This would be a major change by Apple and a royal PITA. I hope it is only 
something in the current beta and not in the final release (which I have not 
yet installed).

We can probably sign through OSGEO. But when I looked into signing, it seems 
difficult unless you use Apple XCode. That would be a big step back from the 
current ease of compiling Mac binaries with Conda. When I looked into it 
several years ago, I could not find any clear instructions about how to sign 
code without XCode, although it may be possible.

Michael
_____________________________

C. Michael Barton
Associate Director, School of Complex Adaptive Systems 
(https://scas.asu.edu<https://scas.asu.edu/>)
Professor, School of Human Evolution & Social Change (https://shesc.asu.edu)
Director, Center for Social Dynamics & Complexity (https://complexity.asu.edu)
Arizona State University
Tempe, AZ 85287-2701
USA

Executive Director, Open Modeling Foundation 
(https://openmodelingfoundation.github.io<https://openmodelingfoundation.github.io/>)
Director, Network for Computational Modeling in Social & Ecological Sciences 
(https://comses.net)

personal website: http://www.public.asu.edu/~cmbarton


On Sep 22, 2023, at 10:34 AM, grass-dev-requ...@lists.osgeo.org wrote:

Date: Fri, 22 Sep 2023 17:33:54 +0000
From: Edouard Choini?re <e....@outlook.com<mailto:e....@outlook.com>>
To: Nicklas Larsson <n_lars...@yahoo.com<mailto:n_lars...@yahoo.com>>
Cc: GRASS developers 
<grass-dev@lists.osgeo.org<mailto:grass-dev@lists.osgeo.org>>
Subject: Re: [GRASS-dev] GRASS GIS for Apple Silicon Macs
Message-ID:
<sa1pr12mb73447ec8cde24093c1f2bd14ef...@sa1pr12mb7344.namprd12.prod.outlook.com<mailto:sa1pr12mb73447ec8cde24093c1f2bd14ef...@sa1pr12mb7344.namprd12.prod.outlook.com>>

Content-Type: text/plain; charset="utf-8"

I think I figured out an explanation. I tried to read about CI for macOS, then 
on why there aren?t a lot of CI for macOS (especially Apple Silicon). I also 
couldn?t look into the build infrastructure used for your grass macOS builds 
since they don?t seem to be available on GitHub. Is it local only?

Ok, so now to a possible explanation on why Rosetta 2 is asked to be installed.
It seems that with Apple Silicon, arm64 code needs to be signed (which is new), 
while x86_64 doesn?t, like before. I think it was mentioned in the thread that 
the app might be unsigned. So I suspect that even if a universal binary 
contains arm64 and x86_64 binaries, if it is unable to use the arm64 binary, it 
will try using the intel ones.


<https://urldefense.com/v3/__https://www.sentinelone.com/blog/why-your-macos-edr-solution-shouldnt-be-running-under-rosetta-2/__;!!IKRxdwAv5BmarQ!fsArQT1R77zoM9dYDuSYWa2EDSuZWXHf8RL6ndhUKVFs465WYl5KI24PM-gzQSn-C40Ow3bvU871smBGyyY33dx99byJwmGQB7Q$>
[Apple-Silicon-Rosetta-2-and-the-Challenges-for-Endpoint-Security-7.jpg]
Why Your macOS EDR Solution Shouldn't Be Running Under Rosetta 
2<https://urldefense.com/v3/__https://www.sentinelone.com/blog/why-your-macos-edr-solution-shouldnt-be-running-under-rosetta-2/__;!!IKRxdwAv5BmarQ!fsArQT1R77zoM9dYDuSYWa2EDSuZWXHf8RL6ndhUKVFs465WYl5KI24PM-gzQSn-C40Ow3bvU871smBGyyY33dx99byJwmGQB7Q$>
sentinelone.com<http://sentinelone.com/><https://urldefense.com/v3/__https://www.sentinelone.com/blog/why-your-macos-edr-solution-shouldnt-be-running-under-rosetta-2/__;!!IKRxdwAv5BmarQ!fsArQT1R77zoM9dYDuSYWa2EDSuZWXHf8RL6ndhUKVFs465WYl5KI24PM-gzQSn-C40Ow3bvU871smBGyyY33dx99byJwmGQB7Q$>

