[chirp_users] MAC OS SIERRA (Tom Hayward)

Brian Dickman
Fri Jan 13 13:27:52 PST 2017


There's some misunderstanding about these two separate OS features.

System Integrity Protection (SIP), disabled with the "csrutil disable"
instructions, will allow loading of unsigned drivers (used to be the
nvram option kext-dev-mode before El Cap), as well as doing write
protection for system folders. It does not prevent/allow applications
themselves to run, unless those applications do questionable things at
launch such as writing to /System.

Gatekeeper, part of the popup message that you see when you launch a
new unsigned app, is unrelated to SIP. Gatekeeper is the system that
checks for signed applications and prevents launching them. If you are
having trouble launching an app, it's probably Gatekeeper. If you are
installing a 3rd party driver and that fails, it's likely SIP
(especially for poorly-behaved driver installers that still try to
write files in /System/Library/Extensions instead of
/Library/Extensions). If CHIRP runs but you can't see a usb-serial
cable, that may be SIP blocking the driver load.

Here is the most reliable way to "first time launch" an app you trust:
1) Download, extract, copy to /Applications as usual.
2) Right-click the app, and pick "open".
3) Approve the dialog box that appears.

Yes, there's hidden magic behind right click->Open. I just tried this
with CHIRP daily on Sierra 10.12.2 and it worked great, first time and
subsequent launches (subsequent launches I double-clicked the icon
rather than using the Open option). SIP is still enabled on my system.

If you are still having problems launching an app, you can try out the
master Gatekeeper disable. Do this first before resorting to a SIP
disable, because it's likely Gatekeeper and not SIP that is causing a
launch issue. This is similar to the old option in the Privacy
Preferences called "allow apps from anyone":

https://www.tekrevue.com/tip/gatekeeper-macos-sierra/

tl;dr: If an app doesn't launch, right click and "Open". If you must,
use "sudo spctl --master-disable".

--
Brian

On Fri, Jan 13, 2017 at 10:20 AM, Niel Skousen
<nskousen at ecsecurityinc.com> wrote:
> I'm fairly certain the OS remembers by application, so if you turn off the csr to run an app (it is actually a per instance off, not a full daemon off...) it remains in force for the 'next' unsigned app it detects.
>
> Niel
>
> On Jan 13, 2017, at 10:10 AM, Tom Hayward <tom at tomh.us> wrote:
>
>> On Fri, Jan 13, 2017 at 9:06 AM, Eric Chopin <echopin27 at gmail.com> wrote:
>>> Hello Tom,
>>> Thank you for the procedure, though I am a bit reluctant to disable the SIP
>>> installed in the OS... I am not suggesting that there is some malware in
>>> CHIRP; nonetheless the possibility will always be there.
>>> Let's assume I disable the csrutil to allow CHIRP to work, if I re-enable
>>> csrutil after I have run CHIRP, will this action prevent me using CHIRP
>>> again or will the OS remember that csrutil allowed CHIRP earlier on?
>>
>> I'm afraid I don't know the answer to your question. Hopefully someone
>> else can chime in.
>>
>> Tom
>> _______________________________________________
>> chirp_users mailing list
>> chirp_users at intrepid.danplanet.com
>> http://intrepid.danplanet.com/mailman/listinfo/chirp_users
>> This message was sent to Niel at nskousen at ecsecurityinc.com
>> To unsubscribe, send an email to chirp_users-unsubscribe at intrepid.danplanet.com
>>
>
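
The Gatekeeper-versus-SIP distinction drawn in the message above, as an added example (not part of the original thread and not CHIRP project code): a shell function that reads the text printed by `spctl --status`, `csrutil status` and `spctl --assess` and reports which feature to look at, so neither has to be disabled just to find out. The app path /Applications/CHIRP.app and the result labels are assumptions made for the example.

```shell
#!/bin/sh
# Added example: decide which feature to look at before disabling anything.
# classify() works on the text the tools print, so it can be tried with
# constructed strings on any machine.
#   $1 symptom: "launch" (app will not open) or "driver" (no usb-serial port)
#   $2 output of: spctl --status
#   $3 output of: csrutil status
#   $4 output of: spctl --assess --type execute -v <app>
classify() {
    case "$1" in
        launch)
            # Gatekeeper switched off globally cannot be what blocks the launch.
            case "$2" in
                *"assessments disabled"*) echo "gatekeeper-off"; return 0 ;;
            esac
            case "$4" in
                *": rejected"*) echo "gatekeeper-blocks" ;;  # try right-click, Open
                *": accepted"*) echo "gatekeeper-allows" ;;  # problem is elsewhere
                *) echo "unknown" ;;
            esac ;;
        driver)
            case "$3" in
                *"status: enabled"*) echo "sip-may-block" ;;
                *"status: disabled"*) echo "sip-off" ;;
                *) echo "unknown" ;;
            esac ;;
        *) echo "unknown" ;;
    esac
}

# Live check, run only where the macOS tools exist.
# The default path is an assumption; pass the real app path as argument 1.
if command -v spctl >/dev/null 2>&1 && command -v csrutil >/dev/null 2>&1; then
    app="${1:-/Applications/CHIRP.app}"
    gk=$(spctl --status 2>&1 || true)
    sip=$(csrutil status 2>&1 || true)
    verdict=$(spctl --assess --type execute -v "$app" 2>&1 || true)
    echo "app will not launch -> $(classify launch "$gk" "$sip" "$verdict")"
    echo "usb-serial missing  -> $(classify driver "$gk" "$sip" "$verdict")"
fi
```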