Fossil User Forum

MacOS Catalina and digital signature
Login

MacOS Catalina and digital signature

Chronological

MacOS Catalina and digital signature

(1) By anonymous on 2019-10-14 13:23:36 [link] [source]

Unfortunately, after upgrade to MacOS Catalina, fossil stopped working. The new version of MacOS checks digital signatures and refuses to run unsigned software. Are there any plans to sign the binary? Thanks.

(2) By Joel Dueck (joeld) on 2019-10-14 14:15:01 in reply to 1 [link] [source]

Am I correct in assuming you acquired Fossil by downloading it through your web browser? I’m also curious, did you download this particular copy of Fossil after installing/upgrading to Catalina?

I am not on Catalina yet, but from what I understand, you can still run unsigned software. For example, if you compile Fossil on your machine (which is quite easy to do), you will be able to run it with no problem. Also I understand that CLI software installed with homebrew still works with no problems.

If you want to stick with the downloaded binary, try this: locate the binary in Finder, right-click it and click “Open” in the popup menu. When the confirmation dialog appears, click “Open” again. This will clear the quarantine bit set on the program by the browser when Fossil was downloaded, and you only need to do it once.

You might also try the command-line equivalent of the above:

xattr -d com.apple.quarantine PATH/TO/FOSSIL

Here’s a helpful blog post I found with more information: https://eclecticlight.co/2019/10/04/will-gatekeeper-let-me-run-that-app-in-catalina/

(3) By Richard Hipp (drh) on 2019-10-14 15:47:40 in reply to 1 [link] [source]

Joeld's suggestion for turning off the quarantine bit sounds good.

I am also told that you can run this command:

 sudo spctl --master-disable

That command will change the "Security & Privacy" setting dialog box to provide a new "Anywhere" option to the "Allow apps downloaded from:" selection.

(4) By ckennedy on 2019-10-14 16:26:38 in reply to 1 [link] [source]

The issue with Code Signing is the cost of the certificates. DRH would have to purchase a Code Signing Certificate for anywhere from $85/year to $500/year depending on provider and level. For an open source project this is a not-insignificant cost. I don't believe Fossil is set up at this time for donations.

(5) By Richard Hipp (drh) on 2019-10-14 16:56:38 in reply to 1 [link] [source]

I have uploaded a new Fossil 2.10 binary for Mac that is signed (I think). Please, anybody with MacOS 10.15, download this new binary and try it out and report back success or failure here.

The additional build steps have been added to the Release Build How-To wiki page.

(6) By Joel Dueck (joeld) on 2019-10-14 17:14:57 in reply to 5 [link] [source]

Again, I’m not yet on Catalina so I can’t test. But from what I understand, it’s not just signing that Apple is requiring to allow programs to run freely, but notarization. Unless you also follow the new notarization process, I don’t think signing Fossil is going to provide any benefit whatsoever.

(7) By stevel on 2019-10-15 00:03:55 in reply to 5 [source]

It won't run "out of the box" - you get a dialog saying fossil can't be opened because Apple cannot check it for malicious software, and to contact the developer. To avoid this you (or whomever built the binary) needs to request Apple notarize it before distributing it, as per the instructions in Joel's post.

However, you can still use the non-notarized binary. After seeing the dialog go to Settings / General and you'll see the message that "fossil was blocked from use because it is not from an identified developer". Clock on the "Allow Anyway" button and you are done.