Other A proxy to fix HTTPS issues on old versions of OS X

[RobK88]

1. Yes, I have rebooted a couple of times. No difference.
2. When I switch to an admin account in Lion, squid is running as an Active Process in Activity Monitor. But when I logout and log into a non-admin account, squid is no longer running as an active process. Very strange.

Here is some more info:

When logged into an admin account, the output of the following shows squid listening:

sudo lsof -i tcp -stcp:listen | grep squid

But the minute I log out and log into a non-admin account, squid appears to stop and disappear. When I open a Terminal and "su" into an admin account, the output of the following is nothing!

sudo lsof -i tcp -stcp:listen | grep squid

Just more confirmation that squid is not running and listening when one switches to a non-admin account in Lion.

Any ideas? Perhaps there is a problem with the ACL's in the squid config file?

 

[Wowfunhappy]

1. Yes, I have rebooted a couple of times. No difference.
2. When I switch to an admin account in Lion, squid is running as an Active Process in Activity Monitor. But when I logout and log into a non-admin account, squid is no longer running as an active process. Very strange.

Here is some more info:

When logged into an admin account, the output of the following shows squid listening:

sudo lsof -i tcp -stcp:listen | grep squid

But the minute I log out and log into a non-admin account, squid appears to stop and disappear. When I open a Terminal and "su" into an admin account, the output of the following is nothing!

sudo lsof -i tcp -stcp:listen | grep squid

Just more confirmation that squid is not running and listening when one switches to a non-admin account in Lion.

Any ideas? Perhaps there is a problem with the ACL's in the squid config file?

Thanks, I'll need to take a look myself when I have a free moment, possibly not until next week. I'm pretty sure I know what's happening, but it's odd it would happen in Lion and not Mavericks...

 

[Wowfunhappy]

The issue reported by RobK88 regarding using Squid with multiple user accounts has been fixed. Please redownload from the link in the first post; it should install cleanly over the previous version, provided you delete and re-add the Squid certificate from Keychain Access.

Technical details are in the spoiler below for anyone who is curious:

Spoiler: Technical Details

If squid is unable to write to one of its log files, it will kindly exit, because that definitely makes more sense than just not logging. Separately, I've configured Squid to run as the currently logged-in user (rather than, say, as root), because that seemed like a good idea from a security perspective.

So if you're logged into your Mac as Bob the first time you run Squid, Squid will create its log files as Bob, and consequently those files will be owned by Bob.

If Bob logs out of the Mac and Sally logs in, Squid will start up again, but this time running as Sally. It will attempt to write to its log file, but it won't be able to, because the file already exists and is owned by Bob, and Sally does not have permission to change it.

At least for now, the simplest solution was to just disable logging. Logs are great, but not when they break stuff, and this isn't the first time they've caused problems.

 

[RobK88]

Sure thing! (Wow, that didn't take long.) So, basically, you need to do two things:

1. Tell the Dictionary app to load ProxyFix.dylib when it launches.
2. Remove the code signature from the Dictionary binary, so the system won't kill it when you do #1.

The first part is easy. Copy ProxyFix.dylib (in attached) to Dictionary.app/Contents/Frameworks, then run in Terminal:

defaults write /Applications/Dictionary.app/Contents/Info LSEnvironment -dict DYLD_INSERT_LIBRARIES @executable_path/../Frameworks/ProxyFix.dylib

To remove the code signature, copy the binary file Dictionary.app/Contents/MacOS/Dictionary to another Mac running OS X 10.9 (Mavericks) or newer, and download optool (in attached). Then, run in Terminal:

/path/to/optool strip --target /path/to/copied/Dictionary

Lastly, copy your modified Dictionary binary back to your older Mac, replacing the original copy.

Once all of that is in place, the Dictionary should launch correctly and use the system proxy, fixing Wikipedia if Squid has also been set up.

I have not actually run through these instructions on a clean machine to check for gaps, but that's the general process. Definitely make a Time Machine backup, and let me know if you run into problems.

(And if anyone knows of a Lion-compatible way to strip code signatures, please let me know so I can add it to the installer and make this whole thing automatic.)

I tried to create the Dictionary app on Lion using your instructions above, but the resulting Dictionary app crashed.

