Archive for October 17, 2019

Thursday, October 17, 2019

Core Data Derived Attributes

Scott Perry:

Documentation for Core Data’s new derived attributes feature is up!

It’s a really cool feature.

NSDerivedAttributeDescription (see also: derivationExpression):

Use derived attributes to optimize fetch performance[…]

[…]

Core Data recomputes derived attributes when you save a context. A managed object’s property does not reflect unsaved changes until you save the context and refresh the object.

That makes sense given that the derivation is implemented in the SQLite store using triggers. And you wouldn’t want every change to cause a fetch for properties that you might not need right away.

However, you have to be careful to manually refresh the objects that you care about because, since at least macOS 10.14, there’s a bug where NSFetchRequest’s shouldRefreshRefetchedObjects option doesn’t work (FB6161838). It fetches the right objects, but their properties may be stale. See, for example, this code:

import Foundation
import CoreData

class Entity: NSManagedObject {
    @NSManaged var attribute: String
}

let attribute = NSAttributeDescription()
attribute.name = "attribute"
attribute.attributeType = .stringAttributeType
let entityDescription = NSEntityDescription()
entityDescription.name = "Entity"
entityDescription.properties = [attribute]
entityDescription.managedObjectClassName = Entity.className()
let model = NSManagedObjectModel()
model.entities = [entityDescription]

let coordinator = NSPersistentStoreCoordinator(managedObjectModel: model)
// Also happens with SQLite store
try! coordinator.addPersistentStore(ofType: NSInMemoryStoreType, configurationName: nil, at: nil, options: [:])

let writeContext = NSManagedObjectContext(concurrencyType: .privateQueueConcurrencyType)
writeContext.persistentStoreCoordinator = coordinator
let readContext = NSManagedObjectContext(concurrencyType: .mainQueueConcurrencyType)
readContext.persistentStoreCoordinator = coordinator

let writeEntity = Entity(entity: entityDescription, insertInto: writeContext)
writeContext.performAndWait {
    writeEntity.attribute = "Old"
    try! writeContext.save()
}

var readEntity: Entity? = nil
readContext.performAndWait {
    let request = NSFetchRequest<Entity>(entityName: entityDescription.name!)
    readEntity = try! readContext.fetch(request).first!
    // Initially the attribute should be Old, and that's what's printed
    print(readEntity!.attribute)
}

writeContext.performAndWait {
    writeEntity.attribute = "New"
    try! writeContext.save()
}

readContext.performAndWait {
    let request = NSFetchRequest<Entity>(entityName: entityDescription.name!)
    request.shouldRefreshRefetchedObjects = true
    _ = try! readContext.fetch(request)
    // Now the attribute should be New, but it is still Old
    print(readEntity!.attribute)

    readContext.refresh(readEntity!, mergeChanges: false)
    // However, manually refreshing does update it to New
    print(readEntity!.attribute)
}

In this example, you could instead use notifications to merge changes from one context into the other. But that wouldn’t work with derived attributes since their changes aren’t reported in notifications.
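As an added illustration (not the post’s own code, nor Apple’s), this defines a derived attribute programmatically and follows the documented save-then-refresh sequence in a single context. The entity name, the attribute names, and the use of the `canonical:` derivation function are assumptions made for this example.

```swift
import Foundation
import CoreData

// Hypothetical entity for this example: `canonicalTitle` is derived from `title`.
final class Note: NSManagedObject {
    @NSManaged var title: String
    @NSManaged var canonicalTitle: String?
}

func makeModel() -> (NSManagedObjectModel, NSEntityDescription) {
    let title = NSAttributeDescription()
    title.name = "title"
    title.attributeType = .stringAttributeType
    // The derived attribute: the SQLite store recomputes it with a trigger when the context saves.
    // `canonical:` (assumed from Apple's derivationExpression docs) lowercases and strips diacritics.
    let canonical = NSDerivedAttributeDescription()
    canonical.name = "canonicalTitle"
    canonical.attributeType = .stringAttributeType
    canonical.isOptional = true
    canonical.derivationExpression = NSExpression(format: "canonical:(title)")
    let entity = NSEntityDescription()
    entity.name = "Note"
    entity.managedObjectClassName = NSStringFromClass(Note.self)
    entity.properties = [title, canonical]
    let model = NSManagedObjectModel()
    model.entities = [entity]
    return (model, entity)
}

let (model, noteEntity) = makeModel()
let coordinator = NSPersistentStoreCoordinator(managedObjectModel: model)
// Derivation happens inside the SQLite store, so this example uses one rather than an in-memory store.
let storeURL = FileManager.default.temporaryDirectory
    .appendingPathComponent("derived-\(UUID().uuidString).sqlite")
try! coordinator.addPersistentStore(ofType: NSSQLiteStoreType, configurationName: nil, at: storeURL, options: nil)

let context = NSManagedObjectContext(concurrencyType: .privateQueueConcurrencyType)
context.persistentStoreCoordinator = coordinator

context.performAndWait {
    let note = Note(entity: noteEntity, insertInto: context)
    note.title = "Élan Vital"
    try! context.save()
    // The store has now computed canonicalTitle, but the in-memory object has not been updated.
    print(note.canonicalTitle ?? "nil")
    // Documented sequence: save, then refresh the object before relying on the derived value.
    context.refresh(note, mergeChanges: false)
    print(note.canonicalTitle ?? "nil")
}
```

Because derived-attribute changes are not reported in change notifications, the explicit refresh is the only reliable way for other contexts to pick up the recomputed value as well.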

Laptops Stolen From Cars

Merritt Baer:

Colleagues had a car broken into and laptops stolen in downtown Mountain View last night while we were at dinner. We wondered how they knew to break into the hatchback when it is not see-through.

They turn on bluetooth scanners and follow the beacon to find electronics.

There are probably Wi-Fi signals, too, if the Mac is in Power Nap. I guess it’s better to shut down instead of leaving it in sleep.

Mac-to-Mac Luna Display

Luna Display (via Matt Ronge):

But Mac-to-Mac is more than just taking your old Macs out of retirement — use it as a way to make yourself more mobile! Luna was made with nomadic workers in mind, and with Mac-to-Mac Mode, you can have even more freedom and flexibility to work on the go.

For example, if you have an iMac at your office, and a laptop that moves with you between work and home, pair your laptop with your iMac when in the office to make use of both devices. Or if you’re just working from home, pair your laptop to your iMac or Mac Mini and harness the power of those super computers from your comfy sofa.

Watch for Mac-to-Mac AirPlay in macOS 10.16. I’m only sort of kidding. In any case, this seems like it could be much better than using Screen Sharing.

Olivier Roux:

Boom! @siracusa’s dilemma solved: a new Mac Pro connected to an iMac through the LunaDisplay dongle. No crappy LG monitor, no horribly expensive XDR Display.

Catalina Notarization

Rich Trouton:

This is not to say that you can hold up a “Notarized!” sign to the auditor, watch the auditor leave after just tossing the checklist aside and commence the post-audit party. But for those folks who have to undergo regular compliance auditing, I would recommend you examine your auditing requirements carefully to see which IT audit controls on your list now get handled automatically on macOS Catalina with its notarization requirements.

Gus Mueller:

“Your Mac software was successfully notarized.”

Thank god Apple finally changed the subject of the notarization email; it was driving me a little insane, one email at a time.

“You can now distribute your Mac software” was the previous subject. As if we weren’t doing OK before.

Rosyna Keller:

Now that macOS Catalina is live, I’m interested in any reports of users running into non-notarized software.

I’d really appreciate screenshots of the “not notarized” dialog and any information you have on the app or quarantined plugin that wasn’t notarized.

The most obvious example I ran into was Catalina’s own installer, which I copied from one of my Macs to the other via screen sharing.

Hayden:

Apple disabled the GUI option to allow unsigned apps in 10.15 and now users are passing around a sudo command on Twitter that disables all app security checks as the workaround to get things working again.

I think the “Anywhere” radio button in System Preferences was actually removed several releases ago.

Armin Briegel:

As with the previous Gatekeeper checks for a valid signature, an administrator user can override the check by choosing ‘Open’ from the context menu instead of double-clicking to open.

[…]

When you install software using the installer command from the Terminal or a script, it will bypass quarantine and the Gatekeeper check.

This is also true when you install software using a management system such as Jamf Pro, Munki, Fleetsmith, etc.

[…]

There are some cases where notarization would be useful for MacAdmins but might not even be possible. I met a MacAdmin working at a university at MacSysAdmin last week. They need to re-package a VPN client with customized configuration files to be installed on student-owned machines.

There is really no solution without the students running into the notarization warning.

Howard Oakley:

From comments being posted on articles here, there’s still some confusion over whether macOS 10.15 Catalina will allow you to install and run old apps which aren’t notarized, or new ones which aren’t either. To clear this up, I’ve diagrammed the whole process in detail, to show you how you can work with Catalina’s new security rules.

Howard Oakley:

Using the Finder’s Open command doesn’t bypass the security assessment sub-system completely. It allows wider tolerance in the application of its rules, such as letting un-notarized apps run in Catalina, and unsigned apps run. Signature revocations and errors should still be detected and result in refusal to run, and XProtect should still check the app for known malware signatures.

Turn the whole sub-system off, and you are going to be trying to force macOS to run something which is very likely to be malicious or damaged.

Removing the quarantine flag from a freshly-downloaded app or installer isn’t quite as bad, as signature checks still take place, and in Catalina (but not Mojave or earlier) the app should also be checked by XProtect.

ross tulloch (MacRumors):

I think Apple’s notarization server may have died under the Catalina induced load. I submitted a dmg 4+ hours ago. Still “in progress”.

I ran into delays as well, following Catalina’s release, and then performance returned to normal.

Jeff Johnson:

Don’t worry, they said. It won’t be a problem, they said. It just works, they said.

Frank Reiff:

Ok, so now that everybody is notarizing their apps at the same time... it’s painfully slow. Who would have thought that Apple would build a required feature that does not scale?

Apple:

We will be conducting scheduled maintenance on Sunday, October 20, 2019 at 6:00 a.m. PT for up to 8 hours. App Store Connect on the web, the App Store Connect app, the App Store Connect API, and the Developer ID notary service will be unavailable during this time. We apologize for any inconvenience and recommend that you make critical deliveries or changes on another day.

All distribution of Mac software will be blocked for 8 hours. Apple’s servers are a chokepoint even if you aren’t using the Mac App Store. Hopefully no one needs to ship an emergency update.

Michael Love:

The big worry censorship-wise is that notarization still presents a single point of failure; in theory the PRC could mandate that Apple use different sideloading code signing certificates for them and that only apps that register w/govt and pass censors can get signed.

Update (2019-10-18): Rosyna Keller:

The “Upload Your App to the Notarization Service” section of the Customizing the Notarization Workflow documentation has been updated to include descriptions of new features in altool 4.0 such as making a keychain entry, listing provider membership.

Mark Munz:

Also, the fact that I’m forced to agree to some new Paid Applications Schedule to NOTARIZE my app (not in app store) is absolute crap!!

Update (2019-10-22): Mark Munz:

Where do I go at Apple to get my entire lost morning back while waiting for Apple’s notary service to “bless” my app?

Update (2019-10-23): Mark Munz:

Apple has been providing its Notary Service since June 2018.

This morning, it went from Performance issues to later finally admitting an outright Outage.

Luc Vandal:

I hope you had nothing important to ship today. 🤨

Jeff Johnson:

They took it down on purpose Sunday.

Now it’s down again.

Mark Munz:

Apple’s Developer ID Notary Service back up after being out most of the day.

Great service you got Apple, can’t wait for the next time this REQUIRED SERVICE injects itself into my critical path and eats away at my productivity. 🙄

Update (2019-11-01): Paul Kim:

Anyone seeing issues with notarized apps being unable to run third party Automator actions?

To follow up: to run Automator workflows with third-party actions, you need to check the Disable Library Validation in the hardened runtime entitlements.

[…]

Also, if you create a new workflow and drag a third party action into it, you’ll get a warning. Clicking that brings up an alert where you can enable third-party actions. I don’t see any evidence of this setting in Security & Privacy.

Rosyna Keller:

If an app plugin created after June 1st, 2019 is ever going to be quarantined* on Catalina, it needs to be notarized, or else users must approve it in the Security & Privacy prefpane.

*Occurs when downloading from the internet, transferring via AirDrop, iMessage, et cetera.

Update (2019-11-06): Howard Oakley:

I first submitted SilentKnight version 1.5 using Xcode. This was the first time that I had used version 11.2, and I proceeded in the normal way. It reported that the app had been successfully uploaded, and a few minutes later I was puzzled that it hadn’t yet been notarized and was still not ready to distribute. I gave it a bit longer, then checked its service status, which was green. But when I queried the status of my notarization request within Xcode, it reported that no record of that request could be found, and advised me to submit it afresh.

[…]

[Developers need:]

Accurate error messages which provide the right advice. As it turned out, every error had been misleading, and repeatedly resubmitting wasn’t the right way forward. Had the service informed me there was a problem and notarization would be delayed, I could have done something else instead of wasting most of an evening.

Accurate service status indicators. The service was down, but there was no indication of any problem except after you had submitted a request.

A contact point (Twitter, email) for informing Apple that the service wasn’t working properly.

Update (2019-11-26): James Thomson:

The yellow diamond of doom.

Update (2020-04-23): Norbert Doerner:

Apple claims you can use their main developer tool Xcode to notarize your macOS application with a few simple clicks.

Truth is, that doesn’t seem to be the case. For our NeoFinder project, for example, Xcode doesn’t even show the options to notarize the build and archived product. And yes, we have filed a bug report about this 16 months ago, and Apple said that somehow Xcode couldn’t really see that NeoFinder was actually really an application, so it probably possibly didn’t really work. And that was all. No help from Apple at all beyond that point.