!lheuhImcToQZYTQTuI:nixos.org

Nix on macOS

1082 Members
“There are still many issues with the Darwin platform but most of it is quite usable.” — http://yves.gnu-darwin.org164 Servers

Load older messages

SenderMessageTime
12 Jul 2025
@commiterate:matrix.orgcommiterate you can't run NixOS in a container since systemd needs too many privileges (well, unless you used privileged containers which is a security problem). The official nixos/nix container is just a barebones container with just Nix installed. 05:31:48
@fractivore:cyberia.club@fractivore:cyberia.club left the room.05:32:47
@commiterate:matrix.orgcommiterate

nixos-generators relies on NixOS's make-disk-image which relies on QEMU. It can be a bit slow without KVM.

Building images with systemd-repart is probably preferred and allows for more flexibility: https://nixos.org/manual/nixos/stable/#sec-image-repart

05:44:37
@commiterate:matrix.orgcommiterate * you can't run NixOS in a container since systemd needs too many privileges (well, unless you used privileged containers which is a security problem). The official nixos/nix container is a barebones container with just Nix installed. 05:49:20
@commiterate:matrix.orgcommiterate * you can't run NixOS in a container since systemd needs too many privileges (well, unless you use privileged containers which is a security problem). The official nixos/nix container is a barebones container with just Nix installed. 05:50:30
@rommel.martinez:matrix.orgRommel Martínez changed their profile picture.05:54:43
@rommel.martinez:matrix.orgRommel Martínez changed their profile picture.05:58:44
@commiterate:matrix.orgcommiterate *

nixos-generators relies on NixOS's make-disk-image which relies on QEMU VMs. It can be a bit slow without KVM.

Building images with systemd-repart is probably preferred and allows for more flexibility: https://nixos.org/manual/nixos/stable/#sec-image-repart

06:00:15
@emilazy:matrix.orgemilyyes use repart whenever possible09:35:03
@k900:0upti.meK900OK folks this is not a good situation10:19:56
@k900:0upti.meK900But there was a cppnix change last night that fixed an extremely critical security issue with no due process10:20:16
@k900:0upti.meK900https://github.com/NixOS/nix/pull/1345510:20:17
@k900:0upti.meK900Yes this means all the builds on affected Nix versions run as literal root10:20:28
@emilazy:matrix.orgemilyis it relevant only in the sandbox10:20:40
@emilazy:matrix.orgemilyuh10:20:41
@emilazy:matrix.orgemilyholy fuck10:20:45
@k900:0upti.meK900No, it's relevant only on Darwin10:20:48
@k900:0upti.meK900Where there is normally no sandbox10:20:53
@emilazy:matrix.orgemilythe PR branch said sandbox10:20:59
@emilazy:matrix.orgemilyI'm not going to be at a computer for another few hours but can you like post an advisory to Discourse in the announcements security please10:21:19
@emilazy:matrix.orgemily sigh this is the second time in weeks the Nix team have followed highly questionable vulnerability disclosure practices 10:21:55
@reckenrode:matrix.orgRandy EckenrodeIs Lix affected or only Nix?10:22:15
@emilazy:matrix.orgemilythat was my next question10:22:23
@k900:0upti.meK900 Lix is unaffected 10:22:30
* @raitobezarius:matrix.orgraitobezarius goes on vacation *now*10:30:12
@k900:0upti.meK900The affected Nix versions are 2.30 only, which did not make it into nixpkgs10:30:38
@k900:0upti.meK900So the actual scope of the damage is likely limited10:30:44
@ihar.hrachyshka:matrix.orgIhar Hrachyshka

a new podman-desktop bumped electron 36->37 and now fails on arm with

       >   • copying Electron  source=/private/tmp/nix-build-podman-desktop-1.20.0.drv-0/source/electron-dist/Electron.app destination=/private/tmp/nix-build-podman-desktop-1.20.0.drv-0/source/dist/mac-arm64/Electron.app
       >   • falling back to ad-hoc signature for macOS application code signing
       >   • signing         file=dist/mac-arm64/Podman Desktop.app platform=darwin type=distribution identityName=- identityHash=none provisioningProfile=none
       >   • Above command failed, retrying 3 more times
       >   • Above command failed, retrying 3 more times
       >   • Above command failed, retrying 3 more times
       >   • Above command failed, retrying 3 more times
       >   ⨯ spawn codesign ENOENT  failedTask=build stackTrace=Error: spawn codesign ENOENT
       >     at Process.ChildProcess._handle.onexit (node:internal/child_process:285:19)
       >     at onErrorNT (node:internal/child_process:483:16)
       >     at processTicksAndRejections (node:internal/process/task_queues:90:21)

even though we set CSC_IDENTITY_AUTO_DISCOVERY = lib.optionals stdenv.hostPlatform.isDarwin "false";

and apparently there was some change in electron-builder lately that attempts to apply some "ad-hoc" signature to arm apps: https://github.com/electron-userland/electron-builder/pull/9007 because they are "damaged" otherwise.

in Console.app I see these messages around the time of signing failure:

error	12:53:11.368210-0400	syspolicyd	os_unix.c:49448: (2) open(/private/var/db/DetachedSignatures) - No such file or directory
error	12:53:11.369669-0400	syspolicyd	os_unix.c:49448: (2) open(/private/var/db/DetachedSignatures) - No such file or directory
...
default	12:53:12.579237-0400	launchservicesd	[0x574044500] activating connection: mach=false listener=false peer=false name=com.apple.CodeSigningHelper
default	12:53:12.579324-0400	com.apple.CodeSigningHelper	[0xb6a0e8000] activating connection: mach=false listener=false peer=true name=com.apple.CodeSigningHelper.peer[663].0xb6a0e8000
default	12:53:12.579683-0400	com.apple.CodeSigningHelper	[0xb6a0e8000] invalidated because the client process (pid 663) either cancelled the connection or exited
default	12:53:12.631917-0400	launchservicesd	[0x574045f00] activating connection: mach=false listener=false peer=false name=com.apple.CodeSigningHelper
default	12:53:12.632026-0400	com.apple.CodeSigningHelper	[0xb6a0e8000] activating connection: mach=false listener=false peer=true name=com.apple.CodeSigningHelper.peer[663].0xb6a0e8000
default	12:53:12.632412-0400	com.apple.CodeSigningHelper	[0xb6a0e8000] invalidated because the client process (pid 663) either cancelled the connection or exited
...
default	12:53:20.149167-0400	kernel	AMFI: '/private/tmp/nix-build-podman-desktop-1.20.0.drv-0/source/node_modules/app-builder-bin/mac/app-builder_arm64': Unrecoverable CT signature issue, bailing out.
default	12:53:20.149169-0400	kernel	AMFI: code signature validation failed.

oh and I see similar messages coming from other apps in the same log (like my git-sync daemons)

default	12:53:28.652167-0400	kernel	AMFI: '/nix/store/4dssl7vf761w4jz4r6nyqfnsnrrajby9-git-sync-0-unstable-2025-06-26/bin/git-sync': Unrecoverable CT signature issue, bailing out.
default	12:53:28.652173-0400	kernel	AMFI: code signature validation failed.

any bells ringing?

17:21:14
@zhaofeng:zhaofeng.liZhaofeng Li The real problem should be codesign missing, the "code signature validation failed" is a red herring I think 17:24:16
@zhaofeng:zhaofeng.liZhaofeng LiIIRC the "error" always occurs for ad-hoc signed executables that the system has not seen before17:24:57

Show newer messages

Back to Room ListRoom Version: 6