Unsigned binaries and libs causing issues in Big Sur

Question

So, the installation process is having issues on Big Sur, due to Big Sur's demand for signed binaries.  If you invoke `InstallMe.Osx64.sh`, It pops up a dialog about being from an untrusted developer downloadd, and bails out at:

./InstallMe.Osx64.sh: line 74: 12346 Killed: 9               ${VFXBINFILE} "cr .( type bye to exit ) cr"

Trying to use the usual mechanisms such as option-open the binary fails because it doesn't recognize the object type from the Finder.

I had to dig to find this: https://github.molgen.mpg.de/pages/bs/macOSnotes/mac/mac_procs_unsigned.html

Might I suggest looking into signing the shipping MacOS X binaries to appease the OS? Or at least document in the README that we have to do this.

It almost works if we do something like the following:

for TO_SIGN in $( find . -name \*.dylib ) $( find . -name \*.mo ); do

   echo ${TO_SIGN}

   FILE=$( basename ${TO_SIGN} )

   DIR=$( dirname ${TO_SIGN} )

   $( cd $DIR && spctl --add ${FILE} 2>/dev/null )

done

But on invocation of vfxforth64, we get three instances of:

“vfxsupp64.1.dylib” cannot be opened because the developer cannot be verified.

... and one instance of:

“libmpeparser64.0.dylib” cannot be opened because the developer cannot be verified.

... and it loads, but I'm not sure if it's working correctly at this point.

How are we doing a dlopen() -- is it via an absolute path or a relative path?

Answer 1

I went ahead and attempted to code sign the dynamic libraries with a script like the following:

SIGNATURE_ID="Apple Development: Wes Brown (W5D6Y3853Q)"

for TO_SIGN in $( find . -name \*.dylib ) $( find . -name \*.mo ); do

    codesign -s "${SIGNATURE_ID}" ${TO_SIGN}

    codesign --verify --verbose ${TO_SIGN}

done

Unfortunately, still doesn't work, pops up that it's not signed, etc.  Re-verified that the signed. and installed libraries are signed:

susanoo:VfxForthOsx64 wbrown$ codesign --verify /usr/local/lib/vfxsupp64.1.dylib  --verbose

/usr/local/lib/vfxsupp64.1.dylib: valid on disk

/usr/local/lib/vfxsupp64.1.dylib: satisfies its Designated Requirement

susanoo:VfxForthOsx64 wbrown$ codesign --verify /usr/local/lib/libmpeparser64.0.dylib  --verbosevfxsupp64.1.dylib

/usr/local/lib/libmpeparser64.0.dylib: valid on disk

/usr/local/lib/libmpeparser64.0.dylib: satisfies its Designated Requirement

Comments

Removed. See Georges answer ('though clearing quarantine flags is a possible option).

Answer 2

When I install VfxForthOsx64 with no Vfx files in /usr/local, I encounter two dialog boxes in succession for the executable and the dylibs.  The first dialog gives me the options "cancel" and "move to trash."  So I cancel and go to System Preferences > Security & Privacy  and click "allow anyway".  This action does *not* require me to "Click the lock to make changes."  When I run again, the second dialog gives the option to "open".  Clicking that usually does it without any further action.

Comments

OK, thank you!  When I did the following:

* Run `InstallMe.Osx64.sh`
* Hit `cancel`, and went to the Security and Privacy preferences panel, hit 'allow anyway'
* And for each prompt that I get for each dylib, I repeat the process above.

Then I get a load the second time without any prompts or errors.

There's a big difference between, 'it works on Big Sur/Catalina' vs, 'it works on Big Sur/Catalina if you do the following' :)

I think that these should be signed by MPE, as it's easy enough to do (theoretically!).

---

Code signing is on my list but there's a load of stuff in the way including Windows 64. If someone can help with templates, I'll be very grateful, but Christmas, moving house, pleasing Pat, walking the dogs ... and finally getting all the bureaucracy  done in Spain are my major targets for the rest of the year. Beta 4 has been released.