taskgated: no signature
Ian Wadham
iandw.au at gmail.com
Mon Mar 17 19:28:32 PDT 2014
Thanks, Brandon. You have given me some leads I can get my teeth
into … or google. And you dated me pretty accurately re SVR4. I knew
quite a bit about UNIX before that, but System V Release 4 was my first
"hands-on" experience --- 1989-1998, with H-P, Sun, Prime and ICL.
Cheers, Ian W.
On 18/03/2014, at 12:36 PM, Brandon Allbery wrote:
> On Mon, Mar 17, 2014 at 8:50 PM, Ian Wadham <iandw.au at gmail.com> wrote:
> 1. The check seems to be to prevent a program from starting a
> foreign process that could compromise the O/S (e.g. spyware?).
> In the long term, should MacPorts be recommending bypassing it
> with the -p and -s options? I presume this is what MacPorts is doing.
>
> I get the impression -s is needed if you want to attach to processes with a debugger or dtrace; as such it is appropriate for development systems.
>
> 2. This is off-topic but I hope someone can help. Here is what
> "man taskgated" says.
>
> -p Accepts the old (Tiger) convention that a process with a primary
> effective group of procmod or procview is allowed to get
> task ports. Without this option, this legacy mode is not supported.
>
> -s Allow signed applications marked as "safe" to have free
> access to task ports, without having to pass an authorization
> check. Note that such callers must be marked both allowed and
> safe.
>
> Although I used to be a UNIX "guru"/sysadmin in a former life, I do
> not understand much of the language used here, specifically
> "effective group of procmod or procview", "signed applications",
> "marked as "safe"" and "marked both allowed and safe".
>
> "procmod" and "procview" are groups (/etc/groups on Unix, `dscl . list Groups` on OS X). The primary effective group ID is Apple saying "must be the egid, not just in the group vector". (If your "former life" was long enough ago to be pre-SVR4, you might not know about group vectors; they're from BSD. In short, you have not only a primary group affiliation in your egid but an additional vector of groups of which you are a member; you can switch the egid between any of the groups in your group vector without requiring elevated permissions. Only root can set the group vector, just as only root can change to an arbitrary gid. Files are created with the primary egid, but file group access checking checks egid and the group vector.)
>
> The others are Apple-isms; applications can be signed with an X.509 certificate. I'll leave the rest to someone who knows more about the specific details of Apple's code signing. `man codesign` might be somewhat enlightening, or might not.
>
> The Console log message I keep getting is:
> 17/03/14 12:35:27.355 PM taskgated: no signature for pid=1169 (cannot make code: host has no guest with the requested attributes)
>
> Again related to code signing; apparently that's taskgated-ese for "I couldn't find the kind of code signature I was looking for".
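
Added example, not part of the original thread and not taskgated's own code: a small C program illustrating the distinction drawn in the reply above between a process's primary effective group (egid) and its supplementary group vector. The function names are hypothetical, and the program only reports how the calling process relates to the procmod and procview groups named in the man page excerpt.

```c
/* Added illustration: egid vs. supplementary group vector. Not taskgated's code. */
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

enum membership { NOT_MEMBER = 0, IN_VECTOR_ONLY = 1, PRIMARY_EGID = 2 };

/* Pure classifier: how does gid `target` relate to a set of credentials? */
enum membership classify(gid_t egid, const gid_t *vec, int n, gid_t target)
{
    if (egid == target)
        return PRIMARY_EGID;           /* the "primary effective group" case */
    for (int i = 0; i < n; i++)
        if (vec[i] == target)
            return IN_VECTOR_ONLY;     /* a member, but not via the egid */
    return NOT_MEMBER;
}

/* Classify the calling process against a named group; -1 on any failure. */
int current_membership(const char *name)
{
    struct group *gr = getgrnam(name);
    if (gr == NULL)
        return -1;                     /* group not defined on this host */
    gid_t target = gr->gr_gid;         /* copy out of static storage */
    int n = getgroups(0, NULL);        /* ask for the vector's size first */
    if (n < 0)
        return -1;
    gid_t *vec = malloc((n ? n : 1) * sizeof *vec);
    if (vec == NULL)
        return -1;
    n = getgroups(n, vec);
    int r = (n < 0) ? -1 : (int)classify(getegid(), vec, n, target);
    free(vec);
    return r;
}

int main(void)
{
    static const char *label[] = { "not a member", "in group vector only", "primary egid" };
    const char *groups[] = { "procmod", "procview" };
    for (int i = 0; i < 2; i++) {
        int r = current_membership(groups[i]);
        printf("%s: %s\n", groups[i], r < 0 ? "lookup failed" : label[r]);
    }
    return 0;
}
```

A result of "in group vector only" is the case the reply singles out: the process passes group file-access checks for that group, but the group is not its egid.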