MacOS permission issue with XCRC Executable File

spotify / XCRemoteCache

Other

835 stars 52 forks source link

MacOS permission issue with XCRC Executable File #154

Closed canhth closed 2 years ago

canhth commented 2 years ago

Description

Team size: >40 members
CICD machine: >5 machines
Cocoapods plugin setup.

My team is facing this issue “developer cannot be verified” when the other tries to run bundle exec pod install for Consumer mode. (This XCRC/ folder was downloaded automatically via XCRemoteCache Cocoapod Plugin)

The weirdest thing is the problem never happened in our CICD machines. But in local machines from developers, they will get this issue and have to click Move To Trash and run pod install again.

-> My temporary solution: put XCRC/ folder to .gitignore. But this will slow down our CI jobs a bit by spending time downloading and unzip >20MB XCRC package.

Question

Is there anyway we can avoid that Privacy issue without ignoring XCRC folder?

A suggestion

It would be nice if we can have a short document of the best practices for setup XCRemoteCache in real project.

polac24 commented 2 years ago

If I understand correctly, that problem exists if you commit in XCRemoteCache binaries to the git repo. Even that isn't the best practice (git is not optimized to store binaries), you could try to eliminate this warning with:

xattr -d com.apple.quarantine /local/to/xcremotecache/binaries

Also, maybe the binary committed-in to the repo was downloaded via a browser?

BTW. Which macOS version are you using?

canhth commented 2 years ago

Yup, I committed the binaries to the git repo.

xattr -d com.apple.quarantine path-XCRC                               (-d not work, -dr works to me)

--> Does it mean to run this command in every machine? If yes, I think this is unnecessary, because people can click Move to Trash and run pod install again, the new binaries will be downloaded automatically again.

What I'm looking for is to avoid the problem above when enabling this to other machines.

Also, maybe the binary committed-in to the repo was downloaded via a browser?

Nope. The XCRC folder is downloaded automatically with this function: download_latest_xcrc_release.

BTW. Which macOS version are you using?

I'm using Big Sur (Intel), CI machines are Monterey (M1), and other dev some use Big Sur, some use Monterey.

polac24 commented 2 years ago

Does it mean to run this command in every machine?

We don't recommend committing-in binaries to the git repo so I don't have any tips to share. Git shouldn't add xattributes so that shouldn't be needed, but maybe in some specific scenarios (like downloading repo via https) it adds quarantine to binaries? If you think FAQ, should have some notes, feel free to create a PR.

polac24 commented 2 years ago

That seems to be a problem with git + quarantine attributes. Not related to the XCRemoteCache itself.