
Heroines 14: The crime of faithfulness

By: hoakley
7 September 2024 at 19:30

Stories of the abduction of women and their enforced marriage have persisted for an extraordinary length of time. One of the most popular, and still much-loved, musicals is Seven Brides for Seven Brothers, a successful movie in 1954, and as late as 1982-83 it was remade for television. It tells of seven ‘shotgun’ marriages, and was based on a short story The Sobbin’ Women, which in turn was a parody of the story of the rape of the Sabine women in about 750 BCE.

As popular in classical Greek and Roman times was an equally disturbing myth concerning Hypermnestra and her sisters the Danaïds, which was largely forgotten after the Middle Ages, only to be revived around the start of the twentieth century. It was told by Hyginus, Apollodorus, Aeschylus, and Horace, and referred to by many others.

Danaus and Aegyptus were twin brothers who lived in North Africa. Aegyptus was a mythical king of Egypt who had fifty sons, and his brother had fifty daughters, from their polygamous relationships. When Aegyptus decided that his sons would marry his brother’s daughters, Danaus fled with those daughters to Argos, in Greece, where the reigning king generously handed over his throne to him.

Aegyptus and his sons were not to be put off so easily, joined Danaus and his daughters in Argos, and pressed ahead with the plans for the weddings. The couples were assigned by lot, apart from two matches between Hypermnestra and Lynceus, and Gorgophone and Proteus, deemed necessary because of the rank of their mothers, who were princesses.

On the day of their weddings, Danaus equipped his daughters with swords, and told them to murder their husbands in bed that night. Once those drunken grooms had fallen asleep, the daughters each followed their father’s instructions, except for Hypermnestra: by the morning, of the fifty brothers only Lynceus survived.

Artist not known, Hypermnestra, Lynceus (or Linus) and the Danaïdes (1473), hand coloured woodcut from Giovanni Boccaccio’s De mulieribus claris, translated by Heinrich Steinhöwel and printed by Johannes Zainer at Ulm c 1474, Penn Libraries call number: Inc B-720, Philadelphia, PA. Image by kladcat, via Wikimedia Commons.

This story was told in the fourteenth of Giovanni Boccaccio’s De Mulieribus Claris (Concerning Famous Women), published in 1374, and illustrated as Hypermnestra, Lynceus and the Danaïdes (1473) in this hand coloured woodcut from the translation by Heinrich Steinhöwel. Four of the brothers are seen, their throats cut in bed, but the helpfully labelled figures of Hypermnestra and ‘Linus’ are still in a loving embrace.

Robinet Testard (fl. 1470-1531), The Danaides Kill Their Husbands (c 1510), miniature in Héroïdes ou Epîtres, by Ovid, translated by Octavien de Saint-Gelais, Bibliothèque nationale de France (Français 874, Folio 170v), Paris. Wikimedia Commons.

Robinet Testard shows a similar scene in The Danaides Kill Their Husbands (c 1510), his miniature for Octavien de Saint-Gelais’ translation of Ovid’s Heroides. Hypermnestra’s sisters have each dutifully cut the throats of their new husbands, and sit holding their swords. At the left, though, Hypermnestra and Lynceus sit together on their marriage bed, unharmed.

Danaus was furious with the disobedience of Hypermnestra, who was dragged to a dungeon by her hair to await her fate. It’s at this point that Ovid set his fictional letter from Hypermnestra to Lynceus, the fourteenth letter in his Heroines.

Ovid’s Hypermnestra makes it clear from the outset that she has been charged with the crime of faithfulness, which should surely be praised, not condemned. She reveals the quandary that she found herself in, as she held her father’s sword at the neck of Lynceus and agonised over whether she should kill him or not. Three times she raised the sword in preparation for his murder, and three times her love for Lynceus overpowered her, and spared his life.

Hypermnestra was not summarily executed by her father, but brought before a court, which acquitted her of any wrongdoing. Lynceus (sometimes erroneously named Linus) then killed Danaus, and succeeded him as the King of Argos with Hypermnestra as his queen.

Francesco Xanto Avelli (c 1487–1542), Hypermnestra Watching Lynceus Take Her Father’s Crown (1537), earthenware plate with tin glaze (maiolica), 2.3 × 25.5 cm, Walters Art Museum, Baltimore, MD. Wikimedia Commons.

This maiolica plate painted by Francesco Xanto Avelli in 1537 shows the later scene of Hypermnestra Watching Lynceus Take Her Father’s Crown. Lynceus (labelled here as ‘Lino’) has taken Danaus’ crown, and is about to put him to the sword. Hypermnestra stands at a window, most probably not that of a dungeon. Below its lintel is a Cupid bearing the famous saying omnia vincit amor – love conquers all – which actually comes from Virgil’s last Eclogue and is unrelated.

In the end, while Lynceus and Hypermnestra lived happily ever after, the other forty-nine sisters were punished in Hades for the sin of murder. They were given an impossible task, of filling a large container with water; as that container had holes in its bottom, they now spend the rest of eternity carrying water to the container and pouring it in.

Unlike the hapless Sisyphus, who was condemned to push a hefty rock up a steep hill in his Sisyphean task, the Danaïds haven’t been commemorated in figurative language, but have appeared in a surprising number of paintings.

Martin Johann Schmidt (1718–1801), The Labour of the Danaides (1785), oil on copper plate, 54.5 × 77 cm, Narodna galerija Slovenije, Ljubljana, Slovenia. Wikimedia Commons.

The murderous sisters don’t seem to have had much of a showing in art until Martin Johann Schmidt painted The Labour of the Danaides (1785) on copper. He makes the allusion to Danaïds also being known as water-nymphs, like Naiads, by placing a river god at the left.

John William Waterhouse (1849–1917), The Danaides (1903), oil on canvas, 111 × 154.3 cm, Private collection. Wikimedia Commons.

John William Waterhouse revived them for two paintings, of which this, The Danaides, was the first, and completed in 1903. He made a second slightly more complex composition in 1906, now hanging in Aberdeen Art Gallery in Scotland. Rather than a battered and leaky barrel, Waterhouse has the Danaïds filling an ornamental cauldron.

Walter Crane (1845-1915), The Danaides (date not known), further details not known. Wikimedia Commons.

I have been unable to find a date for Walter Crane’s version, The Danaides, which was probably for a triptych painted between 1890-1915 and shows a remarkably similar cauldron.

John Singer Sargent (1856–1925), The Danaïdes (c 1922-25), oil on canvas, 335.28 x 632.46 cm, Museum of Fine Arts, Boston, MA. Wikimedia Commons.

Towards the end of his life, John Singer Sargent painted this vast canvas to show The Danaïdes (c 1922-25), now decorating the entrance to the Library of the Museum of Fine Arts in Boston.

Of all the accounts of this unusual myth, yet again only Ovid looks deep into the relationships involved. He explores the situation of a woman who didn’t commit a crime at her father’s behest, but stayed true to her morals and to her love for Lynceus: a real heroine whose virtue was, for once, rewarded.

Saturday Mac riddles 272

By: hoakley
7 September 2024 at 16:00

Here are this weekend’s Mac riddles to entertain you through family time, shopping and recreation.

1: Used by courting birds with a haven for video and audio to replace the others.

2: 506 Romans can handle analogue and digital to display.

3: With CTA-861, 19 pins and five connectors, it’ll carry all your media, even HDCP.

To help you cross-check your solutions, or confuse you further, there’s a common factor between them.

I’ll post my solutions first thing on Monday morning.

Please don’t post your solutions as comments here: it spoils it for others.

A brief history of Time Machine

By: hoakley
7 September 2024 at 15:00

In the days before Mac OS X, Apple didn’t provide a serious backup utility, and by the time we were starting to move up from Classic Mac OS the standard choice was normally Dantz Development’s Retrospect, first released in 1989 and still available today in version 19.

Time Machine wasn’t the first utility in Mac OS to back up local storage. In 2004, Apple’s first cloud subscription service .Mac included a Backup app that backed up local files to iDisk in the cloud, something that still isn’t supported today with iCloud.

In the following years, AirPort Wi-Fi systems flourished, and Apple decided to launch a consumer NAS incorporating an AirPort Extreme Base Station with a 500 GB or 1 TB hard disk. Software to support that was dubbed Time Machine, and was released in Mac OS X 10.5 Leopard on 26 October 2007, 17 years ago. The first Time Capsule was announced in January 2008, and shipped a month later.

Time Machine’s pane in System Preferences changed little until Ventura’s System Settings replaced it.

The application’s restore interface featured a single Finder-like window, much like today’s. Internally, Time Machine scheduled its backups using a system timer and launchd, making backups every hour regardless of what else the Mac might have been doing at the time.

The initial version of Time Machine was both praised and slated. Unlike Mike Bombich’s rival Carbon Copy Cloner, it couldn’t create bootable backups, and there were problems with FileVault encryption, which at that time could only encrypt Home folders, rather than whole volumes. Despite those, its introduction transformed the way that many used their Macs, and made it more usual for users to have backups.

From its release, Time Machine was dependent on features of the HFS+ file system to create its Finder illusion. Every hour the backup service examined the record of changes made to the file system since the last backup was made, using its FSEvents database. It thus worked out what had changed and needed to be copied into the backup. During the backup phase itself, it only copied across those files that had been created or changed since the last backup was made.

It did this by using hard links in the backup, and Apple added a new feature to its HFS+ file system to support this, directory hard links. Where an entire folder had remained unchanged since the last backup, Time Machine simply created a hard link to the existing folder in that backup. Where an existing file had been changed, though, the new file was written to the backup inside a changed folder, which in turn could contain hard links to its unchanged contents.

This preserved the illusion that each backup consisted of the complete contents of the source, while only requiring the copying of changed files, and creation of a great many hard links to files and folders. It was also completely dependent on the backup volume using the HFS+ file system, to support those directory hard links.

Without directory hard links, backups would quickly have become overwhelmed by hard links to files. If you had a million files and folders on the backup source volume, every hourly backup would have had to create a total of a million copied files or hard links. Directory hard links thus enabled the efficiency needed for this novel scheme to work.
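The hard-link scheme described above, as an added example that is not Apple's code or part of the original article: it makes two backups of a constructed folder tree using ordinary file hard links, then counts how many entries the second backup would have needed had an unchanged folder been a single directory hard link. Comparing file contents stands in for the FSEvents change record, and all function names are hypothetical.

```python
import filecmp
import os
import shutil
import tempfile


def same_file(a, b):
    # Assumption: content comparison stands in for the FSEvents change record.
    return os.path.isfile(b) and filecmp.cmp(a, b, shallow=False)


def same_tree(src, prev):
    """True if directory src is identical to directory prev, all the way down."""
    if not os.path.isdir(prev):
        return False
    names = sorted(os.listdir(src))
    if names != sorted(os.listdir(prev)):
        return False
    for n in names:
        s, p = os.path.join(src, n), os.path.join(prev, n)
        if os.path.isdir(s):
            if not same_tree(s, p):
                return False
        elif not same_file(s, p):
            return False
    return True


def backup(src, prev, dst, stats):
    """File hard links only: every folder is recreated, every unchanged file is
    linked to the previous backup's copy, and changed or new files are copied."""
    os.mkdir(dst)
    stats["dirs"] += 1
    for n in sorted(os.listdir(src)):
        s, d = os.path.join(src, n), os.path.join(dst, n)
        p = os.path.join(prev, n) if prev else None
        if os.path.isdir(s):
            backup(s, p, d, stats)
        elif p and same_file(s, p):
            os.link(p, d)          # same inode, no data copied
            stats["links"] += 1
        else:
            shutil.copy2(s, d)     # changed or new file: real copy
            stats["copies"] += 1
    return stats


def dir_link_ops(src, prev):
    """Entries a backup would create if an unchanged folder could be one hard
    link (computed only; most file systems refuse directory hard links)."""
    if prev and same_tree(src, prev):
        return 1                   # whole subtree becomes a single link
    ops = 1                        # changed folder is created afresh
    for n in sorted(os.listdir(src)):
        s = os.path.join(src, n)
        p = os.path.join(prev, n) if prev else None
        ops += dir_link_ops(s, p) if os.path.isdir(s) else 1
    return ops


def demo():
    """Constructed sample: 20 folders x 50 files, one file edited between backups."""
    with tempfile.TemporaryDirectory() as root:
        src = os.path.join(root, "source")
        for f in range(20):
            folder = os.path.join(src, f"folder{f:02d}")
            os.makedirs(folder)
            for i in range(50):
                with open(os.path.join(folder, f"file{i:02d}.txt"), "w") as fh:
                    fh.write(f"{f}-{i}\n")
        b1, b2 = os.path.join(root, "backup1"), os.path.join(root, "backup2")
        backup(src, None, b1, {"dirs": 0, "links": 0, "copies": 0})

        edited = os.path.join("folder07", "file03.txt")
        with open(os.path.join(src, edited), "w") as fh:
            fh.write("edited\n")

        stats = backup(src, b1, b2, {"dirs": 0, "links": 0, "copies": 0})
        untouched = os.path.join("folder00", "file00.txt")
        with open(os.path.join(b1, edited)) as fh:
            old_kept = fh.read() == "7-3\n"
        return {
            **stats,
            "with_dir_links": dir_link_ops(src, b1),
            "shared_inode": os.path.samefile(os.path.join(b1, untouched),
                                             os.path.join(b2, untouched)),
            "old_version_kept": old_kept,
        }


if __name__ == "__main__":
    print(demo())
```

For one edited file out of 1,000, the file-link backup still creates 1,021 entries, while the directory-link count is 71: the gap the paragraph above describes at the scale of a million items.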

Apple later introduced what it termed Mobile Time Machine, intended for notebooks that could be away from their normal backup destination for some time. In around 10,000 lines of code, Mac OS X came to create something like a primitive snapshot, only on HFS+.

When macOS introduced its new DAS-CTS scheduling and dispatch system for background activities, in (about) Sierra, Time Machine’s backups were added to that. That proved unfortunate at the time because of a bug in that system, which failed on Macs left running continuously for several days, when backups could become infrequent and irregular.

When Apple released the first version of APFS on Mac OS X in High Sierra, its new snapshot feature was immediately incorporated into Time Machine to replace the earlier Mobile variant. Initially, APFS snapshots were also used instead of the FSEvents database to determine what should be backed up. Since then, making each backup of an APFS volume has involved creating a snapshot that’s stored locally on the APFS volume being backed up. In High Sierra and Mojave, the structure of backups themselves didn’t change, so they still required an HFS+ volume and relied on directory hard links.

Catalina introduced a more complicated scheme to replace snapshots as the usual means for determining what to back up. This was presumably because computing a snapshot delta had proved slow. As the backup destination remained in HFS+ format that couldn’t use snapshots, it continued to rely on directory hard links.

Big Sur and its successors with Signed System Volumes (SSVs) retained the option to continue backing up to HFS+ volumes, but added the ability to back up APFS volumes to APFS backup storage at last.

When backing up to APFS, Time Machine reverses the design used in High Sierra: instead of using snapshots to determine what needed to be backed up before creating a backup using traditional hard links, most of the time Time Machine determines what has changed using the original method with FSEvents, then creates each backup as a synthetic snapshot on the backup store. Unlike earlier versions, in Big Sur and later Time Machine can’t back up the System volume.

Once Time Machine has made a detailed assessment of the items to be backed up, it forecasts the total size to be copied. The local snapshot is copied to an .inprogress folder on the backup volume, and backup copying proceeds. Where possible, only changed blocks of files are copied, rather than having to copy the whole of every file’s data, an option termed delta-copying that can result in significant savings. Old backups are removed both according to age, and to maintain sufficient free space on the backup volume, in what Time Machine refers to as age-based and space-based thinning.

Data copied to assemble the backup on the backup volume is formed into a synthetic snapshot used to present the contents of that backup both in the Time Machine app and the Finder. Those snapshots are presented in /Volumes/.timemachine/ although they’re still stored on the backup volume.

Although modern Time Machine backups to APFS are both quicker and more space-efficient, the structure of backup storage poses problems. Copying backup stores on HFS+ was never easy, but there are currently no tools that can transfer those on APFS to another disk.

Behind the familiar interfaces of its app and settings, Time Machine has come a long way over the last few years, from building an illusion using huge numbers of hard links to creating synthetic snapshots.

Harriet Backer’s Nordic Light: 1890-1932

By: hoakley
6 September 2024 at 19:30

The early years of Harriet Backer’s career saw her progress from early Salon-ready realism to the more painterly and colourful style of her personal interpretation of Impressionism. Her landscapes captured the intensity of the Norwegian summer, and she had been exploring the play of light indoors in interiors. By 1890, her career was established, her art recognised and increasingly appreciated, and she had started teaching. She now turned her attention from the play of natural light to that of lamplight.

Harriet Backer (1845–1932), Syende kvinne ved lampelys (By Lamplight) (1890), oil on canvas, 36 x 44 cm, Galleri Rasmus Meyer, Bergen. Wikimedia Commons.

Syende kvinne ved lampelys (By Lamplight) (1890) reverses the lighting of her previous interiors. Now the view through the window is the blackness of night, and the interior is lit by a kerosene lamp on the table inside. The play of light is changed into the play of shadow, with the woman’s shadow magnified on the wall behind her.

Harriet Backer (1845–1932), Aften, interiør (Evening, Interior) (Reading) (1890), oil on canvas, 54 x 66 cm, Nasjonalgalleriet, Oslo. Wikimedia Commons.

Her Aften, interiør (Evening, Interior) (Reading) (1890) takes this further, and shows the influence of Japonisme, particularly in the scarlet lampshade at the right. Backer shows how the harsh directional light casts strange shadows with the effect of altering our reading of facial features, the folds in clothing, and magnifying the shadow on the wall. Although the light doesn’t create the woman and the objects around her, by determining how we see her, it transforms our perceptions and interpretation.

Harriet Backer (1845–1932), Kone som syr (Woman Sewing) (1890), oil on canvas, 33 x 41 cm, Private collection. Wikimedia Commons.

Kone som syr (Woman Sewing) (1890) takes us back to more familiar daytime lighting, as a woman (a wife in the Norwegian title) sits at her sewing. This appears to have been a quick oil sketch, with its gestural depictions of potted plants, table, and chair, going beyond Impressionism.

Harriet Backer (1845–1932), Pike ved vinduet (Girl by the window) (1891), oil on canvas, 54 x 67 cm, Private collection. Wikimedia Commons.

In her Pike ved vinduet (Girl by the window) (1891), the girl looks out from the sunlit interior to a world we cannot discern, beyond the miniature internal world of chair, stove, and potted plants.

Harriet Backer (1845–1932), Inngangskoner (Churching) (1892), media not known, 90.5 x 112.5 cm, Private collection. Wikimedia Commons.

Inngangskoner (Churching) (1892) shows a traditional ceremony in which a woman who has just completed the confinement following the birth of her child is received back at church, where she gives thanks for the survival of her baby and herself, and prays for their continuing health. This is believed to show the sacristy to the left of the altar in Tanum Kirke, in Bærum, Norway. Backer marks this important moment in a mother’s life with the light of hope, as emergence from the suffuse light of the nursery.

Harriet Backer (1845–1932), Barnedåp i Tanum Kirke (Christening in Tanum Church) (1892), oil on canvas, 109 x 142 cm, Nasjonalgalleriet, Oslo. Wikimedia Commons.

The next event in the life of mother and baby is shown in her Barnedåp i Tanum Kirke (Christening in Tanum Church) (1892), one of Backer’s most sophisticated paintings. Again she places the viewer inside, looking now both outward and inward.

The left of the canvas takes the eye deep through the church door to the outside world, where a mother is bringing her child in for infant baptism. The rich green light of that outside world colours the heavy church door, and its inner wood panelling, and the floorboards and perspective projection bring the baptismal party in.

At the right, two women are sat in an enclosed stall waiting for the arrival of the baptismal party. One has turned and partly opened the door to their stall in her effort to look out and see the party enter church. Backer controls the level of detail and looseness to brilliant effect, ensuring we always see just what she wants us to, enough to bring the image to life, but never so much that our attention becomes lost in the irrelevant.

Wilhelm Leibl (1844–1900), Drei Frauen in der Kirche (Three Women in Church) (1882), oil on mahogany wood, 113 × 77 cm, Kunsthalle Hamburg, Hamburg. Wikimedia Commons.

This painting of the ages of woman is believed to have been influenced by Wilhelm Leibl’s (1844-1900) Three Women in Church (1882), which Backer had seen when studying in Munich. She considered this to be her greatest painting, and it was favourably received when exhibited at the World’s Fair in Chicago in 1893.

Harriet Backer (1845–1932) Gamlestua på Kolbotn (Old Living Room at Kolbotn) (1896), oil on canvas, 61.5 x 83.5 cm, Nasjonalgalleriet, Oslo. Wikimedia Commons.

Gamlestua på Kolbotn (Old Living Room at Kolbotn) (1896) is an intimate view of the living room of a farm in Østerdalen, Norway. Friends of the artist Hulda and Arne Garborg are seen sat at the table, Arne holding his fiddle. Behind them are paintings, among them two landscapes painted by Backer’s friend Kitty Kielland. Kielland, Backer and the Garborgs had first met in Paris in 1885.

Harriet Backer (1845–1932), Einundfjell (1897), oil on canvas, 80 x 131 cm, Bergen Kunstmuseum, Bergen. The Athenaeum.

Backer hadn’t abandoned landscapes, but they too had moved on from regular Impressionism. Einundfjell (1897) shows her skills in capturing the more subtle light and colour of twilight. The bright surface of the distant lake separates the dark hills behind from the more colourful meadows of the foreground.

Harriet Backer (1845–1932), Thorvald Boecks bibliotek (Thorvald Boeck’s Library) (1902), oil on canvas, 94.5 x 89 cm, Nasjonalgalleriet, Oslo. The Athenaeum.

Thorvald Boecks bibliotek (Thorvald Boeck’s Library) (1902) is one of Backer’s few interiors devoid of people, here replaced by books from floor to ceiling. The intricate detail of their many spines, furniture, and other decorations contrasts markedly with the bare floorboards in the foreground.

In 1907, Backer had her first solo exhibition in Oslo. During that first decade of the twentieth century, her interiors switched away from the intimacy of the rural home, to those of Norway’s country churches.

Harriet Backer (1845–1932), Uvdal Stave Church (1909), media not known, 115 x 135 cm, location not known. Wikimedia Commons.

Of the many wonderful later paintings that she made of church interiors, the finest must be Uvdal Stave Church (1909).

Stave churches were once numerous throughout Europe, but are now only common in rural Norway. Their construction is based on high internal posts (staves) which give them a characteristic tall, peaked appearance. Uvdal is a particularly good example, dating from around 1168. As with many old churches, its interior has been extensively painted and decorated, and this has been allowed to remain, unlike many painted churches in Britain which suffered removal of all such decoration.

Backer’s richly-coloured view of the interior of the church is lit from windows behind its pulpit, throwing the brightest light on the altar. The walls and ceiling are covered with images and decorations, which she sketches in, again manipulating the level of detail to control their distraction. Slightly to the left of centre, the main stave, decorated with rich blues, divides the canvas but affords us the view up to the brightly lit altar. To the left of the stave a woman, dressed in her Sunday finest, sits reading outside the stalls.

This is an expression of Backer’s own deep religious beliefs, her career-long exploration of lit interiors, and her profound love of her native country and its people.

In 1912, the year that she retired from teaching, she was awarded the gold King’s Medal of Merit, and in 1921 was made the State Laureate in Painting (Statens kunstnerlønn), an appointment previously held by Henrik Ibsen and Edvard Grieg. She was the first woman to be so appointed. She is known to have completed about 180 paintings in all before she died in Oslo on 25 March 1932, at the grand old age of 87.

References

Wikipedia (English), Wikipedia (Norwegian).
Many of her best paintings are in Nasjonalmuseet, Oslo, where they’re viewable online.

Which version of SilentKnight and other apps do you need?

By: hoakley
6 September 2024 at 14:30

Every autumn/fall, the current version of macOS changes, and with it there are changes great and small that can affect the apps we run. If you use any of the free apps that I provide here, now is the time to check that you’re running the correct version to support both your current macOS, and any that you might aspire to in the coming months.

SilentKnight

Although most of my apps have auto-update mechanisms that inform you when their updates are available, there are some notable pitfalls that can lull you into a sense of false security. Most importantly, SilentKnight was upgraded to version 2 two years ago to ensure its compatibility with Catalina and later. Every few days I come across someone who is still using version 1 with a newer release of macOS and seeing incorrect results. If you use SilentKnight in any version of macOS from Catalina onwards, then please ensure that it’s updated to the current version 2.10:
SilentKnight 2.10 (Universal App for Catalina to Sequoia)

This is particularly important if you intend upgrading to Sequoia, because of the changes it brings in how XProtect is updated. If you’re still running 2.9 or earlier, then SilentKnight will give you incorrect versions for XProtect, and at worst could report a version of 0 (zero) as it might not be able to find XProtect at all.

Skint and SystHist

For the same reason, Skint should be updated to version 1.08:
Skint 1.08 (Universal App for Monterey, Ventura, Sonoma and Sequoia only)

SystHist lists full system and security update installation history, a task that invariably requires an annual update to cope with the quirks of the new version of macOS. If you’re aiming for Sequoia at some stage, ensure that you have updated it to version 1.20:
SystHist 1.20 (Universal App for High Sierra, Mojave, Catalina, Big Sur, Monterey, Ventura, Sonoma and Sequoia)

Writing Tools

Although Apple isn’t intending to release any of its new AI features in the initial version of Sequoia, 15.0, but is delaying them for 15.1, you might like to prepare for that by updating my rich text editor and PDF viewer in advance. Their latest versions should prove fully compatible with Writing Tools when they’re released.

DelightEd is a Rich Text (RTF) editor with special Dark Mode features and support for interlinear text, and version 2.3 should work fully with Writing Tools:
DelightEd 2.3 (Universal App for High Sierra, Mojave, Catalina, Big Sur, Monterey, Ventura, Sonoma and Sequoia)

Podofyllin is a lightweight PDF viewer (without any editing capability, so it can’t alter original PDF files) and shows source code and more. Version 1.3 should work fully with Writing Tools:
Podofyllin 1.3 (Universal App for High Sierra, Mojave, Catalina, Big Sur, Monterey, Ventura, Sonoma and Sequoia)

XProCheck, Nalaprop, Precize

Other recent updates you might have missed include the following.

XProCheck to check on XProtect Remediator scans completed and reported in the log:
XProCheck 1.6 (Universal App for Catalina, Big Sur, Monterey, Ventura, Sonoma and Sequoia)

Nalaprop for multilingual natural language parsing, now compatible with Writing Tools:
Nalaprop 1.3 (Universal App for Mojave, Catalina, Big Sur, Monterey, Ventura, Sonoma and Sequoia)

Precize, which looks deep into files, bundles and folders to show their full size including extended attributes, provides macOS Bookmarks and volfs paths as enduring file references, and detailed information contained in Bookmarks and Aliases:
Precize 1.15 (Universal App for High Sierra, Mojave, Catalina, Big Sur, Monterey, Ventura, Sonoma and Sequoia)

Key points

  • For Catalina or later, particularly Sequoia, use SilentKnight 2.10.
  • For Sequoia in particular, use Skint 1.08.
  • For Sequoia in particular, use SystHist 1.20.
  • Older versions of those apps will give incorrect results when run in more recent versions of macOS.

The Real Country: 3 Cutting the corn

By: hoakley
5 September 2024 at 19:30

The climax of the year in arable farming is the harvest, when the sustained labour of the previous year pays off. For the farmer, this is the return on that investment, and for the labourers it’s when they hope to get paid their bonus. It’s the one time of the year when everyone turns to and works from before dawn until well after dusk in a united effort to harvest the ripe crop, before the weather breaks and it might be ruined.

The harvest depends on the crop being grown; as cereals, particularly wheat, were the most important across much of Europe, I’ll here concentrate on the processes required to turn them from ripe plants to grain ready for the miller to grind into flour. This article looks at the first step in that, cutting the crop, bundling it into sheaves and stacking those in stooks.

Current accounts of the grain harvest distinguish several tools used to cut the crop:

  • handheld sickle, lightweight and normally with a serrated blade,
  • handheld reaping hook, lightweight and with a smooth blade,
  • handheld bagging or fagging hook, heavier and with a smooth blade, used in conjunction with a hooked stick or metal pick thank,
  • long-handled scythe, heavy and held with both hands, with a smooth blade.

Some claim that reaping using a handheld sickle or hook was used for wheat and rye, but that barley and oats were more usually mown with a larger scythe. Although that doesn’t appear to be accurate, it’s clear that the use of scythes was considerably more efficient. While it took about 4 worker-days to cut an acre of grain using a sickle or hook, using a scythe typically took only 2 worker-days per acre. Scythes appear to have been used almost exclusively by men, while sickles and hooks were used by both men and women.

The tool used also determined the length of straw stalk cut with the head of grain, thus the height of the stubble left on the field. Sickles and hooks were often used when less straw was required, leaving high stubble that might be mown with a scythe later. Low reaping or bagging, or mowing with a scythe, created longer straw that was suitable for thatching.

Pieter Brueghel the Elder (1526/1530–1569), The Harvesters (1565), oil on panel, 119 x 162 cm, Metropolitan Museum of Art, New York, NY. Wikimedia Commons.

Pieter Brueghel the Elder’s Harvesters from 1565 shows men cutting a crop of wheat close to the base of the stem using scythes, leaving short stubble. This ensures the best yield of straw as well as grain.

Pieter Bruegel the Elder (c 1525–1569), The Harvesters (detail) (1565), oil on panel, 119 x 162 cm, Metropolitan Museum of Art, New York, NY. Wikimedia Commons.

Behind these workers eating bread baked from flour ground from cereal grown in the same fields, cut cereal is tied first into sheaves before they’re gathered into stooks.

Anne Vallayer-Coster (1744–1818), Garden Still Life, with Implements, Vegetables, Dead Game, and a Bust of Ceres (The Attributes of Hunting and Gardening) (1774), oil on canvas, 152.4 x 137.2 cm, National Trust, England. Wikimedia Commons.

Anne Vallayer-Coster’s Garden Still Life, with Implements, Vegetables, Dead Game, and a Bust of Ceres (The Attributes of Hunting and Gardening) from 1774 shows at its left edge a long-handled scythe, and at the right a sickle or reaping hook. Scythes were also used extensively for mowing hay and weeds.

Samuel Palmer (1805-81), The Harvest Moon (c 1833), oil and tempera on paper, laid on panel, 22.1 x 27.7 cm, Yale Center for British Art, New Haven, CT. Wikimedia Commons.

In about 1833, when Samuel Palmer painted his wonderful Harvest Moon near Shoreham in Kent, harvesting went on well into the night. These are mostly women wielding sickles or reaping hooks to cut a small field of wheat. The cut stalks are then formed into stooks and piled onto the oxcart for transport to nearby farm buildings.

John Linnell (1792–1882), The Harvest Cradle (1859), oil on canvas, dimensions not known, York Museums Trust, York, England. Wikimedia Commons.

Palmer’s mentor John Linnell painted The Harvest Cradle twenty-five years later, in 1859. The harvesters have their backs to the viewer, but appear to be using scythes to cut this wheat crop. Bundles of cut grain are tied as sheaves, then assembled into stooks in the foreground.

Jean-François Millet (1814–1875), Ceres (The Summer) (c 1864-65), oil on canvas, Musée des Beaux-Arts, Bordeaux, France. Wikimedia Commons.

Jean-François Millet’s Ceres (The Summer) from about 1864-65 is unusual in that the goddess is shown holding a sickle with a serrated edge, and is surrounded by sheaves of wheat.

Léon Augustin Lhermitte (1844–1925), The Harvesters’ Pay (1882), oil on canvas, 215 x 272 cm, Musée d’Orsay, Paris. Wikimedia Commons.

Léon Augustin Lhermitte’s famous Harvesters’ Pay from 1882 shows four harvesters, bearing their heavy-duty scythes, as they await payment by the farmer’s factor, who holds a bag of coins for the purpose. In the right foreground are two tied sheaves of cut wheat, with a lightweight sickle resting on them.

Laurits Andersen Ring (1854–1933), Harvest (1885), oil on canvas, 190.2 x 154.2 cm, Statens Museum for Kunst (Den Kongelige Malerisamling), Copenhagen, Denmark. Wikimedia Commons.

During the nineteenth century some attached cradles to the blade, to make sheaving easier. This is shown in Laurits Andersen Ring’s painting of Harvest. The crop being cut here may well be rye rather than wheat. The artist got his brother to model for this “monument to the Danish peasant” during the summer of 1885, while working on his farm near Fakse, on Sjælland (Zealand), Denmark.

Volodymyr Orlovsky (1842–1914), Harvest in Ukraine (1880), oil on canvas, 80.6 x 171 cm, location not known. Wikimedia Commons.

Volodymyr Orlovsky’s Harvest in Ukraine from 1880 shows wheat being cut on the steppe, with the worker in the foreground carrying a scythe, but those cutting in the middle distance bent over as if using hooks instead.

Mykola Pymonenko (1862–1912), Reaper (1889), oil on canvas, dimensions not known, National Art Museum of Ukraine (Національний художній музей України), Kyiv, Ukraine. Wikimedia Commons.

The young woman in Mykola Pymonenko’s portrait of a Reaper from 1889 has been cutting what could be rye or wheat using a heavier bagging hook, although she isn’t using the hooked stick normally required for the technique, so could be using it as a regular reaping hook. The woman behind her demonstrates that these harvesters are cutting low to keep a good length of straw on the harvested crop.

Anna Ancher (1859-1935), Harvesters (1905), oil on canvas, 56.2 x 43.4 cm, Skagens Museum, Denmark. Wikimedia Commons.

Anna Ancher, wife of Danish painter Michael Ancher, caught this procession of Harvesters on their way to their work in 1905, near her home in Skagen on the north tip of Jylland (Jutland). The leader carries his scythe high as they pass through ripe wheat.

Finally, conventional corn stooks were by no means universal across Europe.

Nikolai Astrup (1880–1928), Corn Stooks (1920), oil on board, 90 x 104 cm, Bergen Kunstmuseum, KODE, Bergen, Norway. The Athenaeum.

By tradition on Norwegian farms, cut corn (cereal) wasn’t left to dry in low stooks, as in most of Europe and America, but built onto poles. In a series of paintings and prints, Nikolai Astrup developed these Corn Stooks (1920) into ghostly armies standing on parade in the fields, the rugged hills behind only enhancing the feeling of strangeness.

These paintings suggest that, between 1550 and 1890, wheat was generally cut using scythes when suitable men were available. Otherwise, it would be cut using a hook, most likely for reaping rather than bagging. Wheat was normally cut low to preserve the stalk as straw suitable for thatching, then tied into sheaves before being stacked into stooks.

That left the fields ready for gleaning.

Updating macOS with an Installer and in Recovery

By: hoakley
5 September 2024 at 14:30

With macOS Sequoia fast approaching from the horizon comes the question as to how to upgrade and update, whether to Sequoia or one of its recent predecessors. If you’re happy to go with what Software Update offers, then that’s usually simplest and most efficient. This article considers what you should do if you want something different, from updating to any previous version, to using a single installer to update several different Macs.

Procedures given here should work with all versions of macOS from Monterey onwards. They may also work with Big Sur, but its installers weren’t always as reliable, so there you should be well prepared to migrate from a backup in case the installation creates a fresh, empty Data volume instead of firmlinking to your existing one.

Which installer?

As Apple discontinued standalone updater packages when it introduced Big Sur, the choice now is between downloading the full Installer app, and performing the process in Recovery mode. The latter severely limits your choice to what it’s prepared to offer, so you’re almost certainly going to need to obtain the full Installer for the version of macOS you want. Rather than use the Installer app provided in the App Store, download the Installer package from the links given by Mr. Macintosh. Those provide a package that’s easier to store and move around, unlike the Installer app itself. It will typically be a little over 13.5 GB, and works on both Intel and Apple silicon Macs.

Standard procedure

As with any update or upgrade, first ensure you have a full recent backup before starting. If anything does go wrong during the procedure you’ll then be able to perform a fresh install and migrate from that backup.

Unless you want to install everything afresh and migrate from your backup, don’t try erasing either your System or Data volume. You’d have to do that in Recovery mode anyway, limiting your options as to which version of macOS you can install unless you create a bootable installer first.

Double-click the installer package to launch it in the Installer utility. The default is to save the Installer app to your current Applications folder, which should work fine as long as you remember to delete it once you’ve finished. Once complete, launch that Installer app and follow its instructions.

When macOS restarts at the end of the process, check the version now running, confirm that your Data volume has survived intact, and run SilentKnight to ensure that all security data files are up-to-date.

Recovery

Intel Macs have a slight advantage when it comes to installing macOS in Recovery mode, as depending on the keys held during startup, you should be able to coax a choice of versions out of an Intel system. Unless you simply want to install or update to the current version, though, you’ll probably want to avoid doing so in Recovery.

There’s another good reason for not using Recovery, in that delivery of installers to Macs running in Recovery can be painfully slow, and you may well be in for a longer wait than if you downloaded the Installer direct.

However, if you want to erase the current boot volume group on your Mac’s internal storage so you can install a fresh copy of macOS and restore the contents of its Data volume from backups, Recovery is normally the best place to do that. Apple works through the process for Intel Macs, and Apple silicon models. The key step is to select the Macintosh HD boot volume group and click on the Erase tool to perform Erase Volume Group.

When the SSV was first introduced in Big Sur, there were many problems resulting from erasing just one volume in the boot volume group. If that happened to be the System volume, when macOS was installed it created a new firmlinked Data volume, leaving the existing Data volume as an orphan. That was usually done in a misguided attempt to have a fresh install of the System volume and SSV while keeping the existing contents of the Data volume, but it doesn’t achieve that. Every installation of the SSV in any given version of macOS since Big Sur is identical, so there’s no need to erase it: simply install or update macOS.

Bootable installer disk

Another traditional way to install macOS is using a bootable installer disk, normally a USB ‘thumb’ drive, although you can also create a small HFS+ volume for the purpose on an external SSD. Apple provides detailed instructions for doing this using a range of versions of macOS.

In many cases, installing a version of macOS older than the one that’s currently running requires this, as old Installers usually fail to run in newer macOS. Unfortunately, on Apple silicon Macs, this isn’t the powerful tool that it once was, as the Mac doesn’t boot fully from the external disk, and as a result it has no role in dealing with problems with internal storage.

Virtual Machines on Apple silicon

Installer apps and Recovery installs both work fine in virtual machines running on Apple silicon hosts. However, there’s one special circumstance you need to beware of. One of the major new features in virtualisation in Sequoia is support for iCloud and some other services dependent on Apple ID. If you want to use those, then the VM must be created new in Sequoia, using a Sequoia IPSW image. You can’t update or upgrade an existing VM from a previous version of macOS and use iCloud services in it.

Summary

  • If you can, use Software Update to update or upgrade macOS, as it minimises download size and is simplest.
  • If you want to perform a different update, or run one installer on several Macs, download and use the appropriate Installer package.
  • If you want to erase the existing system including all your data, use Recovery mode to erase the whole volume group, then install macOS and migrate from your backup.
  • Never erase only your Mac’s System volume, as that will orphan its current Data volume.
  • If you want to downgrade to an older version of macOS, you’ll probably need to do so from a bootable installer disk.
  • If you want a VM to use iCloud, then create a fresh VM using a Sequoia IPSW, as an upgraded VM can’t access iCloud.

Reading visual art: 155 Courts of law B

By: hoakley
4 September 2024 at 19:30

As lawyers rose to prominence in life during the nineteenth century, two artists in particular targeted them with their scathing satire: Honoré Daumier and Jean-Louis Forain.

Honoré Daumier (1808–1879), Three Lawyers (1855-57), oil on canvas, 16 x 12.75 cm, The Phillips Collection, Washington, DC. Wikimedia Commons.

For the satirical eye of Honoré Daumier, Three Lawyers (1855-57) meeting was the gathering of an elite who were out to help themselves, rather than the unfortunate people they purported to represent. Their heads are tipped back and they clutch thick bundles of papers; Daumier had less respect for them than they had for themselves.

Honoré Daumier (1808–1879), Two Lawyers Conversing (date not known), black chalk and gouache in white and grey with some pale pink, yellow, and brown watercolour, 20.9 x 27 cm, The Morgan Library & Museum, New York, NY. Wikimedia Commons.

In his undated Two Lawyers Conversing, you can be sure that they’re up to no good, except for themselves.

Jean-Louis Forain was a successful painter, caricaturist and political satirist in the late nineteenth century, who had long admired Daumier’s work. When Forain turned his attention to justice and the law after about 1902, he went beyond Daumier’s biting images of lawyers by entering the courtroom itself.

Jean-Louis Forain (1852-1931), The Court (c 1902-03), oil on canvas, 60.3 x 73 cm, The Tate Gallery (Purchased 1918), London. Photographic Rights © Tate 2018, CC-BY-NC-ND 3.0 (Unported), http://www.tate.org.uk/art/artworks/forain-the-tribunal-n03288

Forain’s The Court from about 1902-03 is one of the first of his series of courtroom views, and most neutral in its approach. In the foreground, a lawyer discusses the case with a woman, who is bent forward to hear his whispering. In the distance the court appears detached, perhaps disinterested, the judges sat behind large piles of papers, under a large painting of the crucifixion. The artist sold this work to Edgar Degas.

Jean-Louis Forain (1852–1931), Trial Scene (1904), oil on canvas, 61 x 81.2 cm, Private collection. The Athenaeum.

By the time that Forain painted this Trial Scene from 1904, his satire had come to the surface. The court here is so completely disinterested in the case before it that its judge is incapable of remaining awake, and the jurors at the left are hardly attentive either.

Jean-Louis Forain (1852-1931), Scene at the Tribunal (1906), media and dimensions not known, Private collection. The Athenaeum.

A young woman stands out in Forain’s Scene at the Tribunal (1906), as a lawyer turns and scowls disapprovingly at her.

Jean-Louis Forain (1852-1931), Scene of the Tribunal (1910), oil on canvas, 61.1 x 73.4 cm, Amgueddfa Cymru, Cardiff, Wales. The Athenaeum.

Two women are shown in his Scene of the Tribunal from 1910, a lawyer talking to them as the court appears oblivious to their presence.

Jean-Louis Forain (1852-1931), Legal Assistance (c 1900-12), oil on canvas, 61 x 73 cm, The National Gallery (Sir Hugh Lane Bequest, 1917), London. Courtesy of and © The National Gallery, London.

Legal Assistance (c 1900-12) shows an ordinary family man, cradling his young child in his arms as he presents a paper to a barrister or judge (wearing his short cylindrical hat). This painting was bought by Henri Rouart, an industrialist who was a good patron of the arts, as well as a fine amateur painter himself.

Jean-Louis Forain (1852–1931), Recess of the Court (date not known), oil on canvas, 60.6 x 73.3 cm, The Metropolitan Museum of Art, New York, NY. Wikimedia Commons.

Sadly only available in this monochrome image, Forain’s undated painting of Recess of the Court is his most scathing. The judge leans back, fast asleep, as chaos takes hold in the court. Lawyers are talking among themselves, and furniture is being moved around. Where is justice?

It wasn’t until the nineteenth century that a growing interest in contemporary courts, and well-publicised trials, made them more popular in paintings. As few people ever see the inside of a courtroom, one of the first tasks of artists was to reveal what they looked like.

Thomas Rowlandson (1756–1827) and Augustus Charles Pugin (1762–1832), The Old Bailey, Known Also as the Central Criminal Court (1808), aquatint by John Bluck and others, plate 58 in ‘Microcosm of London’, further details not known. Wikimedia Commons.

Thomas Rowlandson and Augustus Pugin’s painting of The Old Bailey, Known Also as the Central Criminal Court from 1808, here seen in an aquatint, is a good topographic view of this most famous English court. The presiding judge sits under a Damoclean sword of justice at the left, and the twelve men of the jury are to the right of centre. At the far right stands the accused, in front of whom is a large collection of witnesses ready to testify.

Adolph Tidemand (1814–1876), Scene before a Magistrate in the Country (before 1858), lithograph by Winckelmann & Sönner, Berlin, further details not known. Wikimedia Commons.

That was, and remains, an exceptional court. More typical of the type of court that ordinary citizens might encounter is Adolph Tidemand’s Scene before a Magistrate in the Country (before 1858), seen here in a lithograph. Set somewhere in rural Norway, the bench of magistrates sits at the right in more cramped and modest surroundings. Its justice may have been rougher, but the experience was far less daunting, and less overwhelmed by lawyers.

Ferdinand Brütt (1849-1936), Before the Judges (1903), oil on canvas, 80 x 115 cm, location not known. Wikimedia Commons.

Ferdinand Brütt’s Before the Judges from 1903 shows the end of an era in the courtroom, as an official lights the candles in its chandelier, and its three judges sit hearing the case being put to them.

Where has Safari gone, and why are macOS updates larger for Apple silicon?

By: hoakley
4 September 2024 at 14:30

My previous explanation of how recent versions of macOS merge their System and Data volumes into what appears to be a single volume omitted a third component, including Safari. Look in the System/Applications folder where all the bundled apps are stored on the SSV, and there’s no Safari to be seen, yet it appears in the top-level Applications folder. This article explains how that now works using cryptexes, and how they differ between Intel and Apple silicon Macs.

Finding Safari

As the modern boot volume group evolved through Catalina to Big Sur, Safari and its supporting frameworks were stored in the Data volume. That stopped with the arrival of Ventura, and they’re now stored in the third components that complete the modern boot volume group. You can see when files are stored on a different volume using my free app Precize to reveal their full paths. Use that to examine three apps from the merged Applications folder, and you’ll understand what I mean:

  • Chess.app has a path of /System/Applications/Chess.app demonstrating that it’s one of the apps bundled in the SSV, where almost all of the System folder is stored.
  • Cirrus.app, like any other app you have installed, has a path of /Applications/Cirrus.app, making it clear that it’s stored on the writable Data volume.
  • Safari.app has the weird path of /System/Volumes/Preboot/Cryptexes/App/System/Applications/Safari.app that demands further explanation.

Note that the Finder’s Get Info dialogs aren’t as truthful, and don’t tell the full story.

Their volfs paths are also worth noting. On my Intel Mac, they are:

  • Chess.app is at /.vol/16777240/1152921500311883667; because all macOS 14.6.1 SSVs are identical, your Chess.app should have the same inode number too.
  • Cirrus.app is at /.vol/16777240/461665725
  • Safari.app is at /.vol/16777238/993517

The first two follow a familiar pattern you’ll see throughout the System and Data volumes: their volume ID 16777240 is common to both, and is the one assigned to the merged volumes, but their inode numbers are wildly different. Huge numbers like 1152921500311883667 come from the SSV, while smaller ones like 461665725 are from the Data volume. Then there’s a slightly lower volume ID of 16777238 and a small inode number of 993517 for Safari, demonstrating that it’s somewhere altogether different: that’s a cryptex, a cryptographically protected disk image with an interesting history.
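
The reasoning above, as an added Python example (not code from this article or from Precize): it parses the three volfs paths quoted from the Intel Mac, groups them by volume ID, and labels each by the size of its inode number. The `HUGE_INODE` cut-off and all function names are assumptions made for this illustration, as is treating `st_dev` from `stat()` as the volfs volume ID.

```python
"""Added example: reading volfs paths the way the article does."""
import os
from collections import defaultdict
from typing import NamedTuple

# Assumption for this example only: a cut-off that separates the article's
# sample inode numbers. It is not a documented APFS boundary.
HUGE_INODE = 1 << 40

# volfs paths quoted in the article for an Intel Mac running macOS 14.6.1.
ARTICLE_PATHS = {
    "Chess.app": "/.vol/16777240/1152921500311883667",
    "Cirrus.app": "/.vol/16777240/461665725",
    "Safari.app": "/.vol/16777238/993517",
}


class VolfsRef(NamedTuple):
    volume_id: int
    inode: int

    def __str__(self) -> str:
        return f"/.vol/{self.volume_id}/{self.inode}"


def parse_volfs(path: str) -> VolfsRef:
    """Split '/.vol/<volume ID>/<inode>' into its two numbers."""
    parts = path.strip().split("/")
    numeric = all(p.isascii() and p.isdigit() for p in parts[2:])
    if len(parts) != 4 or parts[0] != "" or parts[1] != ".vol" or not numeric:
        raise ValueError(f"not a volfs path: {path!r}")
    return VolfsRef(int(parts[2]), int(parts[3]))


def volfs_for(path: str) -> VolfsRef:
    """Build a volfs reference for a local file from stat().

    Assumption: st_dev is the number shown as the volume ID in /.vol paths.
    """
    st = os.stat(path)
    return VolfsRef(st.st_dev, st.st_ino)


def group_by_volume(named_paths: dict) -> dict:
    """Map each volume ID to the names of the items stored on it."""
    groups = defaultdict(list)
    for name, path in named_paths.items():
        groups[parse_volfs(path).volume_id].append(name)
    return dict(groups)


def likely_location(ref: VolfsRef, merged_volume_id: int) -> str:
    """Label a reference using the article's two observations.

    A different volume ID means the item is not on the merged System/Data
    volume at all; on the merged volume, huge inode numbers indicate the SSV
    and smaller ones the Data volume.
    """
    if ref.volume_id != merged_volume_id:
        return "separate volume"
    return "SSV" if ref.inode >= HUGE_INODE else "Data volume"


if __name__ == "__main__":
    merged = parse_volfs(ARTICLE_PATHS["Chess.app"]).volume_id
    for name, path in ARTICLE_PATHS.items():
        print(f"{name:12} {path:40} {likely_location(parse_volfs(path), merged)}")
```

An item that presents itself as a bundled app but is labelled "Data volume" is stored on writable storage and lacks the protection of the SSV or a cryptex.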

Why a cryptex?

When the modern boot volume group was being designed and developed, it took into account Safari’s special needs by making it the only bundled app to be stored in the Data volume. This enables it to be updated without having to go through the whole process of building a new SSV, allowing Apple to deliver urgent security patches to Safari and its underlying WebKit and other frameworks. There could also have been political considerations in separating Apple’s bundled browser from the other apps included in macOS.

This changed in Ventura in the autumn/fall of 2022, when Apple applied technology it had originally developed for its customised iPhone, the Security Research Device, dubbed the cryptex, a name formed as a portmanteau for CRYPTographically sealed EXtension. This offers two advantages:

  • Safari, its supporting frameworks, and other components of macOS that Apple prefers not to build into the SSV, can be delivered in cryptexes. As I’ll explain later, this also enables tailoring of macOS to platform.
  • Some urgent security patches could be delivered in cryptexes, making them faster to release and simpler to install in a Rapid Security Response (RSR).

Since then, RSRs seem to have had their day, and appear to have fallen from favour. But, as a means of delivering Safari and other more changeable components of macOS, cryptexes have proved their worth.

How a cryptex works

Although a cryptex is at heart a read-only disk image that is mounted during the boot process, it has two properties of particular importance:

  • Its contents are cryptographically verified, in much the same way that the contents of the SSV are, using hashes of its entire contents.
  • Its internal file system is grafted into the root file system when it’s mounted, rather than being mounted as a separate volume.

Mounting a cryptex starts with validation of the payload and its manifest. It then undergoes a sequence of processes similar to the mounting of an APFS volume, with a checkpoint search to establish stable checkpoint indices, and a check to discover whether there’s anything to recover, which seems unlikely. The graft is then performed in a series of opaque steps, with root hash authentication and validation. The object ID is found, and the graft completed.

Once this has been completed for each of the standard cryptexes and any installed RSRs, the contents of those are effectively part of the system, as a hybrid of the SSV and cryptexes. In the case of the Safari app, this process effectively places it in the main Applications folder, even though the original app is actually located in the System/Applications folder of the App cryptex in /System/Volumes/Preboot/Cryptexes.

As with the current boot System and Data volumes, grafted cryptexes aren’t unmounted or ungrafted until shutdown.

There are currently three main cryptexes in use, App containing Safari, its frameworks and other supporting files, and OS, with a range of other system items including additional frameworks, and several large dyld shared caches. You’ll also see an Incoming cryptex in /System/Volumes/Preboot/Cryptexes. As they’re outside the SSV, new and replacement cryptexes are installed without rebuilding the SSV, and in some cases don’t even need a soft restart of macOS.

Architecture-specific cryptexes

In addition to providing Safari and its related components, cryptexes also provide useful economy in shared caches, and explain why macOS updates for Apple silicon Macs are invariably larger than those for Intel models.

While the contents of the SSV appear to be identical on both Intel and Apple silicon, thus have a single signature, the two architectures differ in their cryptexes. Those for Apple silicon Macs contain dyld shared caches for both architectures, and a set of aot shared caches, presumably to support Rosetta 2, and amounting to 5.24 GB in total size; those for Intel Macs only contain Intel dyld shared caches of 1.68 GB total size.

Given their sizes, that’s a valuable efficiency both for updates and in storage required, and is the major reason for updates for Apple silicon Macs always being larger than those for Intel. Thankfully, because those shared caches are supplied compressed, the difference in update sizes is much smaller than the 3.56 GB difference when they’re decompressed and installed.

Apple has just released an update to XProtect Remediator

By: hoakley
4 September 2024 at 03:47

Apple has just released an update to XProtect Remediator security software for Catalina or later, bringing it to version 145. The previous version was 142.

Apple doesn’t release information about what security issues this update might add or change. There are no changes in the number or names of its scanning modules, and Bastion rules also remain unchanged.

You can check whether this update has been installed by opening System Information via About This Mac, and selecting the Installations item under Software.

A full listing of security data file versions is given by SilentKnight, LockRattler and SystHist for El Capitan to Sonoma, available from their product page. If your Mac has not yet installed these updates, you can force them using SilentKnight, LockRattler, or at the command line.

If you want to install this as a named update in SilentKnight, its label is XProtectPayloads_10_15-145.

I have updated the reference pages here which are accessed directly from LockRattler 4.2 and later using its Check blog button.

I maintain lists of the current versions of security data files for Sonoma on this page, Ventura on this page, Monterey on this page, Big Sur on this page, Catalina on this page, Mojave on this page, High Sierra on this page, Sierra on this page, and El Capitan on this page.

Reading visual art: 154 Courts of law A

By: hoakley
3 September 2024 at 19:30

Depictions of courts of law aren’t common, and fall into five main groups: those showing cases and events from legend and history, modern documentary records of trials, others purely fictional, some satirical accounts, and a few general views without narrative. This article covers the first three, leaving satire and general views to come tomorrow.

The first is an account of a corrupt judge in the Achaemenid Empire around 525 BCE, and the extreme penalty he paid.

Gerard David (c 1450/1460–1523), The Judgement of Cambyses (1489), oil on panel diptych, 202 x 349.5 cm overall, Groeningemuseum, Bruges, Belgium. Wikimedia Commons.

The story given by Herodotus about the corruption of Sisamnes, known as the Judgement of Cambyses, is today obscure. However, in 1489 it formed the basis for two paintings by Gerard David now viewed as forming a diptych. Sisamnes was a notoriously corrupt judge under the rule of King Cambyses II of Persia, and accepted a bribe in return for delivering an unjust verdict.

In the left panel, Sisamnes is being arrested by the king and his men, as the judge sits in his official chair. Hand gestures indicate the bribery that had been at the root of Sisamnes’ crime.

King Cambyses sentences Sisamnes to be flayed alive, as shown in the foreground of the right panel. In the upper right, David uses multiplex narrative to show the judge’s skin then covering the official chair, as a reminder to all who sit in judgement of the fate that awaits them should they ever become corrupt or unfair.

David’s gruesome pair of paintings were a pointed reminder to the authorities in Bruges of the importance of an independent judiciary, and the penalty for any judge who was tempted by bribery or any other form of influence, cautions with contemporary value even now.

Jean-Léon Gérôme (1824–1904), Phryne before the Areopagus (1861), oil on canvas, 80 x 128 cm, Kunsthalle Hamburg, Germany. Wikimedia Commons.

Jean-Léon Gérôme’s Phryne before the Areopagus from 1861 harks back to a classical legend of an unusual court case in Athens. Phryne had been a highly successful and very rich courtesan (hetaira) in ancient Greece, who was brought to trial for the serious crime of impiety. When it seemed inevitable that she would be found guilty, one of her lovers, the orator Hypereides, took on her defence. A key part of that was to unveil her naked in front of the court, in an attempt to surprise its members, impress them with the beauty of her body, and arouse a sense of pity. The legend claims that this ploy worked perfectly.

Gérôme shows a whole textbook of responses to surprise among the members of the court, although Phryne herself is covering not her body, but her eyes; each of the men in the court, of course, is looking straight at her. At the time that Gérôme painted this, France was well into its Second Empire, when Napoleon III had removed the gag from the French press, and was moving from his early authoritarian regime towards the more liberal. The legend of Phryne was a convenient vehicle for Gérôme to express his political opinion, and her nakedness suggests her role is that of Truth.

The other much better-known story of judgement is that of King Solomon, told in the Old Testament, and in a succession of marvellous paintings since the Renaissance. Two women each claimed to be the mother of the same healthy baby, alleging that the other was the mother of a dead child. Solomon’s wise judgement was to threaten to cut the living baby in two, which elicited the correct protective response from the real mother of that child.

Nicolas Poussin (1594–1665), The Judgment of Solomon (1649), oil on canvas, 101 x 150 cm, Musée du Louvre, Paris. Wikimedia Commons.

Nicolas Poussin’s famous painting of 1649 uses a classical composition, the two disputing women and their actions preventing it from becoming too symmetrical. Timed slightly before the raising of the sword, the master of painted narrative depicts the body language with great clarity. Solomon’s hands indicate his role as the arbiter, in showing a fair balance between the two sides.

The true mother, on the left, holds her left hand up to tell the soldier to stop following the King’s instructions and spare the infant. Her right hand is extended towards the false mother, indicating that she has asked for the baby to go to her rather than die. The false mother points accusingly at the child, her expression full of hatred. Hands are also raised in the group at the right, perhaps indicating their reactions to Solomon’s judgement.

Coverage of prominent court cases came to dominate reporting in the press throughout Europe and North America. Several cases became so popular that they moved artists to depict them, and one, the Dreyfus Affair in France, had lasting influence on that nation’s history.

Frederick Sargent (1837–1899), The Tichborne Trial (1873-1899), oil on canvas, 100 x 125 cm, Hampshire County Council Museums Service, Winchester, England. Wikimedia Commons.

Frederick Sargent’s painting of The Tichborne Trial (1873-1899) shows one of the most prominent cases in England. In 1854, Roger Tichborne, heir to a title and family riches, was presumed to have died in a shipwreck. The following year, an Australian butcher came forward with the claim that he was that heir, which was tested in a civil court case, heard between 1871-72.

The outcome of that rejected the claim, and the Australian butcher then underwent criminal prosecution for perjury, in one of the longest criminal cases heard in an English court, during 188 days between 1872-73. Sargent’s painting shows that case in progress, with the accused sitting just below the centre and looking straight ahead of him. Standing to the right of him is his barrister, Edward Kenealy, with ‘mutton chop’ whiskers.

The Australian butcher was convicted, sentenced to fourteen years in prison, and eventually died destitute in 1898. His barrister’s career was also finished, and he was subsequently disbarred. He went on to be elected as a Member of Parliament for his own political party in 1875, but died shortly after losing that seat in 1880.

Courts in some jurisdictions have long been reticent about allowing parties, judges, or juries to be drawn, painted or photographed. Although American practice has long allowed artists as reporters, in 1925 Britain made it illegal to draw inside a courtroom during a trial. The thirst for images for publication has since been satisfied by artists who work entirely from memory.

Arnold Mesches (1923-2016), Courtroom sketch of the US Navy’s court of inquiry about USS Pueblo’s capture by North Korea (1969), further details not known. Wikimedia Commons.

Arnold Mesches’ Courtroom sketch of the US Navy’s court of inquiry about USS Pueblo’s capture by North Korea from 1969 is perhaps more of an illustrative record of a court in session, sketched from a square and conventional position. But other artists and cases are quite different.

Robert Clark Templeton (1929–1991), Drawing for CBS Evening News of Bobby G. Seale and others (1971), oil pastels on paper, 24.6 x 20.3 cm, Beinecke Rare Book & Manuscript Library, Yale University, New Haven, CT. Wikimedia Commons.

Robert Clark Templeton’s Drawing for CBS Evening News of Bobby G. Seale and others (1971) shows the head and shoulders of the accused, who co-founded the Black Panther Party for Self-Defense and was here on trial in New Haven, CT, for the murder of Alex Rackley. The jury was unable to reach a verdict and the case was declared a mistrial.

Elizabeth Williams (year of birth not known), Faisal Shahzad, The “Time Square Bomber” Sentencing, Manhattan Federal Court: October 5, 2010 (2010), further details not known. Wikimedia Commons.

Another fine example of courtroom art is Elizabeth Williams’ portrait of Faisal Shahzad, The “Times Square Bomber” Sentencing, Manhattan Federal Court: October 5, 2010 (2010). Shahzad had pleaded guilty to five counts of federal terrorism-related crimes committed when he planted a car bomb in Times Square, New York, on 5 May 2010, for which he was sentenced to life imprisonment without parole.

There have also been a few paintings of fictional trials.

Abraham Solomon (1824-1862), Waiting for the Verdict (1859), oil on canvas, 63.5 x 88.9 cm, J. Paul Getty Museum, Los Angeles, CA. Wikimedia Commons.

Abraham Solomon’s wonderful pair of paintings is set immediately outside a court. In the first, the father and family of the accused are seen Waiting for the Verdict (1859) at the end of a trial. The court appears in cameo up to the right, in that strange state of suspended animation as it awaits the decision.

Abraham Solomon (1824-1862), Not Guilty (1859), oil on canvas, 63.5 x 88.9 cm, J. Paul Getty Museum, Los Angeles, CA. Wikimedia Commons.

Solomon’s pendant shows the elation when the verdict of Not Guilty (1859) is returned. The man, now freed from the dock, is embraced by his wife, who is kneeling in supplication, as their young child reaches out to touch father’s face. His father, eyes damp with tears of relief, is thanking their barrister earnestly.

In place of the view of the distant court, which is being symbolically dismissed as the barrister closes a door at the right edge, the left side of the painting now leads out to the warm light of the early dusk in the outside world, indicating freedom.

William Frederick Yeames (1835–1918), Defendant and Counsel (1895), oil on canvas, 133.4 x 198.8 cm, Bristol Museum and Art Gallery, Bristol, England. The Athenaeum.

The melodrama of legal process is shown in William Frederick Yeames’ ‘problem picture’ Defendant and Counsel from 1895. An affluent married woman wearing an expensive fur coat sits with a popular newspaper open in front of her, as a team of three barristers and their clerk look at her intensely, presumably waiting for her to speak. As we’re told that she is the defendant, the viewer is encouraged to speculate what she is defending: a divorce claim, or a criminal charge?

Launching apps in Sonoma 14.6.1: Conclusions

By: hoakley
3 September 2024 at 14:30

Over a series of three articles last week, I pored over thousands of log entries to examine how macOS Sonoma 14.6.1 checks applications it’s launching, under normal full security settings, with reduced security, and for known malware. This article draws together my conclusions from those tests run in virtual machines on an Apple silicon Mac.

Layered security

Like other security functions in macOS, app launch security is built in layers, including checks of

  • code-signing certificates (multiple times);
  • CDHashes, including their consistency, and against Apple’s database for notarized apps, and their revocation;
  • quarantine extended attributes, which normally trigger a user consent dialog, and may result in app translocation;
  • previous launch, in the LaunchServices database;
  • matches with Yara rules in XProtect’s data;
  • user consent to a first launch prompt dialog;
  • launch and other constraints.

Additional data may also be collected and stored in the provenance database that first appeared in Ventura.

Not all checks are performed on every launch of an app. At a minimum, for a notarized app that was run only recently, these might consist only of local checks of its CDHashes and of the app’s existing entry in the LaunchServices database. Checks are also modified by reducing security settings:

  • Disabling Gatekeeper checks doesn’t stop those checks from taking place, but apparently ignores some results, notably those obtained by XProtect. It doesn’t affect checks of CDHashes against Apple’s database.
  • Disabling SIP has more pervasive effects in largely disabling the com.apple.syspolicy sub-system, affecting several layers, although checks of CDHashes against Apple’s database are unaffected.

com.apple.syspolicy

In full security conditions, one sub-system dominates log entries concerning app launch security, com.apple.syspolicy. This is clearest in Gatekeeper and XProtect checks. Although the log entries that follow may appear bewildering, they are the best illustration of this point.

When launching a notarized app that hasn’t previously been run on that Mac and has a quarantine xattr, Gatekeeper and XProtect scans are reported in the following sequence of entries:
com.apple.syspolicy.exec GK process assessment: <private> <-- (<private>, <private>)
com.apple.syspolicy.exec Gatekeeper assessment rooted at: <private>
com.apple.syspolicy.exec Skipping TCC check due to process: 692, 0, 692
com.apple.syspolicy.exec queueing up scan for code: PST: (vuid: 7C5C43BF-A338-4228-B61E-5038F1D93EDB), (objid: 62947), (team: (null)), (id: (null)), (bundle_id: (null))
com.apple.syspolicy.exec starting work for scan for code: PST: (vuid: 7C5C43BF-A338-4228-B61E-5038F1D93EDB), (objid: 62947), (team: (null)), (id: (null)), (bundle_id: (null))
com.apple.syspolicy.exec allowUI is YES, creating codeEval object: PST: (vuid: 7C5C43BF-A338-4228-B61E-5038F1D93EDB), (objid: 62947), (team: (null)), (id: (null)), (bundle_id: (null))
com.apple.syspolicy.exec Adding default exception for team: <private>
com.apple.syspolicy.exec Registered app bundle for protection: PST: (vuid: 7C5C43BF-A338-4228-B61E-5038F1D93EDB), (objid: 62947), (team: QWY4LRW926), (id: (null)), (bundle_id: (null))
com.apple.syspolicy.exec GK performScan: PST: (vuid: 7C5C43BF-A338-4228-B61E-5038F1D93EDB), (objid: 62947), (team: QWY4LRW926), (id: (null)), (bundle_id: (null))
com.apple.xprotect XProtectScan beginAnalysisWithResultsHandler continueOnError is set to 0
com.apple.xprotect XPAssessment performAnalysisOnFileImpl continueOnError set to 0
com.apple.xprotect Xprotect is performing a direct malware and dylib scan: <private>

Those checks later complete in entries such as:
com.apple.syspolicy.exec GK Xprotect results: PST: (vuid: 7C5C43BF-A338-4228-B61E-5038F1D93EDB), (objid: 62947), (team: QWY4LRW926), (id: (null)), (bundle_id: (null)), XPScan: 0,-7676743164328624005,2024-08-26 08:19:01 +0000,(null)
com.apple.syspolicy.exec GK scan complete: PST: (vuid: 7C5C43BF-A338-4228-B61E-5038F1D93EDB), (objid: 62947), (team: QWY4LRW926), (id: (null)), (bundle_id: (null)), 4, 4, 0
com.apple.syspolicy.exec scan finished, waking up any waiters: PST: (vuid: 7C5C43BF-A338-4228-B61E-5038F1D93EDB), (objid: 62947), (team: QWY4LRW926), (id: co.eclecticlight.SystHist), (bundle_id: co.eclecticlight.SystHist)
com.apple.syspolicy.exec App gets first launch prompt because responsibility: <private>, <private>
com.apple.syspolicy.exec GK evaluateScanResult: 0, PST: (vuid: 7C5C43BF-A338-4228-B61E-5038F1D93EDB), (objid: 62947), (team: QWY4LRW926), (id: co.eclecticlight.SystHist), (bundle_id: co.eclecticlight.SystHist), 1, 0, 1, 0, 4, 4, 0
com.apple.syspolicy.exec GK eval - was allowed: 1, show prompt: 1
com.apple.syspolicy.exec Skipping TCC check due to process: 692, 0, 692
com.apple.syspolicy Found console users: <private>
com.apple.syspolicy.exec Prompt shown (5, 0), waiting for response: PST: (vuid: 7C5C43BF-A338-4228-B61E-5038F1D93EDB), (objid: 62947), (team: QWY4LRW926), (id: co.eclecticlight.SystHist), (bundle_id: co.eclecticlight.SystHist)

When SIP has been disabled, there are precious few entries from com.apple.syspolicy or com.apple.syspolicy.exec. Instead, XProtect appears to be left to its own devices, and doesn’t fare well:
com.apple.xprotect XPAssessment performAnalysisOnFileImpl continueOnError set to 0
com.apple.xprotect XprotectService Calling SecAssessmentCreate with URL <private>, context <private>
XprotectService SecTrustEvaluateIfNecessary
com.apple.xprotect XprotectService Bundle is not apple signed
com.apple.xprotect XprotectService Bundle size result: 18388222 (YES)
com.apple.xprotect XprotectService Always scan: YES
com.apple.xprotect XprotectService Starting malware scan for: <private>
kernel XprotectService [697] crossed memory high watermark (15 MB); EXC_RESOURCE
kernel Full corpse enqueued for XprotectService
com.apple.xnu memorystatus kernel kernel EXC_RESOURCE -> XprotectService[697] exceeded mem limit: ActiveSoft 15 MB (non-fatal)
ReportCrash event condition bump 0 -> 1
ReportCrash post-exception thread qos drop 21 -> 17
ReportCrash PID 697 exceeded the memory high watermark; Invoking ReportMemoryException with corpse.

There are no other entries referring to Gatekeeper or those checks. The effects of disabling SIP appear extensive and pervasive throughout several of the layers of app launch security.
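
The two sequences above can be told apart mechanically. This Python sketch is an added example, not code from this article or from Apple: it parses entries in the layout quoted above, collects the PST fields, and flags the pattern seen here with SIP disabled. The sample lists, function names and the two findings are assumptions made for illustration.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Constructed samples: entries taken from the sequences quoted above, in the
# same "<subsystem or process> <message>" layout.
PST = "PST: (vuid: 7C5C43BF-A338-4228-B61E-5038F1D93EDB), (objid: 62947), (team: QWY4LRW926), "
PST_EARLY = PST + "(id: (null)), (bundle_id: (null))"
PST_LATE = PST + "(id: co.eclecticlight.SystHist), (bundle_id: co.eclecticlight.SystHist)"
FULL_SECURITY = [
    "com.apple.syspolicy.exec GK process assessment: <private> <-- (<private>, <private>)",
    "com.apple.syspolicy.exec GK performScan: " + PST_EARLY,
    "com.apple.xprotect Xprotect is performing a direct malware and dylib scan: <private>",
    "com.apple.syspolicy.exec GK scan complete: " + PST_EARLY + ", 4, 4, 0",
    "com.apple.syspolicy.exec GK evaluateScanResult: 0, " + PST_LATE + ", 1, 0, 1, 0, 4, 4, 0",
    "com.apple.syspolicy.exec GK eval - was allowed: 1, show prompt: 1",
]
SIP_DISABLED = [
    "com.apple.xprotect XprotectService Starting malware scan for: <private>",
    "kernel XprotectService [697] crossed memory high watermark (15 MB); EXC_RESOURCE",
    "ReportCrash PID 697 exceeded the memory high watermark; Invoking ReportMemoryException with corpse.",
]

# A PST field is "(key: value)", where an unset value is logged as "(null)".
PST_FIELD = re.compile(r"\((vuid|objid|team|id|bundle_id): (\(null\)|[^()]*)\)")
GK_EVAL = re.compile(r"GK eval - was allowed: (\d), show prompt: (\d)")
MEM_LIMIT = re.compile(
    r"XprotectService ?\[(\d+)\] (?:crossed memory high watermark|exceeded mem limit)")


def parse_pst(message):
    """Return the PST fields found in one entry, mapping '(null)' to None."""
    return {k: (None if v == "(null)" else v) for k, v in PST_FIELD.findall(message)}


@dataclass
class LaunchSummary:
    sources: Counter = field(default_factory=Counter)  # entries per subsystem/process
    code: dict = field(default_factory=dict)           # non-null PST fields seen so far
    xprotect_scan_started: bool = False
    gk_scan_complete: bool = False
    allowed: Optional[bool] = None
    prompt: Optional[bool] = None
    xprotect_mem_pid: Optional[str] = None


def summarize(lines):
    """Reduce one launch's log entries to the facts discussed in the article."""
    s = LaunchSummary()
    for line in lines:
        source, _, message = line.strip().partition(" ")
        if not message:
            continue
        s.sources[source] += 1
        if source == "com.apple.syspolicy.exec":
            # Later entries fill in id and bundle_id, so only keep set values.
            s.code.update({k: v for k, v in parse_pst(message).items() if v is not None})
            s.gk_scan_complete |= message.startswith("GK scan complete")
            m = GK_EVAL.search(message)
            if m:
                s.allowed, s.prompt = m.group(1) == "1", m.group(2) == "1"
        elif source == "com.apple.xprotect" and "malware" in message and "scan" in message:
            s.xprotect_scan_started = True
        m = MEM_LIMIT.search(line)
        if m:
            s.xprotect_mem_pid = m.group(1)
    return s


def findings(s):
    """Heuristics based only on the observations in this article (assumption)."""
    out = []
    if s.xprotect_scan_started and s.sources["com.apple.syspolicy.exec"] == 0:
        out.append("XProtect scan with no com.apple.syspolicy.exec entries "
                   "(the pattern seen here with SIP disabled)")
    if s.xprotect_mem_pid:
        out.append(f"XprotectService [{s.xprotect_mem_pid}] exceeded its memory limit")
    return out


if __name__ == "__main__":
    for name, sample in (("full security", FULL_SECURITY), ("SIP disabled", SIP_DISABLED)):
        summary = summarize(sample)
        print(name, dict(summary.sources), summary.code, summary.allowed, summary.prompt)
        for finding in findings(summary):
            print("  finding:", finding)
```
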

CDHashes are central

With the adoption of notarization, apps run in macOS should now fall into one of five categories:

  • signed by Apple, either its own apps or those delivered through its App Store;
  • notarized by Apple, with its CDHashes added to Apple’s database;
  • signed (either with a Developer certificate, or ad hoc) locally, and not distributed over the internet, with its own unique CDHashes;
  • unwanted or malicious, with revoked CDHashes;
  • unrecognised, and potentially malicious.

These emphasise the importance of the online ‘notarization’ checks of CDHashes performed in all circumstances where macOS doesn’t have previous records of saved CDHashes for that code. Their primary purpose isn’t to validate notarization, but to identify code as known good, known bad, or unknown. When Apple’s security engineers identify new malware, its CDHashes can quickly be added to the database as being revoked, so ensuring that all subsequent checks of the same CDHash will be classified as revoked, for malicious code. This is a rapid response that should have no false positives, in which benign code is mistakenly identified as being malicious.

Typically, the checking sequence is reported in the log with:
com.apple.syspolicy looking up ticket: <private>, 2, 1
com.apple.syspolicy cloudkit record fetch: <private>, <private>
com.apple.syspolicy cloudkit request cache info: <private>, max-age=300
com.apple.syspolicy CKTicketStore network reachability: 1, Mon Aug 26 09:15:45 2024
com.apple.syspolicy Inserting ticket: <private>
com.apple.syspolicy completing lookup: <private>, 0

[and so on with further lookups]
and those are among the only entries from com.apple.syspolicy seen when SIP is disabled.

When full security is enabled, those are completed with
com.apple.syspolicy.exec GK evaluateScanResult: 0, PST: (vuid: 7C5C43BF-A338-4228-B61E-5038F1D93EDB), (objid: 62947), (team: QWY4LRW926), (id: co.eclecticlight.SystHist), (bundle_id: co.eclecticlight.SystHist), 1, 0, 1, 0, 4, 4, 0
But when SIP is disabled, those don’t appear, and seem to be substituted by application of Security rule 11 instead.

The downside of CDHash checks is that their false negative rate can be alarmingly high. Change a single bit in the code being hashed, and the hash amplifies that change into a completely different value. Hence the importance of notarization to establish which CDHashes definitely aren’t from malicious code.
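
A small model of that trade-off, added here as an example and not taken from macOS: the CDHash is modelled as a SHA-256 digest truncated to 20 bytes, and the database, the stand-in code directories and the function names are constructed for illustration. It shows that one flipped bit turns both revoked and notarized code into 'unknown', which is why a revocation list alone misses modified code while a known-good list doesn't.

```python
import hashlib


def cdhash(code_directory: bytes) -> str:
    """Simplified model of a CDHash: SHA-256 of the bytes, truncated to 20 bytes."""
    return hashlib.sha256(code_directory).digest()[:20].hex()


def flip_bit(data: bytes, bit: int) -> bytes:
    """Return a copy of data with a single bit inverted."""
    out = bytearray(data)
    out[bit // 8] ^= 1 << (bit % 8)
    return bytes(out)


def differing_bits(hex_a: str, hex_b: str) -> int:
    """Count the bits that differ between two equal-length hex digests."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


# Constructed stand-ins for the code directories of two apps.
NOTARIZED_APP = b"constructed code directory of a notarized app" * 8
MALWARE = b"constructed code directory of known malware" * 8

# Hypothetical database contents: CDHash -> status.
DATABASE = {cdhash(NOTARIZED_APP): "notarized", cdhash(MALWARE): "revoked"}


def classify(code_directory: bytes) -> str:
    """Three-way result described above: known good, known bad or unknown."""
    status = DATABASE.get(cdhash(code_directory))
    return {"notarized": "known good", "revoked": "known bad"}.get(status, "unknown")


def report():
    """Classify each sample before and after a single bit is flipped."""
    rows = []
    for name, code in (("notarized app", NOTARIZED_APP), ("malware", MALWARE)):
        changed = flip_bit(code, 0)
        rows.append((name, classify(code), classify(changed),
                     differing_bits(cdhash(code), cdhash(changed))))
    return rows


if __name__ == "__main__":
    for name, before, after, bits in report():
        print(f"{name}: {before} -> {after} after one bit flipped "
              f"({bits} of 160 hash bits differ)")
```
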

One threat to this system occurs when a user mistakenly blocks their Mac from connecting to Apple’s database using CloudKit, for example using a misconfigured software firewall. Without a suitable vulnerability, malicious software shouldn’t be able to use this approach to block a payload from being checked.

I don’t know whether any third-party security products use a similar checking mechanism with their own local or remote CDHash databases, but this appears to be a great advantage to the protection built into macOS.

Performance

Two of the checks performed with full security enabled are dependent on the size of the app being checked. Fully validating an app’s CDHashes against those in its signature or notarization ticket should benefit from hardware acceleration, particularly on Apple silicon, and can be tackled hierarchically. It appears unlikely to result in significant delays to launching an app.

XProtect scans are more likely to be responsible for observable delays in app launch times, though. With the recent growth in the number of Yara rules, and their length, scans performed after an app’s first launch are the most probable cause of large and complex app bundles requiring several seconds before the app can be run.

Summary

I have updated the flow chart I first proposed as a result of observations made of app launches in Sonoma 14.4.1:

[Flow chart image: launchsonomaapp2]

This is also available as a tear-out PDF here: launchsonomaapp2

I welcome any evidence that will refine and improve that, please.

Previous articles

Launching apps in Sonoma 14.6.1: Full security
Launching apps in Sonoma 14.6.1: Reduced security
Launching apps in Sonoma 14.6.1: Known malware
How does Sonoma check an app before launch? (Sonoma 14.4.1)

Changing Paintings: 35 The tragedy of Cephalus and Procris

By: hoakley
2 September 2024 at 19:30

Ovid ends Book 7 of his Metamorphoses with one of his best stories. It’s told by Cephalus, the envoy from Athens, to the sons of King Aeacus on the island of Aegina, following the king’s account of the Myrmidons.

Having told Cephalus of the plague and the Myrmidons that followed it, King Aeacus falls asleep, so his son Phocus takes Cephalus and his companions to their accommodation. There Phocus notices the unusual javelin carried by Cephalus, with its gold tip on a shaft of wood that he cannot identify. This leads Cephalus to tell him that the javelin killed his wife, and so to explain the circumstances.

Within two months of his marriage to the beautiful Procris, when he was laying nets to catch a deer at dawn, Aurora saw Cephalus and tried to abduct him (she has a track record of affairs with humans). Cephalus protested and told Aurora of his love for his wife, so she let him go, warning him that if she saw him again, he would regret ever marrying Procris.

Nicolas Poussin (1594–1665), Cephalus and Aurora (1630), oil on canvas, 96.9 x 131.3 cm, The National Gallery, London. Wikimedia Commons.

Nicolas Poussin’s Cephalus and Aurora (1630) shows the dawn scene of Cephalus trying to avoid the obviously amorous intentions of the goddess Aurora, who is seated and nearly naked. Behind Cephalus is the winged horse drawing the chariot of the dawn. A winged putto is holding up an image for him to view, presumably showing Procris, to help his resolve. At the left is a river god. Beyond the horse is another deity bearing a coronet: although difficult to see, that might be Diana, given her association with hunting and her role in this myth.

Peter Paul Rubens (1577–1640), Aurora Abducting Cephalus (c 1636-37), oil on oak panel, 30.8 x 48.5 cm, The National Gallery, London. Wikimedia Commons.

Peter Paul Rubens’ oil sketch of Aurora Abducting Cephalus was probably made in 1636-37, late in Rubens’ life, for his workshop to complete as a painting for King Philip IV of Spain’s hunting lodge at Torre de la Parada, near Madrid. In addition to showing the willing Aurora trying to persuade the reluctant Cephalus to join her in her chariot, it includes some details at odds with Ovid’s story: Diana’s hunting dog and javelin, which Procris gave to her husband after their reconciliation, later in the story. Here they may be intended as attributes to confirm his identity.

Pierre-Narcisse Guérin (1774–1833), Aurora and Cephalus (1810), oil on canvas, 254 x 186 cm, Musée du Louvre, Paris. Wikimedia Commons.

Over the following couple of centuries, there was a steady stream of paintings showing the abduction of Cephalus, but to my eye the next major work using this theme was Pierre-Narcisse Guérin’s romantic Aurora and Cephalus (1810). Instead of a substantial chariot, the seductive figure of Aurora is bearing a sleeping Cephalus aloft on a bed of cloud, as dawn breaks over the mountains below.

Pierre Claude François Delorme (1783–1859), Cephalus Carried off by Aurora (c 1851), oil on canvas, dimensions and location not known. Wikimedia Commons.

Forty years later, Pierre Claude François Delorme uses a similar motif recomposed into his Cephalus Carried off by Aurora (c 1851). This features ingeniously interlocking arms and embraces: Aurora cradles Cephalus’ shoulder and chest, Cephalus reaches out to Cupid, and Cupid back to Cephalus.

As he went back to his wife, Cephalus started to worry whether his wife had been unfaithful to him. He became aware that Aurora had changed his appearance, and entered the city of Athens unrecognised. When he got home, his household and wife didn’t recognise him either, so Cephalus put Procris to the test: with his wife still thinking him a stranger, he offered her great riches to spend a night with him, and managed to get her to waver with uncertainty.

He then revealed himself to be her husband, and accused her of being unfaithful. She said not a word, but fled to the mountains, where she joined the followers of Diana.

Cephalus yearned for his wife, so begged her forgiveness, and admitted that he too would have given way when made such an irresistible offer. Procris returned to him, and the couple lived happily again together. She brought back with her gifts from Diana: a hunting dog who outran all other dogs, and that unusual javelin.

Then the city of Thebes was once again put into difficulty, after Oedipus had broken the siege imposed by the Sphinx. This time the problem took the form of a wild beast that ate all its livestock. All the younger men, including Cephalus, went to hunt the beast, but it eluded them and their dogs. Cephalus then unleashed Diana’s hound to chase the beast. The dog caught it, but it broke free again. Cephalus prepared to throw his javelin, then noticed that his dog and the beast had suddenly been transformed into marble statues.

Cephalus returned to his now blissfully happy marriage with Procris. He went hunting alone at dawn, always feeling safe with his javelin. As the heat of the day came on, he would call on an imaginary zephyr of the cool breeze, talking to it as if it was a real nymph. One day he must have been overheard, and word was taken back to Procris that he was meeting a woman when he was supposed to be hunting. His wife was shocked, but refused to accept the story without herself witnessing her husband’s deceit.

The following morning, Cephalus was out hunting at dawn again, and when he grew hot, he rested and spoke to his imaginary zephyr as usual. He thought that he heard a sound nearby, which he suspected was an animal. He turned and threw his javelin at that noise.

He next heard his wife’s voice, rushed towards it, and found her mortally wounded, with his javelin buried deep in her chest. He took her up into his arms and tried in vain to stop blood from pouring from the wound. Knowing that she was dying, Procris implored him not to take the zephyr as his wife. He then realised the fatal misunderstanding, that Procris believed that he had been unfaithful. As Procris died in his arms, Cephalus tried to explain to her that the zephyr was only imaginary, and that seemed to bring her some comfort in her last moments.

Paolo Veronese (1528-1588), Cephalus and Procris (c 1580), oil on canvas, dimensions not known, Musée des Beaux-Arts de Strasbourg, Strasbourg, France. Image by Amada44, via Wikimedia Commons.

In the foreground of Paolo Veronese’s account from about 1580, Procris has fallen, the javelin embedded in her upper abdomen, and her life is fading fast. Cephalus isn’t embracing her, though, merely holding her hand as he tries to plead his innocence. Veronese leaves us with two small puzzles too. The first is the large hunting hound behind Cephalus’ right shoulder, remembering that Diana’s dog was turned into stone while hunting the beast of Thebes. More puzzling is another figure, and a second dog, in the distance, at the left edge of the painting. These might represent the first part of the scene, before Cephalus throws his javelin, in multiplex narrative.

Peter Paul Rubens (1577–1640), Cephalus and Procris (1636-37), oil on panel, 27 × 28.6 cm, Museo Nacional del Prado, Madrid. Wikimedia Commons.

Peter Paul Rubens offers another oil sketch, of Cephalus and Procris (1636-37), showing the couple just before Cephalus throws the fateful javelin, which rests at his side.

There is another painting that has been claimed to show The Death of Procris, but which is more accurately titled A Satyr Mourning over a Nymph, made by Piero di Cosimo in about 1495.

Piero di Cosimo (1462–1521), A Satyr mourning over a Nymph (or The Death of Procris) (c 1495), oil on poplar wood, 65.4 × 184.2 cm, The National Gallery, London. Wikimedia Commons.

A brilliant painting, it uses the full width of a panoramic panel to show a satyr with his goat legs and distinctive ears, ministering to a dying or dead nymph, who has a severe wound in her throat. At her feet is a hunting dog, with another three in the distance. But there’s no reason to show Cephalus as a satyr; Procris was impaled in the chest by the javelin; Procris was behind cover, where she was spying on Cephalus, not out in the open; and Cephalus had only one hound, a gift from Diana, which had in any case already been turned to marble. It’s a superb painting of a different story.

Ovid ends the book with Cephalus and his audience in tears, as Aeacus arrives with his other two sons and the army which they have been raising to counter the forces of Minos, setting the scene for the start of the next book.

Solutions to Saturday Mac riddles 271

By: hoakley
2 September 2024 at 16:00

I hope that you enjoyed Saturday’s Mac Riddles, episode 271. Here are my solutions to them.

1: Table of chapters as the top-level directory.

Contents

Table of chapters (contents of book) as the top-level directory (it’s the top-level folder in a macOS app bundle).

2: Real estate inventory, personal possessions or XML.

Property list

Real estate (property) inventory (list), personal possessions (a property list) or XML (how it’s coded in the Info.plist file).

3: Reserves that could be human, such as strings and images.

Resources

Reserves (resources) that could be human (human resources), such as strings and images (what goes inside the Resources folder in an app).

The common factor

They are all key parts of a macOS app bundle.

I look forward to your putting alternative cases.

What is Macintosh HD now?

By: hoakley
2 September 2024 at 14:30

Perhaps you just tried to save a document, only to be told you don’t have sufficient permissions to do so, or attempted to make another change to what’s on your Mac’s internal storage, with similar results. You then select the Macintosh HD disk in the Finder and Get Info. No wonder that didn’t work, as you only have read-only access to that disk. But if you unlock it and try to make any changes to permissions, you see

[Image: xpermserror]

What’s going on?

Between macOS Mojave, with its single system volume, and Big Sur, the structure of the Mac system or boot volume has changed, with Catalina as an intermediate. Instead of Macintosh HD (or whatever you might have renamed it to) being one volume on your boot disk, it’s now two intertwined and joined together. What you see now as Macintosh HD isn’t even a regular APFS volume, but a read-only snapshot containing the current macOS. No wonder you can’t change it.

Root

Select the boot disk Macintosh HD in the Finder, and it appears to have four visible folders, Applications, Library, System and Users, just like it always did. Press Command-Shift-. to reveal hidden folders and all the usual suspects like bin, opt and usr are still where they should be. That’s the root of the combined System and Data volumes, and what’s shown there is a combination of folders on both volumes, with the top level or root on the Sealed System Volume (SSV).

The contents of those folders are also the result of both volumes being merged together using what Apple terms firmlinks:

  • Applications contains apps installed in your own Applications folder on the Data volume, and those bundled in macOS on the SSV. You can see just the latter in the path System/Applications, where they appear to be duplicated, but aren’t really.
  • Library comes only from the Data volume, and all its contents are on that volume. But inside it, in the path Library/Apple/System/Library are some components that should appear in the main System/Library.
  • System comes only from the SSV, although it has some contents merged into it using firmlinks, such as those folders in Library.
  • Users also comes only from the Data volume, and includes all Home folders for users.

So while the root of Macintosh HD might be in the SSV, much of its contents are on the Data volume, and can be written to, even though the root is a read-only snapshot, thanks to those firmlinks.

Data volume

There are two places that mounted volumes are listed in the Finder: the hidden top-level folder Volumes, where Macintosh HD is just a link back to the root complete with its merged volumes, and in System/Volumes, where what’s shown as Macintosh HD is in fact not the merged volumes, but only the Data volume. You can confirm that by looking at what’s in System/Volumes/Macintosh HD/System, where you only see the parts of the System folder that are stored on the Data volume, and not those stored on the SSV.

What is more confusing there is that System/Volumes/Macintosh HD/Applications is the same merged folder containing both user and bundled apps as in the top-level Applications folder. That’s an artefact resulting from the way that its firmlink works.

But if you open the Get Info dialog on System/Volumes/Macintosh HD, you’ll see the same as with the root Macintosh HD disk, information about the root and not the Data volume.

Mounted in System/Volumes are several other volumes like VM and Preboot, and (depending on whether this is an Intel or Apple silicon Mac) folders such as Recovery and xarts, that you really don’t want to mess with.

Permissions problems

Tackling problems that appear to be the result of incorrect permissions is best done at the lowest folder level. If you’re trying to save a document to the Documents folder inside your Home folder, select that and Get Info on it. Chances are that you are the owner and have both Read & Write permissions as you should. In that case, the problem most likely rests with privacy protection as in Privacy & Security settings. You then suffer Catch-22, as you can only effect changes to those by closing and opening the app, and as you can’t save your document before closing the app, you’re at risk of losing its contents. You may have better luck trying a different folder, creating a new one inside your Home folder, or using the Save As… command instead (which may be revealed by holding the Option key when opening the File menu).

Full layout

In case you’re wondering exactly which folders are merged into the hybrid Macintosh HD ‘volume’, those are shown below in increasing levels of detail, starting with the broad layout.

[Diagram: BootVolGpVentapfs]

Then to a simplified version of the full layout.

[Diagram: BigSurIntSimple]

Finally, in complete detail.

[Diagram: BigSurIntegrated]

Happy navigating!

Back to school: paintings 1860-1907

By: hoakley
1 September 2024 at 19:30

In the first of these two articles, I showed paintings illustrating school life from the early seventeenth century to the middle of the nineteenth, a period of more than two centuries when few artists painted the inside of the classroom. This changed from 1850, although the theme still failed to attract the best-known painters.

Albert Anker (1831–1910), The Village School in 1848 (1896), media not known, 104 × 175.5 cm, Kunstmuseum Basel, Basel, Switzerland. Wikimedia Commons.

Albert Anker, father of Swiss painting and known for his large output of ‘genre scenes’, probably painted more classrooms than any other. He painted The Village School in 1848 nearly half a century afterwards, in 1896, presumably from his own recollection of his final year at school in Neuchâtel. Compared to earlier paintings, this classroom is packed, relatively orderly, and well-equipped with benches and desks, even though the children are shabbily dressed, indicating their poverty.

Albert Anker (1831–1910), The School Exam (1862), oil on canvas, 103 × 175 cm, Kunstmuseum Bern, Bern, Switzerland. Wikimedia Commons.

Anker’s earlier painting of The School Exam from 1862 shows a more contemporary scene. It’s not clear whether the pupils are undergoing examination, or the school is. Three of them seen standing out at the front are so poor that they cannot afford shoes at all, but effort is at last being put into their education.

Winslow Homer (1836–1910), The Country School (A Country School-room in the Catskills, New England Country School) (1871), oil on canvas, 54 × 97.2 cm, Saint Louis Art Museum, St. Louis, MO. Wikimedia Commons.

Winslow Homer is perhaps the most famous painter to have made more than one work showing The Country School, believed to be of a country schoolroom in the Catskills, New England. This painting, dated 1871, is the first of a series of three or more showing the same largely empty classroom, with its impossibly wide age range. Two of the boys reading to the teacher are too poor for shoes, although the girls on the right look much better-dressed.

Following the collapse of the Second Empire during the Franco-Prussian War of 1870-71, the Third Republic targeted education for special development. Schools in France had earlier been largely run by the Catholic Church, but from 1833 communes had been required to provide schools for boys but not girls. The anti-clerical Minister for Public Instruction, Jules Ferry, introduced laws in 1881 to establish free education throughout the country, even for girls, and progressively replaced existing Catholic schools with the modern Republican School through the 1880s.

François Bonvin (1817–1887), The Scholar (1874), oil on panel, 35.5 × 26.3 cm, location not known. Wikimedia Commons.

François Bonvin’s The Scholar of 1874 is one of a few paintings showing individual pupils in the classroom. This boy has been granted the privilege of his own desk, at the front of the class, and is working on after the end of the school day. The teacher’s hat and coat are draped over his desk, ready for when this pupil completes his extra work.

Jean-Baptiste Jules Trayer (1824–1909), A Breton Infants School (1882), watercolour over pencil on paper, 68 × 83.8 cm, location not known. Wikimedia Commons.

Jean-Baptiste Jules Trayer’s wonderful watercolour of A Breton Infants School from 1882 predates any celebration of the Republican policy: the crucifix high on the wall at the right shows that this is one of the older Catholic schools. It shows a teacher helping one of her students with writing, in a class entirely wearing traditional Breton costume. There’s clearly room for improvement, though, as one girl is sleeping on her book, doubtless exhausted from her early morning work on the family farm.

Oscar Björck (1860–1929), Madam Henriksen’s School for Girls in Skagen (1884), media not known, 58 x 52.8 cm, Skagens Museum, Skagen, Denmark. Wikimedia Commons.

Rising standards of schooling were also reaching out to some of the more remote communities in Nordic countries. Oscar Björck’s painting of Madam Henriksen’s School for Girls in Skagen from 1884 shows a tiny and personal class in this small, isolated community at the northern tip of Jylland (Jutland), home to a major artists’ colony and birthplace of Danish Impressionism.

Then, in the mid 1880s, something remarkable happens to paintings of the schoolroom in France: they become strikingly photographic in their reality, with the advent of Naturalism.

Paul Louis Martin des Amoignes (1858–1925), In the Classroom (1886), oil on canvas, 68.5 × 110.5 cm, location not known. Wikimedia Commons.

Within two years of the early death of Jules Bastien-Lepage, Paul Louis Martin des Amoignes’ In the Classroom (1886) looks as if it may have been painted from photographs. One boy, staring intently at the teacher in front of the class, is caught crisply, pencil poised in his hand. Beyond him the crowd of heads becomes more blurred.

Jean Geoffroy (1853-1924), Primary School Class (1889), oil on canvas, 145 x 220 cm, Ministère de l’Education Nationale, Paris. Wikimedia Commons.

Jean Geoffroy’s Primary School Class from 1889 doesn’t give us the same depth of field effect, but shows one of the Republic’s new lay teachers working diligently in the classroom with her pupils. They’re still a bit of a shower, with the younger ones at the back working on traditional slates, but this is the public face of the modern Republican School.

Jean Geoffroy (1853-1924), In School (c 1900), further details not known. Wikimedia Commons.

In Geoffroy’s In School from about 1900, another lay teacher in a modern Republican infants class is caring for the French men and women of the future.

Nikolay Bogdanov-Belsky (1868–1945), Mental Arithmetic. In Public School of S. A. Rachinsky (1895), oil on canvas, 107.4 × 79 cm, Tretyakov Gallery Государственная Третьяковская галерея, Moscow, Russia. Wikimedia Commons.

Of course France wasn’t the only country to be improving its educational system at this time. Nikolay Bogdanov-Belsky’s Mental Arithmetic. In Public School of S. A. Rachinsky from 1895 shows a class of poor students in the village of Tatev in Smolensk province, at the western edge of the Russian Empire in central eastern Europe. They were fortunate enough to have a pioneering educator as their local teacher.

Sergey Rachinsky had been a professor of botany in Moscow until 1867, when he abandoned academic life to run the village school in Tatev. The elderly professor is seen with his students working on a challenging mental arithmetic problem. The teacher died in 1902.

Max Silbert (1871–1930), Singing Lesson in a School in Holland (1907), oil on canvas, 66 x 80 cm, location not known. Wikimedia Commons.

My final painting, by the Ukrainian artist Max Silbert, shows a Singing Lesson in a School in Holland in 1907, and is a fascinating chance discovery. Although its realism isn’t as detailed or photographic as the French paintings from the 1880s above, it shows a similar photographic depth of field effect. The pupils closest to the artist are shown in sharp focus, and those in the further distance are markedly blurred. It’s impossible to tell whether this results from Silbert painting this work from photographs with the same blurring, or it was a deliberate effect introduced by the artist to give it a photographic look.

Last Week on my Mac: XProtect tormentor

By: hoakley
1 September 2024 at 15:00

If XProtect Remediator came of age in macOS Ventura, then it has been XProtect’s turn in Sonoma. Starting from version 2171 with 216 rules in under 3,000 lines in its Yara definitions, it emerged a year later in version 5272 with 347 rules in over 13,000 lines, although mercifully not after 3,100 versions.

I had always assumed that those Yara rules were compiled straightaway into something more tractable for checking executable code, but it seems that each time XProtect performs one of its ‘direct malware and dylib scans’, it first looks for a non-existent Yara file, then uses the rules in the XProtect.bundle, as it reports in the log:
    com.apple.xprotect Xprotect is performing a direct malware and dylib scan: <private>
    com.apple.xprotect Rule path is not accessible: /Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Resources/XProtect2.yara
    com.apple.xprotect Using XProtect rules location: /Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Resources/XProtect.yara

Apparently, to cope with this explosive growth, and potentially support more frequent tweaks to its growing horde of Yara rules, macOS Sequoia is changing the way that XProtect’s data is updated and managed. A chance find by @L0Psec revealed how this has moved beyond those updates delivered by softwareupdate, and a new command tool xprotect handles this separately in CloudKit.

Last week’s update to XProtect’s Yara file was an experience those beta-testing Sequoia 15.0 or 15.1 must have found profoundly confusing, and I quickly became aware of reports that were changing by the minute.

When XProtect 5272 was first made available through softwareupdate, Sonoma and earlier systems found and installed it as usual, as did some running Sequoia betas. That updated the visible XProtect.bundle in CoreServices, but didn’t update XProtect according to its new xprotect command tool, which still reported the local version of XProtect as 5271. Without knowing how XProtect has changed, the user would most likely see this as a bug.

A little later, I saw reports of Sequoia installations apparently updating spontaneously via CloudKit, using its new mechanism, which did change the version reported by xprotect version.

At this stage, I had a 15.0 virtual machine that had updated ‘correctly’ via CloudKit, and its host 15.1 system that had updated its bundle via softwareupdate, but still wasn’t apparently running the new version afterwards. Those of us who didn’t experience a spontaneous CloudKit update were left in limbo. I had originally changed the version databases used by SilentKnight and Skint to show a correct version of 5272 for Sequoia, and hurriedly had to revert that to 5271 before I became inundated with complaints from those whose Macs hadn’t been able to update.

It then occurred to me to try using the xprotect command to force a CloudKit update on my 15.1 system. I first entered
    sudo xprotect check
only to be told that the version available was still 5271. But when I ran
    sudo xprotect update
a miracle happened, with the response
    Update succeeded: Activated update LocalUpdate[5272]

That command had convinced macOS to ‘activate’ the updated bundle in /Library/Apple/System/Library/CoreServices rather than waiting for it to become available from CloudKit, a feature not mentioned in its man page or usage info. I returned to my version databases to change them a third time, back to 5272.
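
The mismatch described above, a newer bundle on disk than the version macOS reports as active, can be checked by comparing the two. The following shell script is an added example, not code from this article or from Apple. It assumes that the bundle's version is held in CFBundleShortVersionString in its Info.plist, and that the first integer printed by xprotect version is the active version number; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the article or from Apple): report whether the
# XProtect bundle on disk matches the version macOS says is active.

# Bundle path as shown in the article's log extract. The Info.plist location
# and the CFBundleShortVersionString key are assumptions of this example.
BUNDLE_PLIST="/Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Info.plist"

# Log messages and command response quoted in the article, used by demo().
SAMPLE_LOG='com.apple.xprotect Xprotect is performing a direct malware and dylib scan: <private>
com.apple.xprotect Rule path is not accessible: /Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Resources/XProtect2.yara
com.apple.xprotect Using XProtect rules location: /Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Resources/XProtect.yara'
SAMPLE_UPDATE='Update succeeded: Activated update LocalUpdate[5272]'

# Print the first run of digits found on stdin. Assumption: the first integer
# printed by `xprotect version` is the active version number.
first_number() {
    sed -n 's/^[^0-9]*\([0-9][0-9]*\).*$/\1/p' | head -n 1
}

# Print the version from an "Activated update Name[NNNN]" response.
activated_version() {
    sed -n 's/.*Activated update [A-Za-z]*\[\([0-9][0-9]*\)\].*/\1/p' | head -n 1
}

# Print the Yara file the most recent logged scan actually used.
rules_location() {
    sed -n 's/^.*Using XProtect rules location: //p' | tail -n 1
}

# Succeed only for a non-empty string of digits.
is_number() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Classify bundle version ($1) against active version ($2).
xprotect_state() {
    if ! is_number "$1" || ! is_number "$2"; then
        echo unknown
    elif [ "$2" -lt "$1" ]; then
        # Bundle was installed by softwareupdate but is not yet active.
        echo pending-activation
    elif [ "$2" -gt "$1" ]; then
        # Active data is newer than the bundle; reported only as a mismatch.
        echo active-newer
    else
        echo in-sync
    fi
}

# Walk through the values quoted in the article (5271 active, 5272 on disk).
demo() {
    echo "rules file in use: $(printf '%s\n' "$SAMPLE_LOG" | rules_location)"
    activated=$(printf '%s\n' "$SAMPLE_UPDATE" | activated_version)
    echo "before update: $(xprotect_state "$activated" 5271)"
    echo "after update:  $(xprotect_state "$activated" "$activated")"
}

# Read the real values on a Mac that has the xprotect command tool.
live_check() {
    bundle=$(/usr/libexec/PlistBuddy -c 'Print :CFBundleShortVersionString' \
        "$BUNDLE_PLIST" 2>/dev/null | first_number)
    active=$(xprotect version 2>/dev/null | first_number)
    state=$(xprotect_state "$bundle" "$active")
    echo "bundle=${bundle:-?} active=${active:-?} state=$state"
    if [ "$state" = "pending-activation" ]; then
        echo "The article reports that 'sudo xprotect update' activated the local bundle."
    fi
}

if [ "$(uname -s)" = "Darwin" ] && command -v xprotect >/dev/null 2>&1; then
    live_check
else
    demo
fi
```

On systems without the xprotect command tool, the script only runs its demonstration over the values quoted in the article.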

Previous XProtect updates such as 5271 that were obtained through CloudKit are now identified by SystHist as XProtectCloudKitUpdate, while those obtained by softwareupdate and activated using the xprotect command appear as standard XProtectPlistConfigData, as they do in Sonoma and earlier.

With the release of Sequoia due later this month, the xprotect command tool and XProtect’s new CloudKit updates have already encountered troubled water. If Apple stays true to form and doesn’t mention a word about this change, or its effect on XProtect updates, many of the millions of new Sequoia users could end up falling behind. But as we’re not supposed to know what the latest version is, nor which is currently active on our Macs without taking to Terminal’s command line, maybe most won’t be allowed to notice.

I’d like to think that Apple will explain these changes to users, document its new command tool properly, and ensure that users know the current version of XProtect data, and can check whether their Mac is up to date without having to resort to Terminal or third-party products, perhaps in System Information. Will I be disappointed?

Back to school: paintings 1640-1860

By: hoakley
31 August 2024 at 19:30

As the calendar passes into September, it’s time for the summer holidays to end and for children and older students to return to their schools and colleges. This weekend I mark that with depictions of what has really been going on in our educational establishments. Although this hasn’t been a theme for more major artists, these paintings appear disarmingly honest, and should reassure you of the great improvements achieved in recent times.

Isaac van Ostade (1621–1649) (school of), Village school (date not known), oil on panel, 19 x 24.5 cm, Kunstsammlung der Universität Göttingen, Georg-August-Universität Göttingen, Göttingen, Germany. Wikimedia Commons.

Isaac van Ostade lived only briefly, from 1621 to 1649, so I suspect this painting of a Village School from his circle was probably made by about 1650, possibly earlier. Although it has seen better days, it shows a schoolmaster at the right supervising a group with a wide age range, all in various levels of poverty, and in primitive stages of education. The classroom itself is almost bare of furniture, with most of the children sitting or squatting on the floor.

Jan Steen (1625/1626–1679), The Village School (c 1665), oil on canvas, 110.5 x 80.2 cm, National Gallery of Ireland Gailearaí Náisiúnta na hÉireann, Dublin, Ireland. Wikimedia Commons.

Later in the seventeenth century, Jan Steen’s The Village School (c 1665) shows one reason for the apparent unpopularity of school as a motif: physical punishment. The child at the right holds out a hand for teacher to strike it with a wooden spoon, presumably in return for the screwed-up piece of paper on the floor. The children here are better-dressed, and the room better-furnished. One boy at the far right is writing intently, and another, his face almost covered by the brim of his hat, is reading a book.

Jan Steen (1625/1626–1679), The Village School (c 1670), oil on canvas, 81.7 x 108.6 cm, Scottish National Gallery, Edinburgh, Scotland. Wikimedia Commons.

A few years later, Steen painted a scene in a larger and more chaotic classroom, in The Village School from about 1670. Although there are two staff sat at the teachers’ desk, the man is distracted, perhaps in cutting himself a fresh quill. The woman teacher sat next to him is engaged in explaining something to a pupil.

Around them, all hell is breaking loose. In the distance, a boy is stood on one of the trestle tables. Older children are teaching younger ones, and a small group at a table at the right are trying to write while others get up to mischief. One younger child in the middle of the foreground has fallen asleep against a hat.

In those early schools, boys and girls were not segregated, but enjoyed equally derelict schooling. By the middle of the eighteenth century, in larger schools at least, it became more common for the genders to be taught in separate classes or even different schools.

Jan Josef Horemans the Younger (1714-1790) (after), Boys’ School (date not known), oil on canvas, 40 x 35 cm, location not known. Wikimedia Commons.

Boys’ School is a copy of an original painting by Jan Josef Horemans the Younger from the middle of the eighteenth century. Its schoolmaster looks to be the only figure sat at a desk, and is engaged with a couple of the older boys, while the rest of the class catches up with their social lives. A few writing tablets are visible, as are scraps of paper, but the only real books seem to be those well out of reach, above the schoolmaster’s head.

Jan Josef Horemans the Younger (1714-1790) (after), Girls’ School (date not known), oil on canvas, 40 x 35 cm, location not known. Wikimedia Commons.

Its sister painting showing a Girls’ School is more peaceful and purposeful, but seems intended to trap young women in their narrow social role. Although one girl is reading, others are engaged in fibrecraft or dressmaking, or apparently learning how to make a brush from a bundle of twigs. More academic learning was only really possible in richer homes, under exceptional private tutors.

Francisco Goya (1746–1828), With Pain Comes Gain. School Scene (c 1780-85), oil on canvas, 19 x 38 cm, Museo de Zaragoza, Zaragoza, Spain. Wikimedia Commons.

Francisco Goya’s With Pain Comes Gain. School Scene from 1780-85 is small and quite Hogarthian in its depiction of corporal punishment in a school. The teacher raises a whip to strike the bare buttocks of one of a succession of pupils, as the more studious continue at their work seemingly disinterested in the suffering of their comrades. Goya is one of the few masters to have painted series of children at play.

George Gillis Haanen (1807–1879), Night School (1835), oil on panel, 64 × 50 cm, Rijksmuseum Amsterdam, Amsterdam, The Netherlands. Wikimedia Commons.

In towns and cities, there was greater economic drive for children to work throughout the year, and to obtain a better education. These seem to have led some schools, at least, to operate well into the evening, as George Gillis Haanen shows in his beautifully lit Night School from 1835. The schoolmaster, ensconced at his elevated desk, does at least look more academic, and there are slates for writing and children reading books.

The nineteenth century also brought the concept of self-improvement, and a growing desire among many of the working and middle classes to better themselves by education, to improve their income and family prospects, also among a growing minority of girls.

Eduard Ritter (1808–1853) (circle of), Brave Girls, Bad Boys, School Class in Tyrol (date not known), oil on canvas, 62.5 x 77.5 cm, location not known. Wikimedia Commons.

Changes remained slower in the country, as seen in this undated painting by one of Eduard Ritter’s circle, of Brave Girls, Bad Boys, School Class in Tyrol, probably from between 1835 and 1849, the reign of Emperor Ferdinand I of Austria, who is shown in one of its portraits. The children are enjoying a rich range of fruit, and there’s no shortage of paper, even if some of it is being used to make hats rather than for writing. Its elderly schoolmaster looks delightfully benign, and the stem on his smoking pipe is the longest I have seen.

John Frederick Lewis (1805–1876), Arab School (date not known), watercolour and gouache over black chalk on brownish paper, 29.7 × 48.6 cm, Metropolitan Museum of Art, New York, NY. Wikimedia Commons.

Schools in Europe had arisen to meet the need for clergy and to support the church; those in other cultures were no different, as shown in John Frederick Lewis’s undated watercolour of an Arab School, probably from around 1850. This is what is more properly known as a maktab, providing general schooling between the ages of 6-14, following which children specialise more in their subjects prior to going on to higher education at a madrasah.

Thomas Faed (1826–1900), Visit to the Village School (1852), oil on canvas, 97.5 × 132 cm, location not known. Wikimedia Commons.

Thomas Faed’s paintings have faded from view since it was claimed that he did for Scottish painting what Robert Burns did for Scottish song. His Visit to the Village School from 1852 shows an elderly couple listening to some young children reading, as the schoolmaster is trying to impress his visitors. Older children, though, are not being quite so obliging, and stood against the wall at the far left is a pupil wearing a dunce’s hat in shame.

Scotland, for all the difficulties posed by its far-flung rural and island populations, was in the vanguard of introducing free public schooling: in 1561 the Church of Scotland declared that every parish church should have its own teacher, and that education should be provided free to the poor; an act of the Scottish Parliament raised taxes for that purpose in 1633.

Thomas Brooks (1818-1892), The New Pupil (1854), oil on canvas, 71 x 116 cm, location not known. Wikimedia Commons.

Thomas Brooks didn’t have the benefit of a Scottish education, and his painting of The New Pupil from 1854 clearly shows the more disorderly rabble in an English country school, as a mother introduces her reluctant son to his new class. Brooks’ eye for fine detail and the modern lightness in this work are leading up to what would later be termed Naturalism.

Charles Hunt (1829-1900), Visit to the Schoolroom (1859), oil on canvas, 48 x 66 cm, location not known. Wikimedia Commons.

Charles Hunt’s Visit to the Schoolroom from 1859 returns to more traditional style, as a well-dressed mother appears taken aback by the antics going on behind the teacher, and extra-curricular activities include a girl who is about to snip a lock from a boy’s head. At the far right another dunce stands on a chair wearing the trademark conical hat.

Saturday Mac riddles 271

By: hoakley
31 August 2024 at 16:00

Here are this weekend’s Mac riddles to entertain you through family time, shopping and recreation.

1: Table of chapters as the top-level directory.

2: Real estate inventory, personal possessions or XML.

3: Reserves that could be human, such as strings and images.

To help you cross-check your solutions, or confuse you further, there’s a common factor between them.

I’ll post my solutions first thing on Monday morning.

Please don’t post your solutions as comments here: it spoils it for others.

A brief history of Clarus the Dogcow

By: hoakley
31 August 2024 at 15:00

There aren’t many mythical animals in operating systems, and the most famous of those is probably Tux the penguin who appeared in Linux around 1996. The Mac’s first mythical animal predates that by more than a decade, and is the distinctive dogcow named Clarus, who appeared in every version of Mac OS until Mac OS X.

When Annette Wagner was designing the Page Setup dialog for Classic Mac OS, she needed a figure to place on the page to show the user its orientation and other options. She was working with an early symbolic font Cairo, created by Susan Kare who was also the designer of Chicago, the first Mac system font, and modified its z character of a dog to make it work better in the dialog. The result was a creature that looked like a hybrid between a dog and a cow.

In 1987, Scott ‘Zz’ Zimmerman coined the term dogcow for this curious beast, which by now was featured in every Page Setup dialog on every Mac, and was becoming quite a celebrity. A little later, Mark ‘The Red’ Harlan gave the dogcow the name of Clarus, a variation on the name of Claris, Apple’s software subsidiary that had been formed in 1987.


As Apple’s campus at 1 Infinite Loop, Cupertino, developed, Clarus was one of several large plastic figures forming the Icon Garden in front of the offices.


The dogcow lived on in Page Setup dialogs until Mac OS X was released, and early in the 2000s she was put out to grass in favour of a stylised icon of a human figure. Those who pined for the reappearance of the dogcow in OS X remained disappointed until macOS Ventura, when she finally returned, although now in full vector graphics glory.


By this time, there was another reference to Clarus tucked away as an Easter Egg in the Emoji & Symbols viewer: type the letters of her name into its search box, and you’ll see the two emoji characters of a dog and a cow, although neither of them resembles Clarus in appearance.


Although not heard in Mac OS, Clarus has been attributed the sound of moof, a portmanteau of moo and woof, of course.

The next time you open the Page Setup dialog, spare a thought for Clarus the dogcow, still doing the same job nearly forty years later.

References

Wikipedia
Macintosh Technical Note 31: The Dogcow, April 1989, written by Mark “The Red” Harlan
History of the Dogcow Part 1, MacTech, by Mark “The Red” Harlan
History of the Dogcow Part 2, MacTech, by Mark “The Red” Harlan

Harriet Backer’s Nordic Light: to 1889

By: hoakley
30 August 2024 at 19:30

Harriet Backer (1845–1932) is one of Norway’s most famous artists, a pioneering woman painter, and an influential teacher. Despite an internationally successful career, she’s now hardly known outside her native country. This is the first of two articles in which I show a small selection of her finest paintings.

Born into a wealthy family living at Holmestrand on the west bank of Oslofjord, south of Oslo, she showed an early aptitude for drawing. When the family moved to Oslo in 1857 she was originally sent to a school for governesses. She started drawing and painting lessons in Oslo in 1867, and was able to travel in the company of her sister, the concert pianist and composer Agathe Backer-Grøndahl. Her talent was recognised, and in 1874 she went to Munich where she became a pupil of her compatriot Eilif Peterssen.

Harriet Backer (1845–1932), Avskjeden (The Farewell) (1878), oil on canvas, 81.5 x 89 cm, Nasjonalgalleriet, Oslo. Wikimedia Commons.

Avskjeden (The Farewell) (1878) was probably Backer’s first successful painting. It shows a grown daughter, left of centre, bidding farewell to her family as she leaves home. She probably painted this from her own emotional experience, as her father died in 1877, and she had informed her mother that she did not intend returning home, but would pursue her painting career instead.

It also marked the year that she went to Paris, where she was a pupil of Léon Bonnat and Jean-Léon Gérôme, and for a brief time of Jules Bastien-Lepage.

Harriet Backer (1845–1932), Solitude (c 1880), media and dimensions not known, Private collection. The Athenaeum.

In France, her style started to loosen up: Solitude from about 1880 was another early success, and her first painting accepted for the Salon that year. This was one of her first interiors featuring limited light, whose play was to become a dominant theme in her paintings. Although she remained based in Paris, she returned to Norway each summer, where she seems to have painted mostly landscapes.

Harriet Backer (1845–1932), Blått interiør (Blue Interior) (1883), oil on canvas, 84 x 66 cm, Nasjonalgalleriet, Oslo. Wikimedia Commons.

Asta Nørregard, another Norwegian painter studying in Paris at the time, modelled for her Blått interiør (Blue Interior) (1883). This develops the theme of the play of light from the window on the person and contents of the interior of the room, its composition complicated by the large mirror at the left. Her brushstrokes are now overtly painterly, and bright colours are starting to bring harmonies and contrasts.

Harriet Backer (1845–1932), To barn og tregruppe (Two children and a group of trees) (1885), oil on canvas, 62 x 87 cm, Private collection. Wikimedia Commons.

To barn og tregruppe (Two children and a group of trees) (1885) is a good example of Backer’s summer landscapes, which were probably at least started en plein air, if finished in the studio, perhaps. She had learned to paint outdoors in Paris, where it had become generally popular, not just among the Impressionists.

Harriet Backer (1845–1932), På Bleikeplassen, Jæren (At the Bleaching Place, Jæren) (1886), media not known, 53 x 72 cm, location not known. Wikimedia Commons.

På Bleikeplassen, Jæren (At the Bleaching Place, Jæren) (1886) is a pure plein air oil sketch, in which time didn’t permit the addition of details to the buildings or figures. It shows three women hard at work laying linen garments out to bleach in the sunshine.

Harriet Backer (1845–1932), På blekevollen (Bleaching Linen) (1886-7), oil on canvas, dimensions not known, Bergen Kunstmuseum. Wikimedia Commons.

På blekevollen (Bleaching Linen) (1886-7) is a more finished painting of similar activity. At this time her style was clearly Impressionist, but expressed in her distinctive manner.

Harriet Backer (1845–1932), Chez Moi (1887), oil on canvas, 88.5 x 100 cm, Nasjonalgalleriet, Oslo. Wikimedia Commons.

Back in Paris, she continued to explore the play of light in interiors, with Chez Moi from 1887 as an example. She strikes a good balance between fine detail and the more painterly: the piano keys, dress, plant, and reflections on the pictures hanging on the wall, are each shown with precision.

In 1888 she finally returned to Norway and settled in Sandvika, on the outskirts of Oslo. There she continued to concentrate on interiors, including those illuminated by lamplight.

Harriet Backer (1845–1932), Landskap fra Ulvin (Landscape from Ulvin) (1889), oil on canvas, 38.1 x 53.1 cm, Drammens Museum for kunst og kulturhistorie, Drammen, Norway. The Athenaeum.

During the summer, she still went out into the rich countryside to paint en plein air and capture the glorious colours of the intense Norwegian summer. Her Landskap fra Ulvin (Landscape from Ulvin) (1889) is a good example; sadly, relatively few of her landscapes seem to have made their way into public collections, remaining in private ownership and inaccessible.

Growing recognition, including the award of a silver medal at the Exposition Internationale of 1889, brought requests for her to take on pupils, and in that year she started teaching in what soon developed into a thriving art school. The final years of the 1800s and the start of the new century marked the peak of her career, with a succession of major paintings in addition to that teaching, as I’ll show in next week’s second and concluding article.

References

Wikipedia (English), Wikipedia (Norwegian).
Many of her best paintings are in Nasjonalmuseet, Oslo, where they’re viewable online.

Advanced SilentKnight: updating macOS and avoiding updates

By: hoakley
30 August 2024 at 14:30

Although we won’t know for sure until Apple releases the upgrade to macOS Sequoia next month, once again it will probably be presented as an update rather than a macOS upgrade. This means that, instead of Software Update downloading a complete Sequoia installer app, if you do choose to upgrade, it will be run through Software Update the same way that it might have updated from 14.5 to 14.6.

Although this is more efficient, resulting in a smaller update and faster completion, it also opens up the possibility of human error: what if you accidentally opt to upgrade, or click on SilentKnight’s Install all updates button? This article explains how you can stop that upgrade from completing, and how you could upgrade using SilentKnight instead of Software Update.

Updating or upgrading macOS

When SilentKnight has completed checking for updates, if there’s a macOS update or upgrade available you can install it if you wish, from within SilentKnight. Although my personal preference is to hand macOS updates over to Software Update in Settings, SilentKnight should also work fine, up to a point.


To test this, I opened a VM running Sonoma 14.6, with XProtect 5270 and XPR 140. When it had found all three updates available, I clicked on the Install all updates button, just as I have always advised you not to! SilentKnight proceeded to download the macOS 14.6.1 update, but once that was complete it failed to install it. It then proceeded to download the XProtect and XPR updates, which it did successfully install on its own.


There was a vague notification that “Some updates could not be installed”, and the VM was left in 14.6, with XProtect and XPR correctly updated.


At that stage, Software Update stated the 14.6.1 update was available, offering a Restart Now button. When I clicked on that, the VM restarted and installed the 14.6.1 update successfully.

SilentKnight doesn’t provide the handy progress indicator that Software Update does, but just turns its busy spinner until the updates have finished. So you may still prefer to install macOS updates using Software Update. However, the end result should be just the same if you let SilentKnight do it, and finish off the installation using Software Update.

Downloading updates


Using another copy of the same VM running Sonoma 14.6 with outdated XProtect and XPR, I set SilentKnight’s settings to download but not install updates, then clicked the Download all updates button.

This left all the updates uninstalled, but there was no sign of them in the standard /Library/Updates folder as documented for softwareupdate. I looked high and low for those updates, but was unable to find them anywhere. I therefore recommend that you don’t use this option until someone has worked out where those downloaded updates are kept.

Unwanted macOS updates

If you click either the Install all updates or Download all updates button and one of the updates is for macOS, that will leave Software Update poised to complete the installation. If you didn’t want to install that macOS update, there is a way that you can now persuade Software Update to forget that it has been downloaded and is waiting, ready to install. This is most useful if you didn’t intend updating macOS, and now want to undo the process.

Shut your Mac down, then start it up in Safe mode. Leave it there for a minute or so, then restart it back into normal mode. Those uninstalled updates should now have been flushed, and Software Update is back to where it started.

Summary

  • You should now be able to install macOS updates using SilentKnight if you wish. When warned that some updates weren’t installed, open Software Update settings and complete the installation there using the Restart Now button.
  • Don’t use SilentKnight’s setting to only download but not install updates, as the downloaded updates can’t be found and used.
  • If you inadvertently click the Install all updates button and want to reverse that for a macOS update, let the download complete, shut down, start up in Safe mode, wait a minute, then restart in normal mode.
  • These apply to Apple silicon Macs, and are untested in Intel Macs, although there’s no reason to believe they should differ there.

The Real Country: 2 The sower

By: hoakley
29 August 2024 at 19:30

For countless generations, since humans first started farming the land, improving the soil and fields has been a constant task. Once the plough has passed, there’s still work to be done in many areas, where there are stones mixed in the soil. This has been the burden of those who have worked the land, and has been featured in occasional paintings.

Hans Andersen Brendekilde (1857–1942), Worn Out (1889), oil on canvas, 207 x 270 cm, Fyns Kunstmuseum, Odense, Denmark. Wikimedia Commons.

Hans Andersen Brendekilde’s Worn Out (1889) follows in the Naturalist tradition of Jules Bastien-Lepage. An old man has collapsed when working in the fields. A younger woman, his daughter perhaps, is giving him aid and shouting for all she’s worth to summon assistance. The soil around them is poor, and full of flints; the two were engaged in the toil of the poorest of the poor, picking out the large stones and putting them into piles for collection. It’s backbreaking work for the young, and clearly proved too much for this man.

Once ploughed to a fine tilth and rid of its stones, the soil is ready for the seed of the next crop, accomplished by manual broadcasting, a term in common use long before it came to be applied to radio then TV transmissions.

Sowing is one of the basic tasks in arable farming, and one at the heart of the changes that took place between 1600 and 1900. Broadcasting is tedious, time-consuming and inefficient in use of seed, making it one of the first tasks for attempts to mechanise farming. Although early types of seed drill had been tried before, it’s Jethro Tull, an English gentleman farmer from the early eighteenth century, who has generally been credited with inventing the first successful seed drill, in 1701. Today his name is better-known as that of one of the great rock bands formed in 1967.

Alongside the use of a seed drill was the requirement for a horse hoe, a light and small plough drawn by a single horse, to ensure the seed was well covered by soil. Unfortunately, early drills proved too fragile for general use, and it wasn’t until the early nineteenth century that metal could be turned to manufacture more durable drills, which became widespread across Western Europe during the rest of that century. However, contemporary painting continued to show sowers still broadcasting seed.

Jean-François Millet (1814–1875), The Sower (1850), oil on canvas, 101.6 x 82.6 cm, Museum of Fine Arts, Boston, MA. Wikimedia Commons.

The first of these is Jean-François Millet’s The Sower, completed in 1850, shown at the Salon that year and now recognised as his first real masterpiece. It shows an agricultural worker striding across a field, broadcasting seed for the summer’s crop. In the distance to the right, and caught in the sunlight, is another worker harrowing with a pair of oxen. This was being used to ensure the seed sown was covered with soil, and not exposed to the flurry of birds trying to eat any seed left on the surface.

Jean-François Millet (1814–1875), The Sower (c 1865), pastel and crayon on paper or pastel and pastel on paper (cream buff paper), 43.5 × 53.5 cm, Walters Art Museum, Baltimore, MD. Wikimedia Commons.

Millet revisited his successful painting of a sower from fifteen years earlier, here with two pastel paintings with the same title, The Sower, from around 1865. That above is now in the Walters, and that below in the Clark. These feature a different background, including the tower of Chailly, harrowing using a pair of horses, and a swirling flock of crows in the sky.

Jean-François Millet (1814–1875), The Sower (1865-66), pastel and crayon on beige wove paper mounted on board (Conté crayon, wood-pulp board), 47.1 × 37.5 cm, Sterling and Francine Clark Art Institute, Williamstown, MA. Wikimedia Commons.

By the late nineteenth century, manual broadcasting was becoming less common as farms turned to seed drills, but the image of the sower continued to appear in paintings.

Hans Thoma (1839–1924), Säender Bauer (Sowing Farmer) (1886), oil on canvas, 60.5 × 73 cm, location not known. Wikimedia Commons.

The title of Hans Thoma’s Säender Bauer (1886) apparently means Sowing Farmer (thanks to Gregory for his accurate translation). A sower in Millet’s tradition is at work in the ploughed field in the foreground. Beyond, the heavens have opened in a sudden downpour. Two years later, when he was living in Arles in November 1888, Vincent van Gogh painted his version of The Sower.

Albin Egger-Lienz (1868–1926), The Sower (1903), oil on canvas, 177 x 156 cm, Museum Schloss Bruck, Lienz, Austria. Wikimedia Commons.

Millet’s influence is also manifest in the first of Albin Egger-Lienz’s versions of The Sower, from 1903, a motif which was to recur in his later works. Its earth colours, increasing looseness, and emphasis on simplicity were to set the style for much of the rest of his career.

Laurits Andersen Ring (1854–1933), The Sower (1910), oil on canvas, 186.5 x 155.5 cm, Statens Museum for Kunst (Den Kongelige Malerisamling), Copenhagen, Denmark. Wikimedia Commons.

Laurits Andersen Ring admired Millet’s social realism, and would undoubtedly have seen at least one of Millet’s depictions of this motif. In 1910, Ring painted this, The Sower, in such great detail that you can see every seed frozen in mid-air. This suggests that he may have been influenced by photography, the first means of producing such images.

Hans Andersen Brendekilde (1857–1942), A Sower on a Sunny Spring Day at Brendekilde Church (1914), oil on canvas, 49 x 76 cm, Private collection. Wikimedia Commons.

Ring’s friend and contemporary Hans Andersen Brendekilde responded in 1914 with A Sower on a Sunny Spring Day at Brendekilde Church. This is thought to show Holme-Olstrup Church, near Næstved on the island of Sjælland (Zealand), close to where Brendekilde was born and from where he had taken his name. The sower, walking over poor soil with abundant stones, has been identified as Ole Frederik Jensen (1870-1953).

This motif seems to have long outlasted the practice of broadcasting. By 1900, even gardeners and smallholders were being offered mechanical seed drills. As those used less than a third of the seed required for broadcasting, it’s hard to see any farmer in the early twentieth century still preferring traditional methods.

With the young plants growing vigorously, all that remained for the growing season was to keep them free from weeds, another laborious and back-breaking task often assigned to women.

Jules Breton (1827–1906), The Weeders (1868), oil on canvas, 71.4 × 127.6 cm, The Metropolitan Museum of Art, New York, NY. Wikimedia Commons.

The Weeders (1868) is a smaller variant of a painting of the same name that Jules Breton made in 1860, which was acclaimed when exhibited in the Salon the following year and the Exposition Universelle in 1867. Set in the fields just outside Courrières, the labourers are pulling up thistles and other weeds until the last moment that there is insufficient light for them to work any longer. Breton wrote of their faces encircled by the pink transparency of their violet bonnets, as if worshipping the life-giving star.

Although only peasants, the light transforms these women into classical beauties, an observation made by the critics at the time. This gives rise to a phenomenon repeated across Breton’s panoramas of country work, in which these classical figures appear in thoroughly socially-realist landscapes, showing their sanctity in labour.

Jakub Schikaneder (1855–1924), Plečka (Weeder) (1887), further details not known. Wikimedia Commons.

Jakub Schikaneder’s Weeder (1887) shows a woman bent double as she pulls weeds from a young crop, and would pass for a social realist work from the likes of Millet or Breton.

Launching apps in Sonoma 14.6.1: Known malware

By: hoakley
29 August 2024 at 14:30

Previous articles in this series described how macOS 14.6.1 security systems check the launch of apps when full security is in force on an Apple silicon Mac, and how those are changed by disabling SIP and Gatekeeper checks. Those have shown how checks are layered in accordance with the Security architecture of macOS, how different layers are invoked according to the status of an app (whether it’s quarantined, notarized, or has been run previously), and how extensive are the effects of disabling SIP. But no account of app security can be complete without examining how it protects against real malware, the aim of this article.

Methods

In these tests, I have again run four variants of the same 14.6.1 VM:

  • Full Security, with SIP and Gatekeeper/XProtect enabled;
  • Full Security, with Gatekeeper/XProtect disabled;
  • Permissive Security, with SIP disabled;
  • Permissive Security, with both SIP and Gatekeeper/XProtect disabled.

Samples of malicious software were obtained from the Objective-See Foundation’s collection. Three were chosen:

  • Atomic Stealer (AMOS, or Soma)
  • Genieo (InstallMac)
  • XCSSET

These were downloaded directly to each of the four VMs, when they were running in isolation in ViableS. Each was then unZipped and the contents moved to the Documents folder to try to ensure that their code wouldn’t be subjected to app translocation. Full log extracts were obtained from the Full Security VM for the first 5 seconds after launching Atomic Stealer and XCSSET; as the Genieo sample only installed its payload and didn’t launch its code, no log record was obtained for that. Log records weren’t obtained for the other three VMs, although the results of running the malicious payloads were observed for comparison against those of the Full Security VM.

Atomic Stealer

This was presented in a disk image that hadn’t been signed by a Developer certificate, and encouraged the user to try to bypass full Gatekeeper checks by opening the malicious payload CardGame.app using the Open command in the Finder’s contextual menu, a common strategy adopted by malware developers. This ruse was spotted early as a security exception with the code -67062, indicating that the disk image was unsigned, and that resulted in the app being translocated in its disk
SecTranslocateCreateSecureDirectoryForURL: created /private/var/folders/s0/[…]/CardGame.app
This appears to be a less usual cause of translocation, although strictly within its rules.

AMFI quickly found a code signature issue, as reported by the kernel
AMFI: '/private/var/folders/s0/[…]/CardGame.app/Contents/MacOS/My Go Application.app' has no CMS blob?
AMFI: '/private/var/folders/s0/[…]/CardGame.app/Contents/MacOS/My Go Application.app': Unrecoverable CT signature issue, bailing out.
AMFI: code signature validation failed.

Gatekeeper and XProtect scans followed, and the CDHashes were checked with Apple’s database over CloudKit. This discovered that one of the hashes had been revoked
Notarization daemon found revoked hash: {length = 20, bytes = 0xe430ea6d59a70ac00c1b8552092f4de0bbb80232}
resulting in another security exception, this time of -66992, confirming that this code has been revoked. That check was then repeated with the same result.

Shortly after that, the XProtect scan was completed, finding a match for Atomic Stealer A
GK Xprotect results: PST: (vuid: 11F66D42-5827-3465-A741-F434860C2862), (objid: 20), (team: (null)), (id: (null)), (bundle_id: (null)), XPScan: 11,-7676743164328624005,2024-08-27 07:31:10 +0000,MACOS.SOMA.A
and the decision was made to present the malware warning prompt
present prompt: uid=501, conn=yes, type=Malware, op.ident=2F90B5EF-D483-43C7-BBD1-77E8EABF4D62, info.ident=8D56578B-833F-4629-86F0-4E0A8EDD7D49, info={<private>}
indicating that it’s game over for the CardGame app and its disk image.

This sample of Atomic Stealer was thus detected by two different and independent methods: its CDHash ‘notarization’ check revealing its revocation, and the XProtect scan matching it to the known signature of MACOS.SOMA.A. As the first of those is unaffected by disabling SIP or Gatekeeper, it’s not surprising that the sample was detected and blocked in each of the four VMs.

Genieo

This was presented in an Installer package as an Intel binary. This claimed to install “Apple software” and triggered a request to download and install Rosetta 2 if that wasn’t already available. The installer appeared to complete without eliciting any warnings, and it’s presumed that the malware would either have been detected later when there was an attempt to launch it, or in an XProtect Remediator scan.

All four VMs behaved identically, and there was no sign of recognition that the software installed might be malicious. This raises questions about the security inherent to Installer packages and whether there might be exploits available using Intel binaries in Rosetta 2, given that it re-signs translated executable code.

XCSSET

This was presented in a bogus app named Xcode. Attempting to run that resulted in its detection, and the invitation to remove it, in this case without it being positively identified.

As this was presented as an app containing unsigned code, that came under suspicion early during its assessment, and it was translocated even though it had been moved from its original location
SecTranslocateCreateSecureDirectoryForURL: created /private/var/folders/s0/[…]/Xcode.app
That appears to have occurred beyond previous rules for translocation.

Gatekeeper and XProtect scans followed, and it was confirmed that the code was unsigned
Error Domain=NSOSStatusErrorDomain Code=-67062
Unsigned code in: PST: (vuid: 7C5C43BF-A338-4228-B61E-5038F1D93EDB), (objid: 81906), (team: (null)), (id: (null)), (bundle_id: (null))

CDHash checks using CloudKit didn’t find a match, and were simply reported as
ticket not available: <private>
Gatekeeper’s scan reported that the app didn’t contain a bundle, but XProtect found no match with current Yara rules. The decision was made to present the malware warning prompt
present prompt: uid=501, conn=yes, type=Malware, op.ident=A66F9ED6-EDE7-48E9-B1F8-74CB77C43C9E, info.ident=39D1FBB5-2620-483B-AD3C-6FC5118A406F, info={<private>}
and the attempt to launch the app was blocked.

As these traits would still be detected with SIP and Gatekeeper disabled, all four VMs blocked the code and displayed the same alert to the user.
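The log extracts quoted in the Atomic Stealer and XCSSET sections can be reduced to the layer that caught each sample. This is an added example, not code from the original article or from Apple: the function name, trait labels and verdict strings are its own, it matches message text only, and it assumes the last XPScan field carries the matched rule name, as in the single result line quoted above.

```python
import re

# Message text quoted in the article (Full Security VM). Real `log show` output
# prefixes each entry with a timestamp and process; search() ignores that.
ATOMIC_STEALER_LOG = [
    "SecTranslocateCreateSecureDirectoryForURL: created /private/var/folders/s0/[…]/CardGame.app",
    "AMFI: '/private/var/folders/s0/[…]/CardGame.app/Contents/MacOS/My Go Application.app' has no CMS blob?",
    "AMFI: code signature validation failed.",
    "Notarization daemon found revoked hash: {length = 20, bytes = 0xe430ea6d59a70ac00c1b8552092f4de0bbb80232}",
    # The article notes that the revocation check was repeated with the same result.
    "Notarization daemon found revoked hash: {length = 20, bytes = 0xe430ea6d59a70ac00c1b8552092f4de0bbb80232}",
    "GK Xprotect results: PST: (vuid: 11F66D42-5827-3465-A741-F434860C2862), (objid: 20), (team: (null)), (id: (null)), (bundle_id: (null)), XPScan: 11,-7676743164328624005,2024-08-27 07:31:10 +0000,MACOS.SOMA.A",
    "present prompt: uid=501, conn=yes, type=Malware, op.ident=2F90B5EF-D483-43C7-BBD1-77E8EABF4D62, info.ident=8D56578B-833F-4629-86F0-4E0A8EDD7D49, info={<private>}",
]
XCSSET_LOG = [
    "SecTranslocateCreateSecureDirectoryForURL: created /private/var/folders/s0/[…]/Xcode.app",
    "Error Domain=NSOSStatusErrorDomain Code=-67062",
    "Unsigned code in: PST: (vuid: 7C5C43BF-A338-4228-B61E-5038F1D93EDB), (objid: 81906), (team: (null)), (id: (null)), (bundle_id: (null))",
    "ticket not available: <private>",
    "present prompt: uid=501, conn=yes, type=Malware, op.ident=A66F9ED6-EDE7-48E9-B1F8-74CB77C43C9E, info.ident=39D1FBB5-2620-483B-AD3C-6FC5118A406F, info={<private>}",
]

# Meanings as given in the article for the two security exception codes.
OSSTATUS_MEANING = {-67062: "unsigned code", -66992: "revoked"}

# Suspicious traits: these raise concern but do not name the malware.
TRAIT_PATTERNS = {
    "translocated": re.compile(r"SecTranslocateCreateSecureDirectoryForURL: created "),
    "amfi_signature_failure": re.compile(r"AMFI: code signature validation failed"),
    "unsigned_code": re.compile(r"Unsigned code in:"),
    "no_notarization_ticket": re.compile(r"ticket not available"),
}
# Positive identifications: a revoked CDHash or an XProtect Yara rule match.
RE_REVOKED = re.compile(
    r"Notarization daemon found revoked hash: \{length = \d+, bytes = 0x([0-9a-fA-F]+)\}")
RE_XPROTECT = re.compile(r"GK Xprotect results: .*XPScan: .*,\s*(MACOS\.[\w.]+)\s*$")
RE_OSSTATUS = re.compile(r"NSOSStatusErrorDomain Code=(-?\d+)")
RE_PROMPT = re.compile(r"present prompt: .*\btype=(\w+)")


def triage(lines):
    """Summarise which macOS check flagged a launch, from log message text."""
    traits, hashes, rules, codes, prompt = set(), [], [], {}, None
    for line in lines:
        for trait, pattern in TRAIT_PATTERNS.items():
            if pattern.search(line):
                traits.add(trait)
        if m := RE_REVOKED.search(line):
            if m.group(1) not in hashes:      # repeated checks log the same hash
                hashes.append(m.group(1))
        if m := RE_XPROTECT.search(line):
            if m.group(1) not in rules:
                rules.append(m.group(1))
        if m := RE_OSSTATUS.search(line):
            code = int(m.group(1))
            codes[code] = OSSTATUS_MEANING.get(code, "not described in the article")
        if m := RE_PROMPT.search(line):
            prompt = m.group(1)

    identified_by = []
    if hashes:
        identified_by.append("cdhash_revoked")   # survives disabling SIP/Gatekeeper
    if rules:
        identified_by.append("xprotect_match")
    blocked = prompt == "Malware"
    if identified_by:
        verdict = "identified"
    elif blocked:
        verdict = "blocked_unidentified"          # e.g. unsigned code, no rule match
    else:
        verdict = "no_detection_logged"
    return {
        "traits": sorted(traits),
        "revoked_cdhashes": hashes,
        "xprotect_rules": rules,
        "osstatus": codes,
        "blocked": blocked,
        "identified_by": identified_by,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, log in (("Atomic Stealer", ATOMIC_STEALER_LOG), ("XCSSET", XCSSET_LOG)):
        print(name, triage(log))
```

An empty input, as for the Genieo installer where no launch log was obtained, returns `no_detection_logged`.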

Limitations

In reality, it’s common for attacks to consist of the initial download of a small dropper, which in turn downloads the main payload. One of the disadvantages of testing malware samples is that this presentation of the payload can’t be taken into account. Payloads are often downloaded using methods that escape quarantine. Another significant difference is that samples often lack code signatures that may be present in the originals, and may change frequently as Developer certificates are revoked and replaced.

Detection information

There appears to be almost no information on how macOS detects different groups of malicious software. Inevitably, Apple provides none at all, and few in-depth analyses of malware give any details about its presentation, in terms of any signatures used, and whether they or CDHashes have since been revoked by Apple. This is a difficult area, given that many of those who analyse and report on malware work for vendors of security products. There appears to be a valuable role for independent assessment of whether and how detection takes place in macOS, major factors in any risk assessment.

I’d like to express my gratitude to the Objective-See Foundation for collecting and making available its extensive library of malware samples, without which none of these tests would have been possible.

Apple has just released an update to XProtect

By: hoakley
29 August 2024 at 02:09

Apple has just released an update to XProtect for all versions of macOS from El Capitan or so, bringing it to version 5272. Apple has now released this for Sequoia betas as well, using their new update mechanism.

Apple doesn’t release information about what security issues this update might add or change. This makes a small amendment in the Yara definitions to the detection signature for MACOS.d98ded3, and adds another rule to those to detect MACOS.DOLITTLE, in MACOS.DOLITTLE.DOFSTRGT.

You can check whether this update has been installed by opening System Information via About This Mac, and selecting the Installations item under Software.

A full listing of security data file versions is given by SilentKnight, LockRattler and SystHist for El Capitan to Sonoma available from their product page. If your Mac hasn’t yet installed this update, you can force it using SilentKnight, LockRattler, or at the command line.

If you want to install this as a named update in SilentKnight, its label is XProtectPlistConfigData_10_15-5272.

If you’re running a Sequoia beta and are still stuck at 5271, don’t worry if
sudo xprotect check
doesn’t offer you the update to 5272. Ignore it and run
sudo xprotect update
and with any luck it will update your Mac to 5272.

I have updated the reference pages here which are accessed directly from LockRattler 4.2 and later using its Check blog button.

I maintain lists of the current versions of security data files for Sonoma on this page, Ventura on this page, Monterey on this page, Big Sur on this page, Catalina on this page, Mojave on this page, High Sierra on this page, Sierra on this page, and El Capitan on this page.

Updated with details of Sequoia beta update at 1902 GMT 28 August 2024.

Reading visual art: 153 Catasterisation and assumption

By: hoakley
28 August 2024 at 19:30

In yesterday’s article, I showed examples of apotheoses. Following a couple of even more liberal interpretations, this article moves on to the second and third items in this list:

  • Apotheosis, when a pre-christian hero is elevated to the status of god or goddess;
  • Catasterisation, when a mortal is changed into a celestial body such as a star or constellation;
  • Assumption, when the Virgin Mary was taken up into Heaven;
  • Ascension, when Jesus Christ ascended into Heaven, and sometimes available to saints on their martyrdom.

Anne-Louis Girodet de Roussy-Trioson (1767–1824) (attr), Apotheosis of the French Heroes Who Died for the Fatherland during the War of Liberation, Ossian receiving the Ghosts of the French Heroes (c 1801), oil on canvas, 192 x 182 cm, Musée national des châteaux de Malmaison et de Bois-Préau, Paris. Wikimedia Commons.

Girodet’s painting of the Apotheosis of the French Heroes Who Died for the Fatherland during the War of Liberation, Ossian receiving the Ghosts of the French Heroes was probably completed in 1802, and is perhaps the most elaborate and complex painting inspired by the bogus Scottish poet Ossian. It’s unclear how those French war heroes became involved with Ossian, but it’s an extraordinary mixture of myths and legends from contrasting cultures.

Vasily Vereshchagin (1842–1904), The Apotheosis of War (1871), oil on canvas, 127 x 197 cm, Tretyakov Gallery Государственная Третьяковская галерея, Moscow, Russia. Wikimedia Commons.

In Vasily Vereshchagin’s bleak Apotheosis of War (1871), ravens/crows perch on a huge pile of human skulls in a barren landscape outside the ruins of a town.

A few Christian religious paintings came close to being apotheoses.

Alexandre Cabanel (1823–1889), The Death of Moses (1850), oil on canvas, 140 x 204 cm, Musée Fabre, Montpellier, France. Wikimedia Commons.

Alexandre Cabanel’s The Death of Moses (1850) tackles one of the vaguer episodes in the life of this Old Testament prophet. When he was 120 years old, according to the book of Numbers, Moses assembled the tribes of Israel on the banks of the River Jordan, reminded them of the laws under which they must live, sang a song of praise, blessed the people, and passed his authority to Joshua. He then ascended Mount Nebo, looked over the Promised Land, and died. Cabanel shows this as an apotheosis, with God the Father (upper left) welcoming Moses (centre right) with open arms.

Being transformed into a celestial body in catasterisation was an honour accorded those mortals who couldn’t aspire to deity, among them the giant Orion. He arrived at Chios, where he became drunk, and raped Merope, the daughter of Oenopion. As punishment for that, Oenopion blinded Orion and cast him from his land. Orion then went to Lemnos, where Hephaistos took pity on him, and lent him his servant Kedalion to sit astride his shoulders and act as his guide. An oracle advised Orion to proceed east into the rays of the rising sun, so that those rays would restore his sight. So cured, Orion then went to Crete to hunt.

There are differing accounts of Orion’s death. Some involve his love affair with Eos, which was opposed (possibly out of jealousy) by Artemis. In these, Artemis ended up killing Orion with her arrows. Other versions claim he was killed by a giant scorpion. In death, Artemis asked Zeus to catasterise him, together with the scorpion, to form the constellation Scorpio. Once there, Orion pursues the daughters known as the Pleiades, which form a prominent open star cluster nearby.

Nicolas Poussin (1594–1665), Landscape with Orion, Blind Orion Searching for the Rising Sun (1658), oil on canvas, 119.1 × 182.9 cm, Metropolitan Museum of Art, New York, NY. Wikimedia Commons.

Poussin’s Landscape with Orion, or Blind Orion Searching for the Rising Sun was painted late in his career, in 1658, at a time when the artist’s hands were suffering a tremor that was starting to disrupt his ability to paint. It is among his finest allegorical landscapes, and one of the most intensely studied works of his career.

Set in one of Poussin’s wonderful idealised landscapes, near the coast, the giant Orion is striding purposefully towards the rising sun. He carries a huge hunting bow, and a quiver taller than a man. Standing on his shoulders is Kedalion, servant to Hephaistos, who is acting as his guide. Above and beyond Orion is a strange formation of backlit cloud, generally interpreted as being storm-cloud. Atop that is the standing figure of Artemis, with her distinctive crescent moon coronet, and an owl perched on her left shoulder. She leans nonchalantly against the cloud, her head propped against her right hand. In the far distance is the sea, with a prominent lighthouse.

Daniel Seiter ( –1705), Diana by the Corpse of Orion (1685), 116 × 152 cm, Musée du Louvre, Paris. Image by Musée du Louvre/A. Dequier – M. Bard, via Wikimedia Commons.

There have been few other attempts to tell any part of the story of Orion on canvas. In 1685, Daniel Seiter ( –1705) painted this view of Diana by the Corpse of Orion, following in the brushstrokes of his teacher Johann Carl Loth. This shows Diana (Artemis), with her distinctive crescent moon, looking regretfully at the dead Orion, after she had killed him with her arrows.

Sidney Hall (1788–1831), Orion (1825), etching, hand-coloured, plate 29 in Urania’s Mirror, set of celestial cards, location not known. Restoration by Adam Cuerden, via Wikimedia Commons.

Sidney Hall’s etching of Orion, a hand-coloured plate in a set of celestial cards from 1825, is an ingenious lesson in observational astronomy.

The Pleiades were originally the seven daughters of the titan Atlas and the sea-nymph Pleione. When Atlas was made to carry the heavens on his shoulders, Orion started to pursue the Pleiades, so Zeus transformed them first into doves, then into stars. Their name is given to a star cluster, which appears to be chased across the night sky by the constellation of Orion.

Elihu Vedder (1836–1923), The Pleiades (1885), oil on canvas, 61.3 × 95.6 cm, The Metropolitan Museum of Art, New York, NY. Wikimedia Commons.

Elihu Vedder’s painting of The Pleiades (1885) was made in association with his first illustration for the Rubaiyat of Omar Khayyam, representing Khayyam’s horoscope. Each of the sisters is connected by a thread to their corresponding star, perhaps representing the process of catasterisation.

There are a great many paintings of the Assumption of the Virgin Mary, of which I show here just a tiny sample.

Francesco Botticini (1446–1498), Assumption of the Virgin (c 1475-76), tempera on wood, 228.6 x 377.2 cm, The National Gallery, London. Wikimedia Commons.

Francesco Botticini’s spectacular example painted in about 1475-76 places unusual emphasis on Paradise, with its triple tiers of figures rising to those of the Virgin Mary kneeling in front of Christ at its summit.

Jacopo Tintoretto (c 1518-1594), The Assumption of The Virgin (E&I 91) (c 1563), oil on canvas, 440 x 260 cm, Cappella di Santa Maria Assunta, Gesuiti, Venice, Italy. Image by Didier Descouens, via Wikimedia Commons.

Tintoretto painted several versions of The Assumption of The Virgin, this one for the Cappella di Santa Maria Assunta, in the Gesuiti, Venice. It’s thought that Tintoretto had promised to paint this in the style of Veronese.

Nicolas Poussin (1594–1665), The Assumption of the Virgin (c 1650), oil on canvas, 57 x 40 cm, Musée du Louvre, Paris. Wikimedia Commons.

Poussin’s Assumption of the Virgin from about 1650 is plainer and more orthodox.

Gaetano Previati (1852–1920), Assumption (c 1901-03), oil on canvas, 105 x 87 cm, Museo dell’Ottocento, Ferrara, Italy. Image by Nicola Quirico, via Wikimedia Commons.

Gaetano Previati’s Divisionist rendering of the Assumption from about 1901-03 shows a group of winged angels raising Mary’s body to Heaven.

Launching apps in Sonoma 14.6.1: Reduced security

By: hoakley
28 August 2024 at 14:30

In the first of these articles, I examined security aspects of the process of launching various app configurations in macOS Sonoma 14.6.1, on an Apple silicon Mac with full boot security and other security settings. This article moves on to discover how those change when boot security and security settings are reduced. Full details of how this was done are given in the previous article.

To remind you, the apps used were:

  • SystHist – notarized, quarantined, moved from its landing folder to avoid app translocation;
  • SilentKnight – notarized, not quarantined, previously run;
  • Sparsity – notarized, not quarantined, not previously run;
  • DelightEd3 – not notarized, signed with a Developer certificate, not quarantined, not previously run;
  • DelightEd3resigned – not notarized, ad hoc signed, not quarantined, not previously run.

None of the apps run in an app sandbox, and those notarized use a hardened runtime.

This article covers these three variants of the same 14.6.1 VM:

  • Full Security, with Gatekeeper/XProtect disabled;
  • Permissive Security, with SIP disabled;
  • Permissive Security, with both SIP and Gatekeeper/XProtect disabled.

In each VM, settings were confirmed using SilentKnight, which in turn calls standard system tools to determine current security settings, such as those when both SIP and Gatekeeper were disabled.

Gatekeeper disabled

Surprisingly, with Gatekeeper assessments disabled, com.apple.syspolicy.exec still reported that Gatekeeper assessments were made
GK process assessment: <private> <-- (<private>, <private>)
Gatekeeper assessment rooted at: <private>

and later
queueing up scan for code: PST: (vuid: 7C5C43BF-A338-4228-B61E-5038F1D93EDB), (objid: 69229), (team: (null)), (id: (null)), (bundle_id: (null))
GK performScan: PST: (vuid: 7C5C43BF-A338-4228-B61E-5038F1D93EDB), (objid: 69229), (team: QWY4LRW926), (id: (null)), (bundle_id: (null))

Following that, XProtect scanned
XPAssessment performAnalysisOnFileImpl continueOnError set to 0
Xprotect is performing a direct malware and dylib scan: <private>

using its standard Yara rules.

CloudKit ticket lookup also proceeded as normal. After a while, though, XProtect announced
Xprotect is skipping executable assessment: <private>

This concluded with
GK scan complete: PST: (vuid: 7C5C43BF-A338-4228-B61E-5038F1D93EDB), (objid: 69229), (team: QWY4LRW926), (id: (null)), (bundle_id: (null)), 4, 4, 0
and
GK evaluateScanResult: 0, PST: (vuid: 7C5C43BF-A338-4228-B61E-5038F1D93EDB), (objid: 69229), (team: QWY4LRW926), (id: co.eclecticlight.SystHist), (bundle_id: co.eclecticlight.SystHist), 1, 0, 1, 0, 4, 4, 0
GK eval - was allowed: 1, show prompt: 1

The normal prompt for user consent was displayed, and handled as expected. Following that, launch proceeded normally.

Similar entries appeared in the checks made on all apps that had undergone Gatekeeper and XProtect assessment when full security was in force. There is nothing in the log entries to indicate that disabling Gatekeeper had any effect on the checks that were made, although as none of these apps failed assessment, it’s possible that any failures would have been ignored.

SIP disabled

When SIP was disabled, the structure of pre-launch assessments changed, and appeared disordered in comparison to those performed under full security and with only Gatekeeper disabled. Most notable, perhaps, was the almost complete absence of log entries from the com.apple.syspolicy subsystem, which in full security is so prominent, although its service syspolicyd did appear in entries.

Although quarantine was recognised, no entry reported the start or conclusion of any GK (Gatekeeper) assessment, nor subsequent XProtect scans. Instead, the XProtect service wrote
Bundle is not apple signed
Bundle size result: 18388222 (YES)
Always scan: YES

Normal ticket checks were made via CloudKit, but shortly after those were completed, XProtect tried to use its standard Yara rules, and ran out of memory doing so, with the kernel reporting
process XprotectService [697] crossed memory high watermark (15 MB); EXC_RESOURCE
XProtectService therefore ran into trouble before it had even started to scan the app. While some entries suggested prompting the user for their consent, that doesn’t appear to have happened. Eventually the app launched in spite of the disorder that had preceded.

When launching a notarized app that wasn’t quarantined, neither Gatekeeper nor XProtect appear to have had any involvement in the approval of the launch.

SIP and Gatekeeper disabled

Results were essentially identical to those obtained with SIP alone disabled, even down to XProtectService exceeding its memory high watermark, and the almost complete absence of log entries from the com.apple.syspolicy subsystem.

SIP and Gatekeeper settings

Prior to examining these log records, I thought I had a clear idea as to what these two controls do. In fact, neither of them does what you’d expect.

Disabling Gatekeeper or XProtect checks doesn’t stop them from occurring, although it might result in macOS ignoring any errors they might find. That would be consistent with the statement in the spctl man page: “Operations that would be denied by system policy will be allowed to proceed; assessment APIs always report success.”

On the other hand, disabling SIP almost completely stops the whole com.apple.syspolicy subsystem, which ordinarily plays a major role in pre-launch checking of apps. This effectively kills both Gatekeeper and XProtect, leaving those checks in disarray. When the XProtectService tries to lend a hand, its attempt to ingest the current Yara rules runs it out of memory, and it appears unable to render any useful assistance to the pre-launch checks.

This may explain why disabling SIP has the effect of shortening the time to launch an app, most noticeably with larger and more complex apps. In return for launching in a shorter time, the app probably isn’t checked against XProtect’s Yara definitions, so could still contain malicious code that would pass undetected.
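The log messages quoted in the sections above can also be used to check whether the pre-launch assessment chain ran to completion for a given launch. This is an added example, not code from the original article or Apple's tooling: the stage names and state labels are its own, and it matches only the message text quoted here, without timestamps or subsystem fields.

```python
import re

# Message text quoted in the "Gatekeeper disabled" section of the article.
GATEKEEPER_DISABLED_LOG = [
    "GK process assessment: <private> <-- (<private>, <private>)",
    "Gatekeeper assessment rooted at: <private>",
    "GK performScan: PST: (vuid: 7C5C43BF-A338-4228-B61E-5038F1D93EDB), (objid: 69229), (team: QWY4LRW926), (id: (null)), (bundle_id: (null))",
    "Xprotect is performing a direct malware and dylib scan: <private>",
    "Xprotect is skipping executable assessment: <private>",
    "GK scan complete: PST: (vuid: 7C5C43BF-A338-4228-B61E-5038F1D93EDB), (objid: 69229), (team: QWY4LRW926), (id: (null)), (bundle_id: (null)), 4, 4, 0",
    "GK eval - was allowed: 1, show prompt: 1",
]
# Message text quoted in the "SIP disabled" section of the article.
SIP_DISABLED_LOG = [
    "Bundle is not apple signed",
    "Bundle size result: 18388222 (YES)",
    "Always scan: YES",
    "process XprotectService [697] crossed memory high watermark (15 MB); EXC_RESOURCE",
]

# Stages the article saw logged when the assessment chain was intact.
STAGES = {
    "gk_assessment": re.compile(r"GK process assessment:|Gatekeeper assessment rooted at:"),
    "gk_scan_started": re.compile(r"GK performScan:"),
    "xprotect_scan": re.compile(r"Xprotect is performing a direct malware and dylib scan"),
    "gk_scan_complete": re.compile(r"GK scan complete:"),
}
GK_EVAL = re.compile(r"GK eval - was allowed: (\d), show prompt: (\d)")
XP_SKIPPED = re.compile(r"Xprotect is skipping executable assessment")
XP_OOM = re.compile(
    r"process XprotectService \[(\d+)\] crossed memory high watermark \((\d+) MB\); EXC_RESOURCE")


def assess_launch(lines):
    """Report how far Gatekeeper/XProtect pre-launch checks got for one launch."""
    seen = dict.fromkeys(STAGES, False)
    report = {"allowed": None, "show_prompt": None,
              "xprotect_skipped_exec": False, "xprotect_oom_mb": None}
    for line in lines:
        for stage, pattern in STAGES.items():
            if pattern.search(line):
                seen[stage] = True
        if m := GK_EVAL.search(line):
            report["allowed"] = m.group(1) == "1"
            report["show_prompt"] = m.group(2) == "1"
        if XP_SKIPPED.search(line):
            report["xprotect_skipped_exec"] = True
        if m := XP_OOM.search(line):
            report["xprotect_oom_mb"] = int(m.group(2))

    report["missing_stages"] = [stage for stage, hit in seen.items() if not hit]
    if report["xprotect_oom_mb"] is not None:
        # XProtectService hit its memory limit: the Yara scan cannot be trusted.
        report["state"] = "xprotect_failed"
    elif not any(seen.values()):
        report["state"] = "no_assessment_logged"
    elif report["missing_stages"] or report["allowed"] is None:
        report["state"] = "partial"
    else:
        report["state"] = "complete"
    return report


if __name__ == "__main__":
    print(assess_launch(GATEKEEPER_DISABLED_LOG))
    print(assess_launch(SIP_DISABLED_LOG))
```

The Gatekeeper-disabled extract comes out as `complete`, which matches the observation that these entries alone don't reveal that Gatekeeper has been disabled; the setting itself has to be checked separately.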

In the next article I’ll show what does happen when this system encounters live malware.

Reading visual art: 152 Apotheosis

By: hoakley
27 August 2024 at 19:30

There are three events that have been widely depicted in European art that can readily be confused, and a fourth that doesn’t often appear in paintings. Each involves the elevation of a heroic figure from this earthly world into the heavens:

  • Apotheosis, when a pre-christian hero is elevated to the status of god or goddess;
  • Catasterisation, when a mortal is changed into a celestial body such as a star or constellation;
  • Assumption, when the Virgin Mary was taken up into Heaven;
  • Ascension, when Jesus Christ ascended into Heaven, and sometimes available to saints on their martyrdom.

This article considers the first of those, and its sequel tomorrow tackles the second and third. The last has seldom appeared explicitly in paint, except as the final scene in a series depicting the Passion and Crucifixion.

Strictly speaking, apotheosis was only open to demi-gods and -goddesses, one of whose parents was divine and the other mortal. However, it later became open to anyone whose achievements were sufficiently heroic that they merited promotion to deity.

Giovanni Domenico Tiepolo (1727–1804), The Apotheosis of Hercules (c 1765), oil on canvas, 102 x 86 cm, Museo Thyssen-Bornemisza, Madrid, Spain. Wikimedia Commons.

What happened to Hercules at the end of his life, when he threw himself on his pyre, has resulted in confused imagery, such as Tiepolo’s wonderful The Apotheosis of Hercules (c 1765). Because Hercules was the son of Jupiter/Zeus, as his body was burning, Jupiter decreed that only his mortal ‘half’ would be consumed by fire. His divine part was then conveyed in a chariot in an apotheosis to the gods on Olympus, often portrayed as a saintly ascension. Once there, Hercules reconciled previous quarrels with Juno/Hera, and, as a god in his own right, married Hebe (the Roman Juventas), his half-sister, as classical deities were wont to do.

Peter Candid (c 1548–1628), Aeneas Taken to Olympus by Venus (date not known), media and dimensions not known, Kaiser-Friedrich-Museums-Verein, Berlin, Germany. Wikimedia Commons.

Peter Candid’s Aeneas Taken to Olympus by Venus from around 1600 shows Venus at the right, in her chariot with Cupid, anointing Aeneas, on the left, with nectar and ambrosia. Above them is the pantheon, arrayed in an imposing semicircle, and above them Jupiter himself, clutching his thunderbolts and ready to receive the new god. Aeneas qualified on the grounds that he was the son of Aphrodite/Venus by his mortal father Anchises.

Charles Le Brun (1619–1690), The Deification of Aeneas (c 1642-44), oil on canvas, dimensions not known, Montreal Museum of Fine Arts / Musée des Beaux-arts de Montréal, Montreal, Canada. Image by Thomas1313, via Wikimedia Commons.

Charles Le Brun painted The Deification of Aeneas in about 1642-44. This is a faithful depiction from Ovid’s Metamorphoses, with the river god Numicus sat in the front, and Venus anointing Aeneas with ambrosia and nectar to make him immortal as the god Jupiter Indiges. At the right is Venus’ mischievous son Cupid, trying on Aeneas’s armour, and the chariot towed by white doves is ready to take the hero up to join the gods.

Giovanni Battista Tiepolo (1696-1770), The Apotheosis of Aeneas (sketch) (c 1765), oil on canvas, 72.2 x 51.1 cm, Harvard Art Museums/Fogg Museum (Allston Burr Bequest Fund), Cambridge, MA. Courtesy of Harvard Art Museums/Fogg Museum.

Tiepolo’s sketch for a fresco ceiling in the Royal Palace in Madrid, The Apotheosis of Aeneas from about 1765, is another impressive account. The artist made this a little more elaborate by combining the apotheosis with the presentation of arms to Aeneas by his mother Venus. Aeneas is to the left of centre, dressed in prominent and earthly red. Above and to the right of him is his mother, Venus, dressed in white, ready to present the arms forged for him by Vulcan, her partner, who is shown below supervising their fabrication. Aeneas’ destination is the Temple of Immortality, glimpsed above and to the left of him, through a break in the divine clouds.

Jean-Baptiste Nattier (1678–1726), Romulus being taken up to Olympus by Mars (c 1700), oil on canvas, 99 × 96.5 cm, Muzeum Kolekcji im. Jana Pawła II, Warsaw, Poland. Wikimedia Commons.

Jean-Baptiste Nattier is perhaps the only artist to have painted the apotheosis of the founder of Rome, in his Romulus being taken up to Olympus by Mars from about 1700. Mars is embracing Romulus, with the standard of Rome being borne at the lower left, and the divine chariot ready to take Romulus up to the upper right corner, where the rest of the gods await him. Romulus qualified by virtue of his father being Mars, while his mortal mother was Rhea Silvia.

In post-classical history and legend, apotheosis was opened up more, and became an opportunity to fill a painting with an array of memorable figures in what’s more of a tribute than an elevation to heaven.

Jean Auguste Dominique Ingres (1780–1867), Apotheosis of Homer (1827), oil on canvas, 386 x 515 cm, Musée du Louvre, Paris. Wikimedia Commons.

JAD Ingres’ Apotheosis of Homer from 1827 gathers together all those figures for whom Ingres had greatest respect, and who were major influences on him. Although its own narrative is very simple, it invokes and pays tribute to those whom Ingres saw as the great masters of narrative.

The group is posed on the steps in front of a classical Greek theatre, in formal symmetric composition. Homer sits at its centre, being crowned with laurels by the winged figure of the Universe.

Jean Auguste Dominique Ingres (1780–1867), Apotheosis of Homer (detail) (1827), oil on canvas, 386 x 515 cm, Musée du Louvre, Paris. Wikimedia Commons.

Among those standing at the left are Dante, Virgil, Raphael, Sappho, Apelles, Euripides, Sophocles (holding a scroll), and the personification of the Iliad (seated, in red); in the lower file are Shakespeare, Tasso, Poussin, and Mozart.

Jean Auguste Dominique Ingres (1780–1867), Apotheosis of Homer (detail) (1827), oil on canvas, 386 x 515 cm, Musée du Louvre, Paris. Wikimedia Commons.

From the right are, among others, Alexander the Great, Aristotle, Michelangelo, Socrates, Plato, Hesiod, Aesop (under the lyre), and the personification of the Odyssey (seated, in green, with an oar); in the lower file are Gluck, Molière, and others less known today.

Henry de Bourbon, King Henry IV of France, was the son of Jeanne III of Navarre and her husband Antoine de Bourbon, King of Navarre, neither of whom had any claim to deity. When Peter Paul Rubens was painting his vast cycle for Marie de’ Medici, he started its second half with Henry’s apotheosis or assumption, following the king’s assassination on the day after Marie’s coronation ceremony.

Peter Paul Rubens (1577–1640), The Apotheosis of Henry IV and the Proclamation of the Regency of Marie de Médicis, 14 May 1610 (c 1622-25), oil, dimensions not known, Alte Pinakothek, Munich. Wikimedia Commons.

This is shown more clearly in this oil study (above) now in the Alte Pinakothek in Munich. Below is the finished painting now in the Louvre’s dedicated gallery.

Peter Paul Rubens (1577–1640), The Apotheosis of Henry IV and Homage to Marie de’ Medici (Marie de’ Medici Cycle) (c 1622-25), oil on canvas, 394 x 727 cm, Musée du Louvre, Paris. Wikimedia Commons.

As in the rest of the cycle, Rubens doesn’t depict a real scene from history, but shows it in allegorical terms, using figures from classical mythology mixed with those from real history. Instead of painting a scene of Henry’s assassination, he made The Apotheosis of Henry IV and Homage to Marie de’ Medici, one of three landscape-format canvases in the series.

The left side of the painting shows the assassinated king being welcomed into heaven as a victor by the gods Jupiter and Saturn. Jupiter, as king of the Olympian gods, is Henry’s divine counterpart; Saturn, holding a sickle in his right hand, marks the end of Henry’s earthly existence. Below them is Bellona, an ancient Roman goddess of war, who is stripped of her armour and appears tormented.

On the right side, Marie is seated on her throne as Regent, wearing black widow’s weeds, as the personification of France kneels in homage and presents her with an orb of office. Behind the Regent, at the far right, is Minerva bearing her Aegis, the shield emblazoned with the image of Medusa’s head. Also present are Prudence and Divine Providence, and her court are paying tribute from below.

Launching apps in Sonoma 14.6.1: Full security

By: hoakley
27 August 2024 at 14:30

This is the first of a series of three articles that look in detail at the launch process of apps in macOS Sonoma 14.6.1, with the emphasis on security checks. This follows my earlier look in 14.4.1, and covers a wider range of situations, including the effects of disabling SIP and Gatekeeper, and how known malicious software is handled.

Methods

All tests were performed in a series of Sonoma 14.6.1 virtual machines (VMs) running on a Mac Studio M1 Max host, also running 14.6.1. VMs are preferred as they enable a consistent environment and easy control of boot security and security settings, together with relatively low rates of log entries. Log extracts were obtained using Ulbow and analysed in their entirety for the first 5-7 seconds after launching apps in the Finder.

Apps used were:

  • SystHist – notarized, quarantined, moved from its landing folder to avoid app translocation;
  • SilentKnight – notarized, not quarantined, previously run;
  • Sparsity – notarized, not quarantined, not previously run;
  • DelightEd3 – not notarized, signed with a Developer certificate, not quarantined, not previously run;
  • DelightEd3resigned – not notarized, ad hoc signed, not quarantined, not previously run.

None of the apps run in an app sandbox, and those notarized use a hardened runtime.

Four variants of the same 14.6.1 VM were run:

  • Full Security, with SIP and Gatekeeper/XProtect enabled;
  • Full Security, with Gatekeeper/XProtect disabled;
  • Permissive Security, with SIP disabled;
  • Permissive Security, with both SIP and Gatekeeper/XProtect disabled.

All had bridged access to the network and internet, and shared folders with the host, when running these non-malicious apps.

This article describes what happens in the log in the first of those conditions, full security with both SIP and Gatekeeper/XProtect enabled.

Quarantined notarized app

This underwent the fullest checks of these tests. Once LaunchServices announces that it’s opening the app, the following sequence of events is recorded.

CDHashes from the app are copied, here only those for the Arm architecture. As the app is unknown, it’s next registered with LaunchServices. Gatekeeper assessment is then started just 0.07 seconds after announcement of the launch, in the log entry
GK process assessment: <private> <-- (<private>, <private>)
com.apple.syspolicy.exec then starts work on scanning for code, followed by the first mention by LaunchServices that the app is quarantined.

The Gatekeeper scan is announced in
GK performScan: PST: (vuid: 7C5C43BF-A338-4228-B61E-5038F1D93EDB), (objid: 62947), (team: QWY4LRW926), (id: (null)), (bundle_id: (null))
followed by the XProtect scan in
Xprotect is performing a direct malware and dylib scan: <private>
and assignment of the risk category according to its quarantine
QUARANTINE: Setting risk category to LSRiskCategoryUnsafeExecutable
XProtect states the Yara rules it’s using
Using XProtect rules location: /Library/Apple/System/Library/CoreServices/XProtect.bundle/Contents/Resources/XProtect.yara

com.apple.syspolicy next processes the app’s notarization ticket
looking up ticket: <private>, 2, 1
by trying to fetch its record using CloudKit. That’s followed by entries indicating the network access required to connect with iCloud and check the ticket. Success is reported by com.apple.syspolicy in
CKTicketStore network reachability: 1, Mon Aug 26 09:15:45 2024
looking up ticket: <private>, 2, 0

and further lookups.

A little later, Gatekeeper announces the XProtect results
GK Xprotect results: PST: (vuid: 7C5C43BF-A338-4228-B61E-5038F1D93EDB), (objid: 62947), (team: QWY4LRW926), (id: (null)), (bundle_id: (null)), XPScan: 0,-7676743164328624005,2024-08-26 08:19:01 +0000,(null)
and its scan is complete
GK scan complete: PST: (vuid: 7C5C43BF-A338-4228-B61E-5038F1D93EDB), (objid: 62947), (team: QWY4LRW926), (id: (null)), (bundle_id: (null)), 4, 4, 0

Because this is the first launch of a quarantined app, com.apple.syspolicy.exec decides it gets a first launch or “code-evaluation” prompt “because responsibility”. If the user gives approval, the app is allowed to proceed. Its quarantine flag is updated, and the bundle record registered as trusted. The final step is then to create and save its provenance data
Created provenance data for target: TA(e8217440d9326f59, 2), PST: (vuid: 7C5C43BF-A338-4228-B61E-5038F1D93EDB), (objid: 62947), (team: QWY4LRW926), (id: co.eclecticlight.SystHist), (bundle_id: co.eclecticlight.SystHist)
Handling provenance root: TA(e8217440d9326f59, 2)
Wrote provenance data on target: TA(e8217440d9326f59, 2), PST: (vuid: 7C5C43BF-A338-4228-B61E-5038F1D93EDB), (objid: 62947), (team: QWY4LRW926), (id: co.eclecticlight.SystHist), (bundle_id: co.eclecticlight.SystHist)
Putting executable into provenance with metadata: TA(e8217440d9326f59, 2)
Putting process into provenance tracking with metadata: 692, TA(e8217440d9326f59, 2)
Tracking process with attributes: 692, TA(e8217440d9326f59, 2)

Without quarantine

A notarized app that hasn’t been run previously on that system and isn’t quarantined undergoes a similar sequence, but without the first launch or “code-evaluation” prompt. Its bundle record is registered as trusted, rather than being classified as an Unsafe Executable, but it still gets a full XProtect scan and ticket lookup using CloudKit.

Subsequent launches

The briefest launch process is that for an app that has only recently been run. That appears to skip Gatekeeper and XProtect assessments, and there’s no ticket lookup either. Pre-launch processes can then take less than 0.1 second.

Launching a known app following a cold boot can be as quick, although in this case there is a brief Gatekeeper assessment reported in the log. The key entry here comes from com.apple.syspolicy.exec:
Code already evaluated, using results.
Those are checked by Gatekeeper before launch proceeds, with the kernel reporting
evaluation result: 2, exec, allowed, cache, 1724654056, 4, c0a2e35c20a69dfd, /Applications/SilentKnight.app

Signed with developer certificate

An unquarantined app that isn’t notarized but is correctly signed using a Developer certificate is similar to its notarized equivalent, except that looking up the ticket using CloudKit is of course unsuccessful. Repeated attempts are made to find it, though, before going on to check “the legacy list” and check “legacy policy”. This results in the decision
Match downgraded from DevID to None based on legacy policy for: PST: (vuid: 7C5C43BF-A338-4228-B61E-5038F1D93EDB), (objid: 60118), (team: QWY4LRW926), (id: (null)), (bundle_id: (null))
but the kernel decides to allow launch to proceed
evaluation result: 6, exec, allowed, cache, 1724660700, 0, 9576bac3e248c07b, /Applications/DelightEd3.app

Ad hoc signature

This is detected early during pre-launch checks by AMFI (Apple Mobile File Integrity), despite the bundle record being registered as trusted. The kernel reports
AMFI: '/Applications/DelightEd3resigned.app/Contents/MacOS/DelightEd' is adhoc signed.
AMFI then records
No certificate chain found
Failure getting cert chain
Basic requirement validation failed, error: Error Domain=NSOSStatusErrorDomain Code=-67050 UserInfo={SecCSArchitecture=<private>}

and an error code of -423, given as “The file is adhoc signed or signed by an unknown certificate chain”.

Despite that, Gatekeeper assessment continues, with an XProtect scan. Attempts to look up the app’s ticket inevitably fail despite many attempts, and an error code of -67018 “Code did not match any currently allowed policy” is awarded. Launch then proceeds.
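
The log messages quoted in this article are distinctive enough to classify mechanically, which makes it easy to see which pre-launch checks a given launch went through. The following is an added example, not code from this article or from Apple: the stage names, function names and the default list of expected checks are assumptions made here, and the sample messages are copied from the entries quoted above.

```python
import re

# Patterns are the log messages quoted in the article; the stage names are
# labels chosen for this example, not Apple terminology.
STAGES = [(name, re.compile(rx)) for name, rx in [
    ("gk_assessment", r"^GK process assessment:"),
    ("gk_scan_start", r"^GK performScan:"),
    ("xprotect_scan", r"^Xprotect is performing a direct malware and dylib scan"),
    ("quarantine_risk", r"^QUARANTINE: Setting risk category to (?P<risk>\w+)"),
    ("ticket_lookup", r"^looking up ticket:"),
    ("xprotect_result", r"^GK Xprotect results:"),
    ("gk_scan_complete", r"^GK scan complete:"),
    ("cached_result", r"^Code already evaluated, using results"),
    ("legacy_downgrade", r"^Match downgraded from (?P<old>\w+) to (?P<new>\w+) based on legacy policy"),
    ("adhoc_signed", r"^AMFI: '(?P<path>[^']+)' is adhoc signed"),
    ("kernel_verdict", r"^evaluation result: \d+, \w+, (?P<verdict>\w+), .*, (?P<path>/.+)$"),
    ("provenance", r"^(?:Created|Wrote) provenance data"),
]]
# PST fields look like "(team: QWY4LRW926)" or "(id: (null))".
PST_FIELD = re.compile(r"\((vuid|objid|team|id|bundle_id): (\(null\)|[^()]+)\)")

def classify(message):
    """Return (stage, details) for one message, or (None, {}) if unrecognised."""
    for stage, pattern in STAGES:
        m = pattern.search(message)
        if m:
            pst = {k: None if v == "(null)" else v for k, v in PST_FIELD.findall(message)}
            return stage, {**m.groupdict(), **pst}
    return None, {}

def summarise(messages):
    """Distinct stages in order of first appearance, plus the kernel verdict."""
    seen, verdict = [], None
    for stage, details in map(classify, messages):
        if stage and stage not in seen:
            seen.append(stage)
        verdict = details.get("verdict", verdict)
    return seen, verdict

def missing_checks(seen, expected=("gk_assessment", "xprotect_scan", "ticket_lookup")):
    """Expected stages (an assumed default list) that this launch never logged."""
    return [s for s in expected if s not in seen]

# Copied from the article: first launch of the quarantined app, then the two
# entries quoted for a known app launched after a cold boot.
FIRST_LAUNCH = """GK process assessment: <private> <-- (<private>, <private>)
GK performScan: PST: (vuid: 7C5C43BF-A338-4228-B61E-5038F1D93EDB), (objid: 62947), (team: QWY4LRW926), (id: (null)), (bundle_id: (null))
Xprotect is performing a direct malware and dylib scan: <private>
QUARANTINE: Setting risk category to LSRiskCategoryUnsafeExecutable
looking up ticket: <private>, 2, 1""".splitlines()
CACHED = """Code already evaluated, using results.
evaluation result: 2, exec, allowed, cache, 1724654056, 4, c0a2e35c20a69dfd, /Applications/SilentKnight.app""".splitlines()

if __name__ == "__main__":
    print(summarise(FIRST_LAUNCH), summarise(CACHED), missing_checks(summarise(CACHED)[0]))
```

Feed it the message text of each entry from a log extract covering the first few seconds after a launch. The cached sample holds only the two entries quoted above, so its missing list reflects that excerpt rather than the complete log.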

In the next article I’ll show how those are affected by disabling SIP and Gatekeeper assessments.