FYI -- Here are my steps:
1. I had to create the directory Frameworks manually under Dictionary.app/Contents since it did not exist.
2. I copied ProxyFix.dylib into the new directory.
3. Ran the long "defaults write" command in Terminal without any problems.
4. Copied the revised Dictionary.app to my Mac running High Sierra and used the optool. The optool ran without any issues. I saw a message stating that the signature was removed!
5. Copied the revised Dictionary.app back to my Mac running Lion and tried to run it. It crashed.

Here is part of the crash log:

Process:         Dictionary [2225]
Path:            /Users/USER/Downloads/*/Dictionary.app/Contents/MacOS/Dictionary
Identifier:      com.apple.Dictionary
Version:         2.2.3 (118.5)
Build Info:      DictionaryApplications-118005000000000~7
Code Type:       X86-64 (Native)
Parent Process:  launchd [264]

Date/Time:       2021-02-12 16:39:41.719 -0500
OS Version:      Mac OS X 10.7.5 (11G63)
Report Version:  9

Interval Since Last Report:          2256661 sec
Crashes Since Last Report:           566
Per-App Interval Since Last Report:  47 sec
Per-App Crashes Since Last Report:   16
Anonymous UUID:                      333ACC6A-FE2F-4613-B7CD-033326BB6210

Crashed Thread:  0  Dispatch queue: com.apple.main-thread

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000009f0e000

VM Regions Near 0x9f0e000:
-->
    __TEXT                 0000000109f0e000-0000000109f49000 [  236K] r-x/rwx SM=COW  /Users/USER/Downloads/*/Dictionary.app/Contents/MacOS/Dictionary

Application Specific Information:
objc[2225]: garbage collection is OFF
/Users/grinch/Downloads/HTTPS Proxy - Fixing HTTPS issues on old versions of OS X/Fixing Broken Dictionary App Manually/Fixed Broken Dictionary App on Lion/Really fixed/Dictionary.app/Contents/MacOS/Dictionary

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   libobjc.A.dylib                   0x00007fff8ab1bbb2 _mapStrHash + 28
1   libobjc.A.dylib                   0x00007fff8ab1bad5 NXMapGet + 42
2   libobjc.A.dylib                   0x00007fff8ab1ba7e addNamedClass(class_t*, char const*) + 28
3   libobjc.A.dylib                   0x00007fff8ab1a4fb _read_images + 1116
4   libobjc.A.dylib                   0x00007fff8ab18b31 map_images_nolock + 1195
5   libobjc.A.dylib                   0x00007fff8ab18622 map_images + 115
6   dyld                              0x00007fff69b133dd _ZN4dyldL18notifyBatchPartialE17dyld_image_statesbPFPKcS0_jPK15dyld_image_infoE + 964
7   dyld                              0x00007fff69b1350b dyld::registerImageStateBatchChangeHandler(dyld_image_states, char const* (*)(dyld_image_states, unsigned int, dyld_image_info const*)) + 180
8   libdyld.dylib                     0x00007fff84be4acc dyld_register_image_state_change_handler + 81
9   libobjc.A.dylib                   0x00007fff8ab1703a _objc_init + 58
10  dyld                              0x00007fff69b1dda6 ImageLoaderMachO::doModInitFunctions(ImageLoader::LinkContext const&) + 218
11  dyld                              0x00007fff69b1daf2 ImageLoaderMachO::doInitialization(ImageLoader::LinkContext const&) + 46
12  dyld                              0x00007fff69b1b2e4 ImageLoader::recursiveInitialization(ImageLoader::LinkContext const&, unsigned int, ImageLoader::InitializerTimingList&) + 260
13  dyld                              0x00007fff69b1b27d ImageLoader::recursiveInitialization(ImageLoader::LinkContext const&, unsigned int, ImageLoader::InitializerTimingList&) + 157
14  dyld                              0x00007fff69b1b27d ImageLoader::recursiveInitialization(ImageLoader::LinkContext const&, unsigned int, ImageLoader::InitializerTimingList&) + 157
15  dyld                              0x00007fff69b1b27d ImageLoader::recursiveInitialization(ImageLoader::LinkContext const&, unsigned int, ImageLoader::InitializerTimingList&) + 157
16  dyld                              0x00007fff69b1b27d ImageLoader::recursiveInitialization(ImageLoader::LinkContext const&, unsigned int, ImageLoader::InitializerTimingList&) + 157
17  dyld                              0x00007fff69b1b27d ImageLoader::recursiveInitialization(ImageLoader::LinkContext const&, unsigned int, ImageLoader::InitializerTimingList&) + 157
18  dyld                              0x00007fff69b1b27d ImageLoader::recursiveInitialization(ImageLoader::LinkContext const&, unsigned int, ImageLoader::InitializerTimingList&) + 157
19  dyld                              0x00007fff69b1b27d ImageLoader::recursiveInitialization(ImageLoader::LinkContext const&, unsigned int, ImageLoader::InitializerTimingList&) + 157
20  dyld                              0x00007fff69b1c0b7 ImageLoader::runInitializers(ImageLoader::LinkContext const&, ImageLoader::InitializerTimingList&) + 59
21  dyld                              0x00007fff69b114dd dyld::initializeMainExecutable() + 206
22  dyld                              0x00007fff69b1560b dyld::_main(macho_header const*, unsigned long, int, char const**, char const**, char const**) + 1852
23  dyld                              0x00007fff69b0f059 _dyld_start + 49

