unofficial mirror of emacs-devel@gnu.org 
* MacOS signing
From: Alan Third @ 2022-04-11 20:18 UTC
  To: Richard Stallman; +Cc: emacs-devel

On Sun, Apr 10, 2022 at 11:23:32PM -0400, Richard Stallman wrote:
> [[[ To any NSA and FBI agents reading my email: please consider    ]]]
> [[[ whether defending the US Constitution against all enemies,     ]]]
> [[[ foreign or domestic, requires you to follow Snowden's example. ]]]
> 
>   > It might be worth trying Jim's builds from
>   > https://github.com/jimeh/emacs-builds, as I understand it they're
>   > signed and so on, which might avoid some problems with running it.
> 
> Would some Mac expert please explain to me (off the list) what's
> going on here?

I'm not really up-to-date with the ins and outs of macOS's security
model, but as I understand it macOS expects applications to be
"signed" by some developer certificate provided by Apple.

This has never affected me because I always build my own Emacs and, at
least on the ancient version of macOS I'm running, self-built
applications are exempt from this.

There is some way to work around it. It used to be that you just had
to click through a security warning the first time the application
ran, but I think it's more complex now.

The reason I suggested the OP try Jim Myhrberg's builds over the
emacsformacosx.com ones is that not only are Jim's signed, but the
latter use a script to select and execute the Emacs binary, and that
seems to cause further trouble with the macOS security model.

Perhaps someone who actually uses macOS can explain this better.
-- 
Alan Third




* Re: MacOS signing
From: Richard Stallman @ 2022-04-12  3:19 UTC
  To: Alan Third; +Cc: alan, emacs-devel

[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

It sounds like MacOS is becoming what we call a "jail", like
iMonsterOS.

-- 
Dr Richard Stallman (https://stallman.org)
Chief GNUisance of the GNU Project (https://gnu.org)
Founder, Free Software Foundation (https://fsf.org)
Internet Hall-of-Famer (https://internethalloffame.org)






* Re: MacOS signing
From: Uwe Brauer @ 2022-04-13  6:24 UTC
  To: emacs-devel


>>> "AT" == Alan Third <alan@idiocy.org> writes:

> On Sun, Apr 10, 2022 at 11:23:32PM -0400, Richard Stallman wrote:
>> [[[ To any NSA and FBI agents reading my email: please consider    ]]]
>> [[[ whether defending the US Constitution against all enemies,     ]]]
>> [[[ foreign or domestic, requires you to follow Snowden's example. ]]]
>> 
>> > It might be worth trying Jim's builds from
>> > https://github.com/jimeh/emacs-builds, as I understand it they're
>> > signed and so on, which might avoid some problems with running it.
>> 
>> Would some Mac expert please explain to me (off the list) what's
>> going on here?

> I'm not really up-to-date with the ins and outs of macOS's security
> model, but as I understand it macOS expects applications to be
> "signed" by some developer certificate provided by Apple.

> This has never affected me because I always build my own Emacs and, at
> least on the ancient version of macOS I'm running, self-built
> applications are exempt from this.

> There is some way to work around it. It used to be that you just had
> to click through a security warning the first time the application
> ran, but I think it's more complex now.

> The reason I suggested the OP try Jim Myhrberg's builds over the
> emacsformacosx.com ones is that not only are Jim's signed, but the
> latter use a script to select and execute the Emacs binary, and that
> seems to cause further trouble with the macOS security model.

> Perhaps someone who actually uses macOS can explain this better.

Which version of MacOS is this? I am using, partially, 10.15 and still
can build my own Emacs. I have not upgraded MacOS to newer versions,
since fink still has problems, but if it is true that MacOS follows
iOS policy, as RMS suggests, and jails non-signed software, I have one
more reason *not* to upgrade.

Uwe Brauer 

-- 
I strongly condemn Putin's war of aggression against the Ukraine.
I support to deliver weapons to Ukraine's military. 
I support the ban of Russia from SWIFT.
I support the EU membership of the Ukraine. 


* Re: MacOS signing
From: Robert Pluim @ 2022-04-13 14:03 UTC
  To: emacs-devel; +Cc: Richard Stallman

>>>>> On Wed, 13 Apr 2022 08:24:23 +0200, Uwe Brauer <oub@mat.ucm.es> said:

    >> Perhaps someone who actually uses macOS can explain this better.

    Uwe> Which version of MacOS is this? I am using, partially, 10.15 and still
    Uwe> can build my own Emacs. I have not upgraded MacOS to newer versions,
    Uwe> since fink still has problems, but if it is true that MacOS follows
    Uwe> iOS policy, as RMS suggests, and jails non-signed software, I have one
    Uwe> more reason *not* to upgrade.

Newer versions of macOS will still let you run unsigned
software. Depending on how you launch the program, you may have to
perform extra steps via the Security preferences panel, but it doesnʼt
stop you.

FWIW, I never have this problem because I launch Emacs from the cli,
which sidesteps this particular nonsense.

(this is for macOS 11.6.5, Big Sur. Later versions may behave
differently)

Robert
-- 




* Re: MacOS signing
From: Ted Reed via Emacs development discussions. @ 2022-04-13 22:31 UTC
  To: emacs-devel


Robert Pluim <rpluim@gmail.com> writes:

> Newer versions of macOS will still let you run unsigned
> software. Depending on how you launch the program, you may have to
> perform extra steps via the Security preferences panel, but it doesnʼt
> stop you.
>
> FWIW, I never have this problem because I launch Emacs from the cli,
> which sidesteps this particular nonsense.
>
> (this is for macOS 11.6.5, Big Sur. Later versions may behave
> differently)

I have a computer running macOS 12.3, which I believe is the most recent
public version and have no trouble running the nixpkgs macport
(mituharu) version on it. As far as I can tell, there's no signing step
in the build scripts, and I've used the same scripts to build it from
scratch with an additional build-time option without anything
requiring signing that I've seen.

I looked up how to verify such signatures and I think this indicates
that it's not signed, although I'm not 100% certain I got the command
right:

❯ codesign -dv --verbose=4 /nix/store/0hysqxpi2fwrwpivza8ca7z5fr9hyzkh-emacs-mac-27.2-8.2/Applications/Emacs.app
/nix/store/0hysqxpi2fwrwpivza8ca7z5fr9hyzkh-emacs-mac-27.2-8.2/Applications/Emacs.app: code object is not signed at all

I also can launch it from the CLI or via Spotlight without any
difficulty, except that Spotlight has a hard time finding the most
recent version consistently, so I mostly launch from my terminal now,
just to ensure it's using the right one.

-- Ted Reed
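
[Added example, not part of Ted Reed's message or of any Emacs build script: a shell sketch that classifies the text `codesign -dv --verbose=4` prints, including the "not signed at all" line quoted above, and on macOS also asks Gatekeeper (`spctl`) and checks the `com.apple.quarantine` attribute that downloaders set and local builds normally lack. The function names, sample outputs and the /tmp paths and identities in them are constructed for illustration.]

```shell
#!/bin/sh
# Classify the text printed by `codesign -dv --verbose=4 <path>`
# (codesign writes this report to stderr).

classify_codesign() {
    # $1: captured codesign output. Prints one word describing the signature.
    case "$1" in
        *"code object is not signed at all"*)   echo unsigned ;;
        *"Signature=adhoc"*)                    echo adhoc ;;
        *"Authority=Developer ID Application"*) echo developer-id ;;
        *"Authority="*)                         echo other-certificate ;;
        *)                                      echo unknown ;;
    esac
}

inspect_app() {
    # macOS only: needs codesign, spctl and xattr.
    app=$1
    out=$(codesign -dv --verbose=4 "$app" 2>&1)
    echo "signature:  $(classify_codesign "$out")"
    # Gatekeeper's own verdict for launching this bundle.
    echo "gatekeeper: $(spctl --assess --type execute -vv "$app" 2>&1 | head -n 1)"
    # Downloaded files carry this attribute; locally built ones normally do not.
    if xattr -p com.apple.quarantine "$app" >/dev/null 2>&1; then
        echo "quarantine: present"
    else
        echo "quarantine: absent"
    fi
}

# Constructed sample outputs (hypothetical paths and identities).
SAMPLE_UNSIGNED='/tmp/Emacs.app: code object is not signed at all'
SAMPLE_ADHOC='Executable=/tmp/Emacs.app/Contents/MacOS/Emacs
Identifier=org.gnu.Emacs
Signature=adhoc
TeamIdentifier=not set'
SAMPLE_DEVID='Executable=/tmp/Emacs.app/Contents/MacOS/Emacs
Authority=Developer ID Application: Example Dev (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA'

# Run against a real bundle only when a path is given and codesign exists.
if [ "$#" -gt 0 ] && command -v codesign >/dev/null 2>&1; then
    inspect_app "$1"
fi
```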




* Re: MacOS signing
From: Alan Third @ 2022-04-16 12:31 UTC
  To: Richard Stallman; +Cc: emacs-devel

On Mon, Apr 11, 2022 at 11:19:49PM -0400, Richard Stallman wrote:
> [[[ To any NSA and FBI agents reading my email: please consider    ]]]
> [[[ whether defending the US Constitution against all enemies,     ]]]
> [[[ foreign or domestic, requires you to follow Snowden's example. ]]]
> 
> It sounds like MacOS is becoming what we call a "jail", like
> iMonsterOS.

I believe there are concerns in the non-fanboy Mac community that
that's the plan, but I don't really follow Apple news much.

-- 
Alan Third


