Do you know if your MacBook Pro has a T2 chip in it?
Here’s an easy way to tell:
Goto Identify your MacBook Pro model
Then look for the the murderous autonomous robot. Easy!
You can also run this:
/usr/libexec/PlistBuddy -c "print :0:_items:0:ibridge_model_name" /dev/stdin 2>/dev/null <<< "$(/usr/sbin/system_profiler -xml SPiBridgeDataType -nospawn)"
<<< – is an über cool “here string”
PlistBuddy is great at parsing data defaults might balk at, it can also take /dev/stdin!
If you have downloaded Install macOS High Sierra.app on a non-macOS 10.8 machine then copy said installer to a 10.8 Mac, the installer will be unusable. Why? HFS Compression. It seems Install macOS High Sierra.app uses HFS compression on numerous files and it seems 10.8 has issues with that and will not “see” those files.
To quickly demonstrate which files are compressed, we will use stat and examine the st_flags attribute, 0=no compression, 32=compression (thanks ghost of Mac OS X Hints!)
IFS=$'\n\t'; for file in $(find /Applications/Install\ macOS\ High\ Sierra.app -type f); do echo "$(stat -f %f "$file"): $file)"; done
You’ll see many files with 32 as the flag, these will not be readable in 10.8
The trick is to copy the file and do away with the HFS compression, we can use ditto for this:
ditto --nopreserveHFSCompression /Applications/Install\ macOS\ High\ Sierra.app [destination folder]
This will produce an installer compatible with 10.8… sure you could have downloaded it via the Mac App Store by now on a 10.8 machine, but now you know.
The brunerd blog has been a whole lot of nothing lately, so let’s commemorate and celebrate with an entry featuring the premiere of the bash tag and category… hmm, which one is more useful? We’ll find out. Now as for nothing, there’s a legit command, special built-in to do nothing in bash!
: [arguments]
No effect; the command does nothing beyond expanding arguments and performing any specified redirections. A zero exit code is returned.
Isn’t that lovely? When you need to do nothing, you can call :
Perhaps you are writing a script and aren’t sure what you’ll do for that if statement —
if [ "${this}" == "that" ]; then
#actually not sure what to do here, let's do nothing
:
else
echo "This else, I'll do"
fi
I made a gist here and I think I’ll keep making more. I’ll feature them here with the bash tag, if only as an auxillary backup of my brain and to add to the collective patchwork quilt of code we all use to get our ideas off the ground, when our reach is just a hare shy of grasp and we need a little help.
Also in the gist was a snippet of a novel use by kbeck at Extensis in his UTC removal script to use : to redirect a here document into itself and server as a comment block that doesn’t need # on every line to be treated as a comment —
: <<COMMENTBLOCK
[ ] 2016-0324: enclose me; love me. i am a block of comments
COMMENTBLOCK
Spiffy!
So perhaps you saw my previous post: Java 8 without the Adware (aka Java8Unjunker)?
Good stuff eh? There was something in there that got me thinking: If they didn’t sign the package, is the app doing any integrity checks on the package inside either? Hmmm let’s see…
Voice over: We’ve secretly replaced the JavaAppletPlugin.pkg package with QuickTime 7 let’s see if it can tell the difference!
Here we go!
Sure let me authenticate right when you run before any confirmation of action – why not!? (Ugh, bad form already.)
Oh OK, “safe and easy” – I love it! But just to clarify…
By “easy” you mean: Checking lots of trust boxes and clicking “Run” buttons a lot to get a Java apps working (plus crossing your fingers)?
By “safe” you mean: a steady stream of high scored CVEs with low complexity? Or even running in Unsafe Mode when needed?
OK what’s next?
Oh dear God no! No Ask.com. Uncheck. Next.
Oh, right, away we go, I gave you my password at the door. Installing Java are we?
OK I’ve successfully installed Java then if you say so… I guess I that’s proof alright!
It then takes you to the Verify Java page — but who cares about that!
What does /var/log/install.log say about what was installed?
Yep it installed the QuickTime7 package we put in there and Java Updater 40.app was none the wiser.
So in conclusion… That’s a really nifty “Ask Toolbar installer” with arbitrary package installer Oracle. It’s also a great delivery vehicle for malware by nefarious folks. Heck, bundle Java along with your Trojan and the “Verify Java” page would open too! Sheesh. Is the Ask contract that lucrative? Oracle made $38 billion in revenue last year, IAC the parent of Ask.com pulled in $3 billion. I guess IAC have got money to spend and Oracle will take it (but not invest in more secure installers?)
Notes: The first attempt used a QuickTimePlayer7.6.6_SnowLeopard.pkg with an expired certificate, that halted the install. The 2nd attempt I stripped out the expired certificate. It worked. The 3rd time I downloaded a newly signed version from Apple, that too worked.
