OSX El Capitan and Go 1.6
What I want is simpler than it sounds from the title.
The OSX firewall disallows any unknown application from accepting connections. When any such program starts, the user is presented with a dialog whether or not the said executable should be permitted to receive connections. The user's choice is then remembered.
The above works fine when for example one develops with node where the actual executable is a single binary and the user just needs to allow/deny it once.
When developing in go (and any other compiled language) the created executable is different every time. Which means I get the dialog every single time I start my server.
One way to avoid this dialog is to sign the executable with a self-signed certificate one generates in OSX itself. Once we have the certificate we simply sign the executable and allow/deny it once. Code signatures are always remembered even if the executable binary changes.
So, my question is:
Is there a way to make go run the signing command before running the compiled binary?
Even easier: start the server explicitly on localhost, like:
http.ListenAndServe("localhost:8080", nil)
I wrote a little piece on this recently:
suppressing-accept-incoming-network-connections-warnings-on-osx
Silly me. Took me 5 minutes to write the question and 2 minutes to find the answer and write the script that solves it. I'll post it here in case anybody stumbles on the same problem.
binary=$GOPATH/pkg/kliron/hiss/hiss.a
go build -o $binary hiss/main.go
codesign -f -s klironCode $binary --deep
$binary "$#"
Just use go build.
Related
I'm perplexed by this one and not sure what's relevant so will include all context:
MacBook Pro with an M1 Pro running macOS 12.6.
Apple clang version 14.0.0, freshly installed by deleting DeveloperTools folder and running xcode-select --install.
Using zsh in Terminal.
Network share mounted using no-configuration Finder method (seems to use standard SMB, but authenticates with my Apple ID)
Network share is my home directory on a iMac with a Core i5 running macOS 11.6.8.
Update: also tried root directory and using the tmp directory, to eliminate one category of doubt. Same result.
The minimum repeatable example of the issue I've managed to find is:
Use gcc from Apple's Developer Tools to compile a “Hello World” C application (originally discovered using ghc to compile Haskell - effect is the same).
Run the compiled executable. No surprises.
cd to the mounted network drive.
Do the same thing there - compiled executable hangs! First surprise, but relatively minor.
Return to the local machine. Original compiled executable still runs fine.
Use the DeveloperTools to compile anything, including the original source - compiled executable on local machine now hangs!
I've created an asciinema recording of the MRE. You can see the key part of the transcript in this still:
I’ve tried killing processes, checking lsof, unmounting the drive, logging in and out, checking the PATH, etc. Nothing gets me back to a working state short of a reboot.
Some more troubleshooting data:
gcc -v is identical for both executables, except for -fdebug-compilation-dir (set to cwd) and the name of the object file (randomly generated).
Just performing the compilation doesn't trigger the issue - running the networked executable does.
Trawling through the voluminous Console log reveals nothing relevant.
system.log shows no entries around the time of the issue.
lsof and ps -axww show reams and reams of output that is hard to spot patterns in, but I'm pretty sure there is no significant before/after differences.
I left the hung process running on the local machine overnight, and there's no change the next day.
Have I triggered some sandboxing or security fault and am being protected from disastrous consequences? Or this some clang/llvm related quirk I'm not familiar with? Or, given that ghc using its native code generator seems to have the same result, is this a bug in the way stdout is provided to executables? I'm at a loss!
Oh boy, avoiding Apple ID authentication of the network share fixed this for me.
I forced Finder to not use it’s magic no-configuration Apple ID login method, by opening the Location in Finder, clicking the "Disconnect" button and then clicking the "Connect As..." button that appears in its place. If I choose "Registered User" and use my username and password, I can then execute exactly the same commands (since the mount name ends up being the same) and execution works without an issue. I can continue to compile and execute to my heart's content.
