Invalid Certificate after Security Update 2015-004 in Mavericks

After recently installing Security Update 2015-004, I found that I could no longer browse to any website using the root certificate “VeriSign Class 3 Public Primary Certification Authority – G5” without a security warning (“invalid certificate”). This included sites such as Twitter and Apple, and it also meant that applications such as Software Update would no longer function.

After digging into it (see here, here, here and here) I found the cause was a chain of events that, while a bit convoluted, was fairly prevalent among users.

First off, 2015-004 updated the list of trusted root CAs, which by itself isn’t an issue. The problem was when I then logged into Amazon S3 using an older version of Cyberduck (< 4.7). That version of Cyberduck was adding the certificate chain retrieved from Amazon to my login keychain, which also by itself isn't an issue. The problem was that the intermediate certs Amazon was using were outdated, with 1024-bit signatures. This caused a mismatch between the certs installed by 2015-004 and the ones being saved to the keychain by Cyberduck. Like I said, convoluted.

Luckily everyone seems to have implemented fixes – Cyberduck no longer writes the intermediate certs to the keychain (as of version 4.7) and Amazon has updated their intermediate certs to 2048-bit signatures.

If you run into this issue, you probably still have the invalid certs sitting in your keychain. Simply open up Keychain Access and delete the bogus entries in the login keychain so that the system entries are used instead (select login, then Certificates, you should see them at the bottom of the list – "VeriSign Class 3 Public Primary Certification Authority – G5").
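One way to confirm which login-keychain entries are the stale ones before deleting them, as an added example that is not part of the original post: it compares the SHA-1 fingerprints that `security find-certificate -Z` reports for the login keychain against the system roots. The keychain paths are assumed 10.9-era defaults, and the sample output and fingerprints are constructed so the script also runs where `security` is not available.

```shell
#!/bin/sh
# Added example: find login-keychain copies of a root that differ from the
# system copy. Keychain paths are the 10.9-era defaults (an assumption).
CN="VeriSign Class 3 Public Primary Certification Authority - G5"
LOGIN_KC="$HOME/Library/Keychains/login.keychain"
SYSTEM_KC="/System/Library/Keychains/SystemRootCertificates.keychain"

# Pull the SHA-1 fingerprints out of `security find-certificate -Z` output.
parse_hashes() {
    sed -n 's/^SHA-1 hash: *\([0-9A-Fa-f]\{40\}\)$/\1/p' | tr 'a-f' 'A-F' | sort -u
}

# Print hashes present in $1 (login list) but absent from $2 (system list).
stale_hashes() {
    for h in $1; do
        case " $(echo $2) " in
            *" $h "*) ;;        # same cert as the system root: harmless duplicate
            *) echo "$h" ;;     # same name, different cert: candidate for removal
        esac
    done
}

# Constructed sample output (fingerprints are made up) for an offline run.
SAMPLE_LOGIN='SHA-1 hash: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
keychain: "/Users/me/Library/Keychains/login.keychain"
SHA-1 hash: BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
keychain: "/Users/me/Library/Keychains/login.keychain"'
SAMPLE_SYSTEM='SHA-1 hash: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
keychain: "/System/Library/Keychains/SystemRootCertificates.keychain"'

if command -v security >/dev/null 2>&1; then
    login=$(security find-certificate -a -Z -c "$CN" "$LOGIN_KC" | parse_hashes)
    system=$(security find-certificate -a -Z -c "$CN" "$SYSTEM_KC" | parse_hashes)
else
    login=$(printf '%s\n' "$SAMPLE_LOGIN" | parse_hashes)
    system=$(printf '%s\n' "$SAMPLE_SYSTEM" | parse_hashes)
fi
for h in $(stale_hashes "$login" "$system"); do
    # Review first; to remove: security delete-certificate -Z "$h" "$LOGIN_KC"
    echo "login keychain copy differs from system root: $h"
done
```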

MacPorts, Mavericks & MySQL 5.6 with Memcached

If you’ve upgraded to Mavericks you’ve probably realized that MacPorts MySQL 5.6 would not build due to some issues with MySQL itself.

That issue has now been fixed with MySQL version 5.6.15 and this changeset which is now live in the port index. Simply install like usual:

sudo port install mysql56-server

One thing the portfile doesn’t contain is the flag to enable the new 5.6 InnoDB Memcached Plugin. If you’d like to enable it, you’ll need to create a local portfile with the following changes:

# change
name                mysql56
# to
name                mysql56-custom

# change
# to

If you’ve never worked with local portfiles before, here’s a quick tutorial…

# the following assumes a typical MacPorts install to /opt/local
# create a directory to hold local ports
sudo mkdir /opt/custom
# edit /opt/local/etc/macports/sources.conf and add the following line before rsync://
# file:///opt/custom
# create the directories to hold the port file
sudo mkdir -p /opt/custom/databases/mysql56/files/
# grab the original portfile and save it to /opt/custom/databases/mysql56/Portfile
# also grab the 5 supporting files and save them in /opt/custom/databases/mysql56/files/
# update the Portfile with the following changes:
# Line 6:
# OLD: name mysql56
# NEW: name mysql56-custom
# Line 97:
# NEW: -DWITH_SSL:STRING=bundled \
# index the new port
cd /opt/custom
sudo portindex
# verify the port was added
port search mysql56-custom
# you should see:
# mysql56-custom @5.6.15 (databases)
# mysql56-custom-server @5.6.15
# install
sudo port install mysql56-custom-server

Mavericks, MacPorts, PostgreSQL 9, Tomcat 6 and PostgreSQL Studio

Now that Amazon Web Services is supporting PostgreSQL I figured it’s about time I got around to getting it set up locally.

First step was to install PostgreSQL via MacPorts:

# install and select
sudo port install postgresql93-server
sudo port select --set postgresql postgresql93
# load at startup
sudo port load postgresql93-server
# create the default database
sudo mkdir -p /opt/local/var/db/postgresql93/defaultdb
sudo chown postgres:postgres /opt/local/var/db/postgresql93/defaultdb
sudo su postgres -c '/opt/local/lib/postgresql93/bin/initdb -D /opt/local/var/db/postgresql93/defaultdb'
# create a new user (or you can simply use the default user postgres which does not require a password)
createuser --superuser your_username -U postgres -P
# create a new database
createdb database_name

You should now be able to connect to your database using pgAdmin or a similar tool. If you’re having trouble, a quick reboot of your machine should get it working (assuming you set PostgreSQL to load at startup).

I also wanted to try out PostgreSQL Studio, which requires Tomcat, so that got installed next:

# install
sudo port install tomcat6
# add -Djava.awt.headless=true to /opt/local/share/java/tomcat6/bin/tomcatctl (line 65)
JAVA_OPTS="$JAVA_OPTS -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.awt.headless=true"
# without this you’ll get this error in /opt/local/share/java/tomcat6/logs/catalina.err:
# 2013-11-16 23:39:17.389 jsvc[1698:203] Apple AWT Java VM was loaded on first thread — can't start AWT.
# Nov 16, 2013 11:39:17 PM org.apache.catalina.startup.Bootstrap initClassLoaders
# SEVERE: Class loader creation threw exception
# java.lang.InternalError: Can't start the AWT because Java was started on the first thread. Make sure StartOnFirstThread is not specified in your application's Info.plist or on the command line
# load at startup
sudo port load tomcat6

Installing Tomcat led to a momentary headache as it would not start, throwing the following error – Apple AWT Java VM was loaded on first thread — can’t start AWT. All of the OS X / MacPorts / Tomcat instructions on Google were pretty out of date so it took a bit of digging to figure out what was going on. Luckily the fix was rather simple – just edit tomcatctl with the change shown in the Gist above.

The final step was to download PostgreSQL Studio, unzip the file and drop pgstudio.war into /opt/local/share/java/tomcat6/webapps/.

After a few moments Tomcat will autodeploy the war and you’ll be able to browse the application at http://localhost:8080/pgstudio/.

Sleepy Thunderbolt Display

Ran into another Mavericks upgrade issue today – my Thunderbolt display would no longer wake up (MacBook Pro connected, cover closed, keyboard & mouse attached to the monitor).

Quick fix is to reset the System Management Controller (SMC):

MacPorts & Mavericks OS X 10.9 & Gnutar Errors

UPDATE – The 10.9 Mavericks binary is now available here.

If you try installing or updating MacPorts ports after upgrading OS X to 10.9, you’ll hit an error with gnutar:

mbp:tar-1.27 chriskief$ sudo port upgrade outdated
--->  Extracting apr
Error: org.macports.extract for port apr returned: command execution failed
Please see the log file for port apr for details:
Error: Unable to upgrade port: 1
To report a bug, follow the instructions in the guide:

:debug:extract Assembled command: 'cd "/opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_release_tarballs_ports_devel_apr/apr/work" && /usr/bin/bzip2 -dc '/opt/local/var/macports/distfiles/apr/apr-1.4.8.tar.bz2' | /usr/bin/gnutar --no-same-owner -xf -'
:debug:extract Executing command line: cd "/opt/local/var/macports/build/_opt_local_var_macports_sources_rsync.macports.org_release_tarballs_ports_devel_apr/apr/work" && /usr/bin/bzip2 -dc '/opt/local/var/macports/distfiles/apr/apr-1.4.8.tar.bz2' | /usr/bin/gnutar --no-same-owner -xf -
:info:extract sh: /usr/bin/gnutar: No such file or directory

The recommended fix from MacPorts is to reinstall MacPorts and all ports after a major OS upgrade. Unfortunately there is no binary for Mavericks yet and quite a few ports are failing to build right now including MySQL 5.6 and Python 2.7.

The workaround is to keep your current MacPorts installation and install gnutar from source:

tar xzvf tar-1.27.tar.gz
cd tar-1.27
# build as a regular user, then install the binary where MacPorts expects gnutar
./configure
make
sudo mv ./src/tar /usr/bin/gnutar

This is definitely not a long-term solution and should really just be used for new ports that are must-haves. I wouldn’t run port upgrade outdated or try to upgrade any specific ports as you will find that not all ports will build.

Once a Mavericks binary is out, be sure to remove this gnutar before doing the migration.

Read more discussion of MacPorts on Mavericks.

Note: Be sure to build and install gnutar from source and not just symlink…

OS X Mavericks, Xcode 5.0.1 and the Missing Command Line Tools

So not only was Java gone from my system after the update, the Xcode command line tools disappeared as well. I’m not sure if they disappeared with the Mavericks update or when I upgraded Xcode to 5.0.1, but regardless, they’re gone.

In the past few versions of Xcode you could open the application, head to preferences, and select them under Downloads > Components. Unfortunately they’re no longer there.

In classic Apple fashion they’ve changed the way you get the command line tools without really mentioning it (at least not that I could find). Most likely because there were many folks who wanted the tools without having to install Xcode.

There are now two ways to get them:

1) Download from the Apple Developer Site (you’ll need to log in with your account)

2) Or trigger the install to start by running the following command: xcode-select --install

And to be extra clear, Xcode is no longer required in order to install the command line tools as described above.