 

[RobK88]

@Wowfunhappy -- I can confirm that your updated https proxy package for old Macs works just fine now on Lion. It works in both admin and non-admin accounts. Many thanks for fixing it!

But you forgot a key step! One must reboot after installing your https proxy package and installing (or reinstalling) the certificate accoding to your instructions. If you do not reboot, you will get strange certificate warning messages!

And please note, your updated https proxy package still still tried to install the hacked Dictionary.app on my Mac running Lion. I had to deselect it in the installer before proceeding since I know from experience that the hacked Dictionary app does not work on my Mac running Lion. In fact, it somehow messes up the Dictionary app so much that not even your uninstall script restores the original Dictionary app. (Previously, I had to restore the Dictionary app from the Lion 10.7.5 disk image using Pacifist).

 

[RobK88]

I tried to create the Dictionary app on Lion using your instructions above, but the resulting Dictionary app crashed.

FYI -- Here are my steps:
1. I had to create the directory Frameworks manually under Dictionary.app/Contents since it did not exist.
2. I copied ProxyFix.dylib into the new directory.
3. Ran the long "defaults write" command in Terminal without any problems.
4. Copied the revised Dictionary.app to my Mac running High Sierra and used the optool. The optool ran without any issues. I saw a message stating that the signature was removed!
5. Copied the revised Dictionary.app back to my Mac running Lion and tried to run it. It crashed.

Here is part of the crash log:

Process:         Dictionary [2225]
Path:            /Users/USER/Downloads/*/Dictionary.app/Contents/MacOS/Dictionary
Identifier:      com.apple.Dictionary
Version:         2.2.3 (118.5)
Build Info:      DictionaryApplications-118005000000000~7
Code Type:       X86-64 (Native)
Parent Process:  launchd [264]

Date/Time:       2021-02-12 16:39:41.719 -0500
OS Version:      Mac OS X 10.7.5 (11G63)
Report Version:  9

Interval Since Last Report:          2256661 sec
Crashes Since Last Report:           566
Per-App Interval Since Last Report:  47 sec
Per-App Crashes Since Last Report:   16
Anonymous UUID:                      333ACC6A-FE2F-4613-B7CD-033326BB6210

Crashed Thread:  0  Dispatch queue: com.apple.main-thread

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000009f0e000

VM Regions Near 0x9f0e000:
-->
    __TEXT                 0000000109f0e000-0000000109f49000 [  236K] r-x/rwx SM=COW  /Users/USER/Downloads/*/Dictionary.app/Contents/MacOS/Dictionary

Application Specific Information:
objc[2225]: garbage collection is OFF
/Users/grinch/Downloads/HTTPS Proxy - Fixing HTTPS issues on old versions of OS X/Fixing Broken Dictionary App Manually/Fixed Broken Dictionary App on Lion/Really fixed/Dictionary.app/Contents/MacOS/Dictionary