That the Apple ID method is being used in the first place is not obvious (in true minimal design fashion), but subtly indicated at the top of the Finder window as "Connected as ". The only obvious difference this makes, is the username shown in mount:
Apple ID:
//com.apple.idms.appleid.prd.<UUID>#<HOSTNAME>._smb._tcp.local/<SHARE> on /Volumes/<SHARE> (smbfs, nodev, nosuid, mounted by <USERNAME>)
"Registered User":
//<USERNAME>#<HOSTNAME>._smb._tcp.local/<SHARE> on /Volumes/<SHARE> (smbfs, nodev, nosuid, mounted by <USERNAME>)
Obviously something far more significant is different, given the fundamental impact, but it's not at all clear to me what that is. So at this stage, this answer is just a workaround to a nasty bug.
stripis a unix command to remove all the debug information from an executable, or other information that is not needed for execution. Is there a way to "strip" a macos app to make it smaller and make reverse engineering more difficult? I tried viewing package contents, and striping /macOS/MyGame executable, but then it claimed that it messed it up, and then refused to launch. How do I strip it without "invalidating the code signature" I already asked and I need help.
What is your purpose?
If you plan to distribute the app then using XCode's archiving options is the way to go.
strip command works in MACOS.
Here is a useful script:
https://gist.github.com/neonichu/1662881
I've hooked the system call to typedef int (*orig_open_f_type)(const char *__file, int __oflag, ...); and thus, whenever a file gets opened, my code gets the event before it is passed on to the system. I created a dynamic library that overrides the open call and inject this library using DYLD_INSERT_LIBRARIES - working on a Mac machine and using XCode. It is a standard step that enables me to hook calls.
Now, I have bash script in which I have some files that I want to open. I have tried xdg-open , cat, exec - but they are not triggering the system call to open the file.
How should I invoke this open call in my bash script?
Please note that I have tested my open call hook, by opening files in C code.
I believe you're running foul of Apple's SIP (System Integrity Protection) which is designed to stop people doing things like that with system-provided executables. SIP was added to Mac OS X El Capitan (10.11) and continues in macOS Sierra (10.12).
To demonstrate whether this is the problem, consider copying /bin/cat to /usr/local/bin/cat and then try hooking (running) the local copy. You might get away with it there. This 'workaround' is purely for demonstration purposes. Basically, if I'm right, SIP is Apple's way of saying "don't go messing with our software".
You can follow links from Can Mac OS X El Capitan run software compiled for Yosemite that expects libraries in /usr/gnu/lib? to find out more about SIP. Following links via What is the "rootless" feature in El Capitan, really? on Ask Different to a blog article on System Integrity Protection, it says explicitly:
Runtime protection
SIP’s protections are not limited to protecting the system from filesystem changes. There are also system calls which are now restricted in their functionality.
task_for_pid() / processor_set_tasks() fail with EPERM
Mach special ports are reset on exec(2)
dyld environment variables are ignored
DTrace probes unavailable
However, SIP does not block inspection by the developer of their own applications while they’re being developed. Xcode’s tools will continue to allow apps to be inspected and debugged during the development process.
For more details on this, I recommend taking a look at Apple’s developer documentation for SIP.
Emphasis added
Basically, this means that you won't be able to hook calls to the open() system call for Apple-supplied software installed in the system directories. You will need to rethink what you are trying to do.
Running any normal command -- like cat -- that processes a file will cause the file to be opened. You can also open a file (and immediately close it) using the shell syntax:
: < /path/to/file
If your system call hook isn't getting called, something must be wrong with your hook -- there's no way these commands are working without opening the file. Alas, you haven't explained how you implemented your hook, so we have no way of debugging that.
The file command opens the file to look at its contents.
$ file /path/to/file
I have suggested this because it eventually leads to having the system call open which can be confirmed using strace.
$ strace file /path/to/file 2>&1 | grep open
I thought one of the good things about using file is that it opens the file in read only mode. In comparison to other ideas, unlike cat, it will not have to run through the entire file, just part of it, so the time complexity using file may be constant. Unlike vim, which someone has suggested, file will return when finished and not block like a text editor would.
On my Mac I have a load of Kexts appearing that read like this (there are 14 or so):
The system extension "/System/Library/Extensions/BJUSBLoad.kext" was installed improperly and cannot be used...
