The Grumpy Troll

Ramblings of a grumpy troll.

MacOS X: changing argv -- the troll erred

My so-called “solution” in MacOS X: changing argv for launched apps has a serious problem.

Changing CFBundleExecutable causes code signing to fail. Once code-signing fails (silently!), access to items in the Keychain is impeded.

This led to problems using X.509 client certificates for HTTPS, with a misleading error message coming out of Chrome.

So, don’t do that. Just … run the command manually from the command-line, if you want to enable flags. Is there seriously no way to enable features via the cmdline for apps on MacOS X without breaking things? Really, is it a sign that argv parsing is just so retro Unix and not what the cool kids are doing, real apps don’t do that any more? All configuration in-app?

For the time being, the troll will survive without WebGL access.

broken% codesign --verbose -v /Applications/Google\
/Applications/Google code object is not signed

working% codesign --verbose -v /Applications/Google\ 
/Applications/Google a sealed resource is missing or invalid
/Applications/Google resource added

Many thanks to Ryan Sleevi, of the Chromium team, who debugged this problem caused by Weird Ways Evil People Abuse Their Poor Code.

-The Grumpy Troll, being sheepish, rather than eating sheep
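Because the signing failure is silent, it helps to check a bundle explicitly after editing anything inside it. The script below is an added example, not part of the original post: it wraps `codesign --verify` and turns the two diagnostics shown above into a verdict. The function names `classify_codesign` and `check_bundle` are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# classify_codesign STATUS OUTPUT
# Turn the exit status and diagnostics of `codesign --verify` into a verdict.
classify_codesign() {
    case "$2" in
        *"not signed"*)
            # The state the post reports after editing CFBundleExecutable.
            echo unsigned; return 0 ;;
        *"sealed resource is missing or invalid"*|*"resource added"*)
            # A signature is present, but bundle contents differ from the seal.
            echo seal-mismatch; return 0 ;;
    esac
    if [ "$1" -eq 0 ]; then echo valid; else echo invalid; fi
}

# check_bundle APP_PATH
# Verify a bundle and say so loudly, since the failure is otherwise silent.
check_bundle() {
    if ! command -v codesign >/dev/null 2>&1; then
        echo "codesign not found; run this on the Mac that has the app" >&2
        return 2
    fi
    # codesign reports on stderr, so capture both streams.
    out=$(codesign --verify --verbose "$1" 2>&1) && rc=0 || rc=$?
    verdict=$(classify_codesign "$rc" "$out")
    printf '%s: %s\n' "$1" "$verdict"
    [ "$verdict" = valid ] && return 0
    printf '%s\n' "$out" >&2
    if [ "$verdict" = unsigned ]; then
        echo "warning: Keychain items (e.g. client certificates) may be unavailable" >&2
    fi
    return 1
}

# Run a check only when a bundle path is given on the command line.
if [ "$#" -gt 0 ]; then
    check_bundle "$1"
fi
```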


Phil P

For Chrome in particular, this is all historical. Nowadays, you can just go to chrome://flags/ and turn these features on and off.

More generically …

The method described at that link should break code-signing – again, you’re changing the contents of the .app directory, and what you’re doing is indistinguishable from what a trojan would do.

One approach might be to use the dev-tools to sign the package as yourself, so that it’s once more signed, and see if you can re-grant the app permission to access the keychain (since presumably you’re a new identity when attested to by someone else).

Note that code still runs when unsigned; it’s only certain sensitive actions that get blocked, such as Keychain (seahorse on steroids) access, and apps don’t always report failures here sanely.


Does this method break code signing? Since you aren’t changing ‘internals’…

I don’t like that either. But after reading your posts on this there doesn’t look to be a way to get a custom command line of $foo to launch from an icon.

I’m a current Linux user and have no such issues of course (i.e. my default chrome argv has socks proxy config). I’m thinking of making the jump to a Mac and trying to do some preemptive strikes on my pet peeves/tweaks.


Categories: x509 MacOSX Keychain client certs argv WebGL Chrome debugging GUI Chromium