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   libobjc.A.dylib                   0x00007fff8ab1bbb2 _mapStrHash + 28
1   libobjc.A.dylib                   0x00007fff8ab1bad5 NXMapGet + 42
2   libobjc.A.dylib                   0x00007fff8ab1ba7e addNamedClass(class_t*, char const*) + 28
3   libobjc.A.dylib                   0x00007fff8ab1a4fb _read_images + 1116
4   libobjc.A.dylib                   0x00007fff8ab18b31 map_images_nolock + 1195
5   libobjc.A.dylib                   0x00007fff8ab18622 map_images + 115
6   dyld                              0x00007fff69b133dd _ZN4dyldL18notifyBatchPartialE17dyld_image_statesbPFPKcS0_jPK15dyld_image_infoE + 964
7   dyld                              0x00007fff69b1350b dyld::registerImageStateBatchChangeHandler(dyld_image_states, char const* (*)(dyld_image_states, unsigned int, dyld_image_info const*)) + 180
8   libdyld.dylib                     0x00007fff84be4acc dyld_register_image_state_change_handler + 81
9   libobjc.A.dylib                   0x00007fff8ab1703a _objc_init + 58
10  dyld                              0x00007fff69b1dda6 ImageLoaderMachO::doModInitFunctions(ImageLoader::LinkContext const&) + 218
11  dyld                              0x00007fff69b1daf2 ImageLoaderMachO::doInitialization(ImageLoader::LinkContext const&) + 46
12  dyld                              0x00007fff69b1b2e4 ImageLoader::recursiveInitialization(ImageLoader::LinkContext const&, unsigned int, ImageLoader::InitializerTimingList&) + 260
13  dyld                              0x00007fff69b1b27d ImageLoader::recursiveInitialization(ImageLoader::LinkContext const&, unsigned int, ImageLoader::InitializerTimingList&) + 157
14  dyld                              0x00007fff69b1b27d ImageLoader::recursiveInitialization(ImageLoader::LinkContext const&, unsigned int, ImageLoader::InitializerTimingList&) + 157
15  dyld                              0x00007fff69b1b27d ImageLoader::recursiveInitialization(ImageLoader::LinkContext const&, unsigned int, ImageLoader::InitializerTimingList&) + 157
16  dyld                              0x00007fff69b1b27d ImageLoader::recursiveInitialization(ImageLoader::LinkContext const&, unsigned int, ImageLoader::InitializerTimingList&) + 157
17  dyld                              0x00007fff69b1b27d ImageLoader::recursiveInitialization(ImageLoader::LinkContext const&, unsigned int, ImageLoader::InitializerTimingList&) + 157
18  dyld                              0x00007fff69b1b27d ImageLoader::recursiveInitialization(ImageLoader::LinkContext const&, unsigned int, ImageLoader::InitializerTimingList&) + 157
19  dyld                              0x00007fff69b1b27d ImageLoader::recursiveInitialization(ImageLoader::LinkContext const&, unsigned int, ImageLoader::InitializerTimingList&) + 157
20  dyld                              0x00007fff69b1c0b7 ImageLoader::runInitializers(ImageLoader::LinkContext const&, ImageLoader::InitializerTimingList&) + 59
21  dyld                              0x00007fff69b114dd dyld::initializeMainExecutable() + 206
22  dyld                              0x00007fff69b1560b dyld::_main(macho_header const*, unsigned long, int, char const**, char const**, char const**) + 1852
23  dyld                              0x00007fff69b0f059 _dyld_start + 49

I did some more testing. I can confirm that the ProxyFix.dylib library is found in /Contents/Frameworks in the revised Dictionary.app. I was also able to confirm that LSEnvironment was set properly by using the "defaults read {path to revised Dictionary.app}/Contents/Info LSEnvironment" command.

Maybe the ProxyFix.dylib is not not loading properly when the revised Dicyionary.app is launched on my Mac running Lion 10.7.5.

Does one have to set the file permissions a certain way for ProxyFix.dylib to load properly? (As you can see I am grasping at straws now! )

 

[maverick28]

The permissions are 0744, the owner is "system", the group is "Admin". Also, what files do you have in the "MacOS" folder? Is there a "Dictionary" binary that shows its creation date as June 2012 and modification date as April 2019?

 

[RobK88]

The permissions are 0744, the owner is "system", the group is "Admin". Also, what files do you have in the "MacOS" folder? Is there a "Dictionary" binary that shows its creation date as June 2012 and modification date as April 2019?

The permissions for ProxyFix.dylib on m Mac are -rwxrwxrwx and the owner is "grinch" (my username) and the group is "staff".

The dictionary binary inside Dictionary.app was created on May 31, 2012 and the mod date is today.

If you do a Get Info on Dictionary.app, it shows the version as 2.2.3 and a creation date of May 31, 2012.

