Installation

Two paths: install the signed .dmg for the fastest start, or build from source if you want the bleeding edge or plan to contribute.

System requirements

| Requirement | Minimum | Notes |
|---|---|---|
| macOS | 14.0 Sonoma | Some features (vsock, VirtioFS) require Apple Virtualization framework features only available on macOS 14+. |
| Architecture | Apple Silicon (M1+) or Intel | macOS guest VMs require Apple Silicon. Linux guests run on either. |
| RAM | 16 GB | The host needs enough headroom to run a guest VM (typically 4–8 GB) plus everything else you have open. |
| Disk | 20 GB free | VM bundles add up fast. A typical Linux VM disk is 20 GB; a macOS guest is 50–80 GB. |
| Xcode | 15.0+ (source builds only) | Includes the Swift toolchain SecVF compiles with. |
| tshark | 4.x (optional) | Required only for live packet capture. Install with: brew install wireshark |

Why macOS 14? SecVF leans on Apple Virtualization framework features added in Sonoma — including the rosetta translation layer for Linux guests, and the Virtio socket (vsock) device used by the AI sandbox for host↔guest IPC.

Install from .dmg

The .dmg is the recommended path for everyday use. It's signed with a Developer ID certificate and notarized by Apple, which means Gatekeeper trusts it on first launch.

  1. Download the latest release from the GitHub releases page.
  2. Verify the download (the SHA-256 is published next to the asset on the releases page):
    shasum -a 256 SecVF-x.y.z.dmg
    # compare against the SHA-256 column on the release page
  3. Mount the .dmg by double-clicking. Drag SecVF.app into Applications.
  4. Eject the disk image, then launch SecVF from Applications or Spotlight.
If Gatekeeper blocks first launch ("cannot be opened because the developer cannot be verified"), don't right-click → Open as a workaround — that bypasses notarization. Re-download the binary, re-verify the SHA-256, and check that the signature is intact: codesign --verify --deep --strict --verbose=2 /Applications/SecVF.app. A failed verify means the file was tampered with or didn't download cleanly.

Build from source

Use this path if you want the latest commit, want to modify SecVF, or are setting up a contributor environment.

Clone

git clone https://github.com/DaxxSec/SecVF.git
cd SecVF

Build with Xcode (GUI)

  1. open SecVF.xcodeproj
  2. Select the SecVF scheme and the My Mac (Designed for iPad off) destination.
  3. Press ⌘R to build & run.

Build from the command line

# Debug
xcodebuild -scheme SecVF -configuration Debug \
           -destination 'platform=macOS,arch=arm64' build

# Release
xcodebuild -scheme SecVF -configuration Release \
           -destination 'platform=macOS,arch=arm64' build

The product appears at ~/Library/Developer/Xcode/DerivedData/SecVF-*/Build/Products/<config>/SecVF.app.

Code signing for personal use

To run a custom build outside Xcode you need a signed binary — the Virtualization framework refuses to load unsigned guest configurations. Easiest path is your free Apple ID team:

# Pick the team in the Xcode project settings:
# SecVF target → Signing & Capabilities → Team → <your Apple ID>
# Bundle ID must be unique per team — change it from the default if you hit
# "this bundle id is already in use".
Distributing to others requires a paid Apple Developer Program membership ($99/yr) for Developer ID signing + notarization. Free Apple IDs only sign for the local machine.

Optional dependencies

tshark (packet capture)

Without tshark, the live packet panel still receives switch frames, but the deep-decode and PCAP export paths are disabled.

brew install wireshark            # CLI + GUI
# or, headless-only:
brew install --formula wireshark  # CLI only

SecVF discovers tshark via $PATH. After install, restart the app — it caches the binary path on launch.

just (CLI quality-of-life)

The repo's justfile wraps common dev commands. Optional, only if you're building from source frequently.

brew install just
just                              # see available recipes

First run & permissions

On first launch SecVF prompts macOS for two permissions. Grant both.

| Permission | Why |
|---|---|
| Network | Downloading ISOs and IPSWs, talking to guest VMs over the virtual switch. |
| Files & Folders → Downloads | Optional; only required if you import VM bundles or ISOs from ~/Downloads. Grant on demand. |

SecVF does not ask for Full Disk Access, Accessibility, Screen Recording, or Camera. If a future build requests one of these, read the change log first — there should be a clear reason.

Data directory layout

Everything SecVF persists lives under ~/.avf/ in your home directory:

~/.avf/
├── Linux/<VMName>.bundle/      # Linux guest VMs
│   ├── Disk.img                # Disk image (sparse)
│   ├── NVRAM                   # Virtual NVRAM
│   ├── MachineIdentifier       # Stable VM ID
│   └── metadata.json           # CPU/RAM/network mode
├── MacOS/<VMName>.bundle/      # macOS guest VMs (same shape + .ipsw)
├── AISandbox/                  # AI sandbox base images + sessions
├── ISOCache/                   # SHA-256-verified ISO downloads
└── logs/
    ├── security-YYYY-MM-DD.log # Security event log (rotated daily)
    └── error-audit.log         # Typed-error audit trail
Backups: the entire ~/.avf tree is portable. Copy it to another Mac (Apple Silicon ↔ Apple Silicon) and SecVF will pick up the bundles. Don't include ~/.avf/logs if you're sharing with someone.

Verify the install

Quick sanity checks after launch:

  1. Menu bar shows "SecVF" — app launched and is the front process.
  2. VM Library window opens — the empty state shows the "+ New VM" button.
  3. Settings → About shows your version and build commit hash.
  4. Optional: tshark detected — open Packet Analysis (P); if tshark is installed and on $PATH, the "Start capture" button is enabled.

If anything looks off, the audit log usually has the answer:

tail -f ~/.avf/logs/error-audit.log

Uninstall

Three steps to leave no trace:

# 1. Quit SecVF
osascript -e 'quit app "SecVF"'

# 2. Remove the application
rm -rf /Applications/SecVF.app

# 3. Remove the data directory (this includes all VM bundles and logs)
rm -rf ~/.avf
Step 3 is destructive. Deleting ~/.avf wipes every VM bundle, ISO cache entry, and log. Back up any guest VMs you want to keep before running it.