Go Back   Cockos Incorporated Forums > REAPER Forums > REAPER Bug Reports

Reply
 
Thread Tools Display Modes
Old 10-13-2019, 10:52 PM   #1
#pragma
Human being with feelings
 
Join Date: Jan 2010
Location: Auckland, New Zealand
Posts: 4
Default Reaper must be notorised by Apple to run on Catalina

Hi folks

Well, MacOS 10.15 Catalina release came around, and I upgraded to it (I had reasons). Reaper ran fine, no problems at all - as long as you're not dependent on SWS extensions - Catalina has a security issue with its dylib.

Feeling slightly smug, I got on with it....until today's Reaper upgrade from 5.983 to 5.984. Now instead of Reaper, I have a MacOS X pop-up that says:

"REAPER64" can't be opened because Apple cannot check it for malicious software. This software needs to be updated. Contact the developer for more information.

So, dear folks at Cockos, I hope you were aware of this coming your way from Apple...?

From Apple News(https://developer.apple.com/news/?id=06032019i), all Mac apps, installer packages, and kernel extensions that are signed with Developer ID must also be notarized by Apple in order to run on macOS Catalina.
#pragma is offline   Reply With Quote
Old 10-13-2019, 11:37 PM   #2
mschnell
Human being with feelings
 
mschnell's Avatar
 
Join Date: Jun 2013
Location: Krefeld, Germany
Posts: 8,153
Default

Apple seems to be doomed

-Michael
mschnell is offline   Reply With Quote
Old 10-14-2019, 03:43 AM   #3
DarkStar
Human being with feelings
 
DarkStar's Avatar
 
Join Date: May 2006
Location: Surrey, UK
Posts: 18,078
Default

Several big developers have advised against updating to Catalina until they (the developers) have updated their programs / plug-ins / installers as needed.
__________________
DarkStar ... interesting, if true. . . . Inspired by ...
DarkStar is offline   Reply With Quote
Old 10-14-2019, 05:36 AM   #4
mschnell
Human being with feelings
 
mschnell's Avatar
 
Join Date: Jun 2013
Location: Krefeld, Germany
Posts: 8,153
Default

Quote:
Originally Posted by DarkStar View Post
Several big developers have advised against updating to Catalina until they (the developers) have updated their programs / plug-ins / installers as needed.
Supposedly some (less "big") never will...
-Michael
mschnell is offline   Reply With Quote
Old 10-14-2019, 06:39 AM   #5
Davimon
Human being with feelings
 
Join Date: Apr 2010
Posts: 5
Default ... thought the problem was resolved but it is not

Update: Error found with running Reaper in OS Catalina is not resolved by reboot.
Davimon is offline   Reply With Quote
Old 10-14-2019, 07:57 AM   #6
SSL4000E
Human being with feelings
 
Join Date: Oct 2018
Posts: 9
Default

If you right click on the app and click open it should work.
SSL4000E is offline   Reply With Quote
Old 10-14-2019, 09:07 AM   #7
schwa
Administrator
 
schwa's Avatar
 
Join Date: Mar 2007
Location: NY
Posts: 10,376
Default

It will work if you go to System Preferences > Security & Privacy, and click "Open Anyway" at the bottom. You only need to do that once, until you install a newer version of REAPER.
schwa is offline   Reply With Quote
Old 10-14-2019, 09:40 AM   #8
Justin
Administrator
 
Justin's Avatar
 
Join Date: Jan 2005
Location: NYC
Posts: 12,571
Default

Here is an instructional gif:

https://1014.org/_/reaper_catalina.gif
Justin is online now   Reply With Quote
Old 10-14-2019, 09:52 AM   #9
PhelixK
Human being with feelings
 
PhelixK's Avatar
 
Join Date: Mar 2019
Posts: 103
Default

Here Reaper works as expected under macOS10.15. SWS as well.