In particular, see the part where it says:


That?s because one of the changes Apple brought in with Big 
Sur<https://urldefense.com/v3/__https://www.sentinelone.com/blog/macos-big-sur-has-landed-10-essential-security-tips-you-should-know/__;!!IKRxdwAv5BmarQ!fsArQT1R77zoM9dYDuSYWa2EDSuZWXHf8RL6ndhUKVFs465WYl5KI24PM-gzQSn-C40Ow3bvU871smBGyyY33dx99byJLjqv1E8$
 > that only applies to Apple silicon Macs is that native arm64 code cannot 
execute on an M1 Mac unless it has a valid code signature.

An Apple silicon Mac doesn?t permit native arm64 code execution under any 
conditions unless a valid signature is attached. Translated x86_64 code, 
however, is not subject to this 
restriction<https://urldefense.com/v3/__https://support.apple.com/guide/security/rosetta-2-on-a-mac-with-apple-silicon-secebb113be1/web__;!!IKRxdwAv5BmarQ!fsArQT1R77zoM9dYDuSYWa2EDSuZWXHf8RL6ndhUKVFs465WYl5KI24PM-gzQSn-C40Ow3bvU871smBGyyY33dx99byJR3pAVfc$
 >: translated x86_64 code is permitted to execute through Rosetta with no 
signature information at all.



There?s also that thread that was linked to from my reading some Reddit threads 
(like 
https://urldefense.com/v3/__https://www.reddit.com/r/programming/comments/15njgdc/apple_doesnt_want_you_developing_hobby_apps/jvmvxv6/__;!!IKRxdwAv5BmarQ!fsArQT1R77zoM9dYDuSYWa2EDSuZWXHf8RL6ndhUKVFs465WYl5KI24PM-gzQSn-C40Ow3bvU871smBGyyY33dx99byJuQeo8wU$<https://urldefense.com/v3/__https://www.reddit.com/r/programming/comments/15njgdc/apple_doesnt_want_you_developing_hobby_apps/jvmvxv6/?utm_source=share&utm_medium=mweb3x&utm_name=mweb3xcss&utm_term=1&utm_content=share_button__;!!IKRxdwAv5BmarQ!fsArQT1R77zoM9dYDuSYWa2EDSuZWXHf8RL6ndhUKVFs465WYl5KI24PM-gzQSn-C40Ow3bvU871smBGyyY33dx99byJe85GbbA$
 >, was useful if you ignore the purely Reddit-like comments)

<https://urldefense.com/v3/__https://github.com/Homebrew/brew/issues/9082__;!!IKRxdwAv5BmarQ!fsArQT1R77zoM9dYDuSYWa2EDSuZWXHf8RL6ndhUKVFs465WYl5KI24PM-gzQSn-C40Ow3bvU871smBGyyY33dx99byJqX03vPY$
 >
[9082.png]
Codesigning on macOS 11 on Apple Silicon ? Issue #9082 ? 
Homebrew/brew<https://urldefense.com/v3/__https://github.com/Homebrew/brew/issues/9082__;!!IKRxdwAv5BmarQ!fsArQT1R77zoM9dYDuSYWa2EDSuZWXHf8RL6ndhUKVFs465WYl5KI24PM-gzQSn-C40Ow3bvU871smBGyyY33dx99byJqX03vPY$
 >
github.com<http://github.com/><https://urldefense.com/v3/__https://github.com/Homebrew/brew/issues/9082__;!!IKRxdwAv5BmarQ!fsArQT1R77zoM9dYDuSYWa2EDSuZWXHf8RL6ndhUKVFs465WYl5KI24PM-gzQSn-C40Ow3bvU871smBGyyY33dx99byJqX03vPY$
 >

These two sources also point to a potential problem with ?ad hoc? signing that 
would have a ?works on my machine? effect, if the executable changes somewhere. 
But the debugging done doesn?t indicate that this is what is happening now from 
the messages received.


I don?t own a macOS computer, nor a macOS computer with Apple Silicon in order 
to do any of the debugging needed to confirm all of this.


Edouard Choini?re


_______________________________________________
grass-dev mailing list
grass-dev@lists.osgeo.org
https://lists.osgeo.org/mailman/listinfo/grass-dev

Reply via email to