[GRASS-dev] GRASS GIS for Apple Silicon Macs

Michael Barton Michael.Barton at asu.edu
Fri Sep 22 11:23:20 PDT 2023 

This would be a major change by Apple and a royal PITA. I hope it is only something in the current beta and not in the final release (which I have not yet installed).

We can probably sign through OSGEO. But when I looked into signing, it seems difficult unless you use Apple XCode. That would be a big step back from the current ease of compiling Mac binaries with Conda. When I looked into it several years ago, I could not find any clear instructions about how to sign code without XCode, although it may be possible.

Michael
_____________________________

C. Michael Barton
Associate Director, School of Complex Adaptive Systems (https://scas.asu.edu<https://scas.asu.edu/>)
Professor, School of Human Evolution & Social Change (https://shesc.asu.edu)
Director, Center for Social Dynamics & Complexity (https://complexity.asu.edu)
Arizona State University
Tempe, AZ 85287-2701
USA

Executive Director, Open Modeling Foundation (https://openmodelingfoundation.github.io<https://openmodelingfoundation.github.io/>)
Director, Network for Computational Modeling in Social & Ecological Sciences (https://comses.net)

personal website: http://www.public.asu.edu/~cmbarton


On Sep 22, 2023, at 10:34 AM, grass-dev-request at lists.osgeo.org wrote:

Date: Fri, 22 Sep 2023 17:33:54 +0000
From: Edouard Choini?re <e.chs at outlook.com<mailto:e.chs at outlook.com>>
To: Nicklas Larsson <n_larsson at yahoo.com<mailto:n_larsson at yahoo.com>>
Cc: GRASS developers <grass-dev at lists.osgeo.org<mailto:grass-dev at lists.osgeo.org>>
Subject: Re: [GRASS-dev] GRASS GIS for Apple Silicon Macs
Message-ID:
<SA1PR12MB73447EC8CDE24093C1F2BD14EFFFA at SA1PR12MB7344.namprd12.prod.outlook.com<mailto:SA1PR12MB73447EC8CDE24093C1F2BD14EFFFA at SA1PR12MB7344.namprd12.prod.outlook.com>>

Content-Type: text/plain; charset="utf-8"

I think I figured out an explanation. I tried to read about CI for macOS, then on why there aren?t a lot of CI for macOS (especially Apple Silicon). I also couldn?t look into the build infrastructure used for your grass macOS builds since they don?t seem to be available on GitHub. Is it local only?

Ok, so now to a possible explanation on why Rosetta 2 is asked to be installed.
It seems that with Apple Silicon, arm64 code needs to be signed (which is new), while x86_64 doesn?t, like before. I think it was mentioned in the thread that the app might be unsigned. So I suspect that even if a universal binary contains arm64 and x86_64 binaries, if it is unable to use the arm64 binary, it will try using the intel ones.


<https://urldefense.com/v3/__https://www.sentinelone.com/blog/why-your-macos-edr-solution-shouldnt-be-running-under-rosetta-2/__;!!IKRxdwAv5BmarQ!fsArQT1R77zoM9dYDuSYWa2EDSuZWXHf8RL6ndhUKVFs465WYl5KI24PM-gzQSn-C40Ow3bvU871smBGyyY33dx99byJwmGQB7Q$>
[Apple-Silicon-Rosetta-2-and-the-Challenges-for-Endpoint-Security-7.jpg]
Why Your macOS EDR Solution Shouldn't Be Running Under Rosetta 2<https://urldefense.com/v3/__https://www.sentinelone.com/blog/why-your-macos-edr-solution-shouldnt-be-running-under-rosetta-2/__;!!IKRxdwAv5BmarQ!fsArQT1R77zoM9dYDuSYWa2EDSuZWXHf8RL6ndhUKVFs465WYl5KI24PM-gzQSn-C40Ow3bvU871smBGyyY33dx99byJwmGQB7Q$>
sentinelone.com<http://sentinelone.com/><https://urldefense.com/v3/__https://www.sentinelone.com/blog/why-your-macos-edr-solution-shouldnt-be-running-under-rosetta-2/__;!!IKRxdwAv5BmarQ!fsArQT1R77zoM9dYDuSYWa2EDSuZWXHf8RL6ndhUKVFs465WYl5KI24PM-gzQSn-C40Ow3bvU871smBGyyY33dx99byJwmGQB7Q$>

