Anyone dealing with notarization issues? (Catalina)

Posted on
Mon Dec 09, 2019 4:00 pm
rhanson offline
Posts: 192
Joined: Apr 30, 2013

Last month, I rebuilt a domo server from scratch and chose Catalina. I know, whatever, too late now. :-) Generally I haven't experienced any issues. But it doesn't like non-notarized software. A couple of plugins exhibit some challenges with Gatekeeper, such as PiBeacon and Grafana. Both of these have complex code packages installed within the plugin, and Catalina doesn't like that. Upon installation, it complains. You can easily get around it by going to Security preferences and clicking Open Anyway. But occasionally, the plugins will trigger updates or other things, and I'll come back to the Mac session and see that Catalina blocked the plugin again. I can re-authorize it, but that doesn't last forever, just 15 min or whatever Apple chose.

So far, I've been able to work around these. But I fear that some update or natural process will make this thing pop up (and deny access to the plugin), when I'm unavailable and suddenly automation will start failing without any obvious reason until I check the screen.

Anyone dealing with this? Is there a way that we can check Gatekeeper logs? I could certainly scan those logs for new entries and send an alert to myself to go check it out. Alternatively, if we just sign the plugin packages, does that fix everything? I'm guessing anything with Execute permissions needs to be signed, but I haven't delved into the depths of how Gatekeeper works.

Posted on
Mon Dec 09, 2019 5:35 pm
jay (support) offline
Site Admin
Posts: 18219
Joined: Mar 19, 2008
Location: Austin, Texas

Re: Anyone dealing with notarization issues? (Catalina)

rhanson wrote:
But I fear that some update or natural process will make this thing pop up (and deny access to the plugin), when I'm unavailable and suddenly automation will start failing without any obvious reason until I check the screen.


<soapbox>Yes, we fear that this frenzied and reckless path towards "ultimate security" with little consideration to usability is only going to get worse. Apple has made complex software like ours increasingly difficult to install. Unfortunately, signing is no longer enough. In fact, we're pretty sure that starting in January it will be impossible for Indigo to meet all the requirements without a total redesign of how it works, forcing us to choose between the dire warning of running an unsigned installer or signing the installer and getting the even more scary malicious software dialog (it's unbelievable to me that the completely unprotected installer gets a softer sounding warning dialog).

In our opinion (and many others out on the net), Apple has gone too far down the security rathole. I'd like to think that after all the backlash and problem reports that they're getting, they will back off like Microsoft did after Vista (I think it was Vista), but my suspicion is that they will just double-down. They are driving developers from their platform because of the increasing hoops we have to jump through to develop for macOS. I don't think it's going to be long until the default setting will be to not allow any software to be installed that doesn't come from the App Store (again, we can't be in the app store without a total redesign/rewrite of Indigo). And changing that default will likely become more and more cumbersome until it's just removed.

At the very least, I hope that they will add a switch to turn off all this "protection" stuff for power users (the ones who are most experiencing these issues right now), but I'm not holding my breath...</soapbox>

Jay (Indigo Support)

Posted on
Mon Dec 09, 2019 6:47 pm
kw123 offline
Posts: 8363
Joined: May 12, 2013
Location: Dallas, TX

Re: Anyone dealing with notarization issues? (Catalina)

PiBeacon on the Indigo server has only one executable included: compress image.
The rest is Python and calls to system programs, e.g. matplot, expect, ssh and sftp.

On the RPi there are several executables, but they have nothing to do with Catalina.

UniFi uses expect and curl, no other executables.

Fing uses fing.bin; that should be taken care of.

If you see other errors, let me know.

Karl


Posted on
Mon Dec 09, 2019 7:45 pm
matt (support) offline
Site Admin
Posts: 21417
Joined: Jan 27, 2003
Location: Texas

Re: Anyone dealing with notarization issues? (Catalina)

You can strip off the quarantine bits from the plugins (or anything else) from the Terminal with:

Code:
sudo xattr -rd com.apple.quarantine PLUGIN_PATH_HERE

One could run that on the entire Indigo Plugins folder if needed.
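
Added example (not part of matt's post and not Indigo's code): before stripping the attribute from a whole folder, this read-only Python script lists which files still carry com.apple.quarantine, and when and by which application each was quarantined. The `flags;hex time;agent;event id` value layout and the `path: value` output of `xattr -r -p` are assumptions based on commonly observed macOS behaviour; the sample paths and values are constructed.

```python
#!/usr/bin/env python3
"""List files under a folder that still carry com.apple.quarantine (read-only)."""
import subprocess
import sys
from datetime import datetime, timezone

ATTR = "com.apple.quarantine"

# Constructed sample of `xattr -r -p com.apple.quarantine FOLDER` output.
SAMPLE = (
    "/constructed/Plugins/Example.plugin/Server Plugin/helper.bin: "
    "0081;5dee8a10;Safari;00000000-0000-0000-0000-000000000000\n"
    "/constructed/Plugins/Example.plugin/Server Plugin/plugin.py: 0081;5dee8a10;;\n"
    "this line is not a path/value pair and is skipped\n"
)

def parse_quarantine(value):
    """Decode 'flags;hex_time;agent;event_id' (assumed layout); None if malformed."""
    parts = value.strip().split(";")
    try:
        flags = int(parts[0], 16)
        when = datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc)
    except (ValueError, IndexError):
        return None
    return {"flags": flags, "when": when,
            "agent": parts[2] if len(parts) > 2 else "",
            "event_id": parts[3] if len(parts) > 3 else ""}

def parse_listing(text):
    """Turn 'path: value' lines into (path, info) pairs, skipping anything else."""
    found = []
    for line in text.splitlines():
        path, sep, value = line.rpartition(": ")
        info = parse_quarantine(value) if sep else None
        if info:
            found.append((path, info))
    return found

def scan(folder):
    """Run xattr on macOS; -p only prints the attribute, nothing is modified."""
    result = subprocess.run(["xattr", "-r", "-p", ATTR, folder],
                            capture_output=True, text=True)
    return parse_listing(result.stdout)

if __name__ == "__main__":
    folder = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, info in scan(folder):
        print(f"{info['when']:%Y-%m-%d %H:%M}Z  {info['agent'] or '?':<12} {path}")
```

Running it again after the `xattr -rd` command above should print nothing for the same folder; files that reappear in the listing were re-quarantined by a later download or update.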
