[MacPorts] #70945: All code needs to be signed as of macOS 15

MacPorts noreply at macports.org
Fri Sep 27 03:29:22 UTC 2024


#70945: All code needs to be signed as of macOS 15
-------------------------+---------------------
  Reporter:  ryandesign  |      Owner:  (none)
      Type:  defect      |     Status:  new
  Priority:  Normal      |  Milestone:
 Component:  base        |    Version:  2.10.1
Resolution:              |   Keywords:  sequoia
      Port:              |
-------------------------+---------------------
Description changed by ryandesign:

Old description:

> After installing the buildbot worker software on a 2018 Mac mini running
> macOS Sequoia, it could not connect to the buildmaster, claiming "No
> route to host", despite `ping` and `ssh` being able to reach that host
> just fine from the Terminal.
>
> It sounds like macOS 15 requires all code to be signed to access devices
> on the local network, unless they are run manually in the Terminal. After
> I ran
>
> {{{
> sudo codesign -dv -r- \
>   /opt/bblocal/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
> }}}
>
> I got a dialog box asking if I wanted to allow Python to connect to
> devices on the local network, and after I said yes, then buildbot was
> able to connect to the master. Only after doing this did Python appear in
> System Settings > Privacy & Security > Local Network.
>
> Previously I had installed buildbot on an unsupported Mac running macOS
> Sequoia via OpenCore Legacy Patcher and had not encountered this problem,
> probably because OCLP disables some aspects of System Integrity
> Protection.
>
> The need to sign all code on macOS 15 was also mentioned in
> https://github.com/macports/macports-ports/pull/25862 where it was
> proposed to add code to a single port to sign its files. It needs to be
> handled in MacPorts base so that such signing code doesn't need to be
> added to all 40,000 ports individually.
>
> How we are going to handle pushing out signed versions of all the ports
> that macOS 15 users have already installed without revbumping all ports,
> I don't know.

New description:

 After installing the buildbot worker software on a 2018 Mac mini running
 macOS Sequoia, it could not connect to the buildmaster, claiming "No route
 to host", despite `ping` and `ssh` being able to reach that host just fine
 from the Terminal.

 It sounds like macOS 15 requires all code to be signed to access devices
 on the local network, unless they are run manually in the Terminal. After
 I ran

 {{{
 sudo codesign --force -s - \
   /opt/bblocal/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
 }}}

 I got a dialog box asking if I wanted to allow Python to connect to
 devices on the local network, and after I said yes, then buildbot was able
 to connect to the master. Only after doing this did Python appear in
 System Settings > Privacy & Security > Local Network.

 Previously I had installed buildbot on an unsupported Mac running macOS
 Sequoia via OpenCore Legacy Patcher and had not encountered this problem,
 probably because OCLP disables some aspects of System Integrity
 Protection.

 The need to sign all code on macOS 15 was also mentioned in
 https://github.com/macports/macports-ports/pull/25862 where it was
 proposed to add code to a single port to sign its files. It needs to be
 handled in MacPorts base so that such signing code doesn't need to be
 added to all 40,000 ports individually.

 How we are going to handle pushing out signed versions of all the ports
 that macOS 15 users have already installed without revbumping all ports, I
 don't know.

-- 
Ticket URL: <https://trac.macports.org/ticket/70945#comment:1>
MacPorts <https://www.macports.org/>
Ports system for macOS
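
For auditing which installed binaries carry no signature at all, here is an added example (not part of the ticket and not MacPorts code): a Python check for the `LC_CODE_SIGNATURE` load command that an embedded signature adds to a Mach-O file. It tests presence only, so `codesign --verify` on the Mac remains the validity check; `sample_macho` is a hypothetical helper that builds constructed input.

```python
import struct

LC_CODE_SIGNATURE = 0x1D
# On-disk magic bytes -> (struct byte order, mach_header size)
THIN = {b"\xcf\xfa\xed\xfe": ("<", 32), b"\xce\xfa\xed\xfe": ("<", 28),
        b"\xfe\xed\xfa\xcf": (">", 32), b"\xfe\xed\xfa\xce": (">", 28)}
FAT_MAGIC = b"\xca\xfe\xba\xbe"  # universal binary; fat header is big-endian

def slice_signed(data, off=0):
    """True/False for the thin Mach-O at `off`; None if it is not Mach-O."""
    order, hdr_size = THIN.get(data[off:off + 4], (None, 0))
    if order is None or len(data) < off + hdr_size:
        return None
    (ncmds,) = struct.unpack_from(order + "I", data, off + 16)
    pos = off + hdr_size
    for _ in range(ncmds):
        if pos + 8 > len(data):
            break  # truncated load commands
        cmd, cmdsize = struct.unpack_from(order + "II", data, pos)
        if cmd == LC_CODE_SIGNATURE:
            return True
        if cmdsize < 8:
            break  # malformed size; stop instead of looping in place
        pos += cmdsize
    return False

def is_signed(data):
    """None: not Mach-O. False: at least one slice lacks a signature."""
    if data[:4] != FAT_MAGIC:
        return slice_signed(data)
    if len(data) < 8:
        return None
    (nfat,) = struct.unpack_from(">I", data, 4)
    # Java .class files share this magic; a large count means "not Mach-O".
    if not 0 < nfat <= 20 or len(data) < 8 + 20 * nfat:
        return None
    offs = [struct.unpack_from(">I", data, 16 + 20 * i)[0] for i in range(nfat)]
    results = [slice_signed(data, o) for o in offs]
    return None if None in results else all(results)

def sample_macho(signed):
    """Constructed 64-bit little-endian Mach-O header (sample data, not a real binary)."""
    cmds = struct.pack("<II", 0x1B, 24) + bytes(16)  # LC_UUID
    if signed:
        cmds += struct.pack("<4I", LC_CODE_SIGNATURE, 16, 0, 0)
    ncmds = 2 if signed else 1
    return struct.pack("<4s7I", b"\xcf\xfa\xed\xfe", 0x0100000C, 0, 2,
                       ncmds, len(cmds), 0, 0) + cmds
```

To audit an install prefix, call `is_signed` on each regular file's bytes and list the paths that return `False`.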