If continuous problems loading SWS plugin, you can try force code-sign like this,
Drag and drop the dylib extension (blue text) into Terminal after command:

codesign --force --deep --sign - /reaper_sws_extension.dylib

https://i.ibb.co/HdYtMRV/reaper-osx10-15.gif

.

Last edited by PhelixK; 10-14-2019 at 10:19 AM. Reason: thumb
PhelixK is offline   Reply With Quote
Old 10-14-2019, 01:15 PM   #10
Justin
Administrator
 
Justin's Avatar
 
Join Date: Jan 2005
Location: NYC
Posts: 12,571
Default

For SWS you can fix it by running this from Terminal.app:

Code:
xattr -d com.apple.quarantine ~/Library/Application\ Support/REAPER/UserPlugins/reaper_sws_extension.dylib
Justin is online now   Reply With Quote
Old 10-14-2019, 03:58 PM   #11
nofish
Human being with feelings
 
nofish's Avatar
 
Join Date: Oct 2007
Location: home is where the heart is
Posts: 9,184
Default

Quote:
Originally Posted by PhelixK View Post
hmm, I believe I tried that as well.
Anyway, I see there's a typo, a reverse solidus, line should be:
Code:
xattr -d com.apple.quarantine ~/Library/Application Support/REAPER/UserPlugins/reaper_sws_extension.dylib
It's to escape the space in the filepath.
nofish is offline   Reply With Quote
Old 10-14-2019, 04:12 PM   #12
PhelixK
Human being with feelings
 
PhelixK's Avatar
 
Join Date: Mar 2019
Posts: 103
Default

Quote:
Originally Posted by nofish View Post
It's to escape the space in the filepath.
ah yes of course, works in Terminal, but not in Finder, thanks.
PhelixK is offline   Reply With Quote
Old 10-14-2019, 05:07 PM   #13
_Stevie_
Human being with feelings
 
_Stevie_'s Avatar
 
Join Date: Oct 2017
Posts: 3,020
Default

This is insane.... staying with Mojave for the time being.
__________________
My Reascripts forum thread | My Reascripts on GitHub | Stephan Römer - film composer
If you wish to donate for my scripts: please consider an organization like: animal shelter, doctors without borders, UNICEF, etc...
_Stevie_ is offline   Reply With Quote
Old 10-14-2019, 10:47 PM   #14
#pragma
Human being with feelings
 
Join Date: Jan 2010
Location: Auckland, New Zealand
Posts: 4
Default Devil's advocate

Quote:
Originally Posted by _Stevie_ View Post
This is insane.... staying with Mojave for the time being.
Well, no, I don't think it is.

When I started this thread I was slightly peeved at this hiccup (thanks folks, by the way, for the solution - worked like a dream) but I knew the risk I was taking without thoroughly researching readiness. I wouldn't do that on a client's production servers, but I chose to on my Mac. Caveat whatnot. But more importantly I'm not sure it's a Bad Idea.

Now, I'm coming late to the debate (I've been a developer for many years, but I'm not an active MacOS developer, so haven't been paying attention) so there may be something I'm unaware of, but I can see the merit in "notarising" packages. Given how it's being used, at least here, they're clearly taking some sort of checksum that MacOS systems can use to verify the contents. Sounds like a worthy goal and perhaps a reasonable plan to me, frankly. I don't see anyone else, outside of proprietary systems like iSeries, doing anything significant about the issue...

