is best):

  1. Download the correct version: Make sure you're downloading Docker Desktop for Mac with Apple Silicon from the official Docker website.

  2. Override the security warning:

    • After downloading, locate the Docker.dmg file in your Downloads folder
    • Mount the DMG file by double-clicking it
    • Instead of dragging the Docker app to Applications, right-click (or Control+click) on the Docker app
    • Select "Open" from the context menu
    • When prompted with the warning, click "Open"
  3. If that doesn't work:

    • Open System Settings
    • Go to Privacy & Security
    • Scroll down to the Security section
    • Look for a message about Docker being blocked
    • Click "Allow Anyway" or similar option
    • Try opening Docker again
  4. Check for Rosetta 2:

    • Some components of Docker might still require Rosetta 2
    • If prompted to install Rosetta 2, allow it
    • You can also manually install Rosetta 2 by running this in Terminal:
    softwareupdate --install-rosetta
    
  5. 🚀Last resort - temporarily adjust security settings:

    • Open Terminal
    • Run: sudo xattr -r -d com.apple.quarantine /Applications/Docker.app
    • Enter your password when prompted
    • Try opening Docker again

The M3 chip should provide excellent performance for Docker once you get it installed properly. The initial warning is just macOS's security system being cautious about applications that modify system settings.

@maneja81

I got this working with the bash script, thank you for sharing the workaround.

@SakhileMamba

> > vmnetd was not running, and killing the docker process and starting it again gives the same result.
>
> Ah right, so Docker Desktop does not re-install vmnetd in that case. You can do
>
> sudo cp /Applications/Docker.app/Contents/Library/LaunchServices/com.docker.vmnetd /Library/PrivilegedHelperTools/
>
> then restart Docker Desktop.
>
> edit: this probably needs you to update to at least Docker Desktop 4.35 before cp’ing

This worked for me.

@dandigangi

Thank you so much. This worked for me. Not being able to run services locally was killing me.

@bkalaaa

bkalaaa commented Mar 20, 2025

What helped me was disabling docker in "Open at Login" part of settings

@Yuff-927

Yuff-927 commented Mar 22, 2025

I've uninstalled Docker before. Last time I fixed it with some codes online (which I forgot). The pop-up showed again after I restarted my laptop. I followed the steps in jebeals' post.

Try "1️⃣ Check If macOS Is Still Tracking Docker Files
Run:

sudo lsof | grep -i docker. "

____------my terminal output : syspolicy 462 root 18r REG 1,13 80527424 16169400 /Users/yuf***/.Trash/Docker.app/Contents/MacOS/com.docker.backend

2️⃣ Check for Quarantined Docker Files

macOS uses a quarantine flag (com.apple.quarantine) to block suspicious files. We need to check if Docker files are still being marked.

🔍 A. Scan Common Locations for Quarantined Files

Run:
sudo xattr -lr /Applications/Docker.app ~/Library/* ~/.Trash/* /private/var/root/.Trash/*

____------my terminal output :
no matches found: /Users/yuf****/.Trash/*

🗑️ B. Check If the Quarantined File Is Stuck in Trash

sudo ls -lah ~/.Trash

____------my terminal output: total 0

What do you think I should do next?

March 26, 2025, updated: I found the code worked for me last time: "brew uninstall --cask docker --force brew uninstall --formula docker --force". But it will pop up when I restart the laptop. I noticed it showed "verifying docker...." when restarted, and then the warning showed up!!!

@chris-crone
Member

Hi @Yuff-927! You can find the instructions here

@HashbangGames

The solution that worked for me, was to ensure that:

  • sudo cp /Applications/Docker.app/Contents/Library/LaunchServices/com.docker.vmnetd /Library/PrivilegedHelperTools/

Secondly:
System Settings -> Privacy & Security -> Full Disk Access | Add /Applications/Docker

Restart System.

@iamironman6

Thanks a lot @acassioaraujo it helped me !

@jaydasani

This workaround resolved the issue for me. Thank you! @acassioaraujo

@KooperL

KooperL commented Mar 29, 2025

Have been pulling my hair out - thank you for the workaround

@d-silva

d-silva commented Mar 29, 2025

Thanks a lot @acassioaraujo 🍻

@josenbobby

None of the methods above worked. Installing docker shouldn't be this hard.

@cheuk209

cheuk209 commented Apr 5, 2025

Completely reinstalling docker via brew worked for me:

brew uninstall --cask docker --force
brew uninstall --formula docker --force
brew install --cask docker

absolute G in a Gi
