Re: [Oorexx-devel] ooRexx and Apple's "security police" on MacOS

2021-07-16 Thread Rony G. Flatscher 
While testing a little bit, here is maybe another helpful insight: after 
downloading the ooRexx
installation package it is possible without super-user power to remove the 
quarantine attribute
using Renés example:

xattr -d com.apple.quarantine ooRexx-5.0.0-12280.macOS.x86_64.dmg

Then installing ooRexx by opening the dmg-file and following the installation 
directions yields a
working installation in /Applications/ooRexx5!

---rony


On 16.07.2021 14:27, René Jansen wrote:
> Running 
>
> sudo xattr -r -d com.apple.quarantine $YOUR_DIRECTORY 
>
> mostly helps.
>
> René
>
>> On 16 Jul 2021, at 14:10, P.O. Jonsson > > wrote:
>>
>> What version of MacOS are we talking about? In the past extracting the .dmg 
>> caused a warning that
>> could be overwritten but I never experienced that rexx would not launch? Is 
>> this a M1 thing only?
>> Or „Fat Binary“ problem? Does it help to install to ~/Applications (a local 
>> install) rather than
>> to /Applications (Install for all users)? 
>>
>> I run High Sierra (10.13) and the build machine runs Mojave (10.14). In view 
>> of the age of the
>> build machine (~ late 2014) I would not go beyond Catalina (10.15) and I see 
>> no gain in changing,
>> just risk of running into problems with outdated hardware.
>>
>> We do not have at our disposal any machine with macOS Big Sur (11.1) that 
>> can run on either Intel
>> or M1 hardware.
>>
>> What I can try to do is to see if I can get some Virtual Machines set up 
>> with Catalina/Big Sur.
>> But it will not be on M1 hardware.
>>
>> Hälsningar/Regards/Grüsse,
>> P.O. Jonsson
>> oor...@jonases.se 
>>
>>
>>
>>> Am 16.07.2021 um 13:47 schrieb Rony G. Flatscher >> >:
>>>
>>> Downloaded the latest MacOS version of ooRexx 5.0 from the ooRexx project 
>>> page at sourceforge.
>>>
>>> It turns out that Apple inhibits using anything from that dmg as it was 
>>> downloaded from the
>>> Internet and not from Apple's store! :(
>>>
>>> This is due to Apple's "security policy" that they put in effect, which 
>>> simply deprive the
>>> owners of those Apple computers.
>>>
>>> Here are two use cases, each demonstrated with an attached screenshot:
>>>
>>>   * Scenario 1: installing ooRexx according to the readme will create 
>>> "/Application/ooRexx5"
>>> with the "bin", "lib" etc directories. Trying to run 
>>> "/Application/ooRexx5/bin/rexx -v"
>>> causes "Screenshot 2021-07-16 at 12.46.04.png" to pop up. Apple 
>>> suggests to move the program
>>> to the bin! :-(
>>>
>>>   * Scenario 2: using Finder to "open" (run) 
>>> "/Application/ooRexx5/bin/rexx" yields at first a
>>> pop up that seems to indicate, that further opening would allow the 
>>> program to run from now
>>> on, cf. "Screenshot 2021-07-16 at 12.53.17.png". However when "rexx" 
>>> loads the
>>> "librexx.4.dylib" the "Move to Bin" popup as above gets displayed!
>>>
>>> Probably turning off SIP
>>> ()
>>> will allow this to work again, however, asking users to turn off SIP may be 
>>> too much.
>>>
>>> The alternative would be to get and use the keys from Apple and use them to 
>>> sign the ooRexx
>>> executables.
>>>
>>> The question then is, who should apply/buy this: RexxLA or some individual 
>>> developer in this
>>> group who signs the releases? Who is going to pursue this?
>>>
>>> ---rony
>>>
>>> P.S.: @Enrico: this may be also the reason why on M1 with a stricter 
>>> "security policy" in place
>>> would not pick the amd64 binaries from the fat distribution! If you look at 
>>> the first screen
>>> shot you can read "Reason: no suitable image found.", the same error 
>>> message as on M1, but here
>>> there is additional information pointing ad "Library Validation: ..." that 
>>> fails.
>>>
>>> This behavior might not be present if you create ooRexx on the M1 and run 
>>> it from there, as then
>>> the binaries did not come from "insecure locations" according to Apple 
>>> (which is the Internet
>>> and locations that are not under the control of Apple software).
>>>

___
Oorexx-devel mailing list
Oorexx-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/oorexx-devel

Re: [Oorexx-devel] ooRexx and Apple's "security police" on MacOS

2021-07-16 Thread Rony G. Flatscher 
On 16.07.2021 15:03, P.O. Jonsson wrote:
... cut ...

