Signed restic beta for darwin?

My restic deployment is getting more and more off track with 0.96. The beta has so many useful features I can’t help it.

Is there a way to get a signed macos binary of the beta? Or is there going to be 0.97 soon?

Sorry if I’m being ignorant here but, is the 0.9.6 released signed any more than the beta “releases” are? In what way? AFAIK the restic binary releases aren’t signed macOS apps, they’re just binaries.

The next version of restic will be 0.10.0 and it will be released soonish. When it’s done :wink:

I’m not sure. I didn’t have any issues running the official restic binary but had issues running the beta. I’ll have to dig into a bit more. I just assumed because of my troubles there was a difference.

I’ll report back when I figure out how to tell if a binary is actually signed or not.

So there are no symptoms suggesting that your problems have to do with signing?

Since you don’t explain the symptoms of your problem it’s hard to speculate what the problem is. But it’s most likely not about signing.

Perhaps you simply have the old binary allowed in full disk access and the new one isn’t.

He’s probably talking about Gatekeeper. It’s especially cumbersome when using the beta releases. To allow it the GUI way, you have to try to run it after doing sudo chmod 755 /path/to/restic, and then it will tell you it’s from an “unidentified developer” and you should move it to the Trash. Then if you open up the Security preference pane, there’s an “open anyway” button. If you do that, and run restic again, it will ask once more if you’re sure and allow you to open it.

To skip all the GUI shuffling, you can just run this:

sudo chmod 755 /path/to/restic
sudo spctl --add /path/to/restic

An alternative is to temporarily disable Gatekeeper, then renable it afterward. This will still cause the secondary prompt to allow it, but will bypass the one that forces you to “move to trash / cancel”.

sudo chmod 755 /path/to/restic
sudo spctl --master-disable
restic version (and use the GUI prompt to allow it)
sudo spctl --master-enable

This is because restic comes from an “unidentified developer”. I think devs have to pay the Apple Tax :tm: in order to become “identified”. :roll_eyes:

If you use Homebrew to install restic, I think it bypasses all this nonsense. I don’t think the final releases are “signed” - you likely just used Homebrew and it took care of this for you behind the scenes. But if you use Homebrew, then you don’t get to play with the latest betas. :cry:

TL;DR If you install restic on a Mac outside of Homebrew, after the sudo chmod 755 /path/to/restic, also do a sudo spctl --add /path/to/restic and you’ll be good to go. :+1:

Also as rawtaz mentioned, it’s a good idea to give restic Full Disk Access in Settings > Security & Privacy > Privacy > Full Disk Access.

1 Like

Oh man. That was one of the reasons that made me switch to Linux full time nearly two years ago… maybe all that is nice for a novice but if you know what you’re doing, I find it very annoying.

I think this particular issue is probably solved through the recent release of v0.10.

In general terms, two GitHub features are appealing from a community perspective:

  1. Pre-releases, which ideally use the same build chain as stable releases and make beta releases more transparent (compared to the current practice).
  2. Milestones, which would give the community an idea on where we are towards the next release.

Maybe these are worth a thought with Restic?

Care to elaborate on in which way this would be more transparent?

Just based on several questions such as this thread where people are struggling to either locate the binaries, to understand what fixes they contain, are unsure whether they can be trusted, etc. With a pre-release on GitHub this all would be solved: they are easy to find, they’d ideally have some release notes with links to the issues they solve (and even without release notes there’d be the list of commits to refer to), it’s clear who built them and by using the same build process these pre-release binaries could benefit from the same “treats” such as signatures and what not.

Don’t get me wrong, I’m not trying to suggest more work for the dev team. I think the opposite could be true, saving you guys from answering for the same questions for the 30th time, especially on how to build/download binaries that contain certain fixes.

Doesn’t happen very often, luckily. Most of the time we just refer people to use the latest beta release and that’s it. We should perhaps make that more available/official though, so people can try it all they want :slight_smile:

There is already hosted together with the restic website. The folder names there contain the git commit id.

Regarding the “unidentified developer” warning: There seems to be some tracking of the origin of a file. When you download a restic build with a webbrowser then it’s identified as external and that attribute seems to be quite sticky. cat restic-binary > restic-binary2 ; chmod +x restic-binary2 works to get rid of that. (but spctl is probably the cleaner solution)

I think you explained it! I spent some time poking at it but not enough to get this answer. Thank you. I did have restic installed with brew! I didn’t know brew did these additional things.

That would be nice. I had a hard time finding the beta site.