A few days ago, I redownloaded the Lion 10.7.5 installer directly from the Apple app store and extracted the Dictionary.app using Pacifist. So this version of the Dictionary.app is the most recent I coud get before I attempted the ProxyFix hack.

 

[Wowfunhappy]

And please note, your updated https proxy package still still tried to install the hacked Dictionary.app on my Mac running Lion. I had to deselect it in the installer before proceeding since I know from experience that the hacked Dictionary app does not work on my Mac running Lion.

That’s expected. Had you left it checked, it would simply have had no effect. I tried to make this clear in the description in the installer.

In fact, it somehow messes up the Dictionary app so much that not even your uninstall script restores the original Dictionary app. (Previously, I had to restore the Dictionary app from the Lion 10.7.5 disk image using Pacifist).

I know. That's why I removed it from the installer, even though it worked for some people.

But you forgot a key step! One must reboot after installing your https proxy package and installing (or reinstalling) the certificate accoding to your instructions. If you do not reboot, you will get strange certificate warning messages!

This is because you were installing over a previous version.

 

[RobK88]

The permissions for ProxyFix.dylib on m Mac are -rwxrwxrwx and the owner is "grinch" (my username) and the group is "staff".

The dictionary binary inside Dictionary.app was created on May 31, 2012 and the mod date is today.

If you do a Get Info on Dictionary.app, it shows the version as 2.2.3 and a creation date of May 31, 2012.

A few days ago, I redownloaded the Lion 10.7.5 installer directly from the Apple app store and extracted the Dictionary.app using Pacifist. So this version of the Dictionary.app is the most recent I coud get before I attempted the ProxyFix hack.

I checked the Lion Security Updates. None contain a newer version of the Dictionary.app
It is a mystery to me that your creation date is June 2012.

By the way, according to Apple System Information, my system version is Mac OS X 10.7.5 (11G63) which I believe is the latest system version for Lion.

 

[RobK88]

Making some progress.

I can make the Dictionary.app run with the ProxyFix.dylib but I must launch it manually:

DYLD_INSERT_LIBRARIES=/path/to/ProxyFix.dylib /Applications/Dictionary.app/Contents/MacOS/Dictionary

So I now know ProxyFix.dylib will run properly on my Mac running Lion!

But I am still perplexed that the revised Dictionary.app will not launch when the ProxyFix.dylib is installed inside the Dictionary.app in /Contents/Frameworks and when the LSEnvironment is set properly. Perhaps, wheh running optool on High Sierra somehow damaged the Dictionary.app when removing the digital signature.

 

[maverick28]

Try changing the permissions to the ones I posted and restart.

 

[maverick28]

If nothing helps, I can zip and send you my copy of Dictionary.

 

[RobK88]

Try changing the permissions to the ones I posted and restart.

Tried that. Still no luck. Perhaps there is something else going on with my Mac. I might just create my own app using Platypus.

 

[RobK88]

I created an new Proxied Dictionary app using Platypus. If you want to do it yourself, here are the details:

1. Download and install the free Platypus app from https://sveinbjorn.org/platypus. On Lion, you will need version 4.9.

2. Create the following shell script and save it (e.g. DictionaryFix.sh)

#!/bin/bash
DYLD_INSERT_LIBRARIES=./ProxyFix.dylib ./Dictionary.app/Contents/MacOS/Dictionary

P.S. A revised and better Bash shell script appears at the bottom of this post!

3. Make sure the script is executable. e.g. chmod +x {path to shell script}
4. Run Platypus
5. Give the new app a name (e.g. Dictionary Proxied)
6. Select the shell script you created
7. Change Output to NONE
8. Add ProxyFix.dylib and the original Apple Dictionary.app to the Resources folder in Platypus
9. Make sure you deselect or uncheck "Remain running after initial execution"
10. Make sure you select or check "Run in Background"
11. Click Create.
12. Select where you want to save the new app
13. In Terminal, make sure that the new Dictionary binary is executable for everyone. (e.g.
sudo chmod +x {path to new Dictionary.app}/Contents/MacOS/Dictionary\ Proxied
14. (Optional) You can copy and paste the icon from the Dictionary app to the new Proxied Dictionary app using Finder and Get Info. You can also do this when you create the Proxied Dictionary app using Platypus.

Presto you have a new Proxied Dictionary app!

Note: There is a small downside with running the app in the background. The Window for the app will be hidden until you click on the app icon on the Dock.

