I would just love it if a project using something like this came out that allowed you to use a VM to run old versions of applications (e.g., perpetually licensed Adobe products) that are no longer supported. Bonus points if they let us adjust the date that is presented to the VM so that the subcomponents that Adobe did not get a perpetual license on (e.g., face recognition) that were sold as part of a perpetually licensed product continue to function. I literally have an old Mac Mini running an old version of macOS and its only purpose is to run Lightroom 6. I'd love to not have to do that.
I have a whole stable of machines running Mavericks just because I have a huge investment in iPhoto. I would like to switch to Photos but every time I try to convert an iPhoto library to Photos it fails (after a very very long time).
Once it’s up and running it’s fine but importing photo libraries into Photos is truly the worst software experience I have ever had. It took me weeks of on and off tinkering to get my partner’s photo library set up correctly and syncing with iCloud Photos. The worst part is that when it does fail there’s absolutely no indication to the user what went wrong. At best you’ll get some kind of generic error message, at worst it just hangs forever. Perfectly demonstrates how Apple’s “it just works” design philosophy falls apart when it doesn’t just work.
This is why I so dislike these garbage apps with their own proprietary formats that leave you stranded when the vendor abandons you. Apple, Google. They're all guilty of it. I want my photos in a directory using open formats that I control.
It's especially bad with the crap programs on Windows that encoded videos and the like.
I have a huge Aperture library. After Apple screwed me by abandoning it, I have no good options. I'm trying to run Aperture in VMware. Dog slow, but kind of works...
Yeah, that would be my advice. Either export all images from iPhoto, original files (not compressed, down-scaled). Then pull them into Photos.
Or literally open the iPhoto Library folder and go rescuing your photos. There are all sorts of thumbnail versions in there for performance, so you'll have to discover the folder hierarchy to find your originals, but they're there.
The problem is not rescuing the original photos. That's easy. The problem is that we have put a lot of effort into editing the photos, curating them into albums, and adding captions.
I came from Aperture into modern Photos after holding out as long as possible. As versions updated, Photos understood more and more Aperture metadata and edits.
With 10^6 photos, to get this to work I had to use old Aperture Library manager utilities to split those by album (by year for unclassified), then bring those split libs into Photos one at a time.
I brought each into its own Photos library to limit blast radius of import issues, and was able to isolate which image(s) caused faults.
After having an array of Photos libraries, I made a big enough store on a fast Mac that could stay online uninterrupted to act as my library host and iCloud Photos master.
I imported Photos to Photos, and let it sync. Able to use logs and narrow down and retry remaining from an import when issues. Eventually, all good.
There is a rate limit on syncing Photos to cloud. If Photos thinks you’re doing separate syncs, it can hit at 25K. So after that either just let it sit to catch up over the next week(s), or, if you are somehow certain of zero errors, keep cloud sync off until all Photos are imported and indexed locally then turn it on. Helping others with this, I’ve had to try both ways. All at once is best if no errors, as it doesn’t seem to rate limit the first batch.
Note, with 10^6 photos in iCloud Photos and multiple devices syncing, sometimes one or more usually older items lose sync or won’t sync from an iPhone. In my experiences, nothing fixes this, not even disable/enable iCloud Photos — until the next major version number iOS release, which seems to reindex or rebuild device Photos library.
I don't know, I haven't counted them in a long time. But probably tens of thousands of photos curated into hundreds of albums across a few dozen separate iPhoto libraries. It's over 20 years worth of work.
Even if I exported all the albums manually I would lose the captions.
Also, I don't want my photos in the cloud. I want them only on media in my direct physical control because I want to retain my Fourth Amendment rights.
Would RAM be a limiting factor there? I suppose macOS is ok on 8gb so as long as you have 16 to give another 8 to the guest you can do it. It’d also depend on the resource needs of that legacy app you want to run.
Big Sur was available for Apple Silicon; presumably there are new hooks in Monterey to support this virtualisation that Apple didn't see the need to backport. It's something of a sore point for Mac devs, as it means it's basically impossible to test their apps on Big Sur on Apple Silicon without having a dedicated box for it...
I'm currently looking for a Linux distribution to run in an immutable VM on macOS. It will only be used to run a web browser. A browser is the primary way your machine can get compromised.
Since it is immutable, restarting the VM will clear all files back to a clean slate.
macOS has app sandboxing built-in, but it is not as good as a VM.
I’m curious why this isn’t a more popular setup? Running a browser in an isolated VM seems like it should be a best practice. Does anyone else run a similar setup?
Security theatre. If your browser is attacked by an 0day of any sort, or malware or whatever, it will have access to the shared credentials and information inside your browser. This means any and all cookies, shared logins, account access, tab information — is all game. That's where all the actual value is; why would I care if it's inside a VM or not when I can get credentials to your mail provider from the browser itself and just exfiltrate? It doesn't matter if you restart the browser once or a million times; anytime it has sensitive information, it is a target. Unless you plan to literally restart/wipe after every interaction with every domain in a separate same-origin policy where any sensitive information exposure occurs.
But if you're that careful, what is the VM really doing for you, and why the hell are you even exposing yourself that much? Just use Lynx or something.
The real solution is this: Install Firefox, install noscript to nuke all javascript, install ublock too, and get a password manager. Selectively allow any webpage interactivity, as necessary. The world isn't a Tom Clancy novel so you don't actually need to do anything more than this to be very secure and on top of almost all active threats.
Ultimately to achieve what we all actually want (strong isolation guarantees that would prevent a full browser exploit from both A) your SSH keys from getting stolen and B) also your gmail spool from being attacked, and let's be honest, B is the worst case scenario) requires a rethinking of the fundamental software stack from OS to user-visible applications. No amount of Browsers-in-a-VM are a substitute.
> Security theatre. If your browser is attacked by an 0day of any sort, or malware or whatever, it will have access to the shared credentials and information inside your browser.
Yes running a VM won’t protect against this threat.
Running a VM will pretty much eliminate that 0-day from infecting the host OS, where it could become a persistent threat and have access to a range of sensitive data.
This is not security theatre. You just have incomplete threat modelling here.
The easiest way of getting security wrong is assuming it's all or nothing. This is a very common error I see here.
Security is about risk management and levels of protection. Saying locking your door is useless because someone might drive a car through is not going to help anything.
We need to take a step back and remember that Facebook paid for a 0 day exploit in the Tails OS to catch a criminal [1]. Note, I'm not commenting on the morality of this, I'm only commenting that one can never really be "secure" even if using the most secure of protocols. FWIW, this is an interesting read.
What protocol are you referring to? Tails makes a lot of great efforts to prevent undesired network access but at the end of the day it doesn't do any isolation by virtualisation and the bundled video player was able to ping a server directly. I don't believe this approach would be possible against Qubes OS.
That doesn't protect any active sessions; if you assume the attacker is capable of exploiting the browser, then they can just exfiltrate an active session for the user for any domain and bypass the login mechanism entirely. Done. This "reset state" approach can only protect against that if you completely wipe after every sensitive interaction on every unique same-origin policy, but at that point you're just doing all the hard work yourself.
Obviously I'm not saying 2FA isn't good, and doesn't mitigate some clearly related attacks like raw credential theft (whether or not the browser is exploited, obviously.) My position is just that browsers-in-VMs is a mostly roundabout threat model whose actual benefits (such as some semblance of filesystem isolation) can be achieved other ways. The things these approaches can not fix are otherwise systematic issues that require major redesigns to achieve.
> My position is just that browsers-in-VMs is a mostly roundabout threat model whose actual benefits (such as some semblance of filesystem isolation) can be achieved other ways.
What other ways would you recommend for filesystem isolation better than simply immutable VM running a web browser?
It's resource heavy to browse in a VM, particularly if you don't use a paravirtual GPU which would greatly increase attack surface, and highly inconvenient to have your browser cleared all the time. It's not unheard of though, Windows even has a built in functionality for this for high security enterprise users.
Qubes is super cool. It's just a pity that it also imposes a bit too many constraints (especially related to USB keyboard... For security reasons) and performance penalties to make it a realistic alternative for me.
> WebKit: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
It’s also not an install most users are hunting down, it’s pretty much automagic. It mostly supports your point though, as this is why auto update exists.
But that's an enormous "if" that the vast vast vast majority of that big scary number getting patched don't actually have to deal with. The point isn't that getting compromised is a minor inconvenience; it's that what the VM protects against is such a rare major inconvenience that it's multitudes of times more inconvenient over time to constantly deal with the smaller inconvenience of running browsing through a VM instead.
YOLO works until it doesn't. It's usually self-correcting. In business, it may be corrected by involuntary regulation.
Browser VMs are not the only option. Regular OS wipe/install is another, e.g. rotate between two dedicated browsing devices with native performance. One indicator of a compromised device is a reduction in perceived performance.
HP SureClick or MS AppGuard Edge is another level of complexity: every network connection and browser tab is a separate stateless micro-VM whose output is dynamically composited into a single display, with optional analytics of traffic and malware within each isolated micro-VM.
As for "I'm not important enough to be a target", some humans are on education or career paths to change that calculation. Some adversaries may see value in early access to up-and-coming targets. As the cost of targeting falls, the bar for "important enough" also falls.
You can't just say it could be bad one day therefore everyone should do <x> now - that's just fear mongering not supportive reasoning. For instance it could be everyone falls victim to a hypervisor security bug so nobody should trust VM browsing. It could be everyone falls victim to a firmware bug so nobody should trust reusing a device. At some point you have to accept that having the possibility of a bad scenario isn't enough on its own, it needs to be actually weighed and compared.
Sure, there are e.g. certain high security businesses or certain high risk individuals that should consider higher security options (or in some cases regulation therefore). That it's certain conditions is precisely why it isn't for the vast majority though, if it were you wouldn't need to specify corner cases.
Security is about judging how to stay as far up the curve as you can without it costing you more than you'd realistically lose to do so. It is not about closing every conceivable hole in your attack surface to achieve minimal risk.
I'd also add there is a counter to the always increasing cost/reward ratio of targeting: the always decreasing amount of complexity of implementing the security mitigations for the "next level" of security. In a decade browsing via VM may be commonplace for the average user (though probably more persistently for that use case) and not require a thought to use. That doesn't make it any different for today but it points out there is more than "threats have increased" that can change what's a reasonable place to be on the security curve.
> You can't just say it could be bad one day therefore everyone should do <x> now
Who said "everyone" or "one day"? It's bad today, especially for those who assume they are not affected, even though they have never done forensics to test that assumption.
An example: most software incorporates other software as dependencies. As a developer, if a downstream consumer of your software is regulated, your software business could be regulated as a dependency. This also applies to open-source projects. If your software becomes regulated, then the dev/build environment for that software may be regulated. The details are being worked out now, this is not some distant future. https://fossa.com/blog/cybersecurity-executive-order-softwar...
The time will come when more endpoint devices will not be able to connect to sensitive services, because of missing security properties of the endpoint. The definition of sensitive services could be regulated, e.g. CI/CD system. As a software developer, that could mean your dev workstation (including browser configuration) cannot be used to change/publish code without clearing a security bar. https://docs.microsoft.com/en-us/security/compass/privileged...
> there is more than "threats have increased" that can change what's a reasonable place to be on the security curve.
Yes, there is also "damages have increased", so more stakeholders have an interest in consensus definitions and enforcement of reasonable, in specific contexts.
We're a couple layers deep now but the question that started the chain was:
> I’m curious why this isn’t a more popular setup?
If we're no longer talking about that but saying general security implementations and requirements will be tighter at some point in the future then sure, full agree. If we're talking about VM based browsing and why people aren't using it today then I'm not sure how any of this applies outside a tiny fraction of a percentage of machines browsed from.
That's a weird opinion just like all extreme opinions. It's not meant to be perfect - it's a layer of security that mitigates some issues and hopefully exposes as few new ones as possible. Virtualisation kills almost all local IPC / filesystem / shared memory possibilities of privilege escalation through other services. It even mitigates most kernel level exploits, because after that you'll still need to break out of the VM itself.
TLDR: P(non-root-vm-breakout-not-requiring-app-breakout) < P(app-breakout) and P(non-root-vm-breakout) < P(local-pe | system-service-exploit)
The simple solution is to provision a VM with your browser of choice and take a snapshot of it. Every time you use it, restore to the "vanilla" snapshot to revert its state.
If using a Linux VM, your hypervisor's checkpoint capabilities should suffice. If you want to go a step further (albeit with the caveat of using Windows), then Deep Freeze by Faronics will revert your Windows VM during each boot.
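The snapshot-and-revert routine described above, sketched for a kvm/libvirt host as an added example (not code from any commenter). The domain name `browser-vm` and snapshot name `vanilla` are hypothetical, and the snapshot is assumed to have been taken once from a clean install with `virsh snapshot-create-as`.

```bash
#!/usr/bin/env bash
# Added example: revert a libvirt browsing VM to a known-clean snapshot before
# every session. DOMAIN and SNAPSHOT are hypothetical names, not from the thread.

DOMAIN="${DOMAIN:-browser-vm}"     # hypothetical libvirt domain name
SNAPSHOT="${SNAPSHOT:-vanilla}"    # hypothetical clean-state snapshot name

# Return 0 only if the domain has a snapshot with exactly this name.
snapshot_exists() {
    virsh snapshot-list "$1" --name 2>/dev/null | grep -Fxq -- "$2"
}

# Revert the domain to the clean snapshot and leave it running.
# Fails closed: if the snapshot is missing or the revert fails, the VM is not
# started, so a disk carrying state from an earlier session is never booted.
start_clean_session() {
    local domain="$1" snap="$2"

    if ! snapshot_exists "$domain" "$snap"; then
        echo "refusing to start $domain: snapshot '$snap' not found" >&2
        return 2
    fi

    # A session left running is forced off; its state is discarded anyway.
    if [ "$(virsh domstate "$domain" 2>/dev/null)" = "running" ]; then
        virsh destroy "$domain" >/dev/null || return 3
    fi

    # --running boots the guest after the revert even if the snapshot was
    # taken while the guest was shut off.
    virsh snapshot-revert "$domain" "$snap" --running >/dev/null || return 4
    echo "$domain reverted to '$snap' and running"
}

# Usage (on a host with libvirt):
#   start_clean_session "$DOMAIN" "$SNAPSHOT"
```

Reverting removes anything that persisted inside the guest between sessions; as other comments in the thread point out, it does nothing for sessions and credentials that are live while the browser is running.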
Speaking of sandbox, is there a way on macOS to contain corpocrap(TM) that insists on running installation wizards that require admin privileges in 2022?
My employer requires a certain unpopular remote access client suite that installs unnecessary background services running as root. The reliance on a certain unstable audio streaming plugin for skype calls makes everything harder to work on a VM.
I do this, kvm/libvirt on Linux, Linux browsers, SPICE/virt-viewer. I don't rollback the VMs like you're suggesting, although that does seem like a good idea to start doing. In addition to the VM-based isolation, the VMs are running on a completely separate machine. One of the other major features this gets me is that my router sends traffic different places depending on what VM it's coming from. Casual web browsing goes out a rotating cloud IP (need to move this to EU sometime), bank and other surveillance based authentication sites go out my uplink directly (fuckers), torrent traffic goes out a commercial VPN, embedded device configuration gets no WAN.
Performance is acceptable, even for videos and the like. I'm sure it's considerably slower, but it works for me. I also see adding a bit of a speed bump that mentally distances the web from my main computing environment as a benefit.
There is a built-in feature, known as Application Guard, on Windows 10/11 that gives you exactly this out of the box, with minimal configuration. Biggest downside is that it only works with Edge.
This seems to be an artificial limitation in Windows Sandbox, as WSL2 and Edge Application Guard both use separate VMs and you can run them all at once.
"Krypton" is the name of the isolated microVMs in Hyper-V, but they don't really document it at all.
I do a fair amount of upload/download of docs and images. And some of the "cookie pre-fills stuff for me" is useful. I know you can work around all that, but I'm lazy. I suspect more lazy people like me is the primary reason it's not popular.
Because most public web sites, especially with ads, execute untrusted code on your local device, requiring firmware, OS, browser security sandbox and web-page access control contortions for constantly-attacked web browser engines.
> WebKit: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
Indeed. Note that qemu has support for various native virtualization platforms including kvm, macOS' hypervisor framework, and Windows hypervisor. I'm not sure whether qemu supports M1 macOS out of the box (though it does seem to support ARM Linux and Windows) though, so perhaps that's an added feature from UTM.
A bit off topic but does anyone have a good lightweight vm gui that uses the new framework w/Monterey?
Fusion and Parallels are expensive (and I personally don’t love the interface anyway), and I’ve found UTM a pain to set up. I’d like to just take an Ubuntu ISO (or macOS image) choose a disk size and be on with it. Preferably with support for snapshots, but not required.
I spent a while searching for projects but most are no more than (not actively maintained) proof of concepts.
Self promotion, but I guess you’re specifically asking for it so I hope you’ll let it slide: https://github.com/saagarjha/VirtualApple. I’ve been using it for development so it’s “actively maintained” in the sense that if it breaks I’ll go fix it because I need it to work :P
Do note that the framework for Linux asks for a kernel+disk rather than an ISO. I don’t support it at the moment (the project is macOS-focused) but it wouldn’t be too hard to add support for.
Personally I've tried several linux ISOs and had issues booting and didn't have the resolve to fix it. MacOS VMs I got working but there was a lot of specific setup. There are some things I enjoy fiddling with but VM configs isn't one of them.
Veertu has probably been around for a decade. It used to be on the Mac App Store even! I wonder why they are lesser known than other desktop virtualization software.
Interesting. I wonder if this is because it has really sucked in the last 6 months and this is some sort of hail mary? I have 2 machines with the latest VMware Fusion on it. An iMac (Intel) and a Mac Pro (2013). Both ran all versions of macOS flawlessly until a few months ago. Big Sur and Monterey have massive issues. I couldn't install from scratch anything Monterey. I had random hangs, installing new macOS guests. Just so many issues. It forced me to try Parallels Pro and I found it works fine. I'm in the process of switching over.
I wonder if Fusion was ever even profitable. I have never met anyone who has independently gone and purchased it. But I've bought licenses for it through work and maybe enough others have too.
Maybe it's a loss leader product now, get individuals into it so that they will ask for it at work.
I (grudgingly) paid for personal copies of both Fusion and Workstation Pro, since I did use both heavily for years.
However... my personal opinion of Workstation has taken a nosedive. I've experienced quite a number of really ridiculous bugs, and it appears that the firing of all of the competent maintainers and replacing them with Chinese developers has not done the product quality any favours. Looks like it's been in "cash cow maintenance mode" for almost a decade at this point.
Example from last week at work: When I fire up my Linux VMs on Windows 10 Enterprise, I get a black screen. The workaround: enable a nonexistent floppy drive. When the system boots the "floppy drive not present" dialogue box somehow stops the screen blanking out and it works until the virtualised OS power saving turns off the screen. At which point it's dead until you power it down and repeat the floppy trick. There's some really basic bug here, and it's been around for several years. Reported and unaddressed.
Same with quite a few other issues I've reported. EFI bugs preventing FreeBSD booting. Segfaults when using the PC beeper on Linux. Really stupid stuff that any basic emulation should be handling.
The QA on these products seems to have just gone, and I really resent paying a significant amount of money for bug-ridden poorly-tested software.
With Fusion I've seen the same issues that Workstation has for the most part, since other than the UI the codebase is mostly shared. If they want to be able to compete with the OS-provided and free alternatives, they need to up their game and make their product worth paying money for. Right now, it seems like you pay through the nose for something that has a handful of features nothing else offers, but overall is a worse experience.
I wonder if Beeper (https://www.beeper.com) uses something like this to get you a macOS iMessage instance in the cloud. Was always curious how they could tout that seemingly impossible feature, but looks like this is a way to do it.
Is this recent? This looks like a game changer for the rentable mac instance business if there's some movement in the licensing landscape.
I was watching the github actions launch issue around macOS to see how they would handle the licensing issue[1]. In the end GH/MS didn't comment due to some "NDA" -- would be easy to state if they went the license route so...
AWS/EC2 offers x86 and M1 macOS machines as instances which you can rent in 24-hour increments.
I could imagine them slicing those machines using virtualization, licenses permitting (apparently the 24 hour requirement is from Apple's license agreement.)
Before Monterey's virtualization framework there was the hypervisor framework.
It is a lot lower level and would be what the virtualization framework is built on top of.
I have a Monterey VM running on my home server inside Unraid with virtualization. I can login to Apple developer accounts. I use this as a macOS gitlab runner VM.
Yeah, I’m talking about capital V Virtualization, the framework that Apple provides for making macOS virtual machines (and is used by this sample code). Signing in with your Apple ID is explicitly not supported in those.
To my knowledge, macOS running in an x86 VM works with all iCloud services _except_ iMessage and FaceTime. To get iMessage and FaceTime working, you need to generate a serial number that is in Apple's databases and spoof the virtual machine's serial number.
If the macOS you run in an M1 virtual machine is the same macOS, then why is the same not true? And I suppose I wonder whether the officially-supported ESXi-virtualizing-macOS has iCloud support, and how that works.
I haven’t noticed any problems for the use case I’m using it for.
I’m giving it 8GB of ram and 6 cores/12 threads. VM is running on pcie ssd. Speed is good.
No gpu is in my server so it’s using a basic VNC connection. If you add a gpu and pass it through the desktop experience would be much better. However I only needed to do this to do initial setup.
The cool thing about my setup is that it uses a docker container called macinabox which handles the initial VM configuration and macOS installation, essentially automating the “hackintosh” process.
This is interesting from a product angle. Apple has historically not supported running macOS on VMs very well.
A few years back I built the vm infrastructure for a CI/CD platform for iOS and macOS app developers. It wasn’t easy to do this in a technically and legally well supported manner.
I mean, screw that; it's been possible to make Mac VMs on arbitrary hardware for decades with commercial software, and QEMU has been capable of it for a number of years now. That's before we even get into Hackintosh, too. Pretty much the only issue is iCloud support, which can be spoofed with a little bit of plist editing.
It's a bit of a hassle, but I got mine to work in less than an hour. Apparently there's now mitigation that could require you to call Apple support, but I never ran into that when I was on Mojave.
I built something similar a couple of years back using Anka. I got the help of lawyers to help with some details but there were definitely cases where Apple’s non explicit stance (until recently) makes you stop and think. https://www.filip.dev/posts/veertu-interview/
AWS's Mac instances aren't VMs; they are dedicated machines. I could swear I read that GitHub uses MacStadium for the Mac runners, which is also dedicated machines, but I can't find any documentation that supports that claim.
"The OS X EULA does allow for OS X to be virtualized on Apple hardware as both host and guest. This is why (as you note) VMware Workstation does not support OS X virtualization, but Fusion, ESXi, and vSphere do. All versions of VMware's apps check to ensure that you are running on Apple hardware and you are running a supported OS (as not all versions of OS X allow virtualization)."
I am trying to get Snow Leopard+Rosetta virtualized under Mac OS 10.10 Yosemite, as well as get Mac OS 10.8 Lion to run under Snow Leopard (software requirements, and supporting PowerMac application, Freehand).
It's a total, complete uphill battle that Apple does not want to happen:
"You are completely correct that the EULAs are unclear about the question of running 3+ OS X VMs on a single OS X host. This is a legal question, and not a technical one. For that matter, so is the limitation about which versions of OS X can be virtualized (ex: 10.6 virtualization requires the Server edition, and all VMware applications block you from virtualizing the Standard edition)."
So, it actually is true, and there is proof in VMWare's documentation.
You’re saying that ‘traditionally’ Apple hasn’t supported this, but your examples are 10+ years old. Apple has been supporting virtualization of macOS for quite a while now, both with their own frameworks (hypervisor previously, now Virt framework) and 3rd party hypervisors.
It’s true that “once upon a time” it wasn’t supported, but those days are long past.
Traditionally Apple has supported it when it shipped hardware: Apple ][ to 68K (1991), 68k to PPC (1994), PPC to Intel (2006), and now Intel to Mx (2020), but a few years after, it's not a feature. 6 years is 4 generations, like 100 human years. Why are the Classic and PowerPC emulators so popular? People want them.
I had someone bring in a Franklin Ace Apple II clone. There are Apple ][ emulators too. Not just for nostalgia, but for applications that are no longer supported or being developed.
I can run DOS on a Core II duo after 40 years.
My point is Apple emulation is only profitable when selling hardware, don't even think it's nifty, when it's dumped like old fish.
Old versions of macOS requiring the server version for use inside a VM was dumb, but there's nothing technically or legally difficult about satisfying that requirement.
It works totally fine, the hardest part is finding a (legal) copy of SLS (if you care about that).
I run CodeWarrior on SLS on top of Fusion on Mojave.
In December 2021, I decided to check the state of macOS virtualization using Parallels 17.
Parallels has exceeded my every expectation and seems to be full of “It just works!” Presently running an instance of macOS 10.8 (Mountain Lion) in Parallels 17, but I don’t know if it offers GPU support.
Sure, just build the app and use it outside of Xcode. (Note that this is sample code, so I wouldn’t really recommend using it for actual work; you should pick something that’s more of a “product” instead.)
This style of naming is common on everything Apple, all their APIs and SDKs and most things in Objective-C/Swift are verbose like this, it’s on purpose.
I personally quite like it, but it can be jarring for people coming from other languages.
I’m a big proponent of verbose naming, but I suppose I should say in this context that I generally have a negative preference for terse naming. There are some exceptions to that preference, usually deferring to idiomatic usage, e.g.:
- i or idx is often preferred over index
- fn or fun is often used where function is a reserved word
That said, I’m also cognitively sensitive to column width. I’m not “80 columns or fight”, but I definitely find longer lines of code challenging to follow. As such I prefer to balance verbosity by deferring to the context (lexical scope, imported module name/hierarchy, file name/path, general contextual assumptions that you’d already need to be effective in the codebase).
I find both extremes jarring, and there’s usually an opportunity to optimize for both local understanding and reading without reaching those extremes (of course at the expense of keystrokes/autocomplete pitfalls, but once you’ve embraced verbosity at any level that’s assumed).
I tried macOS in Parallels and it was _awful_. Significantly worse than Windows 11 ARM and Ubuntu ARM. It seemed like it had zero acceleration. Very poor experience. I just used the wizard to install it so I didn't do anything weird.
From what I hear, Parallels has put approximately zero effort into their Virtualization implementation, to the point where a toy I whipped up over the weekend has better usability than it does.
If you are 'fortunate' enough to catch weird code signing bugs, like MacCatalyst app with a few dylibs / so's then getting the correct code signature will be a game of cat and mouse -- Eskimo is even one to say just use a developer support credit because they are so hard.
Well, the very first time a Mac sees an app, there are special GateKeeper error codes that are never repeated... so if you are unfortunate enough to not know this and test your app on all the Macs you have in your possession, and still can't identify the bug, it was most likely error coded at the very first run time...
To which the solution is make a VM or do all the un-niceties of removing the special security from the Mac, safe boots and all.