> A question on the „fat Binaries“: I cannot see any trace of different 
> versions of the files in the
> installer, can you please elaborate? I do not have any M1 hardware to test it 
> on.

This was a remark for Enrico, who kindly submitted changes to CMake to allow 
the creation of a
universal version of ooRexx which includes both architectures.  In parallel I 
created a fat version
of BSF4ooRexx to create an installation package that included both, the Intel 
and the M1 version.
Unfortunately, the arm64 binaries from BSF4ooRexx and ooRexx would not get 
loaded on M1 with a
rather meaningless error message ("... not found ..."). My take now is that it 
might have to do with
this "security policy" issue of which I am not sure whether it can be solved 
with Renés xattr
command there. Have asked a student who has a M1 and has been really, really 
eager to get BSF4ooRexx
installed and available on it as well. [Unfortunately, I do not have a M1 to 
test, so am dependent
on others and their ree time.]

The original idea was, that once this works, it should be incorporated into the 
official ooRexx
project (via a patch) as Enrico is good with doing so (I would declare this 
with the patch, such
that the origin and the license of the patch is put out of question). But have 
not heard from Enrico
in a while, maybe this findings can get everything going again.

---rony




___
Oorexx-devel mailing list
Oorexx-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/oorexx-devel

Re: [Oorexx-devel] ooRexx and Apple's "security police" on MacOS

2021-07-16 Thread P.O. Jonsson 
> Am 16.07.2021 um 14:51 schrieb Rony G. Flatscher :
> 
> On 16.07.2021 14:47, P.O. Jonsson wrote:
>>> No, what has helped was René's suggestion: 
>>> sudo xattr -r -d com.apple.quarantine $YOUR_DIRECTORY 
>>> Ran it against /Applications/ooRexx5 and voilà now rexx -v works! (Still 
>>> tests to do, will symbollically create links in /usr/local/bin and 
>>> /usr/local/lib and if problems arise, will report back.)
>> 
>> We should thus have a post install script running this command then (or 
>> instructing the user to do so). But it will then not be „sudo free“ any more.
>> 
>> In any case the user need to add the /bin of the installation 
>> (/Applications/ooRexx5/bin normally) to the path. This is described in the 
>> installer.
> Yes, I followed those instructions. 
> In the next step I will link the ooRexx files to /usr/local for testing a new 
> version of the BSF4ooRexx command line installer with it (that version will 
> install to /opt/BSF4ooRexx and will have no entry in /Application). Have been 
> working on this now that the ooRexx project has official ooRexx distributions 
> for MacOS (the latest GUI-installer of BSF4ooRexx which contains ooRexx5 will 
> abort, if it finds /usr/local/bin/rexx to exist, otherwise it installs its 
> included ooRexx making that version system wide available).
> 
> —rony
> 

OK, I had not been installing ooRexx from the official build since some time so 
I did it as well. On High Sierra I get no warning and do not need to run the 
command above. I need to document this and put it in the installer.

A question on the „fat Binaries“: I cannot see any trace of different versions 
of the files in the installer, can you please elaborate? I do not have any M1 
hardware to test it on.

> 
> ___
> Oorexx-devel mailing list
> Oorexx-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/oorexx-devel

___
Oorexx-devel mailing list
Oorexx-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/oorexx-devel

Re: [Oorexx-devel] ooRexx and Apple's "security police" on MacOS

2021-07-16 Thread Rony G. Flatscher 
On 16.07.2021 14:47, P.O. Jonsson wrote:
>>
>> No, what has helped was René's suggestion:
>>
>> sudo xattr -r -d com.apple.quarantine $YOUR_DIRECTORY
>>
>> Ran it against /Applications/ooRexx5 and voilà now rexx -v works! (Still 
>> tests to do, will
>> symbollically create links in /usr/local/bin and /usr/local/lib and if 
>> problems arise, will
>> report back.)
>>
>
> We should thus have a post install script running this command then (or 
> instructing the user to do
> so). But it will then not be „sudo free“ any more.
>
> In any case the user need to add the /bin of the installation 
> (/Applications/ooRexx5/bin normally)
> to the path. This is described in the installer.

Yes, I followed those instructions.

