←back to thread

Catalina is checking notarization of unsigned executables

(lapcatsoftware.com)
361 points robenkleene | 3 comments | 23 May 20 09:42 UTC | HN request time: 0s | source
Show context
LeoPanthera ◴[23 May 20 19:28 UTC] No.23285659[source]
I can't reproduce the exact test specified in the article:

  $ echo $'#!/bin/sh\necho Hello' > /tmp/test.sh && chmod a+x /tmp/test.sh
  $ time /tmp/test.sh && time /tmp/test.sh
  Hello
  
  real 0m0.016s
  user 0m0.002s
  sys 0m0.010s
  Hello
  
  real 0m0.006s
  user 0m0.002s
  sys 0m0.004s
I don't believe the 0.01s difference is long enough, and could easily explained by filesystem caching. The article says:

> Some people try to explain away the delay, e.g., "I would put the 300 vs 5 ms down to filesystem caching", but such hand waving doesn't stand up to further scrutiny.

...but does not provide any "further scrutiny", so for me, occam's razor applies.

replies(4): >>23285714 #>>23285750 #>>23285970 #>>23285993 #
1. abathur ◴[23 May 20 20:13 UTC] No.23285970[source]
A few ideas:

1. confirm the checks are enabled:

    spctl --status
2. Make sure your terminal/shell/etc aren't already exempted System Preferences > Security & Privacy > Developer Tools.

3. If you already ran something that could generate a check in the last minute, the connection is still open. Most of the overhead people are recording is negotiation/handshake. If you're fairly close to the server, it seems plausible your observed time could be enough for the communication minus the negotiation. You can open Console.app and search `process:syspolicyd` in the device log to see the entries for the negotiation; wait for it to terminate.

4. Try removing and re-creating a new file as in the test you did before and check it a little more directly:

    spctl --assess -v --ignore-cache --no-cache /tmp/test.sh
If it's working, you should see a log entry with the text "summary for task success" in it with a detailed breakdown of the request (times taken per phase, bytes sent/received, etc).
replies(1): >>23286696 #
2. userbinator ◴[23 May 20 21:34 UTC] No.23286696[source]
I don't have a system to check this on, but Apple seriously named an option "asses"?
replies(1): >>23286730 #
3. abathur ◴[23 May 20 21:37 UTC] No.23286730[source]
Ha, no. I'm the ass, here. Fixed :)