Lisp HUG Maillist Archive

Tip to install LispWorks on OS X 10.8

Dear LispWorks users,

OS X 10.8 offers a new security feature named GateKeeper that prevents malicious code from running on the system by doing verifications on the code signing certificate embedded in an application.  The default setting is to authorise Mac App Store and identified developers applications only.  It is also possible to deactivate GateKeeper altogether.

The LispWorks Installer and LispWorks are unfortunately not signed, which is a problem when you want to launch them for the first time.  There is an easy workaround that allows one to keep GateKeeper settings to their default:  Right click (or control-click) on the application you want to launch, and choose Open.  This will bypass GateKeeper for this time only.  Double-clicking or using Command-Down Arrow will still be blocked by GateKeeper, though.

So, if you need to launch the LispWorks installer or if you upgraded your system and don't understand why LispWorks wouldn't launch anymore, the simple solution is to use the Open menu item.  Don't be tempted to bypass GateKeeper, it's not worth the [future] trouble (OS X, as a very fast growing platform, is expected to be the target of more and more malware, like what plagued Microsoft Windows for years).


Best Regards,
Camille

PS: I don't see the lack of code signing for LispWorks as a strong problem as there are workarounds, but something confuses me.  I guess I just wished the LispWorks team would have released an update with code signing before the release of OS X 10.8. Code signing has been around since Mac OS X 10.5 — this was 5 years ago.


_______________________________________________
Lisp Hug - the mailing list for LispWorks users
lisp-hug@lispworks.com
http://www.lispworks.com/support/lisp-hug.html


Re: Tip to install LispWorks on OS X 10.8

On 14 Aug 2012, at 14:58, Camille Troillard wrote:

> PS: I don't see the lack of code signing for LispWorks as a strong problem as there are workarounds, but something confuses me.  I guess I just wished the LispWorks team would have released an update with code signing before the release of OS X 10.8. Code signing has been around since Mac OS X 10.5 — this was 5 years ago.

Given LW is a compiler (or has a compiler, rather) what is it intended to do about code it creates?



Re: Tip to install LispWorks on OS X 10.8

On 14/8/12 at 19:27, tfb@cley.com (Tim Bradshaw) wrote:

>On 14 Aug 2012, at 14:58, Camille Troillard wrote:
>
>>PS: I don't see the lack of code signing for LispWorks as a strong problem as there are workarounds, but something confuses me.  I guess I just wished the LispWorks team would have released an update with code signing before the release of OS X 10.8. Code signing has been around since Mac OS X 10.5 — this was 5 years ago.
>
>Given LW is a compiler (or has a compiler, rather) what is it intended to do about code it creates?

Tim,

It is my understanding that that should not be a problem. The 
same situation pertains to AppleScript, Automator, and others: 
Gatekeeper should apparently tolerate apps that are generated 
locally (even, I think, copied across within a LAN).

It does however look for codesigning in those apps that are 
downloaded or installed from outside, and it would be a great 
help if LispWorks were to follow the convention that Apple's 
Xcode does, and sign itself.

Xcode also gives those with signing authority (i.e. registered 
with Apple) the ability to sign generated apps for distribution 
- I do not know how hard that would be to incorporate into 
LispWorks, but you may be able to do so post hoc using Xcode, perhaps.

Although I agree to an extent with Camille that code signing has 
been around for some years on the Mac, until the release of 
Mountain Lion last month it was not really something that 
developers or users had to worry about.

Howard.


Dr Howard Oakley
Help columnist for MacUser magazine (UK)
http://www.macuser.co.uk/
http://www.ehnoakley.com/





Re: Tip to install LispWorks on OS X 10.8

On 14 Aug 2012, at 20:00, Howard Oakley wrote:

> It is my understanding that that should not be a problem. The same situation pertains to AppleScript, Automator, and others: Gatekeeper should apparently tolerate apps that are generated locally (even, I think, copied across within a LAN).

Assuming it's even possible to sign an application which can execute writable memory (which I very much hope it is not), when I say (ql:quickload ...) pretty much right after installing LW, what comfort is having a signed LW installer getting me, exactly?  Gatekeeper is security theatre in this context.




Re: Tip to install LispWorks on OS X 10.8

On 14/8/12 at 20:38, tfb@cley.com (Tim Bradshaw) wrote:

>On 14 Aug 2012, at 20:00, Howard Oakley wrote:
>
>>It is my understanding that that should not be a problem. The same situation pertains to AppleScript, Automator, and others: Gatekeeper should apparently tolerate apps that are generated locally (even, I think, copied across within a LAN).
>
>Assuming it's even possible to sign an application which can 
>execute writable memory (which I very much hope it is not), 
>when I say (ql:quickload ...) pretty much right after 
>installing LW, what comfort is having a signed LW installer 
>getting me, exactly?  Gatekeeper is security theatre in this context.

Tim,

Could I suggest that you read Apple's developer docs for code 
signing before you declare it to be "security theatre" in any 
context? The Code Signing Guide comes in the 10.8 documentation 
set with Xcode, and is available for separate download.

The point of Gatekeeper is that it assumes that OS X users can 
opt to be treated like adults and do things like create their 
own apps (which will inevitably not be signed). However it is 
intended to provide a very good level of protection from 
malware, which by and large is not generated locally unless you 
have strange hobbies (or evil intent!). Note that code signing 
and Gatekeeper are distinct from the App Sandbox.

The problem with LispWorks is its ability to save an executable 
image, which will mean that any signed original would then lose 
validity of the original signature. However there are mechanisms 
by which that can be tackled - for instance, code signing is not 
intended to determine whether an app loads unsafe or altered 
code in the form of a plug-in or extension. But those are 
issues for LispWorks (the company) to consider, surely - and to 
guide users as to how best to deal with Gatekeeper given any 
changes needed to LispWorks (the product), such as it being signed.

Howard.


Dr Howard Oakley
Help columnist for MacUser magazine (UK)
http://www.macuser.co.uk/
http://www.ehnoakley.com/





Re: Tip to install LispWorks on OS X 10.8

On 14 Aug 2012, at 21:26, Howard Oakley wrote:

> Could I suggest that you read Apple's developer docs for code signing before you declare it to be "security theatre" in any context? The Code Signing Guide comes in the 10.8 documentation set with Xcode, and is available for separate download.

OK, so since you clearly know so much about this, perhaps you could explain exactly what sense code signing would be useful (would buy you any security at all as opposed to a false impression of such) for a Common Lisp IDE?  (Note: *not* an end-user application written using a Lisp IDE, but an IDE).



Re: Tip to install LispWorks on OS X 10.8

On 14/8/12 at 22:40, tfb@cley.com (Tim Bradshaw) wrote:

>On 14 Aug 2012, at 21:26, Howard Oakley wrote:
>
>>Could I suggest that you read Apple's developer docs for code signing before you declare it to be "security theatre" in any context? The Code Signing Guide comes in the 10.8 documentation set with Xcode, and is available for separate download.
>
>OK, so since you clearly know so much about this, perhaps you 
>could explain exactly what sense code signing would be useful 
>(would buy you any security at all as opposed to a false 
>impression of such) for a Common Lisp IDE?  (Note: *not* an 
>end-user application written using a Lisp IDE, but an IDE).

Tim,

You make an unjustified assertion. All I have done is pointed 
you in the direction of Apple's documentation.

How do you consider that code signing a CL IDE is just "security theatre"?

(And please avoid ad hominems, sarcasm, etc.)

Howard.


Dr Howard Oakley
Help columnist for MacUser magazine (UK)
http://www.macuser.co.uk/
http://www.ehnoakley.com/





Re: Tip to install LispWorks on OS X 10.8

Hi all,

I have not yet installed Mountain Lion on any computers here, knowing that I would likely face issues for legacy software. 

But what I have found so far on Lion and Snow Leopard is that our audio plugins need to be code-signed (mandatory for Lion), but that there is nothing standing in the way of fork / exec loading of additional components nor of dynamic libraries which are not signed.

We have adopted the protocol of building skeleton AU Plugins in C++, then code signing these. Our binary obfuscation tools from Arxan Corp. modify the structure of compiled C++ signal processing core dynlibs to the extent that they cannot be code signed by Apple's tools. And neither can our compiled Lisp crypto/loader modules. 

I'm no whiz on Apple's programming extensions in Cocoa, but I'm an old Unix person. And while some other fancy method might exist for a 32-bit Cocoa C program to load and execute a 64-bit compiled binary, I just fell back to using what I knew, which was fork / exec. That works just fine under Lion, once the code-signed skeleton code has been loaded by OS X.

Our rather convoluted (intentionally) loading procedure has:

Cocoa skeleton AU Plugin (32 bit / code-signed) --> obfuscated C launcher lib (32-bit, does fork / exec) --> compiled 64-bit LW crypto and loader --> obfuscated 32-bit C signal processing library.

Dr. David McClain
dbm@refined-audiometrics.com



Re: Tip to install LispWorks on OS X 10.8


On 15 Aug 2012, at 10:02, Howard Oakley wrote:

> You make an unjustified assertion. All I have done is pointed you in the direction of Apple's documentation.

It might help to know that I've written code-signing tools. Sorry I should perhaps have pointed that out: I didn't because they were in a rather different context (not binaries) and were never adopted (for non-technical reasons).

> 
> How do you consider that code signing a CL IDE is just "security theatre"?

I wrote a long thing on this, but I suspect people are not really interested.

To be useful to users code-signing has two possible roles:

(1) it should warrant that the thing you are running is what it says it is.

(2) it should warrant that the thing you are running is not dangerous.

The former is pretty easy to do.  The latter is, in the general case, not even possible: the best that can be hoped for is that the thing is not "detectably dangerous", where the detection might be done partly by a human and partly by a machine (obviously you can tie things down far enough so "detectably dangerous" and "dangerous" are the same thing, but you typically can't get any useful work done on those platforms).

So here's the thing: Lisp development environments, as they generally exist, *are dangerous*: it should be pretty obvious that a Lisp development environment is a far less safe thing than, say, a C compiler.  That's just an awkward truth.

That being the case, a tool which purports to warn you about dangerous things should warn you about Lisp development environments.  Not doing so would be giving the impression of security but not actually providing any: there is a phrase for things that do that.

Now, fortunately, a native-code Lisp development environment is also generally detectably dangerous, because it must have memory which is both writable and executable, and that is detectable.  A code-signing tool should, at minimum, flag something like this.

There is an awkward problem with non-native-code Lisps: they are generally pretty much as dangerous as native-code ones but detection may not be so straightforward.

In fact, someone pointed out to me in an off-list message that it's not even possible to sign a binary which modifies its TEXT segment on OSX.  If I interpret that as meaning more generally "has memory pages which are both writable and executable" (which is a slightly stronger constraint since it includes stack pages and so on) then a native-code in-core compiler, such as LW, presumably can not be signed at all.

That's all I have to say on this.

--tim
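
[Added example, not part of the thread or of any poster's message: a static check for the property the message above calls detectable, a Mach-O segment whose initial protection is both writable and executable. It reads only the declared LC_SEGMENT_64 protections of a thin 64-bit little-endian file, so memory made writable and executable at run time is outside what it sees; the sample binary and the segment name __HEAP are constructed for illustration.]

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF          # thin 64-bit little-endian Mach-O
LC_SEGMENT_64 = 0x19
VM_PROT_WRITE, VM_PROT_EXECUTE = 0x2, 0x4
WX = VM_PROT_WRITE | VM_PROT_EXECUTE

def wx_segments(data):
    """Return [(segname, maxprot, initprot)] for segments mapped W+X at load.

    Only initprot is tested: maxprot is the ceiling a later mprotect may
    reach, and it is reported alongside for context.
    """
    if len(data) < 32:
        raise ValueError("too short for a mach_header_64")
    magic, _, _, _, ncmds, sizeofcmds, _, _ = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a thin 64-bit little-endian Mach-O")
    end = 32 + sizeofcmds
    if end > len(data):
        raise ValueError("load commands run past end of file")
    hits, off = [], 32
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("truncated load command")
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("bad cmdsize")
        if cmd == LC_SEGMENT_64:
            if cmdsize < 72:
                raise ValueError("short LC_SEGMENT_64")
            name = data[off + 8:off + 24].split(b"\0", 1)[0].decode("ascii", "replace")
            maxprot, initprot = struct.unpack_from("<2I", data, off + 56)
            if initprot & WX == WX:
                hits.append((name, maxprot, initprot))
        off += cmdsize
    return hits

def _segment(name, maxprot, initprot):
    # Constructed sample: one LC_SEGMENT_64 (72 bytes) with no sections.
    return struct.pack("<2I16s4Q4I", LC_SEGMENT_64, 72, name,
                       0, 0x1000, 0, 0, maxprot, initprot, 0, 0)

def _macho(*segments):
    # Constructed sample header: x86_64 cputype, MH_EXECUTE filetype.
    cmds = b"".join(segments)
    return struct.pack("<8I", MH_MAGIC_64, 0x01000007, 3, 2,
                       len(segments), len(cmds), 0, 0) + cmds

# Constructed input; "__HEAP" is a hypothetical name for a W+X segment.
SAMPLE = _macho(_segment(b"__TEXT", 7, 5), _segment(b"__DATA", 7, 3),
                _segment(b"__HEAP", 7, 7))
```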



Re: Tip to install LispWorks on OS X 10.8

On 16/8/12 at 09:05, tfb@cley.com (Tim Bradshaw) wrote:

[snip]
>That's all I have to say on this.

Tim,

I think that you have established that your views on code 
signing are different from those of Apple. However as you wish 
to proceed by declaration rather than by discussion, that 
doesn't really get anyone any further, IMHO.

Howard.


Dr Howard Oakley
Help columnist for MacUser magazine (UK)
http://www.macuser.co.uk/
http://www.ehnoakley.com/





Re: Tip to install LispWorks on OS X 10.8

On 16 Aug 2012, at 12:58, Howard Oakley wrote:

> I think that you have established that your views on code signing are different from those of Apple. However as you wish to proceed by declaration rather than by discussion, that doesn't really get anyone any further, IMHO.

For what it's worth, my point was that I think having a long discussion which would be mostly about either general Lisp environment safety or, more likely, Apple's code-signing rules and why you might not want to trust them (and probably would rapidly deteriorate from there) *on lisp-hug* would be rude to the LW people, who provide this list as a service to us, as well as to other list subscribers whose interest might be in hearing about LW.  I'd be happy to have such a discussion on some other forum (albeit I hardly use any – reddit perhaps), but I already feel uncomfortable about the amount I have written here.

--tim



Updated at: 2020-12-10 08:36 UTC