Bug 3046 - No configuration is shipped with macOS client
Summary: No configuration is shipped with macOS client
Status: REOPENED
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Client platforms
Version: trunk
Hardware: PC Unknown
: P2 Normal
Target Milestone: MediumPrio
Assignee: Henrik Andersson
URL:
Keywords: derfian_tester, relnotes
Depends on:
Blocks:
 
Reported: 2009-03-17 14:39 CET by Peter Åstrand
Modified: 2019-08-20 16:51 CEST

Description Peter Åstrand cendio 2009-03-17 14:39:53 CET
The OS X client ISO does not contain a tlclient.conf.
Comment 1 Karl Mikaelsson cendio 2014-01-15 13:20:51 CET
It doesn't contain an ssh_known_hosts file either - there's not even an etc/ directory somewhere in the bundle.
Comment 2 Henrik Andersson cendio 2015-09-18 11:02:39 CEST
tlclient has an __APPLE__-specific implementation that sets tlclient_prefix to application_bundle_path/Contents, which means that we just need to ship a config file as application_bundle/Contents/etc/tlclient.conf.
Comment 4 Henrik Andersson cendio 2015-09-18 13:20:21 CEST
How is signing of the bundle affecting this? If the configuration file is signed, an administrator can't modify the config for a custom application bundle. Can the file be excluded from signing?
Comment 6 Peter Åstrand cendio 2015-09-18 14:06:44 CEST
(In reply to comment #4)
> How is signing of the bundle affecting this? If the configuration file is
> signed, an administrator can't modify the config for a custom application
> bundle. Can the file be excluded from signing?

If I remember correctly, you cannot exclude files from signing. So if you customize the app, the signature will be invalid. I'd say that this is expected. Customers could potentially re-sign with their own certificate if they want. However, in this case, it might be necessary to remove the old signature. Here's some information about that:

http://stackoverflow.com/questions/7500381/bug-in-codesign-remove-signature-feature
Comment 7 Henrik Andersson cendio 2015-09-18 15:39:26 CEST
(In reply to comment #4)
> How is signing of the bundle affecting this? If the configuration file is
> signed, an administrator can't modify the config for a custom application
> bundle. Can the file be excluded from signing?

To make the exception permanent for just the downloaded ThinLinc bundle application, which disables signature verification, one would right-click, choose Open in the context menu and select Open anyway.

This way the quarantine attribute on the bundle is changed from 0002:XX:UUID to 0042:XX:UUID, which means the exception lives with the bundle.
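
An audit check for the flag change described in comment 7, added here as an example that is not part of the original bug thread: it decodes the first field of a quarantine value and reports whether the bit that differs between 0002 and 0042 is set. The function names and the sample inventory are constructed; on macOS the real value comes from `xattr -p com.apple.quarantine <bundle>` and separates its fields with `;`, so both separators are accepted.

```shell
#!/bin/sh
# Added example: decode the flags field of a quarantine attribute value.
# Comment 7 writes the value as FLAGS:XX:UUID; xattr prints
# FLAGS;TIMESTAMP;AGENT;UUID, so both separators are handled.

# The bit that differs between the two values quoted in the comment.
OVERRIDE_BIT=$(( 0x0002 ^ 0x0042 ))    # 0x0040

# quarantine_flags VALUE -> prints the flags field as a decimal number.
# Returns 2 when the field is not 1-4 hex digits, so a malformed value is
# reported instead of being silently treated as "no exception".
quarantine_flags() {
    flags=${1%%[;:]*}
    case $flags in
        ''|*[!0-9A-Fa-f]*|?????*) return 2 ;;
    esac
    echo $(( 0x$flags ))
}

# has_user_exception VALUE -> 0 if the bit is set, 1 if it is clear,
# 2 if the value cannot be parsed.
has_user_exception() {
    n=$(quarantine_flags "$1") || return 2
    [ $(( n & OVERRIDE_BIT )) -ne 0 ]
}

# audit_overrides: reads "VALUE PATH" lines on stdin, one verdict per line.
audit_overrides() {
    while read -r value path; do
        rc=0
        has_user_exception "$value" || rc=$?
        case $rc in
            0) echo "OVERRIDDEN $path" ;;
            1) echo "ok $path" ;;
            *) echo "UNPARSED $path" ;;
        esac
    done
}

# Constructed sample input (placeholder paths, timestamps and UUIDs).
sample_inventory() {
    cat <<'EOF'
0002;00000000;Safari;00000000-0000-0000-0000-000000000001 /Applications/Example A.app
0042;00000000;Safari;00000000-0000-0000-0000-000000000002 /Applications/Example B.app
zzzz;00000000;Safari;00000000-0000-0000-0000-000000000003 /Applications/Example C.app
EOF
}

sample_inventory | audit_overrides
```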
Comment 8 Henrik Andersson cendio 2015-09-21 09:03:57 CEST
Redo and cleanup special cases MacOSX to fix BINDIR / SYSCONFIR and PREFIX for a cleaner consistent Makefile.
Comment 13 Henrik Andersson cendio 2015-09-22 11:07:40 CEST
Check if we should document these changes in TAG.
Comment 14 Henrik Andersson cendio 2015-09-22 11:16:57 CEST
(In reply to comment #13)
> Check if we should document these changes in TAG.

There is no information in TAG about Mac OS X client configurations, and we do have bug 4852 to add this.
Comment 18 Karl Mikaelsson cendio 2015-09-28 11:21:20 CEST
 ✓ tlclient reads tlclient.conf from app bundle
 ✓ documentation is now fine
Comment 19 Henrik Andersson cendio 2015-09-30 08:27:01 CEST
Bug is reopened because the whole point of doing this work is to support preconfiguration of the ThinLinc client. As noted, one can't change the bundled config file without breaking the signature and there is no supported way of removing a signature.

The correct way is to install configuration files in the "Application Support" folder (see bug 5659 for more information), which introduces a problem where we don't use a package installer which can create this file.

"If you used custom resource rules because your installation process relies on changing the bundle, your app will be rejected by Gatekeeper on first launch. These modifications are not permitted. Using an installation package instead of a drag-install will get you through Gatekeeper."

refs: https://developer.apple.com/library/mac/technotes/tn2206/_index.html#//apple_ref/doc/uid/DTS40007919-CH1-TNTAG401
Comment 21 Henrik Andersson cendio 2015-09-30 08:33:48 CEST
(In reply to comment #20)
> Bug is reopened because the whole point of doing this work is to support
> preconfiguration of the ThinLinc client. As noted, one can't change the bundled
> config file without breaking the signature and there is no supported way of
> removing a signature.
> 

If we implement bug 5659 for supporting a preconfigured ThinLinc client, we have only one problem: We can't distribute the configuration file with the application bundle. However, an administrator could:

 - Distribute the ThinLinc application bundle with a config file and instructions
   on where this config file should be stored.

 - Build a package installer using pkgbuild with the ThinLinc application bundle
   and preconfigured file.
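
The second option from comment 21, sketched as an added shell example that is not taken from the ThinLinc build system: stage the unmodified bundle and the preconfigured file side by side in a payload root, check that the staged bundle is byte-identical to the original so its signature seal is untouched, then hand the root to `pkgbuild`. `CONF_DEST` (the location defined by bug 5659 is not given on this page), `PKG_ID` and the function names are placeholders.

```shell
#!/bin/sh
# Added example. CONF_DEST and PKG_ID are placeholders: use the location
# defined by bug 5659 (not stated on this page) and your own identifier.
CONF_DEST="Library/Application Support/EXAMPLE-VENDOR"
PKG_ID="com.example.thinlinc-preconfigured"

# bundle_unchanged ORIGINAL STAGED -> 0 only if both trees are identical.
# Any difference inside a signed bundle (such as an edited in-bundle
# etc/tlclient.conf) means the signature no longer matches.
bundle_unchanged() {
    diff -r "$1" "$2" >/dev/null 2>&1
}

# stage_payload BUNDLE CONF ROOT
# Copies the bundle as-is and puts the site configuration outside of it.
stage_payload() {
    bundle=${1%/} conf=$2 root=$3
    name=$(basename "$bundle")
    mkdir -p "$root/Applications" "$root/$CONF_DEST" || return 1
    cp -Rp "$bundle" "$root/Applications/" || return 1
    cp "$conf" "$root/$CONF_DEST/tlclient.conf" || return 1
    bundle_unchanged "$bundle" "$root/Applications/$name"
}

# build_pkg ROOT VERSION OUTPUT.pkg (macOS only)
# Verifies the staged bundles' signatures, then builds the installer.
build_pkg() {
    command -v pkgbuild >/dev/null 2>&1 || {
        echo "pkgbuild not found (macOS only)" >&2
        return 127
    }
    for app in "$1"/Applications/*.app; do
        codesign --verify --deep --strict "$app" || return 1
    done
    pkgbuild --root "$1" --identifier "$PKG_ID" --version "$2" \
             --install-location / "$3"
}

# Usage: script BUNDLE CONF ROOT VERSION OUTPUT.pkg
if [ $# -eq 5 ]; then
    stage_payload "$1" "$2" "$3" && build_pkg "$3" "$4" "$5"
fi
```

The resulting package is itself unsigned; signing it is a separate step.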
Comment 24 Pierre Ossman cendio 2015-09-30 17:05:33 CEST
Building a package file actually seems doable from the build system. pkg files are just xar archives with a special structure. The only magical thing in them is a binary file that stores file metadata for the things that are to be installed. But there is an open source project to generate these files:

http://hogliux.github.io/bomutils/index.html

They even have a complete tutorial on how to make a pkg file here:

http://hogliux.github.io/bomutils/tutorial.html
Comment 25 Pierre Ossman cendio 2019-08-20 16:51:19 CEST
Also see this page for signing packages:

http://users.wfu.edu/cottrell/productsign/productsign_linux.html
