Archive for October 6, 2021

Wednesday, October 6, 2021

Reproducible Code Signing on Apple Silicon

Keith Smiley:

For people who expect reproducible builds, Apple Silicon machines provide an interesting challenge.


The gist of this logic is to fetch the UUID embedded in every binary and use that to derive the identifier. The reason this isn’t reproducible across architectures is because the UUID is based on the content of each binary, which differs across architectures.


While this was a very informative deep dive into this logic, if you rely on reproducible binaries and want to support Apple Silicon machines, you need to do 2 things for binaries without Info.plist files:

  1. Don’t allow the linker to automatically sign your binaries by passing -no_adhoc_codesign
  2. Pass an explicit identifier when linking binaries with --identifier to the codesign invocation


Mac Safari Extension: ActiveTab

Zhenyi Tan:

ActiveTab makes it easier to spot the active tab in Safari on Mac by drawing a line below it. It works by predicting the position of the active tab based on the size of your browser window and the number of tabs.


ActiveTab is available for $1.99 on the Mac App Store, with no in-app purchases, no ads, and no tracking.

This sounds great, although unfortunately, because it’s implemented using JavaScript, it needs full permissions for “Webpage Contents and Browsing History” even though all it really wants is to draw a rectangle.

See also: John Voorhees and Tim Hardwick.


iOS Safari Extension: StopTheScript

Jeff Johnson:

StopTheScript is my new Safari extension for iOS 15 and iPadOS 15 that stops all JavaScript on your selected websites!


If you install StopTheScript, you may find it strange that the extension has no settings. This is a technical limitation. Why? When a Safari extension is loaded into a web page, the extension’s settings are not available immediately; any settings must be fetched from storage, an async operation. The problem is that the <head> of an HTML document may contain <script> elements. If StopTheScript had to wait for settings to be fetched from storage, then it might be too late to stop the JavaScript from running already! Thus, StopTheScript has to do its “magic” at the very beginning of the document load, even before elements of the <head> are loaded. This is why StopTheScript relies on Safari’s own extension permission system. Safari users can grant an extension access to specific websites, and only those websites.


Will StopTheScript be coming to Safari on the Mac too? I hope so, in the future, but right now it can’t, unfortunately. […] The problem is that "run_at":"document_start" doesn’t work right in Safari on macOS, a bug that I blogged about over a year ago.


Update (2021-10-20): Kyle Nazario:

If you want to selectively block JavaScript in Safari, try JavaSnipt.

It works on both iOS and Mac.

“date -d” vs. “date -s”

Rachel Kroll:

$ date -d @1700000000
Tue Nov 14 14:13:20 PST 2023

The problem is, there’s another command very much like it that will even spit out the same output, only it has a nice little side-effect: it also sets the clock. That command is date -s.

If you’re on a QWERTY layout or are generally familiar with it, you might notice that [S] and [D] are right next to each other and are an easy typo to make with your left hand. That’s one way to screw up.

Another problem is that you might not have known that -s has that effect[…]

There doesn’t seem to be a -s in the Mac version of date.


Update (2021-10-08): Matt Garber:

That’s one of several differences between the GNU coreutils date on Linux, and the BSD version included in at least FreeBSD and macOS. Also, the BSD version’s -d flag is completely different: “Set the kernel’s value for daylight saving time”.

Simon Stiefel:

On macOS, no option is needed to change the flag which is arguably worse, e.g. date 1234 sets the time.

Chris Dzombak:

also, crontab -e vs. crontab -r
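
The GNU/BSD differences discussed in the date entry above can be checked before a command line is run. The following is an added example, not code from any of the quoted authors: a bash function that classifies a date invocation as clock-changing or print-only. The function name date_sets_clock and the "gnu"/"bsd" labels are hypothetical; it assumes GNU date also sets the clock from a bare MMDDhhmm operand and that BSD -j suppresses setting, and it treats abbreviated GNU long options conservatively.

```bash
#!/usr/bin/env bash
# Added example (hypothetical helper): date_sets_clock FLAVOR ARGS...
# Exit 0 if the date(1) arguments would change system time state,
# 1 if they only print, 2 for an unknown flavor. Never runs date itself.
date_sets_clock() {
    local flavor=$1 nojump=0 operand=0 arg rest c takes
    shift
    case $flavor in
        gnu) takes=dfr ;;     # GNU short options that consume an argument
        bsd) takes=rvfz ;;    # BSD short options that consume an argument
        *) return 2 ;;
    esac
    while [ $# -gt 0 ]; do
        arg=$1; shift
        case $arg in
            +*) ;;                                  # output format only
            --) for arg in "$@"; do case $arg in +*) ;; *) operand=1 ;; esac; done; break ;;
            --s*) [ "$flavor" = gnu ] && return 0 ;;    # --set and its abbreviations
            --date|--file|--reference|--rfc-3339) [ $# -gt 0 ] && shift ;;
            --*) ;;                                 # --date=X, --utc, ...
            -?*)
                rest=${arg#-}                       # walk a cluster such as -us
                while [ -n "$rest" ]; do
                    c=${rest:0:1}; rest=${rest:1}
                    case $flavor$c in
                        gnus|bsdd) return 0 ;;      # GNU -s; BSD -d (kernel DST value)
                        bsdj) nojump=1 ;;           # BSD -j: do not set the date
                        *I) rest= ;;                # -I takes an optional attached value
                        *) case $takes in *"$c"*)
                               [ -z "$rest" ] && [ $# -gt 0 ] && shift
                               rest= ;;
                           esac ;;
                    esac
                done ;;
            *) operand=1 ;;                         # bare operand = new time
        esac
    done
    if [ "$flavor" = bsd ] && [ "$nojump" = 1 ]; then return 1; fi
    [ "$operand" = 1 ]
}

# Constructed sample invocations, classified without executing them.
for sample in "gnu -d @1700000000" "gnu -s @1700000000" "bsd 1234" "bsd -j 1234"; do
    # Word splitting of $sample is deliberate here.
    if date_sets_clock $sample; then echo "SETS   date ${sample#* }"
    else echo "prints date ${sample#* }"; fi
done
```

A shell wrapper or a pre-exec hook could call this and require confirmation when it returns 0.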