Are they charging for it or something?
#pragma is offline   Reply With Quote
Old 10-14-2019, 11:07 PM   #15
EvilDragon
Human being with feelings
 
EvilDragon's Avatar
 
Join Date: Jun 2009
Location: Croatia
Posts: 23,621
Default

No, they're not charging AFAIK, but you have to send your installer to them and then WAIT until they process their queue. Considering how fast Cockos can be with updates to Reaper, I don't see this as being useful to Cockos as it would just delay each and every release (whereas Win and Linux people can just get on with their lives without any of this crap), hence the user-side workarounds proposed.
EvilDragon is offline   Reply With Quote
Old 10-14-2019, 11:11 PM   #16
Tale
Human being with feelings
 
Tale's Avatar
 
Join Date: Jul 2008
Location: The Netherlands
Posts: 3,005
Default

Well, actually you do have to have a developer account, which is not free. But they are indeed not charging per upload.
__________________
Martinic Kee Bass - Scanner Vibrato - Elka Panther - Tale's JSFX Pack
Tale is offline   Reply With Quote
Old 10-14-2019, 11:16 PM   #17
EvilDragon
Human being with feelings
 
EvilDragon's Avatar
 
Join Date: Jun 2009
Location: Croatia
Posts: 23,621
Default

I'd assume Cockos already has that account. Still, it's a needless hassle that slows down your releases, particularly when they're as often occuring as they do with Cockos...
EvilDragon is offline   Reply With Quote
Old 10-15-2019, 12:19 AM   #18
Tale
Human being with feelings
 
Tale's Avatar
 
Join Date: Jul 2008
Location: The Netherlands
Posts: 3,005
Default

Quote:
Originally Posted by EvilDragon View Post
Still, it's a needless hassle that slows down your releases, particularly when they're as often occuring as they do with Cockos...
Amen to that!
__________________
Martinic Kee Bass - Scanner Vibrato - Elka Panther - Tale's JSFX Pack
Tale is offline   Reply With Quote
Old 10-15-2019, 05:08 AM   #19
mschnell
Human being with feelings
 
mschnell's Avatar
 
Join Date: Jun 2013
Location: Krefeld, Germany
Posts: 8,153
Default

Quote:
Originally Posted by EvilDragon View Post
I'd assume Cockos already has that account. Still, it's a needless hassle that slows down your releases, particularly when they're as often occuring as they do with Cockos...
In fact actually preventing any Beta testing.
-Michael
mschnell is offline   Reply With Quote
Old 10-15-2019, 09:03 AM   #20
cyrano
Human being with feelings
 
cyrano's Avatar
 
Join Date: Jun 2011
Location: Belgium
Posts: 4,644
Default

Quote:
Originally Posted by mschnell View Post
In fact actually preventing any Beta testing.
-Michael
Can't you pass a beta through the Apple notarisation system? You can for iOS, in any case.

It's much more harmful for open source software, especially libraries. Not to mention 3rd party kernel extensions won't be possible anymore either, IIUC.
__________________
“It has become appallingly obvious that our technology has exceeded our humanity” Albert Einstein
cyrano is offline   Reply With Quote
Old 10-15-2019, 12:08 PM   #21
mschnell
Human being with feelings
 
mschnell's Avatar
 
Join Date: Jun 2013
Location: Krefeld, Germany
Posts: 8,153
Default

Quote:
Originally Posted by cyrano View Post
It's much more harmful for open source software, especially libraries. Not to mention 3rd party kernel extensions won't be possible anymore either, IIUC.
I suppose this is the hidden goal of the effort: even more lock the users in their commercial universe.
-Michael
mschnell is offline   Reply With Quote
Old 10-16-2019, 02:03 AM   #22
cyrano
Human being with feelings
 
cyrano's Avatar
 
Join Date: Jun 2011
Location: Belgium
Posts: 4,644
Default

At the same time, they're pushing Swift on Linux. The just released a new one for Ubuntu yesterday.

Gotta love Apple
__________________
“It has become appallingly obvious that our technology has exceeded our humanity” Albert Einstein
cyrano is offline   Reply With Quote
Old 10-18-2019, 05:04 AM   #23
dupont
Human being with feelings
 
dupont's Avatar
 
Join Date: Nov 2007
Location: France
Posts: 655
Default

is it time to leave OSX.
I will probably buy a new mac next year and I don't want to purchase an expensive and useless computer ?
dupont is offline   Reply With Quote
Old 10-22-2019, 10:20 AM   #24
serr
Human being with feelings
 
Join Date: Sep 2010
Posts: 8,477
Default

Quote:
Originally Posted by dupont View Post
is it time to leave OSX.
I will probably buy a new mac next year and I don't want to purchase an expensive and useless computer ?
OSX isn't broken yet. When it finally dies... Let's say 10.13.6 is the last stable version they ever release. Based on previous patterns, you'll have 10 years before any 3rd party software stops supporting that OS and tells you it's too old.

