Why does PyCharm use lax security on macOS?

When looking at the entitlements on PyCharm CE for macOS, it shows many serious security exceptions. Here are its entitlements:

<dict>
    <key>com.apple.security.cs.allow-jit</key>
    <true/>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
    <true/>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
    <key>com.apple.security.cs.disable-executable-page-protection</key>
    <true/>
</dict>

Why does PyCharm use such lax security? Is it necessary?

I tried to look into PyCharm's source code, and I saw this commit:

Add macOS notarization script

GitOrigin-RevId: e8779699a5c41df82848b335a3aed82b7550c7eb

VladRassokhin authored and intellij-monorepo-bot committed on Jun 5, 2019, commit 631c91bc1a579488452da099b957305502cda2f4

But I couldn't find a clear reason why PyCharm would need these security gaps. Can anyone with knowledge of PyCharm's code shed light on this?
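The five keys in the question are hardened-runtime exception entitlements: allow-jit and allow-unsigned-executable-memory permit memory that is both writable and executable (a JIT-compiling runtime such as the JVM needs at least the first), allow-dyld-environment-variables lets DYLD_* variables inject libraries into the process, disable-library-validation lets the process load dylibs not signed by the same team, and disable-executable-page-protection removes the remaining executable-page protections. The script below is an added example, not code from the question or from JetBrains: it takes an entitlements plist on stdin and lists every com.apple.security.cs.* key set to true, so you can audit any app bundle the same way. The sample plist is the one from the question, reformatted, with one extra false key added to show that false values are ignored; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): list hardened-runtime
# exception entitlements (com.apple.security.cs.*) that are set to <true/>
# in an entitlements plist read from stdin.

# Constructed sample: the entitlements quoted in the question, plus an
# app-sandbox key set to false to show that false values are not reported.
SAMPLE_PLIST='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.allow-jit</key>
    <true/>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
    <true/>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
    <key>com.apple.security.cs.disable-executable-page-protection</key>
    <true/>
    <key>com.apple.security.app-sandbox</key>
    <false/>
</dict>
</plist>'

# Read plist XML on stdin; print each com.apple.security.cs.* key whose
# value is <true/>, one per line. Whitespace is stripped first so the
# parser does not care how the plist was indented; records are then split
# on "<" so that "key>NAME", "/key>", "true/>" arrive as separate records.
relaxed_entitlements() {
    tr -d '\n\t ' | awk 'BEGIN { RS = "<" }
        /^key>/     { name = substr($0, 5); next }
        /^true\/>/  { if (name ~ /^com\.apple\.security\.cs\./) print name; name = "" }
        /^false\/>/ { name = "" }'
}

# Number of relaxed entitlements found in the constructed sample.
sample_relaxed_count() {
    printf '%s\n' "$SAMPLE_PLIST" | relaxed_entitlements | awk 'END { print NR }'
}

# Stand-alone run: print the relaxed entitlements of the sample.
printf '%s\n' "$SAMPLE_PLIST" | relaxed_entitlements
```

On a Mac, feed the function the real entitlements of a bundle instead of the sample, for example `codesign -d --entitlements :- "/Applications/PyCharm CE.app" | relaxed_entitlements` (the `:-` form strips the binary blob header on older macOS; newer codesign versions accept `--entitlements - --xml` to get plain XML). The same check applied to any other app tells you whether it is in the same class: an app that keeps allow-dyld-environment-variables and disable-library-validation can be injected into with DYLD_INSERT_LIBRARIES just as it could before the hardened runtime existed.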

Prevent an application from making any network access on macOS

I want to run an application on macOS, but prevent it from making any type of network access, or any type of internet access.

I have seen the following possibilities:

  • Use the built-in firewall. Unfortunately, this blocks only inbound connections, not outbound.

  • I have seen Little Snitch. However, it feels uncomfortable from a security standpoint to install closed-source software on my system that has such deep access to everything I do.

Ideally, I would like to do that myself. Is it possible to restrict an app's access to network resources on macOS? Maybe start it in a sandbox mode somehow?

Thanks!
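macOS ships the App Sandbox enforcement that sandboxed apps use, and it can be applied to an arbitrary program from the command line with sandbox-exec(1) and a profile in Apple's sandbox profile language. Apple marks sandbox-exec as deprecated but still ships it and still enforces the profiles. The script below is an added example, not from the question or from Apple: it builds a profile that allows everything except network operations and launches a command under it. The `(version 1)`, `(allow default)` and `(deny network*)` lines are standard profile syntax; the helper names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): run a program under the
# macOS sandbox with all network access denied, using sandbox-exec(1).

# Minimal sandbox profile: allow every operation, then deny the whole
# network* family (inbound, outbound, bind). Later rules win in this
# language, so the deny overrides the allow-default for network operations.
# DNS goes through mDNSResponder's local socket, which network* also
# covers, so name resolution fails as well.
no_network_profile() {
    cat <<'EOF'
(version 1)
(allow default)
(deny network*)
EOF
}

# Launch a command with the profile applied to it and all its children.
# Usage: run_offline /path/to/program [args...]
# Returns 2 on bad usage, 127 when sandbox-exec is not available (non-macOS).
run_offline() {
    if [ "$#" -lt 1 ]; then
        echo "usage: run_offline COMMAND [ARGS...]" >&2
        return 2
    fi
    if ! command -v sandbox-exec >/dev/null 2>&1; then
        echo "sandbox-exec not found; this only works on macOS" >&2
        return 127
    fi
    sandbox-exec -p "$(no_network_profile)" "$@"
}

# Stand-alone run: show the profile that would be applied.
no_network_profile
```

Two practical points. Launch the real executable inside the bundle, for example `run_offline "/Applications/Some.app/Contents/MacOS/Some"`, rather than `open Some.app`, because `open` asks LaunchServices to start the app as a separate process outside your sandbox. And `network*` also denies Unix-domain sockets, so an app that talks to local helpers over them may need a more permissive profile; you can watch what is being blocked with `log stream --predicate 'sender == "Sandbox"'` while the app runs. An alternative that needs no per-launch wrapper is pf: run the app as a dedicated user and add an outbound `block` rule matching that user, since pf rules can filter on the owning user of a socket.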

Password manager for macOS

I can see a few options for open source macOS password managers:

MacPass

KeePassX

KeePassXC

Is any of these 3 more secure than the others?

I tried to browse for a while, but I couldn’t find anything meaningful on this subject. Does anyone technically competent have an opinion on this subject?

Thanks!

Is reading from /dev/urandom on macOS Catalina a safe way to produce cryptographically secure data?

I'm reading a lot about the entropy of macOS…

I know it doesn't use Yarrow anymore but, as per this FIPS 140-2 doc, a NIST-compliant DRBG.

I read a lot:

https://github.com/briansmith/ring/pull/398
How can I measure (and increase) entropy on Mac OS X?
https://stackoverflow.com/questions/5832941/how-good-is-secrandomcopybytes
http://serverascode.com/2014/03/04/yarrow.html
https://stackoverflow.com/questions/3170500/random-number-generator-dev-random
https://stackoverflow.com/questions/42197958/secrandomcopybytes-provider-sha1prng-or-nativeprng-type-in-objc

Even mailed Craig F: https://apple.stackexchange.com/questions/362531/does-macos-still-use-yarrow-as-its-cryptographically-secure-pseudorandom-number

I see that SecRandomCopyBytes is now effectively using:

https://opensource.apple.com/source/xnu/xnu-4570.41.2/osfmk/corecrypto/ccdbrg/src/ccdrbg_nisthmac.c.auto.html

While /dev/urandom uses:

https://opensource.apple.com/source/xnu/xnu-4570.41.2/osfmk/prng/random.c.auto.html

I have much old code using /dev/urandom. On Catalina, is it still valid to use /dev/urandom for key material? Is it cryptographically secure?

I don’t want to port everything to a macOS specific lib.

Even libsodium seems to use /dev/random, so I guess it’s ok?
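Whatever the answer about the generator behind it, code that takes key material from /dev/urandom has two things to get right on any Unix: read exactly as many bytes as the key needs and fail loudly on a short read, and create the file that holds the key without a window in which it is world-readable. The script below is an added example, not from the question: `random_hex` reads N bytes from the device as hex and refuses zero, non-numeric or short results, and `write_key_file` writes N raw bytes into a file created under `umask 077` and verifies the size afterwards. The helper names are this example's own; it runs unchanged on macOS and Linux.

```shell
#!/bin/sh
# Added example (not from the original post): read key material from
# /dev/urandom with the checks a caller should make.

# Print N bytes from /dev/urandom as lowercase hex.
# Returns 2 on a bad byte count, 1 if the device is missing or the read
# came back short (two hex characters per byte are expected).
random_hex() {
    n="$1"
    case "$n" in
        ''|*[!0-9]*) echo "random_hex: byte count must be a positive integer" >&2; return 2 ;;
    esac
    [ "$n" -gt 0 ] || { echo "random_hex: byte count must be positive" >&2; return 2; }
    # /dev/urandom must be the kernel's character device, not a regular file
    # someone dropped at that path.
    [ -c /dev/urandom ] || { echo "/dev/urandom is not a character device" >&2; return 1; }
    out=$(head -c "$n" /dev/urandom | od -An -v -tx1 | tr -d ' \n')
    [ "${#out}" -eq $((n * 2)) ] || { echo "short read from /dev/urandom" >&2; return 1; }
    printf '%s\n' "$out"
}

# Write N raw random bytes to PATH. The file is created under umask 077 so
# it is never readable by other users, and the size is verified so a short
# read or a full disk cannot leave a truncated key behind.
# Usage: write_key_file /path/to/key 32
write_key_file() {
    path="$1"
    n="$2"
    [ -c /dev/urandom ] || { echo "/dev/urandom is not a character device" >&2; return 1; }
    ( umask 077 && head -c "$n" /dev/urandom > "$path" ) || return 1
    size=$(wc -c < "$path" | tr -d ' ')
    if [ "$size" -ne "$n" ]; then
        rm -f "$path"
        echo "short write to $path ($size of $n bytes)" >&2
        return 1
    fi
}

# Stand-alone run: a 256-bit key as hex.
random_hex 32
```

The same two checks apply to a C or Python port: the read loop must loop until the requested length is reached, and the output file must be opened with mode 0600 (or created under a restrictive umask) before anything is written into it.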

Info about gpg setup on macOS

On macOS Mojave:

▶ gpg --list-keys
Warning: Failed to set locale category LC_NUMERIC to en_GR.
Warning: Failed to set locale category LC_TIME to en_GR.
Warning: Failed to set locale category LC_COLLATE to en_GR.
Warning: Failed to set locale category LC_MONETARY to en_GR.
Warning: Failed to set locale category LC_MESSAGES to en_GR.
/Users/pkaramol/.gnupg/pubring.kbx
----------------------------------------------
pub   rsa2048 2019-07-04 [SC] [expires: 2021-07-03]
      1DA2A2434A38D1192A3EA4523FEF5E3944A2F025
uid           [ultimate] pkaramol <pkaramol@gmail.com>
sub   rsa2048 2019-07-04 [E] [expires: 2021-07-03]

~/Desktop
▶ ls ~/.gnupg
openpgp-revocs.d  private-keys-v1.d  pubring.kbx  pubring.kbx~  trustdb.gpg

From what I understand, the public key is: /Users/pkaramol/.gnupg/pubring.kbx

How can I find out what is the corresponding private key?
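In GnuPG 2.1 and later, pubring.kbx is the keybox holding the public keys, and private keys are stored one per file by gpg-agent as ~/.gnupg/private-keys-v1.d/<KEYGRIP>.key, where the keygrip is a hash of the public key parameters that `gpg --list-secret-keys --with-keygrip` prints. The script below is an added example, not from the question: it parses the machine-readable `--with-colons` form of that listing and prints, for the primary key and each subkey, the key ID and the path of the file holding its private half. The embedded listing is a constructed sample for the key shown in the question (same fingerprint and dates); the keygrips in it are placeholders, not the real ones, and the helper names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): map GnuPG keygrips to the
# private key files under private-keys-v1.d.

GNUPGHOME_DIR="${GNUPGHOME:-$HOME/.gnupg}"

# Constructed sample of
#   gpg --list-secret-keys --with-colons --with-keygrip
# for the key in the question. Fingerprint and timestamps match the post
# (2019-07-04 / 2021-07-03); keygrips and subkey ID are placeholders.
SAMPLE_LISTING='sec:u:2048:1:3FEF5E3944A2F025:1562198400:1625270400::u:::scESC::::::23::0:
fpr:::::::::1DA2A2434A38D1192A3EA4523FEF5E3944A2F025:
grp:::::::::0000000000000000000000000000000000000001:
uid:u::::1562198400::0000000000000000000000000000000000000000::pkaramol <pkaramol@gmail.com>::::::::::0:
ssb:u:2048:1:0000000000000001:1562198400:1625270400:::::e::::::23:
fpr:::::::::0000000000000000000000000000000000000002:
grp:::::::::0000000000000000000000000000000000000002:'

# Read a colon-format secret key listing on stdin and print one line per
# key: "<keyid> <sec|ssb> <path>". In the colon format the key ID is field 5
# of the sec/ssb record and the keygrip is field 10 of the grp record that
# follows it.
# Usage: keygrip_files /path/to/gnupghome < listing
keygrip_files() {
    awk -F: -v dir="$1/private-keys-v1.d" '
        $1 == "sec" || $1 == "ssb" { kind = $1; keyid = $5 }
        $1 == "grp" && $10 != ""   { print keyid, kind, dir "/" $10 ".key" }
    '
}

# Report which of the listed private key files actually exist on disk.
# Usage: keygrip_files HOME < listing | check_key_files
check_key_files() {
    while read -r keyid kind path; do
        if [ -f "$path" ]; then
            echo "$keyid ($kind): present $path"
        else
            echo "$keyid ($kind): MISSING $path"
        fi
    done
}

# Stand-alone run on the constructed sample. With a real keyring:
#   gpg --list-secret-keys --with-colons --with-keygrip | keygrip_files "$GNUPGHOME_DIR" | check_key_files
printf '%s\n' "$SAMPLE_LISTING" | keygrip_files "$GNUPGHOME_DIR"
```

The .key files are gpg-agent's private storage, not OpenPGP packets; to get the private key in the format another machine's gpg can import, export it with `gpg --export-secret-keys --armor 3FEF5E3944A2F025` rather than copying the .key files. openpgp-revocs.d in the same directory holds the pre-generated revocation certificate for the key.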

Proxychains 4 usage on macOS?

I am trying to port scan a .onion website using nmap. I ran the following command:

proxychains4 nmap -Pn -sT -v example.onion

But I got the following error:

[proxychains] config file found: /usr/local/etc/proxychains.conf
[proxychains] preloading /usr/local/Cellar/proxychains-ng/4.14/lib/libproxychains4.dylib
dyld: could not load inserted library '/usr/local/Cellar/proxychains-ng/4.14/lib/libproxychains4.dylib' because no suitable image found.  Did find:
	/usr/local/Cellar/proxychains-ng/4.14/lib/libproxychains4.dylib: mach-o, but wrong architecture
	/usr/local/Cellar/proxychains-ng/4.14/lib/libproxychains4.dylib: stat() failed with errno=1

Why is it doing this, and how can I fix it?
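proxychains-ng works on macOS by setting DYLD_INSERT_LIBRARIES so that dyld loads libproxychains4.dylib into the target process. The first dyld line, "mach-o, but wrong architecture", is dyld saying the dylib it found is not built for the architecture the target process runs as; the second, "stat() failed with errno=1" (EPERM), is what dyld reports when it is not permitted to use the inserted library for that process. The script below is an added example, not from the question: it compares the architectures of a target binary and the library to be injected using lipo(1), which is the first thing to check for the "wrong architecture" message. The `lipo -archs` invocation is real Xcode tooling; the helper names are this example's own, and only the pure comparison runs on non-macOS systems.

```shell
#!/bin/sh
# Added example (not from the original post): check whether a dylib can be
# inserted into a binary by comparing their Mach-O architectures.

# Pure comparison: do two space-separated architecture lists share an
# entry? Returns 0 if yes, 1 if not. Example: "x86_64 arm64" vs "arm64".
archs_overlap() {
    for a in $1; do
        for b in $2; do
            [ "$a" = "$b" ] && return 0
        done
    done
    return 1
}

# Architectures of a Mach-O file, e.g. "x86_64" or "x86_64 arm64".
# Uses lipo(1), so this only works on macOS with the command line tools.
macho_archs() {
    lipo -archs "$1" 2>/dev/null
}

# Report whether LIB can be loaded into BIN.
# Usage: check_inject /usr/local/bin/nmap /usr/local/Cellar/proxychains-ng/4.14/lib/libproxychains4.dylib
# Returns 0 on a match, 1 on a mismatch, 2 if either file could not be read.
check_inject() {
    bin="$1"
    lib="$2"
    bin_archs=$(macho_archs "$bin") || { echo "cannot read architectures of $bin" >&2; return 2; }
    lib_archs=$(macho_archs "$lib") || { echo "cannot read architectures of $lib" >&2; return 2; }
    if archs_overlap "$bin_archs" "$lib_archs"; then
        echo "ok: $bin [$bin_archs] can load $lib [$lib_archs]"
        return 0
    fi
    echo "mismatch: $bin is [$bin_archs] but $lib is [$lib_archs]; rebuild proxychains-ng for the binary's architecture" >&2
    return 1
}

# Stand-alone run: the pure check on constructed inputs.
if archs_overlap "x86_64 arm64" "x86_64"; then echo "fat x86_64/arm64 binary can load an x86_64 dylib"; fi
if ! archs_overlap "arm64" "x86_64"; then echo "arm64 binary cannot load an x86_64 dylib"; fi
```

If the architectures do match, look at the EPERM line next: dyld ignores DYLD_INSERT_LIBRARIES for restricted processes, which includes binaries signed with the hardened runtime unless they carry the com.apple.security.cs.allow-dyld-environment-variables entitlement (the same entitlement discussed in the PyCharm question above). `codesign -dv --verbose=4 "$(command -v nmap)" 2>&1 | grep -i flags` shows a `runtime` flag when that is the case; a locally rebuilt nmap without the hardened runtime, or a SOCKS-aware alternative such as nmap's own `--proxies` option, avoids the injection altogether.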

FIDO U2F – macOS Touch Bar

I understand how FIDO works with a YubiKey: the YubiKey device has a symmetric key and uses the appId, a nonce and the symmetric key to generate a key pair for a website. The device gives back the public key and a keyHandle (which can be used to generate the private key) to the RP.

But U2F works in Chrome on a Mac with a Touch Bar without a YubiKey. Does it mean macOS implemented the U2F protocol? (But U2F doesn't work on Safari!!!)

Who is generating and verifying the keyHandle in the case of the Mac?

iPhone connect issue on VMware (Ubuntu host, macOS guest)

I need to have macOS as a guest OS on VMware Workstation Player. It installed and everything works great, except for my iPhone, which the guest cannot recognize correctly: according to the following image, the OS has identified it on USB2, but iTunes doesn't recognize it as a connected iPhone device.

As a matter of fact, there is no issue if I use Windows as the host instead of Ubuntu, but I prefer Ubuntu over Windows and am looking for a solution.

(image: macOS identifies the device)

Regards.