Now they didn't start appearing after I consciously did anything, and I've read various threads about it elsewhere. I wonder if there is a programming solution here (using Terminal, perhaps) - something that will suppress the kexts? They mostly seem to relate to hp printer drivers, that sort of thing. Stuff I never use.
None of them seem to relate to things in my Login Items in System Preferences.
Thanks
Tardy
You're off topic on Stack Overflow (this is only about software development), but I'll answer anyway, in the hope that a moderator can move the question to apple.stackexchange.com.
You don't specify which OS X version you're running. Since 10.10 Yosemite, third party kexts shouldn't be installed to /System/Library/Extensions/ but /Library/Extensions/ and need to be codesigned.
If you're really sure you don't need the kexts (or you know how to get them back) you can just delete them.
If you want to find out why they're considererd "installed improperly" you can instead run kextutil -n on them:
kextutil -n /System/Library/Extensions/BJUSBLoad.kext
This should tell you whether the problem is signing, permissions or something else.
I'm trying to get Wanderlust working in Windows to connect to Gmail. Compiling the code is much more painful than expected. Here are the barriers so far:
Can't download dependent packages: SEMI, APEL, and FLIM. I eventually found newer versions, but I'm not sure they will work. Anyone have the older versions?
Needs make and install. I used MSYS and it seems to have compiled okay.
SSL support. I was getting a "Cannot open load file: ssl" error. I found an ssl.el that comes with w3. So installed w3.
Bash command in ssl.el: ssl-get-command is running something from /bin/sh (not a directory I have in Windows). I really don't want to refactor this code. Is there a better way?
Others speak very highly of Wanderlust, so I want to give it a try. I feel like I'm almost there, but am pretty much worn out with all the crazy configuration I have to do. Does anyone have this working on Windows? I'm pretty sure it will work with Gmail, because of this post. But will it work in Windows too? If you have a few pointers, please help.
ssl.el is part of wanderlust. Just look in the wanderlust/utils directory.
For STARTTLS you may either use the starttls or gnutls-cli programs.
Unfortunately, both of these programs use signals (SIGALRM to be precise) which are not supported on Windows.
You need to use the Cygwin ports of these programs -- not MSYS!
Additionally, if you're using a Windows port of Emacs (ie. not Cygwin's emacs) you need to modify starttls.el (which is part of GNU Emacs) because the signal-process function doesn't do anything regarding SIGALRM. Replace all instances of
(signal-process (process-id process) 'SIGALRM)
with
(call-process kill-program nil nil nil
"-ALRM" (format "%d" (process-id process)))
and initialize kill-program somewhere apropriately to point to cygwin's kill.exe:
(setq kill-program "c:/cygwin/bin/kill.exe")
If you want to use SSL you have to set ssl-certificate-verification-policy to a value greater than 0. Otherwise connecting to Gmail would fail.
Using the wl configuration here:
http://box.matto.nl/emacsgmail.html
After adding ssl.el from here:
http://quimby.gnus.org/cgi-bin/cvsweb.cgi/gnus/contrib/ssl.el
I am able to get wanderlust talking just fine to gmail on a linux configuration of wanderlust, and since the ssl.el file there isn't really system-dependent (although it does require the openssl command-line tools), I don't see that there should be any problem with it working on msys.
The 'cannot open load file: ssl' error is exactly what I ran into until I installed that ssl.el file too :)
Edit; Just in case you have trouble finding it, the MSYS port of openssl you'll want is here:
http://sourceforge.net/projects/mingw/files/MSYS%20openssl/
[posted as a new answer since I think you'll get a notification that way :)]
I recently installed wl on a linux host, and had the same issue with not being able to locate the dependencies as specified. However, I, like you, found the 'more recent versions' and used them. They did indeed work fine, so unless those new versions have added any incompatibility with windows, they shouldn't present any problem.
The error you're receiving is because it's not finding the 'install' utility, which is part of GNU coreutils. Autotools (and it's family) depend on install being able to work, so if you want to continue with the cygwin method, then installing autotools should bring in the install program.
(I have no idea if wl will compile/work using cygwin otherwise, though.)