Last year Apple forced the industry to only accept TLS certificates with validity up to maximum of 398 days. This is documented in HT211025 article. However there is a note explicitly excluding the certificate issued by an internal CA:
This change will not affect certificates issued from user-added or administrator-added Root CAs.
Because of this I assumed I could get away with 3 year validity for a certificate issues by our new internal CA. Turns out I was wrong.
Safari 14.1.1 refuses to connect to a site with freshly issued 3-year TLS certificate. So does Chrome 91 but it is more informative about it and presents an error message: NET::ERR_CERT_VALIDITY_TOO_LONG.
Previous change of TLS certificate requirements from 2019 described in article HT210176 article limits the certificate validity to 825 days. There aren’t any exception listed in this articles. Would Safari and Chrome trust certificate with 2-year validity?
Yes. Both Safari (14.1.1) and Chrome (91) in macOS 11.4 accept the 2-year certificate signed by internal CA as secure.
InstallApplications Swiftly (IAS) intends to be a replacement for InstallApplications (IA) tool. Code is not yet ready for public release. I still need to finish some parts and do the final refactoring not to mention proper testing. Expect alpha version in three to four weeks.
This blog post outlines the development goals, implementation decisions and differences between IA and IAS.
Main goals
Swift code using Apple frameworks whenever possible. Minimum external dependencies.
Smallest footprint possible. Less than 10 files with the total size under 1 MB.
Speed. Files downlod in parallel on multiple threads. Option to mark the item to be executed in parallel with other items.
Compatibility with InstallApplications JSON control file format.
LaunchDaemon (iasd) + LaunchAgent (iasagent) model stays but with differences. IAS logic is implemented solely in the iasd. Userscript execution is delegated to iasagent using the XPC remote object calls.
No argument parsing. Configuration is provided via Plist.
Logging exclusively to the system unified log with Logger.
Target is macOS 11.0 or newer.
Advantages over IA
IAS download and install should be much quicker. Current Python.framework (IA 2.1 Alpha 1) has 6000+ files and is 40+ MB in size (compressed). Size of IAS binaries is currently less than 1 MB.
Workflow should complete faster since it’s no longer linear cycle download -> execute -> download -> execute.
More secure file permission model bacause iasagent only needs to read and execute userscript files.
Code signing and notarization should be easier compared to Python framework with many executable files.
Disadvantages over IA
If you run Python scripts as part of IA run you will have to package your own Python.framework and deploy as one of the first items in the IAS workflow.
Swift standard library does not have argument parser. I did not want to use any Swift package for this so I decided do configure iasd solely via plist (Either passed as first argument or known filename in the same directory).
I am not aiming for backward compatibility. macOS 11.0 or newer is currently the target.
Other new features
Multiple preflight scripts
Ability to run multiple preflight rootscript items if desired. Preflight script are always executed in parallel. If either one of them exists with non zero exit code IAS proceeds to the SetupAssistant phase.
Hash validation modes
Ability to control SHA-256 validation. There are three options set in the configuration Plist:
Fail: Abort run if computed hash does not match after multiple redownloads (IA behavior, default)
Warning: Proceed with the execution if the hash of the two subsequent file downloads is the same. Issue a warning to the system log.
None: Do not check the SHA-256 hash at all.
Item failure responses
Ability to configure response to item failure. There is a new option applicable for every SetupAssistant and Userland phase items:
Failable: If download fails item execution is skipped with an error message in the log.
FailableExecution: Download failure aborts the IAS run. Item execution finishing with non-zero exit code does not end the IAS run (IA behavior, default).
FailureIsNotAnOption: If either download fails or execution returns non-zero exit code IAS run is aborted.
Possible future features
Support configuration via the configuration profiles (NSUserDefaults).
Reintroduce the option to automatically write some of the status messages to DEP notify control file.
(Danger zone) Use private frameworks to get list of package receipts (PKInstallHistory) and start package installs (unkown if possible).