Make IDEasy usable on MacOS with active Gatekeeper #451

Open
hohwille opened this issue Jul 5, 2024 · 5 comments · May be fixed by #453
Labels
blocker enhancement New feature or request macOS specific for Apple MacOS


hohwille commented Jul 5, 2024

On modern macOS devices Gatekeeper is most likely activated to increase security.
As a result, apps downloaded from the Internet cannot be opened without strange quirks.
However, the entire purpose of IDEasy is to download apps from the Internet and allow you to start them.
Therefore, with the macOS Gatekeeper active, IDEasy is currently almost unusable since every app will open a popup like this:
[Image: macos-app-will-damage-your-computer-move-to-trash]
Normal users will not know how to proceed since Cancel will prevent the app from being opened, and Move to trash is even worse: it will delete the app and break the installation that was just created by IDEasy.
There are some security mechanisms implemented in IDEasy that do checksum verification.

Surely the vendors like the Apache Software Foundation could potentially publish a new release of their tool with evil code that will erase your disc or encrypt all your files and ask for ransom. However, open-source software is based on trust and transparency. If a prominent OSS tool would ever do that, it would kill the entire reputation of the tool and the foundation behind it - forever.
Also since we test releases upfront, we hopefully notice and would ban the release from our urls repository so that it does not reach our users.

I just researched the topic and studied this article.

So after reading all the options, I come to the conclusion that we should try to run something like this on the macOS app after the installation:

xattr -d com.apple.quarantine /path-to-app

I am unsure if that operation will work for the entire app or has to be called recursively for every file in the app.

Workaround

Not really the proposed solution, but as a simple workaround users can disable Gatekeeper:

sudo spctl --global-disable

related issues

#452

@hohwille hohwille added the enhancement New feature or request label Jul 5, 2024
@github-project-automation github-project-automation bot moved this to 🆕 New in IDEasy board Jul 5, 2024
@hohwille hohwille moved this from 🆕 New to 📋 Backlog in IDEasy board Jul 5, 2024
@hohwille hohwille added the macOS specific for Apple MacOS label Jul 5, 2024

hohwille commented Jul 5, 2024

Please also note that once the app is whitelisted for gatekeeper in the security settings (see other alternatives in the article) then the app is sealed and cannot be modified anymore. So we cannot copy our ide.software.version file inside.


hohwille commented Jul 5, 2024

java.lang.IllegalStateException: Failed to copy /Users/hohwille/projects/_ide/software/default/intellij/intellij/2024.1.4/.ide.software.version to /Users/hohwille/projects/_ide/software/default/intellij/intellij/2024.1.4/IntelliJ IDEA CE.app/Contents/MacOS/.ide.software.version
	at com.devonfw.tools.ide.io.FileAccessImpl.copy(FileAccessImpl.java:317)
	at com.devonfw.tools.ide.tool.LocalToolCommandlet.createToolInstallation(LocalToolCommandlet.java:295)
	at com.devonfw.tools.ide.tool.LocalToolCommandlet.createToolInstallation(LocalToolCommandlet.java:302)
	at com.devonfw.tools.ide.tool.LocalToolCommandlet.installInRepo(LocalToolCommandlet.java:165)
	at com.devonfw.tools.ide.tool.LocalToolCommandlet.installInRepo(LocalToolCommandlet.java:133)
	at com.devonfw.tools.ide.tool.LocalToolCommandlet.installInRepo(LocalToolCommandlet.java:120)
	at com.devonfw.tools.ide.tool.LocalToolCommandlet.doInstall(LocalToolCommandlet.java:77)
	at com.devonfw.tools.ide.tool.ide.IdeToolCommandlet.doInstall(IdeToolCommandlet.java:141)
	at com.devonfw.tools.ide.tool.ToolCommandlet.install(ToolCommandlet.java:186)
	at com.devonfw.tools.ide.tool.intellij.Intellij.install(Intellij.java:64)
	at com.devonfw.tools.ide.tool.intellij.Intellij.runTool(Intellij.java:42)
	at com.devonfw.tools.ide.tool.ide.IdeToolCommandlet.runIde(IdeToolCommandlet.java:211)
	at com.devonfw.tools.ide.tool.ide.IdeToolCommandlet.run(IdeToolCommandlet.java:201)
	at com.devonfw.tools.ide.context.AbstractIdeContext.applyAndRun(AbstractIdeContext.java:905)
	at com.devonfw.tools.ide.context.AbstractIdeContext.run(AbstractIdeContext.java:854)
	at com.devonfw.tools.ide.cli.Ideasy.runOrThrow(Ideasy.java:92)
	at com.devonfw.tools.ide.cli.Ideasy.run(Ideasy.java:52)
	at com.devonfw.tools.ide.cli.Ideasy.main(Ideasy.java:28)
	at org.codehaus.mojo.exec.ExecJavaMojo$1.run(ExecJavaMojo.java:279)
	at java.base/java.lang.Thread.run(Thread.java:840)
Caused by: java.nio.file.FileSystemException: /Users/hohwille/projects/_ide/software/default/intellij/intellij/2024.1.4/IntelliJ IDEA CE.app/Contents/MacOS/.ide.software.version: Operation not permitted
	at java.base/sun.nio.fs.UnixException.translateToIOException(UnixException.java:100)
	at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:106)
	at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:111)
	at java.base/sun.nio.fs.UnixCopyFile.copyFile(UnixCopyFile.java:246)
	at java.base/sun.nio.fs.UnixCopyFile.copy(UnixCopyFile.java:603)
	at java.base/sun.nio.fs.UnixFileSystemProvider.copy(UnixFileSystemProvider.java:257)
	at java.base/java.nio.file.Files.copy(Files.java:1305)
	at com.devonfw.tools.ide.io.FileAccessImpl.copyRecursive(FileAccessImpl.java:337)
	at com.devonfw.tools.ide.io.FileAccessImpl.copy(FileAccessImpl.java:315)
	... 19 more


hohwille commented Jul 6, 2024

The problem with Apple is that they publish updates and do significant breaking changes without caring about open-source ecosystems and non-Apple-native developers. I fully agree that security is a very important issue and that you sometimes need to do breaking changes to avoid legacy flaws blocking future development, but Apple seems to be the absolute opposite of Microsoft and just keeps their narrow-minded monopoly running, ignoring the rest of the world. Sorry for the harsh words, but to make clear points I tend to use strong words... After all, they are rendering months if not years of open-source developer work void overnight. That is a very frustrating experience since we have been trying very hard to support MacOS for many years now and frequently get a hard time with that.

hohwille added a commit to hohwille/IDEasy that referenced this issue Jul 6, 2024
hohwille added a commit to hohwille/IDEasy that referenced this issue Jul 6, 2024
hohwille added a commit to hohwille/IDEasy that referenced this issue Jul 6, 2024
@hohwille hohwille linked a pull request Jul 6, 2024 that will close this issue

jan-vcapgemini added a commit to hohwille/IDEasy that referenced this issue Jul 26, 2024
@hohwille hohwille moved this from 📋 Backlog to 🆕 New in IDEasy board Aug 13, 2024

List of tools and their Gatekeeper status:
