[MacPorts] #70945: All code needs to be signed as of macOS 15
MacPorts
noreply at macports.org
Fri Sep 27 03:29:22 UTC 2024
#70945: All code needs to be signed as of macOS 15
-------------------------+---------------------
Reporter: ryandesign | Owner: (none)
Type: defect | Status: new
Priority: Normal | Milestone:
Component: base | Version: 2.10.1
Resolution: | Keywords: sequoia
Port: |
-------------------------+---------------------
Description changed by ryandesign:
Old description:
> After installing the buildbot worker software on a 2018 Mac mini running
> macOS Sequoia, it could not connect to the buildmaster, claiming "No
> route to host", despite `ping` and `ssh` being able to reach that host
> just fine from the Terminal.
>
> It sounds like macOS 15 requires all code to be signed to access devices
> on the local network, unless they are run manually in the Terminal. After
> I ran
>
> {{{
> sudo codesign -dv -r-
> /opt/bblocal/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
> }}}
>
> I got a dialog box asking if I wanted to allow Python to connect to
> devices on the local network, and after I said yes, then buildbot was
> able to connect to the master. Only after doing this did Python appear in
> System Settings > Privacy & Security > Local Network.
>
> Previously I had installed buildbot on an unsupported Mac running macOS
> Sequoia via OpenCore Legacy Patcher and had not encountered this problem,
> probably because OCLP disables some aspects of System Integrity
> Protection.
>
> The need to sign all code on macOS 15 was also mentioned in
> https://github.com/macports/macports-ports/pull/25862 where it was
> proposed to add code to a single port to sign its files. It needs to be
> handled in MacPorts base so that such signing code doesn't need to be
> added to all 40,000 ports individually.
>
> How we are going to handle pushing out signed versions of all the ports
> that macOS 15 users have already installed without revbumping all ports,
> I don't know.
New description:
After installing the buildbot worker software on a 2018 Mac mini running
macOS Sequoia, it could not connect to the buildmaster, claiming "No route
to host", despite `ping` and `ssh` being able to reach that host just fine
from the Terminal.
It sounds like macOS 15 requires all code to be signed to access devices
on the local network, unless they are run manually in the Terminal. After
I ran
{{{
sudo codesign --force -s -
/opt/bblocal/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
}}}
I got a dialog box asking if I wanted to allow Python to connect to
devices on the local network, and after I said yes, then buildbot was able
to connect to the master. Only after doing this did Python appear in
System Settings > Privacy & Security > Local Network.
Previously I had installed buildbot on an unsupported Mac running macOS
Sequoia via OpenCore Legacy Patcher and had not encountered this problem,
probably because OCLP disables some aspects of System Integrity
Protection.
The need to sign all code on macOS 15 was also mentioned in
https://github.com/macports/macports-ports/pull/25862 where it was
proposed to add code to a single port to sign its files. It needs to be
handled in MacPorts base so that such signing code doesn't need to be
added to all 40,000 ports individually.
How we are going to handle pushing out signed versions of all the ports
that macOS 15 users have already installed without revbumping all ports, I
don't know.
--
--
Ticket URL: <https://trac.macports.org/ticket/70945#comment:1>
MacPorts <https://www.macports.org/>
Ports system for macOS
More information about the macports-tickets
mailing list