Invalid Certificate after Security Update 2015-004 in Mavericks

After recently installing Security Update 2015-004, I found that I could no longer browse to any website using the root certificate “VeriSign Class 3 Public Primary Certification Authority – G5” without a security warning (“invalid certificate”). This included sites such as Twitter and Apple, and it also meant that applications such as Software Update would no longer function.

After digging into it (see here, here, here and here) I found the cause was a chain of events that, while a bit convoluted, was fairly prevalent among users.

First off, 2015-004 updated the list of trusted root CAs, which by itself isn’t an issue. The problem was when I then logged into Amazon S3 using an older version of Cyberduck (< 4.7). That version of Cyberduck was adding the certificate chain retrieved from Amazon to my login keychain, which also by itself isn’t an issue. The problem was that the intermediate certs Amazon was using were outdated and signed with 1024 bits. This caused a mismatch between the certs installed by 2015-004 and the ones being saved to the keychain by Cyberduck. Like I said, convoluted.

Luckily everyone seems to have implemented fixes – Cyberduck no longer writes the intermediate certs to the keychain (as of version 4.7) and Amazon has updated their intermediate certs to 2048-bit signatures.

If you run into this issue, you probably still have the invalid certs sitting in your keychain. Simply open up Keychain Access and delete the bogus entries in the login keychain so that the system entries are used instead (select login, then Certificates, you should see them at the bottom of the list – "VeriSign Class 3 Public Primary Certification Authority – G5").
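The same cleanup can be checked from Terminal with the macOS `security` tool. This is an added example, not part of the original post: it lists copies in the login keychain whose SHA-1 fingerprint differs from the copy in the system root store and prints (without running) the command that would remove each one. The keychain paths and the name-prefix match are assumptions for a default Mavericks setup.

```shell
#!/bin/sh
# Added example: find certificates in the login keychain that carry the root's
# name but are not the copy shipped in the system root store.
# Assumed values (not from the post): default keychain paths, name prefix match.
NAME='VeriSign Class 3 Public Primary Certification Authority'
LOGIN_KC="$HOME/Library/Keychains/login.keychain"
ROOTS_KC='/System/Library/Keychains/SystemRootCertificates.keychain'

# Read `security find-certificate -a -Z` output on stdin and print the
# SHA-1 fingerprints it contains, upper-cased and de-duplicated.
sha1_list() {
    sed -n 's/^SHA-1 hash: *//p' | tr 'a-f' 'A-F' | sort -u
}

# Print fingerprints found in listing $1 (login keychain) that do not
# appear in listing $2 (system roots): these shadow the trusted root.
shadowing_certs() {
    login_hashes=$(sha1_list < "$1")
    root_hashes=$(sha1_list < "$2")
    for h in $login_hashes; do
        printf '%s\n' "$root_hashes" | grep -qx "$h" || printf '%s\n' "$h"
    done
}

# Only runs where the macOS `security` tool exists.
if command -v security >/dev/null 2>&1; then
    tmp=$(mktemp -d)
    security find-certificate -a -c "$NAME" -Z "$LOGIN_KC" > "$tmp/login.txt"
    security find-certificate -a -c "$NAME" -Z "$ROOTS_KC" > "$tmp/roots.txt"
    for h in $(shadowing_certs "$tmp/login.txt" "$tmp/roots.txt"); do
        echo "stale copy in login keychain: $h"
        # Printed for review, not executed.
        echo "  remove with: security delete-certificate -Z $h \"$LOGIN_KC\""
    done
    rm -rf "$tmp"
fi
```

Review each printed fingerprint in Keychain Access before running the suggested delete command.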

MacPorts, Mavericks & MySQL 5.6 with Memcached

If you’ve upgraded to Mavericks you’ve probably realized that MacPorts MySQL 5.6 would not build due to some issues with MySQL itself.

That issue has now been fixed with MySQL version 5.6.15 and this changeset which is now live in the port index. Simply install like usual:

sudo port install mysql56-server

One thing the portfile doesn’t contain is the flag to enable the new 5.6 InnoDB Memcached Plugin. If you’d like to enable it, you’ll need to create a local portfile with the following changes:

# change
name                mysql56
# to
name                mysql56-custom


# change
-DWITH_SSL:STRING=bundled
# to
-DWITH_SSL:STRING=bundled \
-DWITH_INNODB_MEMCACHED=ON

If you’ve never worked with local portfiles before, here’s a quick tutorial…

Mavericks, MacPorts, PostgreSQL 9, Tomcat 6 and PostgreSQL Studio

Now that Amazon Web Services is supporting PostgreSQL I figured it’s about time I got around to getting it set up locally.

First step was to install PostgreSQL via MacPorts:

You should now be able to connect to your database using pgAdmin or a similar tool. If you’re having trouble, a quick reboot of your machine should get it working (assuming you set PostgreSQL to load at startup).

I also wanted to try out PostgreSQL Studio which requires Tomcat so that got installed next:

Installing Tomcat led to a momentary headache as it would not start, throwing the following error – Apple AWT Java VM was loaded on first thread — can’t start AWT. All of the OS X / MacPorts / Tomcat instructions on Google were pretty out of date so it took a bit of digging to figure out what was going on. Luckily the fix was rather simple – just edit tomcatctl with the change shown in the Gist above.

The final step was to download PostgreSQL Studio, unzip the file and drop pgstudio.war into /opt/local/share/java/tomcat6/webapps/.

After a few moments Tomcat will autodeploy the war and you’ll be able to browse the application at http://localhost:8080/pgstudio/.

Sleepy Thunderbolt Display

Ran into another Mavericks upgrade issue today – my Thunderbolt display would no longer wake up (MacBook Pro connected, cover closed, keyboard & mouse attached to the monitor).

Quick fix is to reset the System Management Controller (SMC):

http://support.apple.com/kb/HT3964?viewlocale=en_US

MacPorts & Mavericks OS X 10.9 & Gnutar Errors

UPDATE – The 10.9 Mavericks binary is now available here.

If you try installing or updating MacPorts ports after upgrading OS X to 10.9, you’ll hit an error with gnutar:

The recommended fix from MacPorts is to reinstall MacPorts and all ports after a major OS upgrade. Unfortunately there is no binary for Mavericks yet and quite a few ports are failing to build right now including MySQL 5.6 and Python 2.7.

The workaround is to keep your current MacPorts installation and install gnutar from source:

This is definitely not a long-term solution and should really just be used for new ports that are must-haves. I wouldn’t run port upgrade outdated or try to upgrade any specific ports as you will find that not all ports will build.

Once a Mavericks binary is out, be sure to remove this gnutar before doing the migration.

Read more discussion of MacPorts on Mavericks.

Note: Be sure to build and install gnutar from source and not just symlink…

OS X Mavericks, Xcode 5.0.1 and the Missing Command Line Tools

So not only was Java gone from my system after the update, the Xcode command line tools disappeared as well. I’m not sure if they disappeared with the Mavericks update or when I upgraded Xcode to 5.0.1, but regardless, they’re gone.

In the past few versions of Xcode you could open the application, head to preferences, and select them under Downloads > Components. Unfortunately they’re no longer there.

In classic Apple fashion they’ve changed the way you get the command line tools without really mentioning it (at least not that I could find). Most likely because there were many folks who wanted the tools without having to install Xcode.

There are now two ways to get them:

1) Download from the Apple Developer Site (you’ll need to log in with your account)

2) Or trigger the install to start by running the following command: xcode-select --install

And to be extra clear, Xcode is no longer required in order to install the command line tools as described above.