The last genuine "Apple" Apple computers are the mid 2012 models. Post Steve Jobs machines are fragile and not very Apple-like. These are what I call "in-between times". Buy used right now if you want an Apple. The new post-Jobs machines are so fragile that even a 10 year old genuine Apple will still outlast them. There are risks with buying used of course but when you can buy 5 machines with higher spec for the same as the cost of a single machine...
serr is offline   Reply With Quote
Old 10-26-2019, 03:34 PM   #25
cfillion
Human being with feelings
 
cfillion's Avatar
 
Join Date: May 2015
Location: Québec, Canada
Posts: 2,886
Default

Right clicking on the REAPER .app and selecting "Open" let's it be opened without having to open the system preferences and entering a password.

https://i.imgur.com/xBfOPua.gif
cfillion is offline   Reply With Quote
Old 10-30-2019, 12:50 PM   #26
spblat
Human being with feelings
 
Join Date: May 2015
Posts: 7
Default

Catalina is definitely fine. As above, to get REAPER to run the first time, find the application icon, right click, open, click ok at the warning. REAPER will always launch after that. It's the same for any other unsigned application.

And Justin's workaround above for SWS is also confirmed working for me under Catalina.
spblat is offline   Reply With Quote
Old 11-04-2019, 02:27 PM   #27
Flint_6
Human being with feelings
 
Join Date: Sep 2016
Posts: 19
Default

I have very mixed feelings about this. On the one hand - by updating - the normal installation procedure of my Mac exploded in my face with music software. All music software companies are currently warning their users not to update yet, for a good reason. So I'm "inconvenienced" by this change.

On the other hand. The world is changing. We're using cloud drives instead of external HDs, cloud services, many new technologies. And want our OS to keep up and use those new possibilities as well. We want change, cool new things that help our workflows, as long as everything stays the same (meaning we're want new things but we don't want anything that's different, which of course doesn't work). New things mean change. New functions. New security problems.

At that, thanks to all the cloud-bonanza and always-connectedness, bad guys have found a very lucrative way of making money. Ransomware. It's probably the anti-word of the year 2019. When you read the news, you'll see that no week goes by where there's not a ransomware attack. Probably multiple. And some state, school, police department, hospital ... was hit. Millions of dollars are asked to get vital data back. This is the reality, and it happens really a lot these days. Computers are supposed to "just work", but have so many security flaws, especially the users sitting in front of it, that this happens all the time.

OS vendors should protect their users as much as possible. By notarising, Apple introduces a very annoying step for developers. But it gives Apple a very powerful tool to stop malware. Remember when VLC was hacked to spread malware? This would not have happened if VLC had been notarised. Also, should at any point, a malware infected build slip through, Apple can just revoke the certificate and no subsequent installation would work, effectively stopping the malware from spreading.

It is unfortunately the online and connected world we live in and attacks on computer systems, professional or personal, will only get better. They never get worse. And they will get more numerous. Because there is a fortune to be made with ransomware these days. It's a real gold mine.

Currently, I'm greatly inconvenienced as a user, as are many many devs. Melda Production was so pissed they even advised their customers to switch to Windows I would not like my work to be held hostage and when I think of all the moms and pops using computers, clicking on any crap on a website that tells them to download and install something, I'm more than happy to currently have a hiccup or two on the way if it means they'll be safer down the road. As will I.

Nobody is forced to move to Catalina now. It's the devs currently having the majority of work. We can still remain on Mojave.

