SageMath-9.0 authentication error

asked 2020-02-20 22:36:36 -0500

rana-aerea gravatar image

updated 2020-02-21 10:10:00 -0500

SageMath-9.0.app copied from mounted disk image file sage-9.0-OSX_10.15.2-x86_64.app.dmg was refused by macOS Mojave on my machine. I managed to bypass authentication for my machine in some way. But, this experience might suggest a bigger trouble. So, I would like to explain my workaround and then ask questions. I also ask cooperation of the developers and the users.

Symptom

A possible reason is the signature of Info.plist in SageMath-9.0.app.

```Console
        myhome$ codesign --verify /Applications/SageMath-9.0.app/
        /Applications/SageMath-9.0.app/: invalid Info.plist
        (plist or signature have been modified)
        In architecture: x86_64
```

Bypassing Authentication

On macOS Mojave, it is hard to work around this error. Articles on internet say that GUI-interface for skipping authentication was removed from macOS Mojave. I cannot verify the precise meaning of this change because I moved from macOS Mavericks to macOS Mojave skipping several versions. I also hesitate to upgrade to macOS Catalina because I am using some old software I do not expect to work in macOS Catalina.

Anyway, I managed to find a workaround for my machine. It was to use spctl command from Terminal.app. I describe it here.

First step is to disabling SecAssessment system.

```Console
        myhome$ sudo spctl  --master-disable
```

The second step is double clicking the Mac Application SageMath-9.0.app. (Depending on the settings of Finder, the file name may read SageMath-9.0.)

  1. A dialogue window appears and asks if it is OK to open SageMath-9.0.app. Click Open.
  2. Then, click Continue for the dialogue of Read-only Sage.
  3. If there is a .sage folder in the home folder, click Ask me Lator for the dialogue of Sage Notebook Upgrade.
  4. Web page loading-page.html and Jupyter's login page show-up. Close these two pages and quit Sage from menu of Icosahedron Icon.

The third step is to enable SecAssessment system.

```Console
        myhome$ sudo spctl  --master-enable
```

Analyzing the Trouble

I tested the situation in 2x2 = 4 combinations. Each time, I deleted SageMath-9.0.app and copied SageMath-9.0.app from the disk image file.

  1. Double click SageMath-9.0.app before unix command /Applications/SageMath-9.0.app/sage or in the reverse order.
  2. Double click SageMath-9.0.app while SecAssessment system is enabled and double click SageMath-9.0.app after SecAssessment system is disabled.

Altering contents of SageMath-9.0.app by relocate-once.py of invocation of /Applications/SageMath-9.0.app/sage earlier than the authentication does not change the situation.

I also applied codesign command immediately after copying SageMath-9.0.app from the disk image file. The command detected error in signature of Info.plist.

All these results suggest Info.plist of SageMath-9.0.app was altered after it was signed and before it was shipped out. Or a more serious possibility is different versions of macOS have different behaviour of authentication, which cause SageMath-9.0.app refused by different versions of macOS from the developer's environment.

I guess this should be solved in the next release.

Two Questions and Call for Cooperation

_The first question is if the developer' s environment accepts SageMath-9.0.app?_ If the environment accepts the software it has once accepted, test for this issue must include verfication of signature by codesign command. (An example of such a verification is quoted at the beginning.)

Here, I expect different behaviour of authentication from the one I observed. This is because I expect the developer compiles the software into the same application bundle in the same location overwriting the software, which might influence different behaviour of authentication from the user's machine.

_The second question is if is it OK to run /Applications/SageMath-9.1.app/sage from Terminal.app before authentication process (which is triggered by double clicking SageMath-9.1.app)?_ This is about the situtation in which SageMath-9.1 would pass the authentication process of macOS if authentication is earlier than the command line invocation of SageMath-9.1.app. As what Apple does is mysterious, I feel we should check this issue.

(I have in mind: a unix user helps his fiend installing SageMath-9.1.app knowing his fiend is scared of command line. However, for demonstration of how Sagemath works, he invokes the SageMath-9.1.app/sage. This can be at lunch time after sage is assinged in math class. They seperate and after several classes, the friend tries to use SageMath-9.1.app double clicking it. Unfortunately, the friend does not understand command line. The report on sage is impossible to be in time.)

Up to here, I was mainly writing to the developers. I also want to ask one thing to the users.

I heard authentication of macOS is getting stronger and stronger for these four years. I am afraid this means finalization of SageMath-9.1 requires testing authentication on macOS Sierra, macOS High Sierra, macOS Mojave and macOS Catalina. I volunteer to be the tester of authentication for macOS Mojave. _I ask the developers and the users to coopereate testing authentication of SageMath-9.1.app._

Addition: I found relevant questions.

  • ask sagemath
    • Sage 9.0 installation issues on macOS 10.15.2 Catalina
    • SageMath 9.0 app macOS: jupyter server fails to start
    • New SageMath 9.0 installation not running on Catalina. SageMath 8.7 worked fine.
  • sage support
    • "SageMath is damaged and can't be opened" on macOS 10.14
    • Jupiter Server fails to start on macOS Catalina
    • New User to SageMath Setup Issues
    • Sage 9.0 macOS Jupyter Server failed to start
    • sage does not run on Mac Catalina
    • SageMath-9.0.app fails to start on macOS 10.14.6

Possibly relevant:

  • sage support
    • I can't run SageMath neither 8.9 nor 9.0 on my iMac (Catalina)

None of them sugget testing codesign. I think this post is one little step forward.

edit retag flag offensive close merge delete