Parting note for Oracle:
Sign your critical packages! If you insist on using your glorified “Ask Toolbar installer app” to do this, then require that it verify the package integrity in some way, Orable! (heh, that was a typo but I like it: Orable, ha!)
Update: Oracle is now signing the package within and the installer can no longer be duped into running an arbitrary package. The version when this article was written was 1.8.40.25, it is now 1.8.40.27.
So you’ve heard the Ask toolbar is now bundled with Java 8 Update 40 for the Mac?
Yep, apparently it is.
Fortunately there’s a simple workaround! Let’s take control of our Macs and do a little spelunking into this new installer app.
Right or Control-Click the Java 8 Update xx.app and choose Show Package Contents
Navigate into Contents then Resources folder
Eureka we’ve found it: JavaAppletPlugin.pkg
Let’s run it!
Aw snap. It seems the package isn’t signed and Gatekeeper is not happy about that. I’m flabbergasted that they’d sign the installer app but not the package inside? (Update: I’m really flabbergasted!)
Control or right-click on JavaAppletPlugin.pkg and choose Open
Click Open
Here we are. Your unsigned Java installer awaits.
A script I just made to do the same thing plus some other nice things like: name the package and un-quarantine it. Of course being a script it’s not signable! Gatekeeper will balk if it’s on. You’ll need to right-click and choose Open as before.
Drag in your Java 8 Updater xx.app
Press Enter.
Voilà! A folder with your package ready to double-click and go.
Enjoy.
#!/bin/bash
#Java 8 Unjunker - Joel Bruner
#Simply moves the JavaAppletPlugin.pkg package out of the installer app (which installs the Ask Toolbar) to the Desktop, renames and Un-Quarantines it
#touch file for debugging
[ -f /tmp/debug ] && set -x
#take command line argument too
sourceApp="$1"
#check to see if path provided is present and valid
#otherwise get the path
while [ -z "$sourceApp" -o ! -d "$sourceApp" ]; do
echo -n "Drag in Java 8 Update xx.app and press enter: "
read sourceApp
done
#get the version from the app
sourcePKGVersion=$(defaults read "$sourceApp"/Contents/Info CFBundleVersion)
#make Desktop folder and copy pkg to it, renamed
echo "Creating Directory ~/Desktop/Java $sourcePKGVersion"
mkdir ~/Desktop/"Java $sourcePKGVersion"
echo "Copying JavaAppletPlugin.pkg to ~/Desktop/Java $sourcePKGVersion/JavaAppletPlugin_${sourcePKGVersion}.pkg"
cp "$sourceApp"/Contents/Resources/JavaAppletPlugin.pkg ~/Desktop/"Java $sourcePKGVersion"/JavaAppletPlugin_${sourcePKGVersion}.pkg
#since Oracle doesn't sign the pkg just the .app we need to strip the quarantine xa off to suppress the warning
xattr -d com.apple.quarantine ~/Desktop/"Java $sourcePKGVersion"/JavaAppletPlugin_${sourcePKGVersion}.pkg
echo "Java Unjunked. Opening Folder."
open ~/Desktop/"Java $sourcePKGVersion"
** Update: Recovery HD updaters packages for 10.11 will only work when run in OS X 10.11, previous packages could run in different OSesnot so for 10.11
Updated April 6, 2015: createRecoveryHDUpdater 15.4.6.command – built PKG now is targetable to volumes other than /
Released Feb 28, 2015: createRecoveryHDUpdater 15.2.28.command
Building off the previous work the updated script will now create a nicely named dmg
Containing both an interactive script for updating disks and a new script to create a .pkg!
The fruits of RecoveryHD PKG Maker.command:
Custom Bundle ID is interactively provided, the PackageVersion is matched to the OS release. Signing identity is asked for in the script but not tested (my cert might be broken, YMMV). The target of the package is always / – an exercise for the reader to change the postinstall script to use Installer’s variables to affect the target The exercise to make the .pkg targetable has been exercised by me… Enjoy!
Some exercises in handling parameters in a script:
#!/bin/bash
#debugging output
[ -f /tmp/debug ] && set -x
#Loop Though the arguments provided
#BASH places arguments in reverse order in BASH_ARGV array
#Start at end of array (ARGC – 1)
for (( i=$(( $BASH_ARGC – 1 )); i>=0; i– )); do
item=”${BASH_ARGV[$i]}”
echo “\$$(( $BASH_ARGC – $i )): $item”
done
#!/bin/bash
[ -f /tmp/debug ] && set -x
##loop through parameters, start with end of BASH_ARGV
for (( loopNumber=1, i=$(( $BASH_ARGC - 1 )); i>=0; i--, loopNumber++ )); do
#do something special for first and last
if [ $i -eq $(( $BASH_ARGC - 1 )) ]; then
conditionalString="(I am the first one!)"