Alternatively, you can uncheck "Run in Background" when you create the Proxied Dictionary app using Platypus. The resulting new and improved Dictionary.app will show its window when run but you will also see two icons on the Dock! Too confusing!

UPDATE: If you call an applescript at the end of the bash script, one can create a Proxied Dictionary app that appears when run (i.e. the window is not hidden and is on top of all the other windows on your Mac) and only one icon appears on the Dock.

Here is the revised Bash Script that you can use when building the Proxied Dictionary app using Platypus:

#!/bin/bash
DYLD_INSERT_LIBRARIES=./ProxyFix.dylib ./Dictionary.app/Contents/MacOS/Dictionary &
sleep 0.5
osascript << EOF
tell application "Dictionary"
activate
end tell
EOF

The "sleep 0.5" delay in the bash script is needed to give time for the Proxied Dictionary app to run before you bring its window to the front! If the window does not appear on top of the others on your Mac, try increasing the time in the "sleep" bash command.

UPDATE 2 - ALTERNATE APPROACH:

If you prefer Applescript over bash, you can build the Proxied Dictionary app using the instructions above but substituting the bash script with the following Applescript. (P.S. Make sure Applescript is selected as the script type in Platypus before building your App!):

do shell script "DYLD_INSERT_LIBRARIES=./ProxyFix.dylib ./Dictionary.app/Contents/MacOS/Dictionary" & " &> /dev/null & echo $!"
delay 1
tell application "Dictionary"
    activate
end tell

 

[RobK88]

Tried that. Still no luck. Perhaps there is something else going on with my Mac. I might just create my own app using Platypus.

@Wowfunhappy and @maverick28
I figured out why I was not able to create the revised Dictionary.app that is able to use the https proxy.

The problem is with optool.

I tried to just strip the digital signatures from the original Apple Dictionary.app (version 2.2.3) that ships with Lion 10.7.5 (without modifying the Dictionary.app beforehand by adding ProxyFix.dylib etc) using optool on a Mac running High Sierra.

optool runs fine and reports that the digital signatures have been stripped. But when I try to run the resulting Dictionary.app on Lion, it crashes!

Somehow optool is damaging the Dictionary.app.

P.S. Macports offers optool but it fails to build on Lion. I have filed a bug report with Macports.
(see https://trac.macports.org/ticket/62276)
I am hoping that if I can build optool on Lion, it will solve the problem.

 

[Wowfunhappy]

Huh, I suppose it's possible optool doesn't work properly in High Sierra. If so, you might try in a Mavericks VM, since I know for sure it works there. You could also try recompiling it on High Sierra, or installing it from MacPorts on High Sierra.

Interesting that MacPorts seems to have an optool build for Mountain Lion (Darwin 12), so I can probably add back the Dictionary fix there at least. http://packages.macports.org/optool/

 

[RobK88]

Huh, I suppose it's possible optool doesn't work properly in High Sierra. If so, you might try in a Mavericks VM, since I know for sure it works there. You could also try recompiling it on High Sierra, or installing it from MacPorts on High Sierra.

Interesting that MacPorts seems to have an optool build for Mountain Lion (Darwin 12), so I can probably add back the Dictionary fix there at least. http://packages.macports.org/optool/

@Wowfunhappy -- Problem solved!!! I found a reliable way to strip the digital signatures from the Dictionary.app in Lion!

Please note that there are many ways to strip digital code signatures (or code signing) from Mac binaries but only a few work on Lion:

Option 1 - "codesign" -- codesign comes with Lion. (I believe it first appeared in Snow Leopard). There is an undocumented flag called "--remove-signature" which will, as the name suggests, remove code signatures. Unfortunately, it did not work on the Dictonary.app in Lion

codesign --remove-signature /Users/grinch/Desktop/TEST/Dictionary.app
/Users/grinch/Desktop/TEST/Dictionary.app: unsupported type or version of signature

P.S. One can use the "codesign" tool built-in to Mac OS to display or verify a binary's digital code signature. I use it to see if the code signature was actually removed! (e.g. codesign --display --verbose {path to binary}. Note you can get even more info using -- codesign --display --verbose=4 {path to binary} ).

Option 2 - "optool" -- As you know "optool" will remove digital code signatures from binaries but it does NOT run or even compile on Lion.

