Make IDEasy usable on MacOS with active Gatekeeper #451

hohwille · 2024-07-05T21:54:50Z

On modern MacOS devices gatekeeper is most likely activated to increase security.
As a result apps downloaded from the Internet, cannot be opened without strange quirks.
However, the entire purpose of IDEasy is to download apps from the internet and allow you to start them.
Therefore, with the MacOS gatekeeper active currently IDEasy is almost not usable since every app will open a popup like this:

Normal users will not know how to proceed since Cancel will prevent that the app is opened and Move to trash is even worse and will delete the app and break the installation that was just created by IDEasy.
There are some security mechanisms implemented in IDEasy that do checksum verification.

Surely the vendors like the apache software foundation could potentially publish a new release of their tool with evil code that will erase your disc or encrypt all your files and ask for ransom. However, open-source software is based on trust and transparency. If a prominent OSS tool would ever do that it will kill its entire reputation for the tool and the foundation behind it - forever.
Also since we test releases upfront, we hopefully notice and would ban the release from our urls repository so that it does not reach our users.

I just researched the topic and studied this article.

So after reading all the options, I come to conclusion that we should try to run something like this on the macos app after the installation:

xattr -d com.apple.quarantine /path-to-app

I am unsure if that operation will work for the entire app or has to be called recursively for every file in the app.

Workaround

Not really the proposed solution but as a simple workaround users can disable gatekeeper:

sudo spctl --global-disable

related issues

#452

The text was updated successfully, but these errors were encountered:

hohwille · 2024-07-05T21:58:26Z

Please also note that once the app is whitelisted for gatekeeper in the security settings (see other alternatives in the article) then the app is sealed and cannot be modified anymore. So we cannot copy our ide.software.version file inside.

hohwille · 2024-07-05T22:01:02Z

java.lang.IllegalStateException: Failed to copy /Users/hohwille/projects/_ide/software/default/intellij/intellij/2024.1.4/.ide.software.version to /Users/hohwille/projects/_ide/software/default/intellij/intellij/2024.1.4/IntelliJ IDEA CE.app/Contents/MacOS/.ide.software.version
	at com.devonfw.tools.ide.io.FileAccessImpl.copy(FileAccessImpl.java:317)
	at com.devonfw.tools.ide.tool.LocalToolCommandlet.createToolInstallation(LocalToolCommandlet.java:295)
	at com.devonfw.tools.ide.tool.LocalToolCommandlet.createToolInstallation(LocalToolCommandlet.java:302)
	at com.devonfw.tools.ide.tool.LocalToolCommandlet.installInRepo(LocalToolCommandlet.java:165)
	at com.devonfw.tools.ide.tool.LocalToolCommandlet.installInRepo(LocalToolCommandlet.java:133)
	at com.devonfw.tools.ide.tool.LocalToolCommandlet.installInRepo(LocalToolCommandlet.java:120)
	at com.devonfw.tools.ide.tool.LocalToolCommandlet.doInstall(LocalToolCommandlet.java:77)
	at com.devonfw.tools.ide.tool.ide.IdeToolCommandlet.doInstall(IdeToolCommandlet.java:141)
	at com.devonfw.tools.ide.tool.ToolCommandlet.install(ToolCommandlet.java:186)
	at com.devonfw.tools.ide.tool.intellij.Intellij.install(Intellij.java:64)
	at com.devonfw.tools.ide.tool.intellij.Intellij.runTool(Intellij.java:42)
	at com.devonfw.tools.ide.tool.ide.IdeToolCommandlet.runIde(IdeToolCommandlet.java:211)
	at com.devonfw.tools.ide.tool.ide.IdeToolCommandlet.run(IdeToolCommandlet.java:201)
	at com.devonfw.tools.ide.context.AbstractIdeContext.applyAndRun(AbstractIdeContext.java:905)
	at com.devonfw.tools.ide.context.AbstractIdeContext.run(AbstractIdeContext.java:854)
	at com.devonfw.tools.ide.cli.Ideasy.runOrThrow(Ideasy.java:92)
	at com.devonfw.tools.ide.cli.Ideasy.run(Ideasy.java:52)
	at com.devonfw.tools.ide.cli.Ideasy.main(Ideasy.java:28)
	at org.codehaus.mojo.exec.ExecJavaMojo$1.run(ExecJavaMojo.java:279)
	at java.base/java.lang.Thread.run(Thread.java:840)
Caused by: java.nio.file.FileSystemException: /Users/hohwille/projects/_ide/software/default/intellij/intellij/2024.1.4/IntelliJ IDEA CE.app/Contents/MacOS/.ide.software.version: Operation not permitted
	at java.base/sun.nio.fs.UnixException.translateToIOException(UnixException.java:100)
	at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:106)
	at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:111)
	at java.base/sun.nio.fs.UnixCopyFile.copyFile(UnixCopyFile.java:246)
	at java.base/sun.nio.fs.UnixCopyFile.copy(UnixCopyFile.java:603)
	at java.base/sun.nio.fs.UnixFileSystemProvider.copy(UnixFileSystemProvider.java:257)
	at java.base/java.nio.file.Files.copy(Files.java:1305)
	at com.devonfw.tools.ide.io.FileAccessImpl.copyRecursive(FileAccessImpl.java:337)
	at com.devonfw.tools.ide.io.FileAccessImpl.copy(FileAccessImpl.java:315)
	... 19 more

