santa
santa copied to clipboard
PrinterProxy crashing on macOS Ventura
White testing beta releases of macOS Ventura, we have observed, that PrinterProxy did not start:
Exception Type: EXC_CRASH (SIGKILL (Code Signature Invalid))
We have observed that PrinterProxy should have an ad-hoc signature, but somehow Santa replaces the binary and the resulting binary is unable to start on macOS Ventura.
Steps to reproduce on a system with macOS Ventura and Santa enabled:
- remove app for a printer in ~/Library/Printers
- start a print dialog using the same printer (app will be recreated)
- the app for your printer will not open and it will crash if you start it manually
- verify the code signature of the PrinterProxy: on macOS Ventura it should be adhoc signed, but it is not
The same works flawlessly and without a crash after Santa is disabled.
Santa version is 2022.7.
This could be caused by the EnableBadSignatureProtection
option in Santa. Could you run santactl fileinfo
on the newly created app, and post the result here ?
# santactl fileinfo /Users/j905960/Library/Printers/PullPrint.app/Contents/MacOS/PrinterProxy
Path : /Users/j905960/Library/Printers/PullPrint.app/Contents/MacOS/PrinterProxy
SHA-256 : a385ef727cf74a53b8a14fa6982ba135618989f3e96be261cdc26b1f2e0a9705
SHA-1 : 85ff3d2afb830d4eea3f79da5fa16ebfcdd68ea8
Bundle Name : PrinterProxy
Bundle Version : 605
Bundle Version Str : 18
Type : Executable (arm64, x86_64)
Code-signed : Yes
Rule : Allowed (Certificate)
Signing Chain:
1. SHA-256 : d84db96af8c2e60ac4c851a21ec460f6f84e0235beb17d24a78712b9b021ed57
SHA-1 : efdbc9139dd98dbae5a9c7165a096511b15eaef9
Common Name : Software Signing
Organization : Apple Inc.
Organizational Unit : Apple Software
Valid From : 2020/10/29 19:32:38 +0100
Valid Until : 2026/10/24 19:39:41 +0200
2. SHA-256 : 5bdab1288fc16892fef50c658db54f1e2e19cf8f71cc55f77de2b95e051e2562
SHA-1 : 1d010078a61f4fa4694aff4db1ac266ce1b45946
Common Name : Apple Code Signing Certification Authority
Organization : Apple Inc.
Organizational Unit : Apple Certification Authority
Valid From : 2011/10/24 19:39:41 +0200
Valid Until : 2026/10/24 19:39:41 +0200
3. SHA-256 : b0b1730ecbc7ff4505142c49f1295e6eda6bcaed7e2c68c5be91b5a11001f024
SHA-1 : 611e5b662c593a08ff58d14ae22452d198df6c60
Common Name : Apple Root CA
Organization : Apple Inc.
Organizational Unit : Apple Certification Authority
Valid From : 2006/04/25 23:40:36 +0200
Valid Until : 2035/02/09 22:40:36 +0100
EnableBadSignatureProtection
is not set in our config profile for santa.
Sorry, I thought is sounded familiar. I have a Printer proxy that santa blocks on my computer (12.5.1), but the signature is reported as Code-signed: Yes, but can't validate as Info.plist is missing
.
In fact, santa is not blocking our PrinterProxy, it is macOS Ventura that does not like the broken signature of the app and it prevents the app from starting. The signature gets broken by santa which replaces an adhoc signed binary by something else. That's the analysis of Apple:
2022-08-23 19:59:31.503835+0200 0x214bfa Default 0x0 400 0 com.google.santa.daemon: I com.google.santa.daemon: PrinterProxy workaround applied to: /Users/j905960/Library/Printers/PullPrint.app/Contents/MacOS/PrinterProxy
Santa replaces the binary inside the printer app with the original from /System/Library/PrivateFrameworks/PrintingPrivate.framework
because the adhoc signed one has no significant changes and due to not being signed is not trusted. This workaround is necessary so you don't have to allowlist every printer added to every machine. It looks like Ventura is not happy with this workaround and we'll need to find a replacement workaround
Another thing I learned today! While trying to understand what was going on, I also noticed that the first time I manually launch the Proxy in the terminal after configuring a printer on 12.5.1 (when it is still the ad-hoc signed version that will be replaced by Santa), it crashes with a code signature error. The second time, it works.
I do not know it it helps, but I have just tested in a ventura VM, and same thing: the first manual execution after the printer is created, when the binary on disk is still the ad-hoc signed one, fails. The second one is successful. The PrinterProxy binary copied from the private framework seems to work.
The behavior np5 describes above is the expected behavior but that is not what I'm seeing on Ventura β1, the OS is killing the copied binary because of a Launch Constraint violation. We'll need to look at whether we can work around this as the adhoc signed binary that the OS normally produces will be blocked by hosts in Lockdown mode.
Tested with beta 11, we no longer see PrinterProxy crashing on Ventura, even after Santa (testet with v2022.8) applied the existing workaround. So, it seems that Apple has changed something in macOS Ventura which prevents the bug.
Thanks for the update!