Note: "optool" is NOT reliable. Sometimes it corrupts the binary whose digital code signature has been stripped. In my case, running "optool" on High Sierra corrupted the Dictionary.app binary from Lion. I also noticed that even when it did not corrupt the binary, "optool" really did not strip the digital signature fully. Here is the output from "codesign --display" on mavericks28's modified Lion Dictionary.app after optool's stripped the digital signature:

codesign --display --verbose /Applications/Dictionary\ Proxied.app /Applications/Dictionary Proxied.app: invalid signature (code or signature have been modified)

It is interesting to note that maericks28's modified Dictionary.app still runs just fine on Lion and uses the squid https proxy even though the digital signature appears to be invalid!

Option 3 - "stripcodesig" -- This command line tool will also strip digital code signatures from Mac binaries. But it appears to crash on Lion. (For source, see https://github.com/tvi/stripcodesig. For Binaries, see http://www.jackoverfull.com/print.php?news=1489678895-en )

Option 4 - "xattr" -- One can use "xattr" to strip digital code signatures which are part of the binary's extended attributes. (e.g. xattr -c {path to binary file} ). Or you can strip all extended attributes from an application bundle. (e.g. xattr -cr {path to app bundle.app}.

But please note that the process of codesigning a binary often modifies NOT ONLY the extended attributes of a binary BUT ALSO the binary itself! But in many cases, the "xattr" tool will do the trick when trying to get around code signing issues.

After using "xattr" on Lion, the modified Dictionary.app still ran just fine but I was not able to get it to use your squid https proxy. Another failure.

Option 5 - "insert_dylib" - "insert_dylib" is a command line utility for inserting a dylib load command into a Mach-O binary. (See https://github.com/Tyilo/insert_dylib#removing-code-signature ). I really though that this would do the trick! The source compiles on Lion and even runs. But it does not appear to work!

Option 6 - "unsign" -- SUCCESS!!! -- "Unsign" compiles and runs on Lion, and unlike "optool", it appears to really strip the digital signature from Lion Mac binaries!! (see https://github.com/steakknife/unsign for the source which compiles on Lion. If you need the binary, PM me).

grinch$ ./unsign Dictionary.app/Contents/MacOS/Dictionary
reading infile: Dictionary.app/Contents/MacOS/Dictionary
  processing fat architecture 1 of 2
    found LC_CODE_SIGNATURE
  processing fat architecture 2 of 2
    found LC_CODE_SIGNATURE
wrote outfile: Dictionary.app/Contents/MacOS/Dictionary.unsigned

After using unsign, the digital code signature is REALLY removed!

grinch$ codesign --display --verbose /Users/grinch/Desktop/TEST/Dictionary.app
/Users/grinch/Desktop/TEST/Dictionary.app: code object is not signed at all

I was successfully able to create a new and improved Dictionary.app using unsign and your instructions. But please note, one MUST use "unsign" to strip the digital signature AFTER you have inserted ProxyFix.dylib into /Contents/Frameworks and after adding the LSEnvironment key. (I tried using "unsign" first and then adding ProxyFix.dylib etc. The modified Dictionary.app ran just fine but it would not use the squid https proxy! Please do not ask me why!)

Note: the "unsign" tool creates a binary with the following file name extension -- ".unsigned". You will need to rename the resulting binary etc.

So if you want to provide updated Dictionary binaries for Lion users in your https proxy package, you may want to try using "unsign" instead of "optool".

P.S. I have not tested using "unsign" etc on Mountain Lion yet but I suspect it will work just fine.

 

[Wowfunhappy]

Thanks, I'll look at integrating unsign into the installer! I knew about all of the others but not that one.

Btw, insert_dylib is a great tool and it does work even on Snow Leopard, provided it's compiled on a newer OS. But it can't strip code signatures without also inserting a library, and the libraries it inserts have too low a priority to replace DYLD_INSERT_LIBRARIES.

 

[RobK88]

You are welcome! And thanks for the info on dylib_insert. It is too bad no one has written a tool similar to dylib_insert that uses DYLD_INSERT_LIBRARIES instead.

By the way, Apple's "codesign --remove-signature" works much better on later versions of Mac OS X but often one needs to run it multiple times! Or you can use a simple recursive script called "codesign_remove_for_real" found at:

bug? in codesign --remove-signature feature

I would like to remove the digital signature from a Mac app that has been signed with codesign. There is an undocumented option to codesign, --remove-signature, which by it's name seems to be what ...

stackoverflow.com

Neither this recursive script or Apples's "codesign" tool work well on Lion to remove digital code signatures because Apple's "codesign" tool was in its infancy at the time of Lion.