hohwille · 2024-07-06T11:23:54Z

The problem with Apple is that they publish updates and do significant breaking changes without caring about open-source ecosystems and non-apple-native developers. While I fully agree that security is a very imporant issue and that you sometimes need to do breaking changes to avoid legacy flaws blocking future development but Apple seems to be the absolute opposite of Microsoft and just keep their narrow-minded monopoly running ignoring the rest of the world. Sorry, for the harsh words, but to make clear points I tend to use strong words... After all they are rendering months if not years of open-source developer work void over night. That is a very frustrating experience since we are trying very hard to support MacOS over many years now and frequently get a hard time with that.

hohwille · 2024-07-12T09:48:12Z

https://disable-gatekeeper.github.io/

hohwille added the enhancement New feature or request label Jul 5, 2024

github-project-automation bot added this to IDEasy board Jul 5, 2024

github-project-automation bot moved this to 🆕 New in IDEasy board Jul 5, 2024

hohwille moved this from 🆕 New to 📋 Backlog in IDEasy board Jul 5, 2024

hohwille added the macOS specific for Apple MacOS label Jul 5, 2024

hohwille mentioned this issue Jul 6, 2024

FileAccessImplTest fails on MacOS with gatekeeper #452

Closed

hohwille added the blocker label Jul 6, 2024

hohwille added a commit to hohwille/IDEasy that referenced this issue Jul 6, 2024

devonfw#451: fixes and improvements for installation

9629ab4

hohwille added a commit to hohwille/IDEasy that referenced this issue Jul 6, 2024

devonfw#451: improve version resolution and error handling

124a804

hohwille added a commit to hohwille/IDEasy that referenced this issue Jul 6, 2024

devonfw#451: fixed EditionSetCommandletTest

52daa78

hohwille linked a pull request Jul 6, 2024 that will close this issue

#451: mac gatekeeper #453

Draft

jan-vcapgemini added a commit to hohwille/IDEasy that referenced this issue Jul 26, 2024

devonfw#451: fixed merge issues

a6cbea6

hohwille moved this from 📋 Backlog to 🆕 New in IDEasy board Aug 13, 2024

hohwille mentioned this issue Nov 22, 2024

Setup not working properly on Mac (and zsh) #795

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Make IDEasy usable on MacOS with active Gatekeeper #451

Make IDEasy usable on MacOS with active Gatekeeper #451

hohwille commented Jul 5, 2024 •

edited

Loading

hohwille commented Jul 5, 2024

hohwille commented Jul 5, 2024

hohwille commented Jul 6, 2024 •

edited

Loading

hohwille commented Jul 12, 2024

Make IDEasy usable on MacOS with active Gatekeeper #451

Make IDEasy usable on MacOS with active Gatekeeper #451

Comments

hohwille commented Jul 5, 2024 • edited Loading

Workaround

related issues

hohwille commented Jul 5, 2024

hohwille commented Jul 5, 2024

hohwille commented Jul 6, 2024 • edited Loading

hohwille commented Jul 12, 2024

hohwille commented Jul 5, 2024 •

edited

Loading

hohwille commented Jul 6, 2024 •

edited

Loading