Call for testing: TeX Collection 2019

Manfred Lotz manfred at dante.de
Sun Apr 14 22:37:45 CEST 2019


Dick,
Thanks for the detailed description. 

I too think we should stick with the current contents of the DVD.

Nevertheless, I would be happy if you could provide a short document
to tell how to fix the problem. I easily can add it to the current DVD.
My scripts are prepared for last minute changes like this.


Best, Manfred


On Sun, 14 Apr 2019 12:36:39 -0700
Richard Koch <koch at uoregon.edu> wrote:

> Manfred,
> 
> I'm very sorry to report that there is indeed a problem, but only on
> Mojave. This problem is my fault, or else Apple's fault for springing
> this on us at the last moment.
> 
> I'll describe the problem in a moment. I don't want to hold up the
> production of the DVD, and I believe that there are two possible
> solutions and we should choose between them.
> 
> 	a) Stick with the current contents of the DVD (which I lean
> to)
> 
> 	b) Retreat to the original iso file we supplied. Do you have
> that file, or should I upload it again?
> 
> I'll also raise this question in the MacTeX mailing list. I think you
> should proceed on the assumption that we stick with the current DVD.
> 
> The problem occurred when I tried to typeset on Mojave with latex -->
> dvips --> ghostscript.
> 
> -----------------------
> 
> PROBLEM: When flat install packages are signed and notarized, the
> apps and command line programs in the package must also be signed and
> notarized. Signing causes no problems, but before an app or program
> is notarized, it must adopt a "hardened runtime." The problem lies in
> that "hardened runtime."
> 
> In the new MacTeX, only three pieces adopted a hardened runtime:
> TeXShop, gs-X11, and gs-noX11. TeXShop has used a hardened runtime
> for several months with no reported problems. So we focus on gs-X11
> and gs-noX11. 
> 
> When running with a hardened runtime, an application is not allowed
> to do certain tasks unless it has requested an exception for that
> task. TeXShop requests just one exception, to run AppleScript. I
> didn't ask for any exceptions for ghostscript. 
> 
> I'll give the full list of exceptions below for any reader who is
> interested. Here is the key one:
> 
> 	Disable Library Validation Entitlement
> 	A Boolean value that indicates whether the app may load
> 	plug-ins or frameworks signed by other developers.
> 	Key: com.apple.security.cs.disable-library-validation
> 
> Now obviously both TeXShop and ghostscript are going to load certain
> Apple libraries. This is about third-party libraries. When I create
> TeX binaries, I disable /usr/local, so almost all third party
> libraries cannot be involved. BUT: X11 is no longer provided by
> Apple, who turned over maintenance to a third party. And we do
> activate X11 for gs-X11 and for all TeX binaries.
> 
> In my test on Sierra, ghostscript gs-X11 worked because Sierra isn't
> enforcing hardened runtime. But on Mojave, gs-X11 failed because
> Mojave is enforcing them.
> 
> In the Mac installation, gs is a symbolic link to either gs-X11 or
> gs-noX11 depending on whether the user has installed X11 before
> installing Ghostscript. So on Mojave I switched the link to point to
> gs-noX11 and then typesetting as above worked. So the only problem
> with Ghostscript is that it doesn't work with X11.
> 
> -------------------------
> 
> Incidentally, if you are worried about TeX binaries running into this
> problem, don't, because the Unix install script handles those (and I
> certainly don't sign or require hardened runtime when compiling them).
> 
> -------------------------
> 
> If you keep the DVD as it is now, the only problem will be that users
> updating Ghostscript AND running Mojave will run into a problem: if
> they already installed X11, then their new Ghostscript will not work.
> This can be easily fixed in two different ways. First, they can just
> change the link, or they can reinstall Ghostscript from my web site. 
> 
> If you revert the DVD back, there will not be problems until the next
> operating system is released in the fall, and then all of our install
> packages will fail. Maybe Apple's current workaround will continue to
> work, but I think it would be unprofessional of us to say on our web
> site "Here's how to work around Apple's security barriers." We don't
> know for sure that there will be a workaround.
> 
> There is one other possibility. I could add a one page document to
> the install directory explaining how to fix the Ghostscript problem
> if users run into it. I'll provide that in a new iso if you wish. But
> at this stage of the game, maybe it is better to leave the DVD alone
> so others will continue testing.
> 
> Dick Koch
> 
> ------------
> 
> Here is the full list of exceptions:
> 
> RUNTIME Exceptions
> 
> Allow Execution of JIT-compiled Code Entitlement
> A Boolean value that indicates whether the app may create writable
> and executable memory using the MAP_JIT flag.
> Key: com.apple.security.cs.allow-jit
> 
> Allow Unsigned Executable Memory Entitlement
> A Boolean value that indicates whether the app may create writable
> and executable memory without using the MAP_JIT flag.
> Key: com.apple.security.cs.allow-unsigned-executable-memory
> 
> Allow DYLD Environment Variables Entitlement
> A Boolean value that indicates whether the app may be impacted by
> dyld environment variables, which can be used to inject code into
> the process.
> Key: com.apple.security.cs.allow-dyld-environment-variables
> 
> Disable Library Validation Entitlement
> A Boolean value that indicates whether the app may load plug-ins or
> frameworks signed by other developers.
> Key: com.apple.security.cs.disable-library-validation
> 
> Disable Executable Memory Protection Entitlement
> A Boolean value that indicates whether to disable code signing
> protections while launching the app.
> Key: com.apple.security.cs.disable-executable-page-protection
> 
> Debugging Tool Entitlement
> A Boolean value that indicates whether the app is a debugger and may
> attach to other processes or get task ports.
> Key: com.apple.security.cs.debugger
> 
> 
> RESOURCE Access
> 
> Audio Input Entitlement
> A Boolean value that indicates whether the app may record audio using
> the built-in microphone and access audio input using Core Audio.
> Key: com.apple.security.device.audio-input
> 
> Camera Entitlement
> A Boolean value that indicates whether the app may capture movies and
> still images using the built-in camera.
> Key: com.apple.security.device.camera
> 
> Location Entitlement
> A Boolean value that indicates whether the app may access location
> information from Location Services.
> Key: com.apple.security.personal-information.location
> 
> Address Book Entitlement
> A Boolean value that indicates whether the app may have read-write
> access to contacts in the user's address book.
> Key: com.apple.security.personal-information.addressbook
> 
> Calendars Entitlement
> A Boolean value that indicates whether the app may have read-write
> access to the user's calendar.
> Key: com.apple.security.personal-information.calendars
> 
> Photos Library Entitlement
> A Boolean value that indicates whether the app may have read-write
> access to the user's Photos library.
> Key: com.apple.security.personal-information.photos-library
> 
> Apple Events Entitlement
> A Boolean value that indicates whether the app may send Apple Events
> to other apps.
> Key: com.apple.security.automation.apple-events
> 
> 
> 
> 
> 
> 
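As an added example (not part of Dick's or Manfred's messages, and not MacTeX's own packaging scripts): a small POSIX shell audit for the situation the quoted message describes. It reads an entitlements plist of the kind that `codesign -d --entitlements :- <path>` prints on macOS for a signed binary, lists every entitlement set to true, reports whether the Disable Library Validation exception is present (the one a hardened-runtime `gs-X11` needs before it can load the third-party X11 libraries), and shows which Ghostscript variant a `gs` symlink currently selects. The plist text and the temporary symlink are constructed for this example; the function names are my own.

```shell
#!/bin/sh
# Added example: audit hardened-runtime exceptions from an entitlements plist
# and check which ghostscript variant the gs symlink points at.

# Constructed sample plist (not taken from any real MacTeX binary). On macOS
# the same XML comes from:  codesign -d --entitlements :- /path/to/gs-X11
SAMPLE_ENTITLEMENTS='<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
    <key>com.apple.security.automation.apple-events</key>
    <true/>
    <key>com.apple.security.cs.allow-jit</key>
    <false/>
</dict>
</plist>'

# Print, one per line, every entitlement key whose value is <true/>.
# Reads the plist from stdin, so it accepts codesign output or a saved file.
enabled_entitlements() {
    awk '
        /<key>/ {                       # remember the key on this line
            k = $0
            sub(/^[[:space:]]*<key>/, "", k)
            sub(/<\/key>.*$/, "", k)
            next
        }
        /<true\/>/ && k != "" { print k; k = ""; next }   # key is enabled
        { k = "" }                      # <false/>, <dict>, blank: drop key
    '
}

# Exit 0 if the plist on stdin carries the Disable Library Validation
# exception, 1 otherwise. Without it a hardened-runtime process will refuse
# dylibs signed by another developer (the X11 libraries in the thread).
disables_library_validation() {
    enabled_entitlements | grep -qx 'com.apple.security.cs.disable-library-validation'
}

# Print the basename of the target a gs symlink resolves to (gs-X11 or
# gs-noX11 in the MacTeX layout); non-symlinks are reported and fail.
gs_variant() {
    link="$1"
    if [ -L "$link" ]; then
        basename "$(readlink "$link")"
    else
        echo "not-a-symlink"
        return 1
    fi
}

# Stand-alone demo on the constructed plist.
printf '%s\n' "$SAMPLE_ENTITLEMENTS" | enabled_entitlements
if printf '%s\n' "$SAMPLE_ENTITLEMENTS" | disables_library_validation; then
    echo "library validation disabled: third-party dylibs (e.g. X11) may load"
else
    echo "library validation enforced: only Apple/same-team dylibs may load"
fi
```

Run against a real binary on macOS by replacing the `printf` with `codesign -d --entitlements :- /usr/local/bin/gs-X11 2>/dev/null`; a tool that links X11 but shows no `disable-library-validation` line is the failure mode the message describes, and `gs_variant /usr/local/bin/gs` tells you whether the symlink currently avoids it.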