devonfw / IDEasy

Tool to automate the setup and updates of a development environment for any project (Successor of devonfw-ide).
Apache License 2.0

Make IDEasy usable on MacOS with active Gatekeeper #451

Open hohwille opened 3 days ago

hohwille commented 3 days ago

On modern MacOS devices Gatekeeper is most likely activated to increase security. As a result, apps downloaded from the Internet cannot be opened without strange quirks. However, the entire purpose of IDEasy is to download apps from the Internet and allow you to start them. Therefore, with the MacOS Gatekeeper active, IDEasy is currently almost unusable, since every app will open a popup like this:

[image: macos-app-will-damage-your-computer-move-to-trash]

Normal users will not know how to proceed, since Cancel will prevent the app from being opened and Move to trash is even worse: it will delete the app and break the installation that was just created by IDEasy. There are some security mechanisms implemented in IDEasy that do checksum verification.

Surely the vendors like the Apache Software Foundation could potentially publish a new release of their tool with evil code that will erase your disk or encrypt all your files and ask for ransom. However, open-source software is based on trust and transparency. If a prominent OSS tool ever did that, it would kill the entire reputation of the tool and the foundation behind it - forever. Also, since we test releases upfront, we would hopefully notice and ban the release from our urls repository so that it does not reach our users.

I just researched the topic and studied this article.

So after reading all the options, I come to the conclusion that we should try to run something like this on the MacOS app after the installation:

xattr -d com.apple.quarantine /path-to-app

I am unsure if that operation will work for the entire app or has to be called recursively for every file in the app.

related issues

452
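The quarantine removal proposed in the comment above, gated on the checksum verification it mentions, as an added example that is not part of the issue or of IDEasy's code. The function names and the `XATTR` override are assumptions made here; `xattr -r` applies the operation to every file inside the app bundle.

```shell
#!/bin/sh
# Added example: strip com.apple.quarantine only after the archive's SHA-256 matches.
# XATTR is an overridable command name (assumption) so the logic can be tested off macOS.
XATTR="${XATTR:-xattr}"

# Print the SHA-256 of a file with whichever tool the host provides.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'   # macOS ships shasum
  fi
}

# release_quarantine <archive> <expected-sha256> <installed-app>
# Returns 0 when the bundle is clean, 1 on checksum mismatch, 2 if the attribute remains.
release_quarantine() {
  rq_archive="$1"; rq_expected="$2"; rq_app="$3"
  rq_actual="$(sha256_of "$rq_archive")" || return 1
  # An empty digest means the archive could not be read: treat it as a mismatch.
  if [ -z "$rq_actual" ] || [ "$rq_actual" != "$rq_expected" ]; then
    echo "checksum mismatch for $rq_archive, quarantine left in place" >&2
    return 1
  fi
  # -r descends into the bundle so every contained file is handled, not only the top directory.
  # The exit status is ignored here; the listing below is the actual check.
  "$XATTR" -dr com.apple.quarantine "$rq_app" 2>/dev/null || true
  if "$XATTR" -r "$rq_app" 2>/dev/null | grep -q 'com.apple.quarantine'; then
    echo "quarantine attribute still present under $rq_app" >&2
    return 2
  fi
  return 0
}

# Usage (placeholders): release_quarantine <downloaded-archive> <published-sha256> <path-to-app>
```

A non-zero return leaves the decision to the caller: on a mismatch nothing has been touched, so Gatekeeper still blocks the unverified download.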

hohwille commented 3 days ago

Please also note that once the app is whitelisted for gatekeeper in the security settings (see other alternatives in the article) then the app is sealed and cannot be modified anymore. So we cannot copy our ide.software.version file inside.

hohwille commented 3 days ago

java.lang.IllegalStateException: Failed to copy /Users/hohwille/projects/_ide/software/default/intellij/intellij/2024.1.4/.ide.software.version to /Users/hohwille/projects/_ide/software/default/intellij/intellij/2024.1.4/IntelliJ IDEA CE.app/Contents/MacOS/.ide.software.version
    at com.devonfw.tools.ide.io.FileAccessImpl.copy(FileAccessImpl.java:317)
    at com.devonfw.tools.ide.tool.LocalToolCommandlet.createToolInstallation(LocalToolCommandlet.java:295)
    at com.devonfw.tools.ide.tool.LocalToolCommandlet.createToolInstallation(LocalToolCommandlet.java:302)
    at com.devonfw.tools.ide.tool.LocalToolCommandlet.installInRepo(LocalToolCommandlet.java:165)
    at com.devonfw.tools.ide.tool.LocalToolCommandlet.installInRepo(LocalToolCommandlet.java:133)
    at com.devonfw.tools.ide.tool.LocalToolCommandlet.installInRepo(LocalToolCommandlet.java:120)
    at com.devonfw.tools.ide.tool.LocalToolCommandlet.doInstall(LocalToolCommandlet.java:77)
    at com.devonfw.tools.ide.tool.ide.IdeToolCommandlet.doInstall(IdeToolCommandlet.java:141)
    at com.devonfw.tools.ide.tool.ToolCommandlet.install(ToolCommandlet.java:186)
    at com.devonfw.tools.ide.tool.intellij.Intellij.install(Intellij.java:64)
    at com.devonfw.tools.ide.tool.intellij.Intellij.runTool(Intellij.java:42)
    at com.devonfw.tools.ide.tool.ide.IdeToolCommandlet.runIde(IdeToolCommandlet.java:211)
    at com.devonfw.tools.ide.tool.ide.IdeToolCommandlet.run(IdeToolCommandlet.java:201)
    at com.devonfw.tools.ide.context.AbstractIdeContext.applyAndRun(AbstractIdeContext.java:905)
    at com.devonfw.tools.ide.context.AbstractIdeContext.run(AbstractIdeContext.java:854)
    at com.devonfw.tools.ide.cli.Ideasy.runOrThrow(Ideasy.java:92)
    at com.devonfw.tools.ide.cli.Ideasy.run(Ideasy.java:52)
    at com.devonfw.tools.ide.cli.Ideasy.main(Ideasy.java:28)
    at org.codehaus.mojo.exec.ExecJavaMojo$1.run(ExecJavaMojo.java:279)
    at java.base/java.lang.Thread.run(Thread.java:840)
Caused by: java.nio.file.FileSystemException: /Users/hohwille/projects/_ide/software/default/intellij/intellij/2024.1.4/IntelliJ IDEA CE.app/Contents/MacOS/.ide.software.version: Operation not permitted
    at java.base/sun.nio.fs.UnixException.translateToIOException(UnixException.java:100)
    at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:106)
    at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:111)
    at java.base/sun.nio.fs.UnixCopyFile.copyFile(UnixCopyFile.java:246)
    at java.base/sun.nio.fs.UnixCopyFile.copy(UnixCopyFile.java:603)
    at java.base/sun.nio.fs.UnixFileSystemProvider.copy(UnixFileSystemProvider.java:257)
    at java.base/java.nio.file.Files.copy(Files.java:1305)
    at com.devonfw.tools.ide.io.FileAccessImpl.copyRecursive(FileAccessImpl.java:337)
    at com.devonfw.tools.ide.io.FileAccessImpl.copy(FileAccessImpl.java:315)
    ... 19 more

hohwille commented 3 days ago

The problem with Apple is that they publish updates and do significant breaking changes without caring about open-source ecosystems and non-apple-native developers. While I fully agree that security is a very important issue and that you sometimes need to do breaking changes to avoid legacy flaws blocking future development, Apple seems to be the absolute opposite of Microsoft and just keeps their narrow-minded monopoly running, ignoring the rest of the world. Sorry for the harsh words, but to make clear points I tend to use strong words... After all, they are rendering months if not years of open-source developer work void overnight. That is a very frustrating experience since we have been trying very hard to support MacOS for many years now and frequently get a hard time with that.