tlpretest question for luatex experts

Richard Koch koch at math.uoregon.edu
Sat Mar 7 04:52:08 CET 2020


Folks,

This year the MacTeX install package will be notarized, and part of that procedure requires that all TeX binaries adopt a "hardened runtime." See "MacTeX-2019, notification, and hardened runtimes", pages 115-118, in TUGBOAT 2019,2.

Hardened runtimes prohibit operations which could lead to security attacks, like accessing location information. But "exceptions" can be requested for each such restriction. These exceptions are automatically granted without human intervention. Until this moment, we only had to request an exception for programs using X11. The exception allows programs to access third party libraries.

Today Herbert Schulz discovered that an unusual luatex program discussed on this list last year no longer works. That short program was provided with a library named foo.so; the tex source called into this library with a 

	\begin{luacode*}
	...
	\end{luacode*}

section.

It turned out that there were two problems. First we received "foo.so" via the internet, so it received a quarantine flag because it was not signed by an Apple Developer. We had to remove the flag using

	xattr -c foo.so

But that was not enough. In 2020, lualatex is a symbolic link to luahbtex, and we now have to claim two exceptions for this binary:

	com.apple.security.cs.disable-library-validation
	com.apple.security.cs.allow-dyld-environment-variables

Apple describes the first as "A Boolean value that indicates whether the app may load plug-ins or frameworks signed by other developers", and this is the exception we had to claim for applications using X11.

Apple describes the second as "A Boolean value that indicates whether the app may be impacted by dyld environment variables, which can be used to inject code into the process."

------------

There are four lua binaries: luahbtex, luajithbtex, luatex, luajittex. 

LuaTeX experts, here are our questions:

	a) Should we claim the same exceptions for all four binaries?

	b) Are there short sample programs we can use to check that the binaries work correctly after the exceptions are applied?

Richard Koch
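An added example, not part of this mail or of MacTeX itself: a small Python check of which of the two exceptions above a signed binary actually claims, run over a constructed sample of the XML that `codesign -d --entitlements :- <binary>` prints, plus the helper that builds the entitlements file handed to `codesign`. Useful for confirming the same answer for each of the four lua binaries after signing.

```python
import plistlib

# The two hardened-runtime exceptions named in the mail and why each matters:
# both relax the code-loading restrictions that the hardened runtime imposes.
HARDENED_RUNTIME_EXCEPTIONS = {
    "com.apple.security.cs.disable-library-validation":
        "may load plug-ins or libraries signed by other developers (or unsigned)",
    "com.apple.security.cs.allow-dyld-environment-variables":
        "honours DYLD_* variables, which can inject code into the process",
}


def claimed_exceptions(entitlements_xml: bytes) -> dict:
    """Return {key: reason} for each known exception set to true in an
    entitlements plist (the output of `codesign -d --entitlements :- binary`)."""
    data = plistlib.loads(entitlements_xml)
    return {key: why for key, why in HARDENED_RUNTIME_EXCEPTIONS.items()
            if data.get(key) is True}


def entitlements_plist(keys) -> bytes:
    """Build the entitlements file passed to
    `codesign --options runtime --entitlements FILE`: each key set to true."""
    return plistlib.dumps({key: True for key in keys})


# Constructed sample: what a luahbtex signed with both exceptions would report.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>com.apple.security.cs.disable-library-validation</key>
  <true/>
  <key>com.apple.security.cs.allow-dyld-environment-variables</key>
  <true/>
</dict>
</plist>
"""

if __name__ == "__main__":
    # Report what the sample binary claims, one line per exception.
    for key, why in claimed_exceptions(SAMPLE_ENTITLEMENTS).items():
        print(f"{key}: {why}")
    # Round-trip: an entitlements file built for just the first exception.
    only_libs = entitlements_plist(["com.apple.security.cs.disable-library-validation"])
    print(sorted(claimed_exceptions(only_libs)))
```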