elif [ $i -eq 0 ]; then
conditionalString="(I am the last one!)"
else
unset conditionalString
fi
echo Arg $loopNumber: ${BASH_ARGV[$i]} $conditionalString
done
#!/bin/bash
[ -f /tmp/debug ] && set -x
##loop through parameters, start with end of BASH_ARGV
for (( loopNumber=1, i=$(( $BASH_ARGC – 1 )); i>=0; i–, loopNumber++ )); do
#if not the last don’t restart dock
if [ $i -eq $(( $BASH_ARGC – 1 )) ]; then
unset conditionalString
conditionalString=”(I am the first)”
else
conditionalString=”(I am not the first)”
fi
echo Arg $loopNumber: ${BASH_ARGV[$i]} $conditionalString
done
#!/bin/bash
[ -f /tmp/debug ] && set -x
##loop through parameters, start with end of BASH_ARGV
for (( loopNumber=1, i=$(( $BASH_ARGC – 1 )); i>=0; i–, loopNumber++ )); do
#if not the last don’t restart dock
if [ ! $i -eq 0 ]; then
conditionalString=”(I am not the last)”
else
unset conditionalString
#conditionalString=”(I am the last)”
fi
echo Arg $loopNumber: ${BASH_ARGV[$i]} $conditionalString
done
(WordPress is bugging the heck out of me with the code tags breaking when their are line breaks… sorry, that’s an exercise for the Googler)
Apple has release Remote Desktop Admin 3.7.1
The release notes are sparse, as usual:
This update improves the overall stability and reliability of the Remote Desktop application. It includes the following specific improvements.
Hmmm, I didn’t see a bullet point titled: “Fixed insane memory and CPU usage issues”
Just installed the update. Fingers crossed.
Update: The answer is no… they didn’t fix runaway memory usage.
So when Safari 6 came out, Apple did away with download links from their Support site.
Why? Who knows. But it’s a real pain when you have børked install or install a Developer preview (which sometimes will not register in Software Updates and need to get up to the latest release.)
I contributed this tip to Apple Discussions in the HT5275 Safari 6 download thread and am reposting here as well since I repeatedly keep going back to get the command I authored! (No I don’t run Apple Software Update server, I have my own distribution methods for work that don’t involve merging software update catalogs and other ridiculous things OS X Server requires you to do if you dare run various OS X versions and don’t run the latest server). I parenthetically digress.
Here’s the Terminal command to spit out some Safari6 URLs (OS X 10.6-10.8):
curl -s $(strings /System/Library/PrivateFrameworks/SoftwareUpdate.framework/SoftwareUpdate | grep http | grep sucatalog) | grep Safari6 | grep pkg
It’ll give you something like this:
<string>http://swcdn.apple.com/content/downloads/18/32/041-6651/147ugedbeiqpz43czixlgawayfoa7tjyjv/Safari6.1MountainLion.pkg</string><string>http://swcdn.apple.com/content/downloads/47/40/041-6648/a9y00qwi8esz3gl5v2gfik1p3rgvn7zftz/Safari6.1Lion.pkg</string>
I know, not pretty right? But what you can do then is copy and paste the URL into Safari’s Address/Search bar and hit Option-Enter which will then download it.
Viola. A Safari 6 package.
Update for 10.9:
Now when you grep SoftwareUpdate there are multiple URLs for the seed programs, the easiest way to deal with this and still be generic is to loop through all the URLs grepping for Safari
for URL in $(strings /System/Library/PrivateFrameworks/SoftwareUpdate.framework/SoftwareUpdate | grep http | grep sucatalog); do curl -s "$URL" | grep Safari | grep pkg; done
Apple, there was a time when your updates had naming conventions for the various platforms there were targeted for. Suffixes like Tiger, Leopard, Snow, etc. made it easy to identify for what platform an update package was intended.
But then something happened. Somewhere after Snow Leopard 2012-002 and the first appearance of the 10.7/10.8 Java updates: form trumped function and all useful naming conventions were removed.
In the case of Java not just the platform name, but even what release number was removed too! Oh sure, someone took the time to change the disk image volume name, thanks, but once it was copied out of there, good luck in keeping things straight! Since these are flat packages now, Finder can’t tell you the version number in column view anymore, either.
How about the latest security updates? They all named the same! What a mess! Note that now even the disk image names are all the same too and the system has to resort to appending numbers on the volume name to avoid naming conflicts.
So Apple, if you are going to keep putting out security updates for older platforms then let’s stop pretending there is only one OS X release out there and start naming updates appropriately! Please? Thanks!
P.S. I’ve submitted a bug and mirrored it at Open Radar, if you are a systems administrator who is also irked by this trend of needless naming minimalism I encourage you to file a bug report and see if we can turn this around!