taskgated: no signature

Ian Wadham iandw.au at gmail.com
Mon Mar 17 17:50:09 PDT 2014


On 17/03/2014, at 8:51 AM, Eric Gallager wrote:
> Yeah, that was all I meant by saying "on Mountain Lion and higher" was that it was conditionally declared like that; I did not mean to imply that I was on Mountain Lion myself... (I am actually still on Snow Leopard so `port notes gdb-apple` says the same thing for me as it did for Ian; I only knew about them because I have been working on my own copy of the Portfile recently...)

On my system (Lion), the plist file referred to in the MacPorts notes,
/System/Library/LaunchDaemons/com.apple.taskgated.plist, already
contains the required <key>ProgramArguments</key> sequence for
choosing the -s and -p options when taskgated executes, i.e. Apple
is phasing in the taskgated security check, which becomes fully
effective in Mountain Lion+ presumably.  Two further questions:

1. The check seems to be to prevent a program from starting a
    foreign process that could compromise the O/S (e.g. spyware?).
    In the long term, should MacPorts be recommending bypassing it
    with the -p and -s options?  I presume this is what MacPorts is doing.

2. This is off-topic but I hope someone can help.  Here is what
     "man taskgated" says.

     -p       Accepts the old (Tiger) convention that a process with a pri-
              mary effective group of procmod or procview is allowed to get
              task ports. Without this option, this legacy mode is not sup-
              ported.

     -s       Allow signed applications marked as "safe" to have free
              access to task ports, without having to pass an authorization
              check. Note that such callers must be marked both allowed and
              safe.

    Although I used to be a UNIX "guru"/sysadmin in a former life, I do
    not understand much of the language used here, specifically
    "effective group of procmod or procview", "signed applications",
    "marked as "safe"" and "marked both allowed and safe".

    So what would I really need to do here?

The Console log message I keep getting is:
17/03/14 12:35:27.355 PM taskgated: no signature for pid=1169 (cannot make code: host has no guest with the requested attributes)

I am asking all this because it may have a bearing on why KDE apps
sometimes fail to start in a MacPorts and OS X environment.  Also I am
trying to gain a better understanding of how KDE apps operate internally,
particularly if they have plugins or KParts.

There are two versions of my app, the MacPorts-installed version and my
development version. The MacPorts version can start a KDE plugin as a
separate UNIX-type process but my development version could not.

I have just now found a solution, but I do not really understand (yet) why
it works.  I usually run test-shots from the command-line, UNIX-style:
PalapeliBuild:palapeli> ./src/palapeli.app/Contents/MacOS/palapeli &

The OS X version of my KDE CMake and make procedures installs apps
in /Applications/KDE4/<appname>.app.  So, instead of the above, I tried:
PalapeliBuild:palapeli> open /Applications/KDE4/palapeli.app

The plugin then ran OK, but I still got that pesky taskgated message
and my debugging output all went to the Console of course.

All the best, Ian W.
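
An added example, not part of the original post and not MacPorts or Apple code: a small Python check that reports which of the taskgated options quoted from the man page above are set in a launchd plist's ProgramArguments, and extracts the pid and reason from a "no signature" Console line. The plist content is a constructed sample; on a real system the bytes would be read from /System/Library/LaunchDaemons/com.apple.taskgated.plist. Accepting a bundled "-sp" form as well as separate "-s" "-p" strings is an assumption.

```python
import plistlib
import re

# Constructed sample in the shape the post describes; not copied from a real system.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.apple.taskgated</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/libexec/taskgated</string>
        <string>-s</string>
        <string>-p</string>
    </array>
</dict>
</plist>
"""

# Console line quoted in the post.
LOG_LINE = ("17/03/14 12:35:27.355 PM taskgated: no signature for pid=1169 "
            "(cannot make code: host has no guest with the requested attributes)")

# Meanings paraphrased from the man page text quoted in the post.
MEANING = {
    "p": "legacy mode: primary effective group procmod/procview may get task ports",
    "s": "signed apps marked allowed and safe skip the authorization check",
}

def taskgated_options(plist_bytes):
    """Return {flag: meaning} for every option found in ProgramArguments."""
    args = plistlib.loads(plist_bytes).get("ProgramArguments", [])
    found = {}
    for arg in args[1:]:                 # args[0] is the daemon path
        if arg.startswith("-"):
            for letter in arg[1:]:       # handles "-s" "-p" and bundled "-sp"
                found[letter] = MEANING.get(letter, "not in the quoted man page text")
    return found

LOG_RE = re.compile(r"taskgated: no signature for pid=(\d+) \((.*)\)\s*$")

def parse_no_signature(line):
    """Return {'pid': int, 'reason': str} for a matching line, else None."""
    m = LOG_RE.search(line)
    return None if m is None else {"pid": int(m.group(1)), "reason": m.group(2)}

if __name__ == "__main__":
    for flag, meaning in sorted(taskgated_options(SAMPLE_PLIST).items()):
        print(f"-{flag}: {meaning}")
    print(parse_no_signature(LOG_LINE))
```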