In the next step I will link the ooRexx files to /usr/local for testing a new 
version of the
BSF4ooRexx command line installer with it (that version will install to 
/opt/BSF4ooRexx and will
have no entry in /Application). Have been working on this now that the ooRexx 
project has official
ooRexx distributions for MacOS (the latest GUI-installer of BSF4ooRexx which 
contains ooRexx5 will
abort, if it finds /usr/local/bin/rexx to exist, otherwise it installs its 
included ooRexx making
that version system wide available).

---rony


___
Oorexx-devel mailing list
Oorexx-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/oorexx-devel

Re: [Oorexx-devel] ooRexx and Apple's "security police" on MacOS

2021-07-16 Thread P.O. Jonsson 
> No, what has helped was René's suggestion: 
> sudo xattr -r -d com.apple.quarantine $YOUR_DIRECTORY 
> Ran it against /Applications/ooRexx5 and voilà now rexx -v works! (Still 
> tests to do, will symbollically create links in /usr/local/bin and 
> /usr/local/lib and if problems arise, will report back.)

We should thus have a post install script running this command then (or 
instructing the user to do so). But it will then not be „sudo free“ any more.

In any case the user need to add the /bin of the installation 
(/Applications/ooRexx5/bin normally) to the path. This is described in the 
installer.

___
Oorexx-devel mailing list
Oorexx-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/oorexx-devel

Re: [Oorexx-devel] ooRexx and Apple's "security police" on MacOS

2021-07-16 Thread Rony G. Flatscher 
On 16.07.2021 14:27, René Jansen wrote:
> sudo xattr -r -d com.apple.quarantine $YOUR_DIRECTORY

Super, this has worked in this case, thank you very much for sharing!

---rony

___
Oorexx-devel mailing list
Oorexx-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/oorexx-devel

Re: [Oorexx-devel] ooRexx and Apple's "security police" on MacOS

2021-07-16 Thread Rony G. Flatscher 
On 16.07.2021 14:10, P.O. Jonsson wrote:
> What version of MacOS are we talking about? 

11.4 BigSur on Intel.

ooRexx from SourceForge (r12280, Jul 12 2021).

> In the past extracting the .dmg caused a warning that could be overwritten 
> but I never experienced
> that rexx would not launch? Is this a M1 thing only? Or „Fat Binary“ problem? 
> Does it help to
> install to ~/Applications (a local install) rather than to /Applications 
> (Install for all users)?

No, what has helped was René's suggestion:

sudo xattr -r -d com.apple.quarantine $YOUR_DIRECTORY

Ran it against /Applications/ooRexx5 and voilà now rexx -v works! (Still tests 
to do, will
symbollically create links in /usr/local/bin and /usr/local/lib and if problems 
arise, will report
back.)

---rony

>
>
>> Am 16.07.2021 um 13:47 schrieb Rony G. Flatscher > >:
>>
>> Downloaded the latest MacOS version of ooRexx 5.0 from the ooRexx project 
>> page at sourceforge.
>>
>> It turns out that Apple inhibits using anything from that dmg as it was 
>> downloaded from the
>> Internet and not from Apple's store! :(
>>
>> This is due to Apple's "security policy" that they put in effect, which 
>> simply deprive the owners
>> of those Apple computers.
>>
>> Here are two use cases, each demonstrated with an attached screenshot:
>>
>>   * Scenario 1: installing ooRexx according to the readme will create 
>> "/Application/ooRexx5" with
>> the "bin", "lib" etc directories. Trying to run 
>> "/Application/ooRexx5/bin/rexx -v" causes
>> "Screenshot 2021-07-16 at 12.46.04.png" to pop up. Apple suggests to 
>> move the program to the
>> bin! :-(
>>
>>   * Scenario 2: using Finder to "open" (run) "/Application/ooRexx5/bin/rexx" 
>> yields at first a
>> pop up that seems to indicate, that further opening would allow the 
>> program to run from now
>> on, cf. "Screenshot 2021-07-16 at 12.53.17.png". However when "rexx" 
>> loads the
>> "librexx.4.dylib" the "Move to Bin" popup as above gets displayed!
>>
>> Probably turning off SIP
>> ()
>> will allow this to work again, however, asking users to turn off SIP may be 
>> too much.
>>
>> The alternative would be to get and use the keys from Apple and use them to 
>> sign the ooRexx
>> executables.
>>
>> The question then is, who should apply/buy this: RexxLA or some individual 
>> developer in this
>> group who signs the releases? Who is going to pursue this?
>>
>> ---rony
>>
>> P.S.: @Enrico: this may be also the reason why on M1 with a stricter 
>> "security policy" in place
>> would not pick the amd64 binaries from the fat distribution! If you look at 
>> the first screen shot
>> you can read "Reason: no suitable image found.", the same error message as 
>> on M1, but here there
>> is additional information pointing ad "Library Validation: ..." that fails.
>>
>> This behavior might not be present if you create ooRexx on the M1 and run it 
>> from there, as then
>> the binaries did not come from "insecure locations" according to Apple 
>> (which is the Internet and
>> locations that are not under the control of Apple software).
>>
>>
>> > 12.53.17.png>___
>> Oorexx-devel mailing list
>> Oorexx-devel@lists.sourceforge.net 
>> 
>> https://lists.sourceforge.net/lists/listinfo/oorexx-devel
>
>
>
> ___
> Oorexx-devel mailing list
> Oorexx-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/oorexx-devel

