Most active commenters

    ←back to thread

    MacOS Catalina: Slow by Design?

    (sigpipe.macromates.com)
    2031 points jrk | 22 comments | 22 May 20 15:39 UTC | HN request time: 2.113s | source | bottom
    Show context
    davidvartan ◴[22 May 20 15:53 UTC] No.23273396[source]
    > a degraded user experience, as the first time a user runs a new executable, Apple delays execution while waiting for a reply from their server.

    The way to avoid this behavior is to staple the notarization ticket to your bundle (or dmg/pkg), i.e. "/usr/bin/stapler staple <path>." Otherwise, Gatekeeper will fetch the ticket and staple it for the user on the first run.

    (I'm the author of xcnotary [1], a tool to make notarization way less painful, including uploading to Apple/polling for completion/stapling/troubleshooting various code signing issues.)

    [1] https://github.com/akeru-inc/xcnotary

    replies(5): >>23273530 #>>23273867 #>>23273940 #>>23275792 #>>23279360 #
    1. xenadu02 ◴[22 May 20 16:30 UTC] No.23273867[source]
    Xcode (the UI) is able to bypass GateKeeper checks for things it builds.

    The "Developer Tool" pane in System Prefs, Security, Privacy is the same power. Drag anything into that list you'd like to grant the same privilege (such as xcodebuild). This is inherited by child processes as well.

    The point of this is to avoid malware packing bits of Xcode with itself and silently compiling itself on the target machine, thus bypassing system security policy.

    replies(7): >>23274912 #>>23275307 #>>23275358 #>>23275865 #>>23278110 #>>23283242 #>>23284958 #
    2. closeparen ◴[22 May 20 17:49 UTC] No.23274912[source]
    This is life-changing. Thank you!
    replies(1): >>23277547 #
    3. LeoPanthera ◴[22 May 20 18:27 UTC] No.23275307[source]
    Putting Terminal (and your favorite text editor) in this category and in "Full Disk Access" will change your life.
    replies(2): >>23276327 #>>23280562 #
    4. grishka ◴[22 May 20 18:32 UTC] No.23275358[source]
    So since these permissions apply to process trees, what happens if you put launchd in there?
    replies(1): >>23276564 #
    5. indemnity ◴[22 May 20 19:21 UTC] No.23275865[source]
    Reminds me of the AV exception folder our corporate IT created for developers. Soon absolutely everything developers needed or created was installed into that folder. Applications, IDEs, you name it.
    replies(1): >>23290529 #
    6. sneak ◴[22 May 20 20:06 UTC] No.23276327[source]
    Yes, falling victim to ransomware is definitely lifechanging if you don’t have good backups.
    replies(1): >>23277089 #
    7. aasasd ◴[22 May 20 20:28 UTC] No.23276564[source]
    The computer will probably hang while it tries to solve the chicken-egg problem.

    Isn't launchd Mac's ‘init’? I.e. run before anything else.

    replies(1): >>23277155 #
    8. LeoPanthera ◴[22 May 20 21:11 UTC] No.23277089{3}[source]
    That is a non-sequitur.
    replies(1): >>23277717 #
    9. grishka ◴[22 May 20 21:16 UTC] No.23277155{3}[source]
    Yes, and that's the point — everything you run will theoretically inherit the permission from it.
    10. pindab0ter ◴[22 May 20 21:58 UTC] No.23277547[source]
    What did you notice?
    11. mperham ◴[22 May 20 22:19 UTC] No.23277717{4}[source]
    It's not; they are stating that if you bypass these security checks, you open the machine up to ransomware.
    replies(1): >>23280063 #
    12. wila ◴[22 May 20 23:07 UTC] No.23278110[source]
    GateKeeper only triggers the check for things downloaded from the internet. IOW, it checks if your binary has a quarantine flag attached via an extended attribute.
    replies(1): >>23278576 #
    13. xenadu02 ◴[23 May 20 00:16 UTC] No.23278576[source]
    That is not correct starting with Catalina.
    14. justinmeiners ◴[23 May 20 05:04 UTC] No.23280063{5}[source]
    better not turn on it at all, to be extra safe
    15. MrBuddyCasino ◴[23 May 20 06:45 UTC] No.23280562[source]
    How does "Full Disk Access" help?
    replies(1): >>23281431 #
    16. lloeki ◴[23 May 20 09:17 UTC] No.23281431{3}[source]
    You can browse Time Machine backup directory trees from the CLI again.
    17. acecilia ◴[23 May 20 14:33 UTC] No.23283242[source]
    Can you advise on how to make the "Developer Tool" panel in "System Prefs, Security, Privacy" appear if it is not present? Cant find a way: https://stackoverflow.com/questions/60176405/macos-catalina-...
    replies(1): >>23289992 #
    18. make3 ◴[23 May 20 17:56 UTC] No.23284958[source]
    How do I get a "Developer Tool" pane in System Prefs? Do I have to install X-Code? I would really rather not
    replies(1): >>23289991 #
    19. saagarjha ◴[24 May 20 08:05 UTC] No.23289991[source]
    https://news.ycombinator.com/item?id=23278629
    20. saagarjha ◴[24 May 20 08:05 UTC] No.23289992[source]
    https://news.ycombinator.com/item?id=23278629
    replies(1): >>23290651 #
    21. kunday ◴[24 May 20 10:18 UTC] No.23290529[source]
    Guilty as accused. I try to keep to an absolute minimum. Like docker data-dir and IDE. With that i can atleast use my machine.

    otherwise this macos notarisation, along with a possibly of cpu heating issues with left thunderbolt usage and corporate av scanning, makes my machine, next to useless

    22. acecilia ◴[24 May 20 10:46 UTC] No.23290651{3}[source]
    Thanks for the link. Tried it, but that did not work