In particular, see the part where it says:


That?s because one of the changes Apple brought in with Big Sur<https://urldefense.com/v3/__https://www.sentinelone.com/blog/macos-big-sur-has-landed-10-essential-security-tips-you-should-know/__;!!IKRxdwAv5BmarQ!fsArQT1R77zoM9dYDuSYWa2EDSuZWXHf8RL6ndhUKVFs465WYl5KI24PM-gzQSn-C40Ow3bvU871smBGyyY33dx99byJLjqv1E8$ > that only applies to Apple silicon Macs is that native arm64 code cannot execute on an M1 Mac unless it has a valid code signature.

An Apple silicon Mac doesn?t permit native arm64 code execution under any conditions unless a valid signature is attached. Translated x86_64 code, however, is not subject to this restriction<https://urldefense.com/v3/__https://support.apple.com/guide/security/rosetta-2-on-a-mac-with-apple-silicon-secebb113be1/web__;!!IKRxdwAv5BmarQ!fsArQT1R77zoM9dYDuSYWa2EDSuZWXHf8RL6ndhUKVFs465WYl5KI24PM-gzQSn-C40Ow3bvU871smBGyyY33dx99byJR3pAVfc$ >: translated x86_64 code is permitted to execute through Rosetta with no signature information at all.



There?s also that thread that was linked to from my reading some Reddit threads (like https://urldefense.com/v3/__https://www.reddit.com/r/programming/comments/15njgdc/apple_doesnt_want_you_developing_hobby_apps/jvmvxv6/__;!!IKRxdwAv5BmarQ!fsArQT1R77zoM9dYDuSYWa2EDSuZWXHf8RL6ndhUKVFs465WYl5KI24PM-gzQSn-C40Ow3bvU871smBGyyY33dx99byJuQeo8wU$<https://urldefense.com/v3/__https://www.reddit.com/r/programming/comments/15njgdc/apple_doesnt_want_you_developing_hobby_apps/jvmvxv6/?utm_source=share&utm_medium=mweb3x&utm_name=mweb3xcss&utm_term=1&utm_content=share_button__;!!IKRxdwAv5BmarQ!fsArQT1R77zoM9dYDuSYWa2EDSuZWXHf8RL6ndhUKVFs465WYl5KI24PM-gzQSn-C40Ow3bvU871smBGyyY33dx99byJe85GbbA$ >, was useful if you ignore the purely Reddit-like comments)

<https://urldefense.com/v3/__https://github.com/Homebrew/brew/issues/9082__;!!IKRxdwAv5BmarQ!fsArQT1R77zoM9dYDuSYWa2EDSuZWXHf8RL6ndhUKVFs465WYl5KI24PM-gzQSn-C40Ow3bvU871smBGyyY33dx99byJqX03vPY$ >
[9082.png]
Codesigning on macOS 11 on Apple Silicon ? Issue #9082 ? Homebrew/brew<https://urldefense.com/v3/__https://github.com/Homebrew/brew/issues/9082__;!!IKRxdwAv5BmarQ!fsArQT1R77zoM9dYDuSYWa2EDSuZWXHf8RL6ndhUKVFs465WYl5KI24PM-gzQSn-C40Ow3bvU871smBGyyY33dx99byJqX03vPY$ >
github.com<http://github.com/><https://urldefense.com/v3/__https://github.com/Homebrew/brew/issues/9082__;!!IKRxdwAv5BmarQ!fsArQT1R77zoM9dYDuSYWa2EDSuZWXHf8RL6ndhUKVFs465WYl5KI24PM-gzQSn-C40Ow3bvU871smBGyyY33dx99byJqX03vPY$ >

These two sources also point to a potential problem with ?ad hoc? signing that would have a ?works on my machine? effect, if the executable changes somewhere. But the debugging done doesn?t indicate that this is what is happening now from the messages received.


I don?t own a macOS computer, nor a macOS computer with Apple Silicon in order to do any of the debugging needed to confirm all of this.


Edouard Choini?re


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osgeo.org/pipermail/grass-dev/attachments/20230922/e07ec26f/attachment-0001.htm>

More information about the grass-dev mailing list