cockroachdb / cockroach

CockroachDB — the cloud native, distributed SQL database designed for high availability, effortless scale, and control over data placement.
https://www.cockroachlabs.com

“libgeos_c.dylib” cannot be opened because the developer cannot be verified. #91573

Open conradwt opened 1 year ago

conradwt commented 1 year ago

Describe the problem

Please describe the issue you observed, and any steps we can take to reproduce it:

When executing the cockroach demo as part of verifying the installation, I received a warning dialog that the developer couldn't be verified. I'm guessing that the files with the release were not notarized.

To Reproduce

What did you do? Describe in your own words.

If possible, provide steps to reproduce the behavior:

  1. curl https://binaries.cockroachdb.com/cockroach-v22.2.0-rc.1.darwin-11.0-aarch64.tgz | tar -xJ && cp -i cockroach-v22.2.0-rc.1.darwin-11.0-aarch64/cockroach /usr/local/bin/
  2. mkdir -p /usr/local/lib/cockroach
  3. cp -i cockroach-v22.2.0-rc.1.darwin-11.0-aarch64/lib/libgeos.dylib /usr/local/lib/cockroach/
  4. cp -i cockroach-v22.2.0-rc.1.darwin-11.0-aarch64/lib/libgeos_c.dylib /usr/local/lib/cockroach/
  5. cockroach demo


Note: I was able to get past this step by changing the file ownership:

sudo chown -R $USER /usr/local/lib/cockroach 
sudo chown $USER /usr/local/bin/cockroach
  1. cockroach demo

Note: Next, I needed to respond to several dialogs to provide permission for the app to load via System Preferences -> Security & Privacy -> Allow.

Expected behavior

I would expect to get past this step (i.e. cockroach demo) without receiving any warning dialogs from macOS. Also, I would expect to not have to change any file ownership here.

Additional data / screenshots

If applicable, add screenshots to help explain your problem.

Environment:

Additional context

N/A

Jira issue: CRDB-21324

blathers-crl[bot] commented 1 year ago

Hello, I am Blathers. I am here to help you get the issue triaged.

Hoot - a bug! Though bugs are the bane of my existence, rest assured the wretched thing will get the best of care here.

I was unable to automatically find someone to ping.

If we have not gotten back to your issue within a few business days, you can try the following:

:owl: Hoot! I am a Blathers, a bot for CockroachDB. My owner is otan.

blathers-crl[bot] commented 1 year ago

Hi @celiala, please add branch-* labels to identify which branch(es) this release-blocker affects.


rail commented 1 year ago

@conradwt, looks like there is a workaround.

When the archive is downloaded using a browser, macOS adds a special attribute to the downloaded file and it's inherited even after you unpack the tarball.

To work around this limitation, you need to remove the added attribute by running the following command:

xattr -d com.apple.quarantine lib/libgeos*

After it's applied, you can try running cockroach demo again.

Can you verify if it works for you?
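
Before deleting the attribute as suggested above, it can be inspected to see which extracted files carry it and which application set it. The following is an added example, not part of the original thread or CockroachDB's code; it assumes the commonly observed `flags;timestamp;agent;event-UUID` value layout (not formally documented by Apple), and the sample value is constructed.

```python
"""Inspect com.apple.quarantine before deleting it (added example)."""
import subprocess
import sys
from datetime import datetime, timezone
from pathlib import Path

ATTR = "com.apple.quarantine"

def parse_quarantine(value):
    """Split 'flags;timestamp;agent;event-uuid' (assumed layout) into a dict.

    flags and timestamp are hex; trailing fields may be missing or empty.
    """
    parts = value.strip().split(";")
    if len(parts) < 2:
        raise ValueError(f"unexpected quarantine value: {value!r}")
    parts += [""] * (4 - len(parts))
    flags, stamp, agent, event_id = parts[:4]
    return {
        "flags": int(flags, 16),
        "downloaded_utc": datetime.fromtimestamp(int(stamp, 16), tz=timezone.utc),
        "agent": agent or None,
        "event_id": event_id or None,
    }

def read_quarantine(path):
    """Return the raw attribute via macOS `xattr -p`, or None if it is not set."""
    proc = subprocess.run(["xattr", "-p", ATTR, str(path)],
                          capture_output=True, text=True)
    return proc.stdout.strip() if proc.returncode == 0 else None

def audit(root):
    """Yield (path, parsed) for every quarantined regular file under root."""
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            raw = read_quarantine(path)
            if raw:
                yield path, parse_quarantine(raw)

if __name__ == "__main__":
    # Constructed sample value, used when no directory is given.
    sample = "0083;636b4a2f;Safari;11111111-2222-3333-4444-555555555555"
    if len(sys.argv) > 1:
        for path, info in audit(sys.argv[1]):
            print(path, info["agent"], info["downloaded_utc"].isoformat())
    else:
        print(parse_quarantine(sample))
```

Run it with the unpacked release directory as the argument on macOS; files that print nothing have no quarantine attribute set.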

conradwt commented 1 year ago

@rail The Apple Silicon binaries for CockroachDB haven't been properly notarized using the Apple Notarization service. I guess this will happen when these Apple Silicon binaries are put through the same release flow as the Intel binaries.

rail commented 1 year ago

AFAIK the issue is that we distribute the files in a tarball and macOS signing requires app/pkg/dmg format in case you want to sign something other than the main binary (the dylibs in this case). So we end up with a properly signed and notarized binary (cockroach), but not the libraries.

jlinder commented 1 year ago

Closing this issue in favor of https://github.com/cockroachdb/cockroach/issues/93161. Please follow there for any future updates.