Think of it this way. In the beginning, there were no speed limits because cars were a new concept. But today, there is a reason there are speed limits on the highway. Yes, you cannot go from A to B at 200mph, even if your car would be capable of it. On the other hand, everybody is more safe because you can't. Including you. Connected computers are a risk these days. Not because of Microsoft or Apple, but because bad guys can make a lot of money with it.

Last edited by Flint_6; 11-04-2019 at 02:34 PM.
Flint_6 is offline   Reply With Quote
Old 11-05-2019, 01:13 AM   #28
zabukowski
Human being with feelings
 
zabukowski's Avatar
 
Join Date: Nov 2009
Posts: 111
Default

The true and false security benefits of Mac app notarization ...

"False Benefit: Malware Scan"

https://lapcatsoftware.com/articles/notarization.html
__________________
My software & music...
http://www.zabukowski.com/software
http://www.zabukowski.com
zabukowski is offline   Reply With Quote
Old 11-05-2019, 02:34 AM   #29
Flint_6
Human being with feelings
 
Join Date: Sep 2016
Posts: 19
Default

Quote:
Originally Posted by zabukowski View Post
"False Benefit: Malware Scan"
Correct. It's not about "scanning" for malware. And I didn't say it's about scanning. It's about preventing malware from even coming to the system. It's reversing the way software is executed. Or at least this is the way it should work.

Past: Allowing everything to just download and execute, scanning for malware along the way, hoping the scanner already knows about all the bad stuff out there. The thing is, malware creation software introduces randomness on the fly and there's so much new stuff out there it's impossible to keep up.

Present: Locking the door by default. And when somebody rings, have a look who's there. It's what we have to do at home anyway. Nobody would leave their door unlocked and everybody could just come in and we would hope all of those people are nice. We lock the door by default and look who's there. We open when we think it's OK.

That's what notarisation does. By default, the door is locked. And it only lets software execute that comes from trusted sources and that are who they claim to be. For example they come with a postal service uniform, or UPS uniform. Mac now checks their ID so nobody just dresses as a postman.

Like in the case of VLC, where hackers got hold of the repository and introduced malware to the download that infected everybody that happened to download VLC from the website during that period of time. Hackers can still do that. But since they don't have access to the dev account, they cannot sign it. They could not make VLC execute on any Mac.

Reading your article, I see the drawbacks. It's not a perfect system, that's for sure. And I hope Apple will develop it further. This is just a first step and at some point, the dev needs to do the annoying mumbo-jumbo so the OS can more aggressively lock down the system. Currently, it's a balance between some added security in some cases, a lot of added annoyance, some comfort features so user's don't get to see an annoying dialog EVERY time they download an app update. I guess those rules are going to become more strict and secure so the security benefits will grow.

I also hate the idea of Apple being a gate keeper and only allowing software they like on their system, effectively locking it down like iOS. I love all the independent tools the Mac offers. But when you look at SSL certificates, where thousands of commercial companies basically can sign certificates and there's no central instance verifying them all, basically hackers are free to do what they want. Security news is also littered with cases where bad guys created false certificates for Google, Facebook and many others and countries that are more repressive and have less democracy and more surveillance use this technique to spy on their users by generating SSL certificates for Facebook so they act as a man-in-the-middle and read all traffic going through. If you open up this system, it's not going to work. It's either dangerous or more secure. Finding an acceptable balance is the hard part. And there will be tears along the way. For now, we still have options, like staying on Mojave for example.

The OSses, all of them, have to become more secure, there's no question about it. The internet has become a place where hackers can almost without fear of being caught, make millions by encrypting users' machines. It's a real plague. And even though I have lots of different backups, I don't want to get in a situation where I need those.

