Still getting malware messages on reboot #7544

Open
znorris opened this issue Jan 13, 2025 · 14 comments

Comments

@znorris

znorris commented Jan 13, 2025

Description

  • reinstalled docker desktop
  • ran check.sh to verify com.docker.vmnetd is signed
  • reboot and login still shows malware message
  • running docker desktop works, and so does running containers

Reproduce

Have a Mac with ARM, have a preexisting Docker install, log in.

Expected behavior

No malware messages

docker version

Client:
 Version:           27.4.0
 API version:       1.47
 Go version:        go1.22.10
 Git commit:        bde2b89
 Built:             Sat Dec  7 10:35:43 2024
 OS/Arch:           darwin/arm64
 Context:           desktop-linux

Server: Docker Desktop 4.37.2 (179585)
 Engine:
  Version:          27.4.0
  API version:      1.47 (minimum version 1.24)
  Go version:       go1.22.10
  Git commit:       92a8393
  Built:            Sat Dec  7 10:38:33 2024
  OS/Arch:          linux/arm64
  Experimental:     false
 containerd:
  Version:          1.7.21
  GitCommit:        472731909fa34bd7bc9c087e4c27943f9835f111
 runc:
  Version:          1.1.13
  GitCommit:        v1.1.13-0-g58aa920
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

docker info

Client:
 Version:    27.4.0
 Context:    desktop-linux
 Debug Mode: false
 Plugins:
  ai: Ask Gordon - Docker Agent (Docker Inc.)
    Version:  v0.5.1
    Path:     /Users/znorris/.docker/cli-plugins/docker-ai
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.19.2-desktop.1
    Path:     /Users/znorris/.docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.31.0-desktop.2
    Path:     /Users/znorris/.docker/cli-plugins/docker-compose
  debug: Get a shell into any image or container (Docker Inc.)
    Version:  0.0.37
    Path:     /Users/znorris/.docker/cli-plugins/docker-debug
  desktop: Docker Desktop commands (Beta) (Docker Inc.)
    Version:  v0.1.0
    Path:     /Users/znorris/.docker/cli-plugins/docker-desktop
  dev: Docker Dev Environments (Docker Inc.)
    Version:  v0.1.2
    Path:     /Users/znorris/.docker/cli-plugins/docker-dev
  extension: Manages Docker extensions (Docker Inc.)
    Version:  v0.2.27
    Path:     /Users/znorris/.docker/cli-plugins/docker-extension
  feedback: Provide feedback, right in your terminal! (Docker Inc.)
    Version:  v1.0.5
    Path:     /Users/znorris/.docker/cli-plugins/docker-feedback
  init: Creates Docker-related starter files for your project (Docker Inc.)
    Version:  v1.4.0
    Path:     /Users/znorris/.docker/cli-plugins/docker-init
  sbom: View the packaged-based Software Bill Of Materials (SBOM) for an image (Anchore Inc.)
    Version:  0.6.0
    Path:     /Users/znorris/.docker/cli-plugins/docker-sbom
  scout: Docker Scout (Docker Inc.)
    Version:  v1.15.1
    Path:     /Users/znorris/.docker/cli-plugins/docker-scout

Server:
 Containers: 8
  Running: 0
  Paused: 0
  Stopped: 8
 Images: 21
 Server Version: 27.4.0
 Storage Driver: overlayfs
  driver-type: io.containerd.snapshotter.v1
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 CDI spec directories:
  /etc/cdi
  /var/run/cdi
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 472731909fa34bd7bc9c087e4c27943f9835f111
 runc version: v1.1.13-0-g58aa920
 init version: de40ad0
 Security Options:
  seccomp
   Profile: unconfined
  cgroupns
 Kernel Version: 6.10.14-linuxkit
 Operating System: Docker Desktop
 OSType: linux
 Architecture: aarch64
 CPUs: 11
 Total Memory: 7.653GiB
 Name: docker-desktop
 ID: 87bbf57b-ac4c-4b2c-8a6f-49fb8d9b58ed
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 HTTP Proxy: http.docker.internal:3128
 HTTPS Proxy: http.docker.internal:3128
 No Proxy: hubproxy.docker.internal
 Labels:
  com.docker.desktop.address=unix:///Users/znorris/Library/Containers/com.docker.docker/Data/docker-cli.sock
 Experimental: false
 Insecure Registries:
  hubproxy.docker.internal:5555
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: daemon is not using the default seccomp profile

Diagnostics ID

C3133A99-11C4-47F5-9100-925A7CBEA8C3/20250113184735

Additional Info

This has been a real mess and deserves a better solution than what you're posting on blogs and in issues.

@cdupuis

cdupuis commented Jan 13, 2025

@znorris, from looking at your diagnostics it appears that your com.docker.socket in /Library/PrivilegedHelperTools has not been updated as expected.

Could you please run sudo ./check.sh /Library/PrivilegedHelperTools/com.docker.socket and check to see if this file is current and correctly signed? If not, please update it with sudo cp /Applications/Docker.app/Contents/MacOS/com.docker.socket /Library/PrivilegedHelperTools/ and restart your machine.

@znorris
Author

znorris commented Jan 13, 2025

@cdupuis, I greatly appreciate your quick response.

I ran the check.sh against the two files listed in #7527, but both files were not found. I copied the com.docker.socket, as you suggested, but that hasn't changed anything. When I reboot and log in, I get a malware warning.

@sfichera

sfichera commented Jan 13, 2025

Hi! I'm facing the same issue, booted, tried to install latest version 4.37.2 as per your recommendation... I've copied the files to and executed the checker script and I've got...

sficheras-MacBook-Pro:Downloads sfichera$ sudo ./check.sh /Library/PrivilegedHelperTools/com.docker.socket
unable to load certificate
140704469231168:error:09FFF06C:PEM routines:CRYPTO_internal:no start line:/AppleInternal/Library/BuildRoots/c2cb9645-dafc-11ed-aa26-6ec1e3b3f7b3/Library/Caches/com.apple.xbs/Sources/libressl/libressl-3.3/crypto/pem/pem_lib.c:694:Expecting: TRUSTED CERTIFICATE

I'm on Ventura 13.4.1 (22F82) with an Intel chip.

UPDATE:
I was able to resolve the issue following the detailed steps provided here (rebooting after deleting the files at ~/.docker was crucial to get rid of the problem):
#7531 (comment)

@cdupuis

cdupuis commented Jan 13, 2025

@znorris, do you have any of the Allow the default Docker socket to be used (requires password) or Allow privileged port mapping (requires password) options enabled in your settings? If so, could you disable those and see if that changes anything?


Some users have reported similar issues when there was an old version in the macOS trash. Could you empty your trash, please?

@znorris
Author

znorris commented Jan 13, 2025

> @znorris, do you have any of the Allow the default Docker socket to be used (requires password) or Allow privileged port mapping (requires password) options enabled in your settings? If so, could you disable those and see if that changes anything?

I had "allow the default Docker socket to be used" enabled.

> Some users have reported similar issues when there was an old version in the macOS trash. Could you empty your trash, please?

Not applicable in my case as I do not have anything in the trash.

After changing the "allow default docker socket" setting and rebooting, I still get the error. Malware blocked "com.docker.socket" was not opened...

@cdupuis

cdupuis commented Jan 13, 2025

The odd thing here is that your com.docker.socket binary seems outdated. Mine looks like this in /Library/PrivilegedHelperTools:

-rwx--x--x   1 root  wheel  1572192 Jan 13 07:21 com.docker.socket

or

$ ls -la /Applications/Docker.app/Contents/MacOS/com.docker.socket
-rwxr-xr-x  1 cdupuis  staff  1572192 Jan  9 08:40 /Applications/Docker.app/Contents/MacOS/com.docker.socket

@znorris
Author

znorris commented Jan 13, 2025

@cdupuis
I've decided to follow the macOS uninstall instructions now.
I cannot rm -rf ~/Library/Containers/com.docker.docker as I get an operation not permitted error. /Users/znorris/Library/Containers/com.docker.docker/.com.apple.containermanagerd.metadata.plist specifically is the issue. Permissions look fine, though.

Update: I was able to delete that folder from the macOS finder, and I did not receive an error.

After rebooting, surprisingly, I'm still receiving the malware error.

@znorris
Author

znorris commented Jan 13, 2025

I've followed the uninstall instructions without error and I'm still getting a malware error.

@mat007
Member

mat007 commented Jan 13, 2025

@znorris can you show the exact malware popup you’re seeing? Specifically is it about com.docker.vmnetd, com.docker.socket or Docker.app?

@mat007
Member

mat007 commented Jan 13, 2025

Ah sorry @znorris, just saw in one of your comments that you already answered this:

> (…), I still get the error. Malware blocked "com.docker.socket" was not opened...

@mat007
Member

mat007 commented Jan 13, 2025

@znorris the script in https://docs.docker.com/desktop/cert-revoke-solution/#upgrade-to-docker-desktop-version-4372-recommended should solve this, i.e. this line in particular:

sudo launchctl bootout system/com.docker.socket 2>/dev/null || true

@znorris
Author

znorris commented Jan 13, 2025

> @znorris the script in https://docs.docker.com/desktop/cert-revoke-solution/#upgrade-to-docker-desktop-version-4372-recommended should solve this, i.e. this line in particular:
>
> sudo launchctl bootout system/com.docker.socket 2>/dev/null || true

Thank you. Removing these files and preventing their startup has solved my warning problem. That, combined with the macOS uninstall guide, should have left me in a clean state.

I recommend adding this cert revoke solution to the documentation in the uninstall guide for macOS. IMO, it would be helpful to remove everything, and it would be in keeping with my expectations.

I appreciate both of your help, @mat007 and @cdupuis.

@MattyKuzyk

MattyKuzyk commented Jan 14, 2025

The original solution in the blog post and linked issue also did not work for me. Doing the full uninstall at the bottom of this issue and running the cert revoke script worked for me. I would also ask you to please add something about this to the blog post. The information as of now seems quite scattered between the issue, the blog post, and the release page, as well as this issue (where I found my actual solution).

@mennomanschot

> @znorris the script in https://docs.docker.com/desktop/cert-revoke-solution/#upgrade-to-docker-desktop-version-4372-recommended should solve this, i.e. this line in particular:
>
> sudo launchctl bootout system/com.docker.socket 2>/dev/null || true

This did the trick for me. Thanks!
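
Two conditions come up in the thread: a helper in /Library/PrivilegedHelperTools that does not match the copy inside Docker.app, and a launchd job that is still loaded after the files were replaced or removed. The script below is an added example that reports both; it is not part of the thread and not Docker's check.sh. The function names `helper_state` and `report` are made up here, and it is assumed to be run with sudo because the installed helper is not world-readable.

```sh
#!/bin/sh
# Added example, not Docker's check.sh. Paths and helper names are the ones
# quoted in the thread; the function names are hypothetical.
HELPER_DIR=/Library/PrivilegedHelperTools
BUNDLE_DIR=/Applications/Docker.app/Contents/MacOS

# helper_state INSTALLED BUNDLED prints one of:
#   absent      no installed copy
#   orphan      installed copy exists but the app bundle has none
#   unreadable  cannot read the installed copy (mode is rwx--x--x, use sudo)
#   stale       both exist but differ byte for byte
#   current     both exist and are identical
helper_state() {
    installed=$1
    bundled=$2
    if [ ! -e "$installed" ]; then echo absent; return 0; fi
    if [ ! -e "$bundled" ]; then echo orphan; return 0; fi
    if [ ! -r "$installed" ]; then echo unreadable; return 0; fi
    if cmp -s "$installed" "$bundled"; then echo current; else echo stale; fi
}

# report NAME prints the file state, then the signature check and launchd
# status when the macOS tools are present (skipped on other systems).
report() {
    name=$1
    state=$(helper_state "$HELPER_DIR/$name" "$BUNDLE_DIR/$name")
    printf '%s: %s\n' "$name" "$state"
    if [ "$state" != absent ] && command -v codesign >/dev/null 2>&1; then
        codesign --verify --verbose=2 "$HELPER_DIR/$name" 2>&1 | sed 's/^/  codesign: /'
    fi
    # A job can stay loaded even after its binary was replaced or deleted.
    if command -v launchctl >/dev/null 2>&1; then
        if launchctl print "system/$name" >/dev/null 2>&1; then
            echo "  launchd: system/$name is still loaded"
        else
            echo "  launchd: system/$name is not loaded"
        fi
    fi
}

for name in com.docker.socket com.docker.vmnetd; do
    report "$name"
done
```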
