Hi!
In case you are interested, i have learned that these scripts that run in the background were developed by Apple before scripts needed to be signed. If someone knows someone who might be able to request that Apple consider signing them, I would appreciate. I do not have an developer’s account because of the numerous requests I submitted, I do not believe even one was acted upon. But I am hoping there is someone out there with more horsepower that might. Thanks for listening
“Mere users” can use this URL.:
I am a “mere registered developer” and they pay no attention to me. Good luck.
Where did you learn that?
“osascript” is the name of a macOS command-line program (stored at /usr/bin/osascript). It is signed, as shown by the following command:
% codesign --verify --verbose /usr/bin/osascript
/usr/bin/osascript: valid on disk
/usr/bin/osascript: satisfies its Designated Requirement
One cause of this could be that some program(s) you have installed include their own sub-programs that are also named “osascript”, and those programs are either not signed, or are signed with an ad-hoc signature, which is valid only on the machine they were signed on.
Another: you have run an Xcode project that makes a program named “osascript”.
Another: it isn’t referring to something named “osascript” at all, and macOS is just plain wrong! System Settings >> General >> Login Items is weird about the name it displays. For some programs that are signed properly but installed “the old way” (Apple is always changing the way such programs should be installed), instead of the name of the program, or the app that contains the program, macOS will show the Apple Developer ID of the person or entity that signed the program.
Another: Apple’s code signing program (codesign) has an option (-i) that allows an arbitrary name to be imbedded in the signature as the “unique identifier string”.
Another: “osascript” is used to launch the program, which has some other name. The macOS “osascript” program is used to run actual scripts (Applescripts, typically, although I think other scripting languages are also supported. Perhaps macOS is seeing a command such as “osascript foo.applescript” and, because foo.applescript is not signed, or is signed with an ad-hoc signature, deciding to display “osascript” as being signed by an unidentified developer.
Or it could be some combination of the above!
Hello,
The company that produces Cocktail (out of Sweden) invokes these scripts.
I had not activated them for quite some time as I was chasing down a problem with my Wallet working on my M2 MBP.
Eventually they emailed me back telling me what I wrote.
Here is a copy of their email:
@lalicata - I don’t see their email, did you forget to attach it or copy/paste it?
Hello,
The company that produces Cocktail (out of Sweden) invokes these scripts.
I had not activated them for quite some time as I was chasing down a problem with my Wallet working on my M2 MBP.
Eventually they emailed me back telling me what I wrote.
Here is a copy of their email:
From: Maintain <cocktail@maintain.se>
Subject: Re: Unidentified Developer scripts are being installed when I install Cocktail………
Date: July 20, 2024 at 16:54:23 GMT+3
Hello,
Thank you very much for your email.
These are add-ons that some features in Cocktail relay on.
They were developed by Apple before signing was required.
You can safely use them.
Regards,
Kristofer Szymanski
MaintainEmail: cocktail@maintain.se
Home Page: https://www.maintain.se
Facebook: Maintain | Stockholm
Twitter: x.com
The scripts might be code samples that Apple provided years ago and are now out-of-date, or they might use undocumented “private” macOS features that are not meant to be used by third parties.
Either way, this isn’t something that Apple needs to do anything about, it is something that the Cocktail developers need to do something about.
I faced a similar problem with bash scripts I had written for my app long before signing was required. The initial problem was that scripts cannot be signed, so when signing became required I first rewrote the scripts as “command line” programs, which are compiled binaries which can be signed. That worked until Apple again changed how “login items” are to be installed, at which point I had to change them into full (but tiny) macOS applications, so they could be installed properly (i.e, using Apple’s new mechanism) and have the proper descriptions in System Settings >> General >> Login Items.
In summary:
But you shouldn’t fault them for not signing scripts that developers should not be using.
(I understand why Apple did #1 and #2; it helps the user better understand what programs their computer runs when they log in.)
Yes, but if you look at it’s manual page:
$ man osascript
OSASCRIPT(1) General Commands Manual OSASCRIPT(1)
NAME
osascript - execute OSA scripts (AppleScript, JavaScript, etc.)
SYNOPSIS
osascript [-l language] [-i] [-s flags] [-e statement | programfile]
[argument ...]
DESCRIPTION
osascript executes the given OSA script, which may be plain text or a
compiled script (.scpt) created by Script Editor or osacompile(1). By
default, osascript treats plain text as AppleScript, but you can change
this using the -l option. To get a list of the OSA languages installed
on your system, use osalang(1).
...
In other words, osascript is a launcher for scripts, provided by a third party. I don’t think those scripts have to be signed.
And, as was later shared, the scripts are part of the Cocktail software package.
To find out what, specifically, these scripts are, you should be able to type the following into a Terminal window:
ps axww | grep osascript
The ps command shows processes. The two w options tell it to not limit output to any particular terminal-width. The grep command will filter output to only show lines containing osascript.
If you look at the parameters passed to each instance of osascript, you should be able to see what the scripts are. From there, you can determine if there is or is not a problem.