-- 
--
__

Prof. Dr. Rony G. Flatscher
Department Wirtschaftsinformatik und Operations Management
Institut für Wirtschaftsinformatik und Gesellschaft
D2c 2.086
WU Wien
Welthandelsplatz 1
A-1020  Wien/Vienna, Austria/Europe

http://www.wu.ac.at
__





___
Oorexx-devel mailing list
Oorexx-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/oorexx-devel

Re: [Oorexx-devel] ooRexx and Apple's "security police" on MacOS

2021-07-16 Thread René Jansen 
Running 

sudo xattr -r -d com.apple.quarantine $YOUR_DIRECTORY 

mostly helps.

René

> On 16 Jul 2021, at 14:10, P.O. Jonsson  wrote:
> 
> What version of MacOS are we talking about? In the past extracting the .dmg 
> caused a warning that could be overwritten but I never experienced that rexx 
> would not launch? Is this a M1 thing only? Or „Fat Binary“ problem? Does it 
> help to install to ~/Applications (a local install) rather than to 
> /Applications (Install for all users)? 
> 
> I run High Sierra (10.13) and the build machine runs Mojave (10.14). In view 
> of the age of the build machine (~ late 2014) I would not go beyond Catalina 
> (10.15) and I see no gain in changing, just risk of running into problems 
> with outdated hardware.
> 
> We do not have at our disposal any machine with macOS Big Sur (11.1) that can 
> run on either Intel or M1 hardware.
> 
> What I can try to do is to see if I can get some Virtual Machines set up with 
> Catalina/Big Sur. But it will not be on M1 hardware.
> 
> Hälsningar/Regards/Grüsse,
> P.O. Jonsson
> oor...@jonases.se 
> 
> 
> 
>> Am 16.07.2021 um 13:47 schrieb Rony G. Flatscher > >:
>> 
>> Downloaded the latest MacOS version of ooRexx 5.0 from the ooRexx project 
>> page at sourceforge. 
>> 
>> It turns out that Apple inhibits using anything from that dmg as it was 
>> downloaded from the Internet and not from Apple's store! :(
>> 
>> This is due to Apple's "security policy" that they put in effect, which 
>> simply deprive the owners of those Apple computers. 
>> 
>> Here are two use cases, each demonstrated with an attached screenshot:
>> 
>> Scenario 1: installing ooRexx according to the readme will create 
>> "/Application/ooRexx5" with the "bin", "lib" etc directories. Trying to run 
>> "/Application/ooRexx5/bin/rexx -v" causes "Screenshot 2021-07-16 at 
>> 12.46.04.png" to pop up. Apple suggests to move the program to the bin! :-(
>> 
>> Scenario 2: using Finder to "open" (run) "/Application/ooRexx5/bin/rexx" 
>> yields at first a pop up that seems to indicate, that further opening would 
>> allow the program to run from now on, cf. "Screenshot 2021-07-16 at 
>> 12.53.17.png". However when "rexx" loads the "librexx.4.dylib" the "Move to 
>> Bin" popup as above gets displayed!
>> Probably turning off SIP 
>> (
>>  
>> )
>>  will allow this to work again, however, asking users to turn off SIP may be 
>> too much.
>> 
>> The alternative would be to get and use the keys from Apple and use them to 
>> sign the ooRexx executables. 
>> 
>> The question then is, who should apply/buy this: RexxLA or some individual 
>> developer in this group who signs the releases? Who is going to pursue this?
>> 
>> ---rony
>> 
>> P.S.: @Enrico: this may be also the reason why on M1 with a stricter 
>> "security policy" in place would not pick the amd64 binaries from the fat 
>> distribution! If you look at the first screen shot you can read "Reason: no 
>> suitable image found.", the same error message as on M1, but here there is 
>> additional information pointing ad "Library Validation: ..." that fails.
>> 
>> This behavior might not be present if you create ooRexx on the M1 and run it 
>> from there, as then the binaries did not come from "insecure locations" 
>> according to Apple (which is the Internet and locations that are not under 
>> the control of Apple software). 
>> 
>> 
>> 
>> > 12.53.17.png>___
>> Oorexx-devel mailing list
>> Oorexx-devel@lists.sourceforge.net 
>> 
>> https://lists.sourceforge.net/lists/listinfo/oorexx-devel
> 
> ___
> Oorexx-devel mailing list
> Oorexx-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/oorexx-devel

