Thanksgiving-Black-Friday-Cybermonday Sale!

“Packaging for Apple Administrators” is on Sale until Cyber Monday!

Get 20% off!

Here in Europe we call the upcoming week-end the… uh… last week-end in November.

However, Americans have this wonderful week-end of commercial frenzy ahead. So I decided to give everyone who has been considering buying the book, but is still reluctant, a friendly nudge. And even though Thanksgiving-Black-Friday-Cybermonday is a US thing, my sale is in all the countries where my book is available!

Go and get the book on the iBook Store!

 

Prepare for autopkg Recipe auditing

Note: I am working on my next book ‘Automated Packaging for Apple Administrators’ and will cover this and other new features of autopkg v1.0 in more depth there. To pass the time until that book is published, get prepared with ‘Packaging for Apple Administrators’.

A release candidate for autopkg v1.0 was released yesterday. As the version number implies, this is a big and important one.

Among a few other features, this release adds a new verb audit which checks a recipe and its parents for certain features which may have security implications. From the release notes:

New audit verb, used to output helpful information about any recipes that:

  • Are missing a CodeSignatureVerifier step
  • Use non-HTTP URLs for downloads
  • Supply their own processors and thus will run code not provided by AutoPkg itself
  • Use processors that may potentially be modifying the original software downloaded from the vendor

If you are hosting and sharing recipes, then there are a few steps you need to do to prepare for the release.

Once you have downloaded and installed the release candidate on your test machine, you can audit a recipe:

$ autopkg audit VMwareHorizonClient.download
    File path:        ./VMwareHorizonClient/VMwareHorizonClient.download.recipe
    Missing CodeSignatureVerifier

You can run audit against your entire repository with the find command:

$ cd ~/Library/AutoPkg/RecipeRepos/com.github.autopkg.scriptingosx-recipes/
$ find . -name '*.recipe' -exec autopkg audit {} ';' | open -f

This command pipes the output into TextEdit so you can review it better. You can of course pipe it into a file ( > audit.txt ) or your preferred text editor.

Then you have to work your way through the warnings.

Before you start working on fixes, you want to branch your repository, because some of the updated recipes may not work with older versions. You do not want to break your recipes until the final version of autopkg 1.0 is released. Remember to update the MinimumVersion value in your recipes.

There may be good reasons that you cannot fix all warnings. For example, there are a few products in my repository that aren’t signed by the developer, so I cannot add a CodeSignatureVerifier step.

I am not yet finished, but you can check out my branched recipe repository with the changes.

Here are a few notes as to what you may need to do:

Code Signature Verifier

Missing CodeSignatureVerifier

If the product you download is signed, you need to add a CodeSignatureVerifier processor to the download recipe. Read about this here: Using Code Signature Verification

Modifying Processors

The following processors make modifications and their use in this recipe should be more closely inspected:
        PkgCreator
        Copier

This warns of recipe processors that can change the content of what is downloaded. Of course, in most cases this is intentional on the part of the recipe author. However, the audit is merely warning you as a recipe user that you need to verify what is happening here.

As an author, you need to check if you can replace the common sequence of PkgRootCreator, Copier, PkgCreator with the new AppPkgCreator processor. This will not always be possible, but if you can, this audit warning will go away (because AppPkgCreator does not change the content).

Insecure http URLs

    The following http URLs were found in the recipe:
        Input:
            DOWNLOAD_URL: http://download.ap.bittorrent.com/track/stable/endpoint/utmac/os/osx

Check if the software provider has secure https URLs instead.

Non standard Processors

    The following processors are non-core and can execute arbitrary code, performing any action.
    Be sure you understand what the processor does and/or you trust its source:
        Python3URLProvider

You will get this warning every time a recipe uses a processor that is not part of the core processors provided by autopkg. If you use a custom processor to parse a URL and the version out of a website, you should check whether you can use URLTextSearcher instead.
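
To work through the combined output of the find command above, the following added example (not part of autopkg or of the original post) groups recipes by warning type. It assumes each recipe's report starts with a "File path:" line and uses the warning headers quoted on this page; the function name, category names and the second sample recipe are made up for illustration.

```python
from collections import defaultdict

# Warning headers as quoted on this page, mapped to short category names.
HEADERS = {
    "Missing CodeSignatureVerifier": "unsigned",
    "The following processors make modifications": "modifying",
    "The following http URLs were found": "http_url",
    "The following processors are non-core": "non_core",
}

def triage(audit_text):
    """Return {category: {recipe_path: [detail, ...]}} from concatenated audit output."""
    report = defaultdict(dict)
    recipe, details, header_indent = None, None, 0
    for raw in audit_text.splitlines():
        line = raw.strip()
        indent = len(raw) - len(raw.lstrip())
        if not line:
            continue
        if line.startswith("File path:"):
            # Assumption: every recipe's report starts with this line.
            recipe, details = line.split(":", 1)[1].strip(), None
            continue
        category = next((c for h, c in HEADERS.items() if line.startswith(h)), None)
        if category:
            details, header_indent = report[category].setdefault(recipe, []), indent
        elif details is not None and indent > header_indent and not line.endswith(":"):
            details.append(line)  # processor name or "KEY: url" under a header
    return dict(report)

# Constructed sample in the layout shown above; the second recipe is made up.
SAMPLE = """\
    File path:        ./VMwareHorizonClient/VMwareHorizonClient.download.recipe
    Missing CodeSignatureVerifier
    File path:        ./Example/Example.pkg.recipe
    Missing CodeSignatureVerifier
    The following processors make modifications and their use in this recipe should be more closely inspected:
        PkgCreator
        Copier
    The following http URLs were found in the recipe:
        Input:
            DOWNLOAD_URL: http://downloads.example.com/Example.dmg
    The following processors are non-core and can execute arbitrary code, performing any action.
    Be sure you understand what the processor does and/or you trust its source:
        Python3URLProvider
"""

if __name__ == "__main__":
    for category, recipes in triage(SAMPLE).items():
        print(f"{category}: {sorted(recipes)}")
```

Redirect the find output into audit.txt as described above and pass the file's contents to triage() to get one list of recipes per warning type, which makes it easier to track which recipes still lack signature verification or download over plain http.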

Philips Hue bulb on sale

I have been dabbling with some home automation recently. I believe it makes more sense to control the light switches directly, rather than the individual bulbs. However, I have yet to find a system that has the longevity and availability in Europe that I expect from something that I would pay hundreds of Euros for.

Until I find that system I have put in a few Philips Hue White bulbs in strategic spots in the house. It is very cool when you pull up to the driveway and tell Siri to turn on the front light… Or dim the hallway lights when you are carrying stuff.

The prices for individual bulbs dropped on Amazon yesterday. This may mean that an upgrade is imminent, but since the current bulbs work fine and work well with HomeKit and Siri in iOS 9 and 10, this is a good chance to stock up on some units:

The links are affiliate links. When you buy I will get a small kickback… Thank you!