Last edited by Flint_6; 11-05-2019 at 07:15 AM.
Flint_6 is offline   Reply With Quote
Old 11-05-2019, 08:03 AM   #30
serr
Human being with feelings
 
Join Date: Sep 2010
Posts: 8,477
Default

You can always just turn it off too if you please.
The 3rd "Allow from anywhere" option on the System Preferences security page is still hidden. (Going on 3 revisions of OSX now. Looks to be intentional.) But it's still there and you can set it with a Terminal command.

sudo spctl --master-disable

And then go back to the old method of making sure your backup clone of your system drive is current before grabbing that piratebay download. Clone back and overwrite when it turns out to be not what it said it was.

To me, this is still simple and quick and doesn't rely on trusting anything or anyone.
serr is offline   Reply With Quote
Old 11-08-2019, 03:04 AM   #31
Flint_6
Human being with feelings
 
Join Date: Sep 2016
Posts: 19
Default

Also, creating an account at Apple and notarizing a build you do might take longer than not doing it at all, but it doesn't seem like it's a multi month process. The outcry is now during the transition period and in 6 months we'll have forgotten it ever existed. Also, critical apps like iLok managed to get it working by now. This enforces my understanding that it doesn't seem to be that hard. We just have to wait a little. Or turn the security feature off, as @serr said.

Problems I see is when you developed an app in a more careless way. Careless I means in the sense of the places you write data to. It is of course easy to just request to be able to write data anywhere and then you're free to do whatever you want. But it is the user's machine after all. One should not litter files around everywhere. When you write license files in some system directory, for example. This should always have been a no no. When you wildly want to access system folders, user's data folders, downloads folder. This rightly should raise alarm flags in the OS.

I hope this will eventually also end up in more organised apps and config file places. I for example cannot understand why config files need to be littered all over the place. Preferences folder, application support folders, containers. It's really annoying how Mac is set up in that way. But Windows is not a lot better with its different App Data folders and user data folder. Why not make a config folder in the user's data folder and place everything there. Next time I set up my new machine, I just sync my data folder and everything is done. I don't have to guess and look in 5 places where all the settings I carefully made are.
Flint_6 is offline   Reply With Quote
Old 11-08-2019, 07:19 AM   #32
doppelganger
Human being with feelings
 
Join Date: Feb 2017
Posts: 418
Default

Quote:
Originally Posted by Flint_6 View Post
Problems I see is when you developed an app in a more careless way. Careless I means in the sense of the places you write data to. It is of course easy to just request to be able to write data anywhere and then you're free to do whatever you want. But it is the user's machine after all. One should not litter files around everywhere. When you write license files in some system directory, for example. This should always have been a no no. When you wildly want to access system folders, user's data folders, downloads folder. This rightly should raise alarm flags in the OS.
It's a job for root/admin rights, not notarization.

Quote:
Originally Posted by Flint_6 View Post
Also, creating an account at Apple and notarizing a build you do might take longer than not doing it at all, but it doesn't seem like it's a multi month process. The outcry is now during the transition period and in 6 months we'll have forgotten it ever existed. Also, critical apps like iLok managed to get it working by now. This enforces my understanding that it doesn't seem to be that hard. We just have to wait a little. Or turn the security feature off, as @serr said.
If you go somewhere and explicitly download some 3-rd party app, you realize the risk and explicitly bypass security/notarization check by yourself anyway, then what's the point of this notarization in the first place?
Just don't download software from unknown source and you'll be fine even without notarization. ))
And obviously, people, who write malware,
they don't do this on legit mac with legit personal data and legit developer id,
obviously it's stolen or anonymous ID on virtual machine.
If apple will remove possibility to run un-notarized software completely or will make,
that to notarize an app in future you'll need to have legit developer id, which costs 100$ per year,
then many devs, who just make some kexts, free apps, etc, will say:



and i'm almost sure, that this "one more level of security" is just to make it paid in future to create one more money-milking "service", like signing right now))
doppelganger is offline   Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT -7. The time now is 05:41 PM.


Powered by vBulletin® Version 3.8.11
Copyright ©2000 - 2019, vBulletin Solutions Inc.