___
Oorexx-devel mailing list
Oorexx-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/oorexx-devel

Re: [Oorexx-devel] ooRexx and Apple's "security police" on MacOS

2021-07-16 Thread P.O. Jonsson 
What version of MacOS are we talking about? In the past extracting the .dmg 
caused a warning that could be overwritten but I never experienced that rexx 
would not launch? Is this a M1 thing only? Or „Fat Binary“ problem? Does it 
help to install to ~/Applications (a local install) rather than to 
/Applications (Install for all users)? 

I run High Sierra (10.13) and the build machine runs Mojave (10.14). In view of 
the age of the build machine (~ late 2014) I would not go beyond Catalina 
(10.15) and I see no gain in changing, just risk of running into problems with 
outdated hardware.

We do not have at our disposal any machine with macOS Big Sur (11.1) that can 
run on either Intel or M1 hardware.

What I can try to do is to see if I can get some Virtual Machines set up with 
Catalina/Big Sur. But it will not be on M1 hardware.

Hälsningar/Regards/Grüsse,
P.O. Jonsson
oor...@jonases.se



> Am 16.07.2021 um 13:47 schrieb Rony G. Flatscher :
> 
> Downloaded the latest MacOS version of ooRexx 5.0 from the ooRexx project 
> page at sourceforge. 
> It turns out that Apple inhibits using anything from that dmg as it was 
> downloaded from the Internet and not from Apple's store! :(
> 
> This is due to Apple's "security policy" that they put in effect, which 
> simply deprive the owners of those Apple computers. 
> Here are two use cases, each demonstrated with an attached screenshot:
> 
> Scenario 1: installing ooRexx according to the readme will create 
> "/Application/ooRexx5" with the "bin", "lib" etc directories. Trying to run 
> "/Application/ooRexx5/bin/rexx -v" causes "Screenshot 2021-07-16 at 
> 12.46.04.png" to pop up. Apple suggests to move the program to the bin! :-(
> 
> Scenario 2: using Finder to "open" (run) "/Application/ooRexx5/bin/rexx" 
> yields at first a pop up that seems to indicate, that further opening would 
> allow the program to run from now on, cf. "Screenshot 2021-07-16 at 
> 12.53.17.png". However when "rexx" loads the "librexx.4.dylib" the "Move to 
> Bin" popup as above gets displayed!
> Probably turning off SIP 
> (
>  
> )
>  will allow this to work again, however, asking users to turn off SIP may be 
> too much.
> 
> The alternative would be to get and use the keys from Apple and use them to 
> sign the ooRexx executables. 
> The question then is, who should apply/buy this: RexxLA or some individual 
> developer in this group who signs the releases? Who is going to pursue this?
> 
> ---rony
> 
> P.S.: @Enrico: this may be also the reason why on M1 with a stricter 
> "security policy" in place would not pick the amd64 binaries from the fat 
> distribution! If you look at the first screen shot you can read "Reason: no 
> suitable image found.", the same error message as on M1, but here there is 
> additional information pointing ad "Library Validation: ..." that fails.
> 
> This behavior might not be present if you create ooRexx on the M1 and run it 
> from there, as then the binaries did not come from "insecure locations" 
> according to Apple (which is the Internet and locations that are not under 
> the control of Apple software). 
> 
>  12.53.17.png>___
> Oorexx-devel mailing list
> Oorexx-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/oorexx-devel

___
Oorexx-devel mailing list
Oorexx-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/oorexx-devel