kasper / phoenix

A lightweight macOS window and app manager scriptable with JavaScript
https://kasper.github.io/phoenix/

JSContext no longer present in Safari #254

Open idmyn opened 4 years ago

idmyn commented 4 years ago

Hi, thanks for the project!

I've used the JSContext console for Phoenix in Safari quite a few times and found it really useful, but I reached for it today and the menu under Develop is giving me No Inspectable Applications. I've tried switching on Automatically Show Web Inspector for JSContexts and adding a debugger statement in my phoenix config (and uninstalling/reinstalling phoenix) but no luck. Any ideas?

mafredri commented 4 years ago

Seems to be an issue with Phoenix 2.6.3, works fine on 2.6.2 (tried compiling both locally).

kasper commented 4 years ago

Thanks for reporting! I think this might be caused by the restricted runtime needed for notarising apps with Apple. I need to check whether we need to enable some exceptions for the developer tools.

kasper commented 4 years ago

Yes, indeed this seems to be caused by hardened runtime. I tried applying various different entitlements but to no avail. I have contacted Apple to see how to enable this support back. I did however confirm that you can still attach to the JSContext in debug builds, if you build the app from Xcode.

seren commented 4 years ago

Thanks for the update. That’s the only way to view the logs if we’re trying to debug configuration errors, right? I didn’t see anything useful for this in the console logs. Thanks!

kasper commented 4 years ago

@seren No, you can still use the Console app or your Terminal.

https://github.com/kasper/phoenix/blob/2.6.3/docs/API.md#logging-and-debugging

kasper commented 4 years ago

So I got a response from Apple, turns out you have to turn off pretty much all the security features to get this working with notarised apps. Not really sure yet what would be the best approach.

mafredri commented 4 years ago

I guess one (not so good) option would be two builds? One for development and another for use.

At least for me I only need the JS context when I’m actively developing my config, and even then rarely. It’s very much a nice-to-have (for me) but for new users I imagine it’s gold worth.

Do you have any thoughts on what are the repercussions of turning off the security features?

kasper commented 4 years ago

@mafredri I think that would be one option, but not a really nice one. I think eventually Gatekeeper will just start complaining again if you start creating exceptions for the security features for signing.

kasper commented 4 years ago

However, I recommend against doing this for a production app. The get-task-allow entitlement undoes most of the security enhancements implied by the hardened runtime, and thus significantly undermines the security of your app. This process also requires you to disable library validation (via the com.apple.security.cs.disable-library-validation entitlement), which is similarly bad.

justin-calleja commented 4 years ago

@kasper re the following:

https://github.com/kasper/phoenix/blob/2.6.3/docs/API.md#logging-and-debugging

Using console.log statements does not output anything when streaming like so:

log stream --process Phoenix

I just get:

2020-05-04 19:15:34.466902+0200 0x22a6f    Activity    0x23346              24877  0    Phoenix: (SharedFileList) #SFLAPI LSSharedFileListCopySnapshot
2020-05-04 19:15:34.476126+0200 0x22a6f    Activity    0x23347              24877  0    Phoenix: (SharedFileList) #SFLAPI LSSharedFileListCopySnapshot
2020-05-04 19:15:34.495134+0200 0x22a6f    Default     0x0                  24877  0    Phoenix: Context loaded.

seren commented 4 years ago

FYI @justin-calleja, I had issues with this as well. Phoenix.log statements and JavaScript exceptions do show up for me now, but in the beginning I had messed up my config early enough in the load process that nothing useful made it to the console. You might try starting with a bare-bones config and a single Phoenix.log("test"); statement and see if it shows up.

justin-calleja commented 4 years ago

Thank you @seren for pointing out it's Phoenix.log - as it says in the docs now that I read it again.

I confirm that Phoenix.log does work for me too (I was using console.log).

kasper commented 4 years ago

@justin-calleja Seems like you figured it out. @seren Thanks for helping. 🙂 I’m sorry if the distinction is not clear enough between the two.

I’m still trying to figure out what is the best way to deal with the Web Inspector issue. Apple has pretty much locked it out with the modern security settings.

d1rewolf commented 3 years ago

Hi there.

I'm trying to get this to work, but it's not working at all for me....I get the same "No Inspectable Applications". I downloaded the official release (2.6.7), but the Safari menu under my hostname remained empty. I then downloaded the source and compiled (also verifying that the "Build Configuration" is set to "Debug"), but the same result happens there as well....nada.

Any ideas what I might be missing?

Thanks in advance...

d1rewolf commented 3 years ago

Bump...anyone know? I'm very interested in having this workflow as I'm trying to migrate from hammerspoon to Phoenix, and having a live console would be invaluable.

Thanks!

kasper commented 3 years ago

@d1rewolf It should work at least when you build from Xcode and target “Debug”. I’ll at least write a guide for this, the other option is adding the ability to download a build that is not signed, but that feels wrong.

d1rewolf commented 3 years ago

@kasper yep, once I figured out to build the Debug build with:

xcodebuild -workspace Phoenix.xcworkspace -scheme Phoenix -configuration Debug SYMROOT="$PWD/build/" clean build

It's working perfectly. Is changing the configuration to debug basic macOS knowledge? If not, it would be really helpful to mention it somewhere in the documentation. I've generated a PR here if it helps...if not, feel free to reject: https://github.com/kasper/phoenix/pull/284

SoylentGraham commented 3 years ago

Is there a specific signing/compile/link flag (in the debug configuration) which enables it to be inspectable?

Previously it just required [any] app to be signed, right?

mxkyb commented 2 years ago

xcodebuild -workspace Phoenix.xcworkspace -scheme Phoenix -configuration Debug SYMROOT="$PWD/build/" clean build

Yep, works for me, too.

Is changing the configuration to debug basic macOS knowledge?

Not for web engineers, who probably will be using phoenix over hammerspoon because of javascript :)

kasper commented 2 years ago

@SoylentGraham Building the app in debug mode disables various security constraints. Hence JSContext linking also works.

@mxkyb I’ll document this one better as a solution for people who still want to use the debugging capabilities.

SoylentGraham commented 2 years ago

I think you misread my question? "Debug" mode is just an arbitrary configuration name. You could rename it Banana mode if you wanted to, but I'm assuming specific settings allow Safari to inspect the context... do you know what they are? I think in my engine, I can inspect release AND banana configurations

On Thu, 9 Dec 2021 at 7:27 am, Kasper Hirvikoski @.***> wrote:

@SoylentGraham https://github.com/SoylentGraham Building the app in debug mode disables various security constraints. Hence JSContext linking also works.

@mxkyb https://github.com/mxkyb I’ll document this one better as a solution for people who still want to use the debugging capabilities.


kasper commented 2 years ago

It’s these ones: https://developer.apple.com/documentation/security/hardened_runtime

This was the quote from Apple when I asked about only enabling Safari debugging.

However, I recommend against doing this for a production app. The get-task-allow entitlement undoes most of the security enhancements implied by the hardened runtime, and thus significantly undermines the security of your app. This process also requires you to disable library validation (via the com.apple.security.cs.disable-library-validation entitlement), which is similarly bad.
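An added example (not part of the thread or of Phoenix's own code): a release-gate check that reads an app's entitlements in XML plist form and flags the two entitlements named in the Apple quote above, so a build carrying them is not shipped as the distributed release. The sample plists are constructed, and the function names are hypothetical.

```python
import plistlib

# Entitlements the Apple quote above names as undermining the hardened runtime.
RISKY_ENTITLEMENTS = {
    "com.apple.security.get-task-allow":
        "other processes may attach to the app (debugger, inspector)",
    "com.apple.security.cs.disable-library-validation":
        "app may load libraries not signed by Apple or by the same team",
}

# Constructed samples of an entitlements dump, e.g. what
# `codesign -d --entitlements :- <App>.app` prints on macOS.
SAMPLE_DEBUG = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.get-task-allow</key><true/>
  <key>com.apple.security.cs.disable-library-validation</key><true/>
</dict></plist>"""

SAMPLE_RELEASE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.get-task-allow</key><false/>
</dict></plist>"""


def risky_entitlements(plist_bytes):
    """Return the sorted risky entitlement keys that are explicitly true."""
    data = plist_bytes.strip()
    if not data:
        return []  # an app signed without entitlements dumps nothing
    ents = plistlib.loads(data)
    if not isinstance(ents, dict):
        raise ValueError("entitlements plist must be a dictionary")
    # Only a boolean true enables the entitlement; false or absent is safe.
    return sorted(k for k in RISKY_ENTITLEMENTS if ents.get(k) is True)


def release_gate(plist_bytes):
    """Return (ok, findings); ok is False if any risky entitlement is set."""
    found = risky_entitlements(plist_bytes)
    return (not found, found)


if __name__ == "__main__":
    for name, sample in (("debug", SAMPLE_DEBUG), ("release", SAMPLE_RELEASE)):
        ok, found = release_gate(sample)
        print(name, "PASS" if ok else "FAIL")
        for key in found:
            print("  ", key, "->", RISKY_ENTITLEMENTS[key])
```
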

varp commented 2 months ago

Don't we want to make Debug builds of the applications during the release cycle? Can we use GitHub Actions for this? @kasper

kasper commented 2 months ago

@varp Good question, but I don’t necessarily want to distribute debug builds signed with my developer certificate.

varp commented 2 months ago

Must builds be signed with any developer certificate to allow debugging (connecting to) Safari JSContext?

kasper commented 2 months ago

@varp I think you need to sign them at least with your machine’s certificate for them to run with Gatekeeper enabled. Otherwise you also need to disable that protection on your machine.