El Capitan compatibility

Open andrew-hill opened this issue 9 years ago • 51 comments

As I'm sure you're aware, public & developer betas are out for OS X 10.11 El Capitan.

During installation (public beta), Asepsis was explicitly noted as being incompatible and disabled by OS X.

Are you planning on releasing a version compatible with El Capitan, and if so is there a (rough) timeline?

andrew-hill avatar Jul 23 '15 05:07 andrew-hill

AFAIK Asepsis under El Capitan with System Integrity Protection enabled is not possible.

I'm going to stop developing Asepsis and supporting it under El Capitan.

darwin avatar Jul 26 '15 16:07 darwin

Interesting, I wasn't aware of this change, so good to know...

A bit of light reading for anyone else who comes across this and doesn't know about System Integrity Protection: Wikipedia and Apple El Capitan changes.

Apparently you can disable System Integrity Protection, but it's not a simple setting in System Preferences, so presents a pretty big barrier for Asepsis and a lot of other utilities like it that inject/override/etc.

It'll be interesting to see if Apple allow specific exceptions to it, without entirely disabling System Integrity Protection... I'll certainly be submitting some feedback about this, and would encourage others to do so as well. My guess is they'd go for something like 'signed extensions' for this, rather than arbitrarily disabling specific aspects of SIP.

andrew-hill avatar Jul 27 '15 02:07 andrew-hill

I've filed a 'bug' through the Feedback Assistant, and suggest others do the same. And yes, I'm aware of the bias against telling Apple what we actually want; imho the vote should be counted regardless.

Joshfindit avatar Aug 04 '15 18:08 Joshfindit

I was (naïvely) hoping that Apple would finally at least provide an option in vanilla El Capitan to cease .DS_Store pollution. I guess I'll just keep waiting.

Noctem avatar Aug 10 '15 03:08 Noctem

You say that "Asepsis under El Capitan with System Integrity Protection enabled is not possible". This feature can be disabled in Recovery Mode, though. Which I already did to make XtraFinder work :D Would it be possible to do the same with Asepsis? Is it safe to just try to install the latest version with SIP turned off?

DanielSmedegaardBuus avatar Aug 11 '15 08:08 DanielSmedegaardBuus

I just tried...

"This version of Asepsis is only supported under OS X 10.8, 10.9 or 10.10."

D-an-W avatar Aug 11 '15 08:08 D-an-W

@DanielSmedegaardBuus I guess Asepsis works with SIP disabled under El Capitan. But I haven't tested it myself. I can prepare a new build with OS requirement check disabled.

darwin avatar Aug 11 '15 08:08 darwin

Please do!

D-an-W avatar Aug 11 '15 09:08 D-an-W

http://downloads.binaryage.com/Asepsis-1.5.2.dmg

Before installing, please run this command in Terminal.app:

touch ~/.no-asepsis-os-restriction

I have just briefly tested it here on my El Capitan B6 system and Asepsis seems to work. The only problem is that some apps that link against DesktopServicesPriv.framework will be treated as newly downloaded from the internet. I had to click through all the warning dialogs again.

darwin avatar Aug 12 '15 10:08 darwin

Everything other than the update checker seems to work here. Assuming there isn't going to be another update, can this be disabled to prevent the errors?

D-an-W avatar Aug 12 '15 20:08 D-an-W

You have two options:

  1. This will just suppress update errors, but updater will run:
     touch ~/.asepsis-suppress-update-errors
  2. This should uninstall updater component:
     asepsisctl uninstall_updater

darwin avatar Aug 12 '15 20:08 darwin

Awesome! Works :D Thank you so much :) OS X had already started cluttering my project directories, was so sad to not have Asepsis around anymore to prevent that :) :+1:

DanielSmedegaardBuus avatar Aug 13 '15 07:08 DanielSmedegaardBuus

I had to click through all the warning dialogs again.

There is some talk around this that's not related to Asepsis: http://forums.macrumors.com/threads/getting-lots-of-the-first-time-warning-at-system-startup-after-upgraded-to-dp6.1905498/ - Some people there are having success with enabling auto-login. Maybe related?

Joshfindit avatar Aug 13 '15 18:08 Joshfindit

Even after running the commands: touch ~/.no-asepsis-os-restriction & touch ~/.asepsis-suppress-update-errors the installer is still returning an install error ( using your 1.5.2 installer )

Anything else I can do?

MichaelZaporozhets avatar Aug 29 '15 15:08 MichaelZaporozhets

@MichaelZaporozhets I'm sorry, I have no idea

darwin avatar Aug 29 '15 19:08 darwin

@MichaelZaporozhets Try to disable https://forums.developer.apple.com/thread/3981 and touch ~/.no-asepsis-os-restriction use 1.5.2.installer, works for me

LuChenTar avatar Sep 02 '15 06:09 LuChenTar

I saw the page got updated saying Asepsis is no longer maintained and will be made to work on El Capitan, which is sad.

It has been one month since this thread was active. Is there any update on this?

dinamic avatar Oct 01 '15 14:10 dinamic

I have published the 1.5.2 version on the site and wrote this: http://asepsis.binaryage.com/#sip

Is there anything I should add or explain better?

darwin avatar Oct 01 '15 15:10 darwin

Did the installer get broken? When I try to run the installer it says: "Asepsis.pkg" can't be found.

ckreon avatar Oct 03 '15 11:10 ckreon

@darwin Question: could Asepsis be altered in such a way that it could be installed by first disabling SIP, then installing the utility, then re-enabling SIP? Or is the way Asepsis works incompatible with that approach?