 

[RobK88]

@Wowfunhappy -- If you do not want to use a third party utility like "unsign" or "optool", you can sometimes strip code signatures by just using the command line utility "zip". When zipping, the "zip" command line utility strips all code signing related xattrs because "zip" only preserves xattr types which are designated for preservation. And Apple failed to designate for preservation its code signing xattrs. (Apple could fix this in a future MacOS releases but Apple still had not done so in Catalina. I do not know about Big Sur).

I tried the following and it worked:

1. Copy ProxyFix.dylib into Dictionary.app/Contents/Frameworks
2. Set the LSEnvironment key (according to your instructions)
e.g. defaults write /Applications/Dictionary.app/Contents/Info LSEnvironment -dict DYLD_INSERT_LIBRARIES @executable_path/../Frameworks/ProxyFix.dylib
3. Extract (i.e. copy) Dictionary.app/Contents/MacOS/Dictionary to another location.
4. Zip the extracted Dictionary unix binary using the zip command line utility
5. Unzip it
6. Replace Dictionary.app/Contents/MacOS/Dictionary executable binary with the extracted Dictionary executable binary.

It worked 3 out of 4 times. The revised Dictionary.app ran and used the https proxy.

Note this zip and unzip method does not completely remove the digital signature.

grinch$ codesign --display --verbose /Users/grinch/Test/Dictionary.app/Contents/MacOS/Dictionary
/Users/grinch/Test/Dictionary.app/Contents/MacOS/Dictionary: invalid signature (code or signature have been modified)

So I still think it is better to use the "unsign" command line utility. It is more reliable and it appears to completely remove the digital code signature on a binary.

 

[Wowfunhappy]

Would there be any interest in Tiger and/or PPC compatibility? (I realize I'm in the wrong section for the latter.) It has come to my attention that I may be able to compile Squid for both...

 

[wicknix]

I'd use it on Leopard if it were available.

 

[RobJos]

No, not unless a "please bypass the proxy" feature is built into the application itself, as it is in Firefox. OS X doesn't offer a way to allow specific apps through the proxy, and Squid has no way to know which app is sending it traffic.

What OS X can do is disable the proxy for specific domains. Open System Preferences > Network > Advanced > Proxies, and look for the field at the bottom which reads "Bypass proxy settings for these Hosts & Domains". But I don't think this will work for your use case.

Edit: It really sounds like Little Snitch is the problem here. I'm disappointed it isn't smarter.

Edit2: I'm actually a little confused as to what's going on with Little Snitch. It's been a little while since I last used it, but I thought it usually sets rules per app? Why can't you set Little Snitch to let Squid make connections to anywhere, and then set up rules for the individual apps?

Or does Little Snitch think those apps are just trying to connect to localhost (the proxy address), rather than their real destination? If so, that's dumb, because it means that Little Snitch is just plain broken with proxies—a feature built into OS X!

First of all: if Little Snitch (LS) really has any limitations, please keep in mind that the last SnL version is 3.3.4, whereas it's already at v. 3.8. something. But it's just as likely that the problems were coming from my limited understanding of how LS actually works and interacts with proxies.

Since last, I've tried lots of head-breaking combinations between LS, Squid and my VPN's proxy. After realising that — most importantly — Squid connects through Tunnelblick (OpenVPN interface) and — with the help of a browser that doesn't have its own proxy settings (Chromium) — that the resulting DNS is, correctly, that supplied by my VPN's, it took a long while before figuring out that to avoid all kinds of erratic calls in LS, I had to disable Network > SOCKS Proxy and only have Secure Web Proxy enabled. Possibly, also allowing Squid in LS to connect to the VPN's SOCKS proxy has had an effect:

​

I also was reminded that the reason for using SOCKS Proxy, when it had been suggested by the VPN provider, was to reduce exposure to captchas. Not something, I believe, that one has to worry about outside of browsing activity, and therefore not a problem for those applications that connect through Squid.

Maybe all of this is obvious to those in the know, but if any of it points to something I'm doing not being right in terms of security a/o privacy, or if something can be fine-tuned better, I'd appreciate hearing about it.

 

[Macbookprodude]

Does this work on Mojave ?