Re: taskgated: no signature
On 18 Mar 2014, at 3:00 am, macports-users-requ...@lists.macosforge.org wrote:

> Yeah, that was all I meant by saying on Mountain Lion and higher was that it was conditionally declared like that; I did *not* mean to imply that I was on Mountain Lion myself... (I am actually still on Snow Leopard so `port notes gdb-apple` says the same thing for me as it did for Ian; I only knew about them because I have been working on my own copy of the Portfile recently...)

And shock horror gasp if you ever ‘upgrade’ you can’t go back, even if you have the install CDs (All about expired certificates for xcode)

(I tried MBR and UEFI versions of various linux, always putting OSX back, so I installed Snow Leopard from CD 3 or 4 times, ha ha not any more)

James

___
macports-users mailing list
macports-users@lists.macosforge.org
https://lists.macosforge.org/mailman/listinfo/macports-users

Re: taskgated: no signature
On 17/03/2014, at 8:51 AM, Eric Gallager wrote:

> Yeah, that was all I meant by saying on Mountain Lion and higher was that it was conditionally declared like that; I did not mean to imply that I was on Mountain Lion myself... (I am actually still on Snow Leopard so `port notes gdb-apple` says the same thing for me as it did for Ian; I only knew about them because I have been working on my own copy of the Portfile recently...)

On my system (Lion), the plist file referred to in the Macports notes, /System/Library/LaunchDaemons/com.apple.taskgated.plist, already contains the required <key>ProgramArguments</key> sequence for choosing the -s and -p options when taskgated executes, i.e. Apple is phasing in the taskgated security check, which becomes fully effective in Mountain Lion+ presumably.

Two further questions:

1. The check seems to be to prevent a program from starting a foreign process that could compromise the O/S (e.g. spyware?). In the long term, should MacPorts be recommending bypassing it with the -p and -s options? I presume this is what MacPorts is doing.

2. This is off-topic but I hope someone can help. Here is what man taskgated says.

     -p      Accepts the old (Tiger) convention that a process with a primary effective group of procmod or procview is allowed to get task ports. Without this option, this legacy mode is not supported.

     -s      Allow signed applications marked as safe to have free access to task ports, without having to pass an authorization check. Note that such callers must be marked both allowed and safe.

Although I used to be a UNIX guru/sysadmin in a former life, I do not understand much of the language used here, specifically "effective group of procmod or procview", "signed applications", "marked as safe" and "marked both allowed and safe". So what would I really need to do here?

The Console log message I keep getting is:

    17/03/14 12:35:27.355 PM taskgated: no signature for pid=1169 (cannot make code: host has no guest with the requested attributes)

I am asking all this because it may have a bearing on why KDE apps sometimes fail to start in a MacPorts and OS X environment. Also I am trying to gain a better understanding of how KDE apps operate internally, particularly if they have plugins or KParts.

There are two versions of my app, the MacPorts-installed version and my development version. The MacPorts version can start a KDE plugin as a separate UNIX-type process but my development version could not. I have just now found a solution, but I do not really understand (yet) why it works.

I usually run test-shots from the command-line, UNIX-style:

    PalapeliBuild:palapeli ./src/palapeli.app/Contents/MacOS/palapeli

The OS X version of my KDE CMake and make procedures installs apps in /Applications/KDE4/appname.app. So, instead of the above, I tried:

    PalapeliBuild:palapeli open /Applications/KDE4/palapeli.app

The plugin then ran OK, but I still got that pesky taskgated message and my debugging output all went to the Console of course.

All the best, Ian W.

Re: taskgated: no signature
On Mon, Mar 17, 2014 at 8:50 PM, Ian Wadham iandw...@gmail.com wrote:

> 1. The check seems to be to prevent a program from starting a foreign process that could compromise the O/S (e.g. spyware?). In the long term, should MacPorts be recommending bypassing it with the -p and -s options? I presume this is what MacPorts is doing.

I get the impression -s is needed if you want to attach to processes with a debugger or dtrace; as such it is appropriate for development systems.

> 2. This is off-topic but I hope someone can help. Here is what man taskgated says.
>
>      -p      Accepts the old (Tiger) convention that a process with a primary effective group of procmod or procview is allowed to get task ports. Without this option, this legacy mode is not supported.
>
>      -s      Allow signed applications marked as safe to have free access to task ports, without having to pass an authorization check. Note that such callers must be marked both allowed and safe.
>
> Although I used to be a UNIX guru/sysadmin in a former life, I do not understand much of the language used here, specifically "effective group of procmod or procview", "signed applications", "marked as safe" and "marked both allowed and safe".

procmod and procview are groups (/etc/groups on Unix, `dscl . list Groups` on OS X). The primary effective group ID is Apple saying must be the egid, not just in the group vector. (If your former life was long enough ago to be pre-SVR4, you might not know about group vectors; they're from BSD. In short, you have not only a primary group affiliation in your egid but an additional vector of groups of which you are a member; you can switch the egid between any of the groups in your group vector without requiring elevated permissions. Only root can set the group vector, just as only root can change to an arbitrary gid. Files are created with the primary egid, but file group access checking checks egid and the group vector.)

The others are Apple-isms; applications can be signed with an X.509 certificate. I'll leave the rest to someone who knows more about the specific details of Apple's code signing. `man codesign` might be somewhat enlightening, or might not.

> The Console log message I keep getting is:
>
>     17/03/14 12:35:27.355 PM taskgated: no signature for pid=1169 (cannot make code: host has no guest with the requested attributes)

Again related to code signing; apparently that's taskgated-ese for "I couldn't find the kind of code signature I was looking for".

--
brandon s allbery kf8nh, sine nomine associates
allber...@gmail.com, ballb...@sinenomine.net
unix, openafs, kerberos, infrastructure, xmonad
http://sinenomine.net

Re: taskgated: no signature
Thanks, Brandon. You have given me some leads I can get my teeth into … or google.

And you dated me pretty accurately re SVR4. I knew quite a bit about UNIX before that, but System V Release 4 was my first hands-on experience --- 1989-1998, with H-P, Sun, Prime and ICL.

Cheers, Ian W.

On 18/03/2014, at 12:36 PM, Brandon Allbery wrote:

> On Mon, Mar 17, 2014 at 8:50 PM, Ian Wadham iandw...@gmail.com wrote:
>
> > 1. The check seems to be to prevent a program from starting a foreign process that could compromise the O/S (e.g. spyware?). In the long term, should MacPorts be recommending bypassing it with the -p and -s options? I presume this is what MacPorts is doing.
>
> I get the impression -s is needed if you want to attach to processes with a debugger or dtrace; as such it is appropriate for development systems.
>
> > 2. This is off-topic but I hope someone can help. Here is what man taskgated says.
> >
> >      -p      Accepts the old (Tiger) convention that a process with a primary effective group of procmod or procview is allowed to get task ports. Without this option, this legacy mode is not supported.
> >
> >      -s      Allow signed applications marked as safe to have free access to task ports, without having to pass an authorization check. Note that such callers must be marked both allowed and safe.
> >
> > Although I used to be a UNIX guru/sysadmin in a former life, I do not understand much of the language used here, specifically "effective group of procmod or procview", "signed applications", "marked as safe" and "marked both allowed and safe".
>
> procmod and procview are groups (/etc/groups on Unix, `dscl . list Groups` on OS X). The primary effective group ID is Apple saying must be the egid, not just in the group vector. (If your former life was long enough ago to be pre-SVR4, you might not know about group vectors; they're from BSD. In short, you have not only a primary group affiliation in your egid but an additional vector of groups of which you are a member; you can switch the egid between any of the groups in your group vector without requiring elevated permissions. Only root can set the group vector, just as only root can change to an arbitrary gid. Files are created with the primary egid, but file group access checking checks egid and the group vector.)
>
> The others are Apple-isms; applications can be signed with an X.509 certificate. I'll leave the rest to someone who knows more about the specific details of Apple's code signing. `man codesign` might be somewhat enlightening, or might not.
>
> > The Console log message I keep getting is:
> >
> >     17/03/14 12:35:27.355 PM taskgated: no signature for pid=1169 (cannot make code: host has no guest with the requested attributes)
>
> Again related to code signing; apparently that's taskgated-ese for "I couldn't find the kind of code signature I was looking for".

Re: taskgated: no signature
On 16/03/2014, at 12:05 AM, Eric Gallager wrote:

> The only thing I know about taskgated is that you have to modify its launchd plist (by adding the '-p' option) to allow gdb to control other processes (on Mountain Lion and higher you can see this with `port notes gdb-apple`)... Have you done this at all? I have no clue whether that might be relevant to the specific error that you are experiencing, but I suppose it could be worth checking anyways…

Thanks, Eric, but I could not find any notes on gdb-apple. I tried installing it first, but still got:

    Palapeli:palapeli [master]port notes gdb-apple
    gdb-apple has no notes.

But I have OS X 10.7.5 Lion, not Mountain Lion. Can you tell me exactly what the notes say?

Thanks in advance, Ian W.

> On Sat, Mar 15, 2014 at 12:50 AM, Ian Wadham iandw...@gmail.com wrote:
>
> > On the Apple OS X Console log, I am seeing the following message whenever Palapeli runs and crashes.
> >
> >     15/03/14 3:01:16.751 PM taskgated: no signature for pid=900 (cannot make code: host has no guest with the requested attributes)
> >
> > Can anybody tell me what it means? If it is fatal, what do I need to do to correct it? man taskgated says it is a security check on one process starting another, as I understand it.

Re: taskgated: no signature
Hi Ian,

On 16 Mar 2014, at 09:00 , Ian Wadham iandw...@gmail.com wrote:

> Thanks, Eric, but I could not find any notes on gdb-apple. I tried installing it first, but still got:

here on my install I see this:

---
$ port notes gdb-apple
gdb-apple has the following notes:
  You will need to make sure /System/Library/LaunchDaemons/com.apple.taskgated.plist has the '-p' option, e.g.
    <key>ProgramArguments</key>
    <array>
        <string>/usr/libexec/taskgated</string>
        <string>-sp</string>
    </array>
---

How come it is not visible on your end? Sure you’re up to date? Have you perhaps a forgotten local port file for gdb-apple active?

Greets, Marko

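Added example (not part of the thread, and not MacPorts or Apple code): a Python sketch that reads the ProgramArguments fragment from the notes above and models the -p wording of man taskgated as quoted in this thread, where the effective gid itself must be procmod or procview and membership through the group vector alone does not count. The plist wrapper and the group name "staff" are constructed, the function names are hypothetical, and reading -sp as -s plus -p (getopt-style bundling) is an assumption consistent with the thread.

```python
import grp
import os
import plistlib

# Constructed input: the ProgramArguments fragment from the gdb-apple notes,
# wrapped in a minimal plist (the real file has more keys).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/libexec/taskgated</string>
        <string>-sp</string>
    </array>
</dict>
</plist>
"""

LEGACY_GROUPS = ("procmod", "procview")  # groups named under -p in man taskgated


def taskgated_options(plist_bytes):
    """Return the single-letter options found in ProgramArguments."""
    args = plistlib.loads(plist_bytes).get("ProgramArguments", [])
    opts = set()
    for arg in args[1:]:              # args[0] is the daemon path
        if arg.startswith("-"):
            opts.update(arg[1:])      # assumed getopt-style bundling: -sp = -s -p
    return opts


def group_standing(group, egid_name, group_vector):
    """Say whether `group` is the effective gid, only in the vector, or absent."""
    if group == egid_name:
        return "egid"
    return "vector-only" if group in group_vector else "absent"


def legacy_mode_applies(opts, egid_name, group_vector):
    """Model of the quoted -p text: -p is set and the egid itself is a legacy group."""
    return "p" in opts and any(
        group_standing(g, egid_name, group_vector) == "egid" for g in LEGACY_GROUPS)


def current_identity():
    """Names of this process's egid and group vector (numeric if unnamed)."""
    def name(gid):
        try:
            return grp.getgrgid(gid).gr_name
        except KeyError:
            return str(gid)
    return name(os.getegid()), [name(g) for g in os.getgroups()]
```

To audit a live system, pass the bytes of /System/Library/LaunchDaemons/com.apple.taskgated.plist to `taskgated_options` and the result of `current_identity()` to `legacy_mode_applies`.
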
Re: taskgated: no signature
On 16/03/2014, at 7:28 PM, mk-macpo...@techno.ms wrote:

> On 16 Mar 2014, at 09:00 , Ian Wadham iandw...@gmail.com wrote:
>
> > Thanks, Eric, but I could not find any notes on gdb-apple. I tried installing it first, but still got:
>
> here on my install I see this:
>
> ---
> $ port notes gdb-apple
> gdb-apple has the following notes:
>   You will need to make sure /System/Library/LaunchDaemons/com.apple.taskgated.plist has the '-p' option, e.g.
>     <key>ProgramArguments</key>
>     <array>
>         <string>/usr/libexec/taskgated</string>
>         <string>-sp</string>
>     </array>
> ---

Thanks, Marko. Before I go ahead and try it, should that second last line say -p, not sp? I am new to plists … :-)

> How come it is not visible on your end? Sure you’re up to date? Have you perhaps a forgotten local port file for gdb-apple active?

No. I have never had anything to do with gdb-apple before. I did a port selfupdate about 14 hours ago. Followed by a port upgrade outdated. After that I tried to find the notes, but failed. As I said, I am on Lion. Eric said he is on Mountain Lion.

Cheers, Ian W.

Re: taskgated: no signature
On 16 Mar 2014, at 12:12 , Ian Wadham iandw...@gmail.com wrote:

> Thanks, Marko. Before I go ahead and try it, should that second last line say -p, not sp? I am new to plists … :-)

If it says so it wants it like that.

> No. I have never had anything to do with gdb-apple before. I did a port selfupdate about 14 hours ago. Followed by a port upgrade outdated. After that I tried to find the notes, but failed. As I said, I am on Lion. Eric said he is on Mountain Lion.

Perhaps you do another selfupdate and try “port notes” once again!

Re: taskgated: no signature
On Sun, Mar 16, 2014 at 7:41 AM, mk-macpo...@techno.ms wrote:

> On 16 Mar 2014, at 12:12 , Ian Wadham iandw...@gmail.com wrote:
>
> > No. I have never had anything to do with gdb-apple before. I did a port selfupdate about 14 hours ago. Followed by a port upgrade outdated. After that I tried to find the notes, but failed. As I said, I am on Lion. Eric said he is on Mountain Lion.
>
> Perhaps you do another selfupdate and try “port notes” once again!

It's not applicable on Lion. The `notes` declaration is in a conditional:

    if {${os.platform} eq "darwin" && ${os.major} >= 12} {
    ...

--
brandon s allbery kf8nh, sine nomine associates
allber...@gmail.com, ballb...@sinenomine.net
unix, openafs, kerberos, infrastructure, xmonad
http://sinenomine.net

Re: taskgated: no signature
Yeah, that was all I meant by saying on Mountain Lion and higher was that it was conditionally declared like that; I did *not* mean to imply that I was on Mountain Lion myself... (I am actually still on Snow Leopard so `port notes gdb-apple` says the same thing for me as it did for Ian; I only knew about them because I have been working on my own copy of the Portfile recently...)

On Sun, Mar 16, 2014 at 9:33 AM, Brandon Allbery allber...@gmail.com wrote:

> On Sun, Mar 16, 2014 at 7:41 AM, mk-macpo...@techno.ms wrote:
>
> > On 16 Mar 2014, at 12:12 , Ian Wadham iandw...@gmail.com wrote:
> >
> > > No. I have never had anything to do with gdb-apple before. I did a port selfupdate about 14 hours ago. Followed by a port upgrade outdated. After that I tried to find the notes, but failed. As I said, I am on Lion. Eric said he is on Mountain Lion.
> >
> > Perhaps you do another selfupdate and try port notes once again!
>
> It's not applicable on Lion. The `notes` declaration is in a conditional:
>
>     if {${os.platform} eq "darwin" && ${os.major} >= 12} {
>     ...
>
> --
> brandon s allbery kf8nh, sine nomine associates
> allber...@gmail.com, ballb...@sinenomine.net
> unix, openafs, kerberos, infrastructure, xmonad
> http://sinenomine.net

Re: taskgated: no signature
The only thing I know about taskgated is that you have to modify its launchd plist (by adding the '-p' option) to allow gdb to control other processes (on Mountain Lion and higher you can see this with `port notes gdb-apple`)... Have you done this at all? I have no clue whether that might be relevant to the specific error that you are experiencing, but I suppose it could be worth checking anyways...

On Sat, Mar 15, 2014 at 12:50 AM, Ian Wadham iandw...@gmail.com wrote:

> Hi guys,
>
> I am trying to track down a problem in KDE's Palapeli jigsaw puzzle game, being the current source-code developer. The problem is that the Macports installed version of Palapeli runs OK, but my development version crashes during its startup phase.
>
> I have narrowed the problem down to a point where Palapeli is calling for a plugin to create one of the standard puzzles which come with Palapeli, but have not yet been created in my development area. The plugin is found OK, but then the KDE library reports that it cannot load it.
>
> On the Apple OS X Console log, I am seeing the following message whenever Palapeli runs and crashes.
>
>     15/03/14 3:01:16.751 PM taskgated: no signature for pid=900 (cannot make code: host has no guest with the requested attributes)
>
> Can anybody tell me what it means? If it is fatal, what do I need to do to correct it? man taskgated says it is a security check on one process starting another, as I understand it.
>
> I googled on 'taskgated no signature' and found some references from a few years back re no system signature involving some /opt/local programs, but that seemed to be about a different problem. Also I looked through the man page on taskgated. And I found no hit on either taskgated or no signature on Macports tickets.
>
> Any ideas?
>
> Cheers, Ian W.