Installing via Homebrew has warnings #27

Open
shadowhand opened this issue Jan 24, 2022 · 7 comments


shadowhand commented Jan 24, 2022

I ran `brew install 7777`, it downloaded from https://releases.port7777.com/1.1.3/macos/7777.

When I ran `7777` it gave me the dreaded macOS cannot verify the developer of “7777” error and refused to open the app.

I was able to bypass this by running `open /opt/homebrew/Caskroom/7777` and manually opening 7777 with a right click, and accepting the warning message.

Member

mnapoli commented Jan 26, 2022

Thanks! It seems with the latest macOS versions the security constraints get more and more annoying 😓

Maybe we should at least document an easy way to validate the binary, I've read this could work (quick test seemed to validate it):

```
spctl --add /usr/local/bin/7777
```

Later can also be removed via:

```
spctl --remove /usr/local/bin/7777
```

WDYT?

Author

shadowhand commented Jan 26, 2022

I mean, that could work, but... there must be a better way? Other casks (Docker, etc) don't have this issue, so why does 7777? Why would the manually downloaded version have different permissions than a Homebrew download?

mnapoli added a commit that referenced this issue Feb 9, 2022
Member

mnapoli commented Feb 9, 2022

I have no idea TBH, macOS restrictions change with every new OS version and I admit having trouble keeping up…

What I've done to improve the situation at least a little bit is document that in the README in 50690b4

@pooley182

It appears that the version installed via homebrew isn't a signed package.
This is what seems to cause the issue with mac complaining that the developer can't be verified.

On the latest version `7777/1.1.4 darwin-x64 node-v14.4.0` it also means I'm prompted to allow 7777 firewall access every time I try and open a tunnel. Because it's not signed Mac OS inherently doesn't trust it.

Below is the output from codesign, you can see the executable is missing the 'Authority' fields that indicate it was signed with a valid certificate.

```
$ codesign -d -vvvv /opt/homebrew/bin/7777
Executable=/opt/homebrew/Caskroom/7777/1.1.4/7777
Identifier=7777-555549446a4a87565acf3b3d84453a306fa654a0
Format=Mach-O thin (x86_64)
CodeDirectory v=20400 size=777670 flags=0x2(adhoc) hashes=24296+2 location=system
Hash type=sha256 size=32
CandidateCDHash sha256=fa37a2f77dd3fa6baa5260392ecccfff322a438a
CandidateCDHashFull sha256=fa37a2f77dd3fa6baa5260392ecccfff322a438a6872567994b20792d586bddf
Hash choices=sha256
CMSDigest=fa37a2f77dd3fa6baa5260392ecccfff322a438a6872567994b20792d586bddf
CMSDigestType=2
Executable Segment base=0
Executable Segment limit=54644736
Executable Segment flags=0x1
Page size=4096
CDHash=fa37a2f77dd3fa6baa5260392ecccfff322a438a
Signature=adhoc
Info.plist=not bound
TeamIdentifier=not set
Sealed Resources=none
Internal requirements count=0 size=12
```
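
Added example (not part of the comment above and not the project's code): a shell filter that reads a `codesign -d -vvvv` report and labels it `unsigned`, `adhoc`, or `signed:<team>` based on the `Signature`, `Authority` and `TeamIdentifier` fields discussed in the comment. The function names and the "signed" sample with its placeholder identity are constructed for illustration.

```shell
#!/bin/sh
# Classify a `codesign -d -vvvv` report read on stdin (hypothetical helper).
classify_signature() {
    awk '
        /code object is not signed at all/   { unsigned = 1 }
        /^Signature=adhoc$/                  { adhoc = 1 }
        /^CodeDirectory .*flags=[^ ]*adhoc/  { adhoc = 1 }
        /^Authority=/                        { chain++ }
        /^TeamIdentifier=/                   { team = substr($0, 16) }
        END {
            if (unsigned)                                     print "unsigned"
            else if (adhoc)                                   print "adhoc"
            else if (chain > 0 && team != "" && team != "not set") print "signed:" team
            else                                              print "unknown"
        }'
}

# On macOS: codesign writes its report to stderr, so merge it into the pipe.
check_binary() { codesign -d -vvvv "$1" 2>&1 | classify_signature; }

# Lines taken from the report quoted in the comment above.
adhoc_sample() {
    cat <<'EOF'
Executable=/opt/homebrew/Caskroom/7777/1.1.4/7777
CodeDirectory v=20400 size=777670 flags=0x2(adhoc) hashes=24296+2 location=system
Signature=adhoc
TeamIdentifier=not set
EOF
}

# Constructed sample: what a Developer ID signed binary reports (placeholder identity).
signed_sample() {
    cat <<'EOF'
Executable=/Applications/Example.app/Contents/MacOS/Example
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345
EOF
}

adhoc_sample  | classify_signature
signed_sample | classify_signature
```

On a Mac, `check_binary /opt/homebrew/bin/7777` runs the same classification against the installed binary.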

Member

mnapoli commented Oct 17, 2022

@pooley182 do these instructions help: 50690b4 ? I used this and don't get any issue with firewall access on the latest macOS.

@pooley182

Unfortunately not, I have run that command but it still prompts for firewall access every time the container starts.
I have also tried `xattr -d com.apple.quarantine /opt/homebrew/bin/7777` which I initially used to allow 7777 to start after the initial homebrew install.

I don't want to come across as condescending but is your firewall actually turned on? By default the firewall is off on Mac OS, so there's a chance yours is off which is why you don't get the warning.

Member

mnapoli commented Oct 21, 2022

@pooley182 oh right! No worries, it was indeed disabled. I enabled it and it indeed asks to confirm.