Also does disabling SIP make the OS any less secure than it was under Yosemite? It is strictly a new enhancement, right?

mikegreiling avatar Oct 15 '15 06:10 mikegreiling

As far as I am aware, SIP needs to remain disabled for Asepsis to function normally (along with other Binary Age products, including TotalFinder and TotalTerminal).

Regarding security, again, as far as I'm aware, you aren't any less secure than under Yosemite - but there can be an issue with certain things, an example being the new Disk Utility app. It assumes permissions can't be modified, and thus doesn't include a permission repair tool (not even one we can access via terminal).

There may be other assumptions like this throughout the operating system that could cause vulnerabilities with SIP off. Personally, I think as long as you use common sense and follow the same precautions you always have, it shouldn't be an issue. But technically speaking, it does make the system less secure than it could be, and the OS was built assuming it would remain on for normal use. Take from that what you will.

I actually downgraded back to Yosemite as the Capitan upgrade killed all of my permissions, and without a repair tool, it wasn't really feasible to try and sort through all the directories manually. I assume this was caused because I upgraded while having software like HomeBrew, Asepsis, and TotalTerminal - which intertwine with the OS in somewhat complicated ways. I will try again pretty soon, maybe once the first patch goes public. Hopefully a clean install will prevent the permissions nightmare I faced the first time.

ckreon avatar Oct 15 '15 06:10 ckreon

@darwin First of all, I would like to thank you very much for the hard work that has gone into developing some of my most valuable tools, namely TotalFinder, TotalTerminal and Asepsis. Updating to 10.11 has unfortunately impacted my work flows in a considerable way, because I cannot, more or less, rely on these great utilities anymore.

On the binaryage forum user aaaron_king mentioned that another developer evidently managed to circumvent SIP by having their code injection handled by a kernel extension.

@darwin I apologize in advance as I don't fully understand all the technical requirements involved here, but I was reading about code injection and I came across a mod called "DockMod" that figured out a way to do code injection in El Capitan without disabling SIP. Portions of their FAQ page says:

Dockmod 4 for El Capitan does not modify any system files. Apple introduced a new security policy on OS X El Capitan [SIP] that prevents modification of system files, even by privileged processes... To get around these measures and still achieve code injection, Docked 4 utilizes a signed kernel extension (KEXT) to handle the injection…

Docked 4 does not require you to disable System Integrity Protection (Rootless). See FAQ section on: https://www.spyresoft.com/dockmod/25

This option may not even be possible for TF, but I thought I'd bring it up in case no one else had.

Did you ever get a chance to look into this? It may or may not be the solution for TotalFinder, TotalTerminal and Asepsis. It almost sounds as if you could simply launch the injection process from the kext which has the necessary rights to do so. Unfortunately I wasn't personally able to test anything the like, as I currently don't have a paid Apple Developer membership which is required to codesign the kext these days…

m-urban avatar Feb 02 '16 13:02 m-urban

@m-urban Thanks, I'm glad you find my apps useful. Dockmod approach was promising, we tried it recently, but KEXT signing must be approved by a live person in Apple and they declined our request.

... Kext signing is not intended for products that bypass OS X security features such as System Integrity Protection. ...

darwin avatar Feb 02 '16 17:02 darwin

They should fix the damn underlying reasons people turn to things like Asepsis/Total/XtraFinder in the first place instead of just locking everything down without any consideration. I mean… would they prefer people disabling these security features altogether?

danielbayley avatar Feb 02 '16 17:02 danielbayley

@danielbayley: people usually don't disable security features, the majority simply stops using our apps. I'm glad there is at least a way for technical people to disable SIP if they really have to. Could have been worse :)

darwin avatar Feb 02 '16 17:02 darwin

@darwin Thanks for the explanation. That is too bad, really. I wonder how the Dockmod folks got to their certificate…

It seems that these Hackintosh Guys are struggling with the same kind of problems. From their forum posts I get that kexts are cached. If this happens while SIP is disabled, an unsigned kext will remain working even after SIP has been turned on again. Evidently one would have to repeat the same spiel every time the system is updated, though. Bummer.

m-urban avatar Feb 02 '16 18:02 m-urban

Unfortunately I need some easy to follow / robust way how to let people use TotalFinder. I don't have bandwidth to support people who get stuck messing with their systems.

Actually there is a way how to run TotalFinder with full SIP enabled: http://totalfinder.binaryage.com/system-osax

But I don't advertise it much, because I cannot really support people when it stops working or something goes wrong.

darwin avatar Feb 02 '16 18:02 darwin

@m-urban if that is the case, and this technique could be used for Asepsis, I could live with re-doing the procedure with each update. We pretty much had to re-install Asepsis with each update before this, albeit in a less complicated manner.

mikegreiling avatar Feb 02 '16 18:02 mikegreiling

@darwin I wasn't aware of the OSAX approach, thanks for the link! I take it that this might also work for TotalTerminal, as the installer's pkg contains an osax file, too?

It looks like Asepsis is architected differently, though (no OSAX, right?). But I have to agree with @mikegreiling — if that is what it takes, I would gladly walk this route upon every system update. I have to agree with your statement regarding support for the average user, though — it isn't scalable.

m-urban avatar Feb 02 '16 23:02 m-urban

Right, Asepsis does not use OSAX. Asepsis just patches some files in restricted areas. So I believe if you install Asepsis with SIP disabled and then reboot to fully enable it again, it should work (not tested).

darwin avatar Feb 02 '16 23:02 darwin