[KevinH]

I was checking the sha56 checksums from our github build to what I uploaded to my repo to make sure my initial upload was not broken.

Apple applies stricter security when you run or unpack things inside Downloads.

I always drag it out of Downloads to the Desktop manually. I actually have a Droplet App that runs that command line command to remove the com.apple.quarantine extended attribute that Apple adds to everything you download. On my wife's machine I had to do it by hand.

That attribute is like a virus in that everything you unpack on Apple gets that attribute defines to all its contents if the package itself has that extended attribute.

To really have fun, go to your some busy folder on your Mac and open Terminal and type:

ls -a@el

to get a full listing of all of your extended attributes on your existing files in that folder then compare it with what you trust or do not trust. It is freaky anything runs at all.

I regularly run clean up runs on my home and dev machines to remove those silly attributes from github checkouts, images, etc

Apple really should have an easy way for a user to say I trust something. After 40+years of contributing to various open source projects and shareware before that, and over a decade on Sigil alone, I think a bit of trust should be given for what I produce. But Apple treats everything and everyone as suspect unless it is them.