hoakley December 26, 2021 Macs, Technology

Last Week on My Mac: Maintaining macOS has changed

One of the most common questions Mac users ask is how to maintain macOS. It might be how to fix a problem with the system, or how to reinstall it. Most of these users are experienced, with years of tackling problems behind them. These days, most end up in a long exchange of messages before they realise how this has changed over the last year or so.

Looking back twenty years, repairing the System was far simpler when you knew what you were doing. Mac OS 8 and 9 were straightforward to patch from the Mac OS Installer, as that consisted of a whole series of Tomes for each sub-system, which the free utility TomeViewer could install individually.

If it was OpenGL that was in trouble, you could just select and install the 4 MB containing the OpenGL components in Mac OS.

OS X wasn’t so easy, and some users took to reinstalling it completely, to which I responded that it isn’t Windows. But the arrival of Pacifist from CharlesSoft allowed you to install single applications and components. For apps like Mail with complex dependencies, this often didn’t work, and the trend towards reinstalling the whole of OS X gathered momentum.

One advanced technique which became popular was to install the latest Combo updater, as that often contained sufficient for whatever trick was needed to fix most problems. By macOS 10.12, this had become a panacea for many system ills, and five years ago it was an excellent choice.

Reinstalling the system continued to grow ever more popular. In macOS 10.12.4, Apple made Recovery more complex, and depending on which combination of startup keys you used, you could end up installing a different version, as I explained here. This had also been made more complicated with the introduction of SIP in El Capitan, which came to envelop almost all the system including its bundled apps.

In theory, SIP should have seen an end to any need to keep reinstalling macOS, because of the way that it prevented protected files from being altered. Whatever the reason, it didn’t seem to help much when it came to fixing all those problems which seemed to be solved by reinstalling macOS. Pacifist had now been joined by Suspicious Package, but neither could really do much to help as the system had become so sprawling and interdependent.

Just over a year ago, with the release of Big Sur, this all changed. The entire contents of the System volume became frozen in a snapshot, whose integrity is verified by a tree of cryptographic hashes, signed and sealed so not a bit can be altered. At the same time, because Apple had changed the way that macOS is updated and installed, standalone updaters became a thing of the past. So installing a Combo update was no longer an option: from now on, you either leave your System volume well alone, or install the whole of macOS.

Signing and sealing of the System volume is now checked before your Mac will boot into macOS, at least on Macs with T2 and M1 chips. According to Apple’s Platform Security Guide:
“During macOS installation and update, the seal is recomputed from the file system on device and that measurement is verified against the measurement that Apple signed. On a Mac with Apple silicon, the bootloader verifies the seal before transferring control to the kernel. On an Intel-based Mac with an Apple T2 Security Chip, the bootloader forwards the measurement and signature to the kernel, which then verifies the seal directly before mounting the root file system. In either case, if the verification fails, the startup process halts and the user is prompted to reinstall macOS.
This procedure is repeated at every boot unless the user has elected to enter a lower security mode and has separately chosen to disable the signed system volume.”

Sadly, Apple doesn’t explain whether or how the signed system volume (SSV) is checked in Intel Macs without a T2 chip.

On an M1 or T2 Mac, to check the integrity of everything installed on its System volume, all you have to do is restart that Mac. So long as Secure Boot is enabled, the fact that it boots into macOS is confirmation that every last bit is intact.

This doesn’t, of course, cover the entirety of macOS. The most significant part which is installed on the Data volume, therefore falls outside the scope of the SSV, is Safari. So there is a cogent argument, if you suspect a problem lies in Safari, that reinstalling macOS could be a useful solution, and worth the time and effort. However, that means a 13 GB download and protracted installation for the sake of one app a thousandth of that size. Perhaps we should be asking Apple not for standalone updaters, but an installer which only refreshes parts of macOS which are now stored on the Data volume, and remain at risk of damage or corruption.

The SSV has transformed the maintenance of macOS. Instead of viewing the system as hundreds of thousands of files which are all susceptible to damage or corruption, it’s better to look at it as an extension of the firmware. Although there are rare circumstances in which you might wish you could reinstall your Mac’s firmware – something now supported for T2 and M1 Macs, using Configurator 2 – it’s hardly an everyday procedure for use whenever the system seems a bit wonky or burps a bit.

It has been a long journey from the days of patching the system using TomeViewer, but I think we’ve finally reached the point where we can concentrate our efforts on diagnosing problems rather than relying on the universal snake-oil of reinstalling macOS.

13Comments

Add yours

1

almeath on December 26, 2021 at 6:38 pm

I stopped using Apple support forums a few years ago because of this issue. It felt like virtually anything I asked about would result in a recommendation to reinstall macOS. I’ll be happy to see that practice come to an end.

LikeLiked by 1 person
- 2
  
  hoakley on December 26, 2021 at 7:31 pm
  
  Thank you – me too. It’s very lazy troubleshooting.
  Howard.
  
  LikeLike
- 3
  
  Walt on December 27, 2021 at 9:31 am
  
  Agree. Those forums have adopted the Windows syndrome of recommending reinstall macOS as a catch all solution to problems.
  
  LikeLiked by 1 person
4

Oofy Prosser on December 26, 2021 at 7:01 pm

” …I think we’ve finally reached the point where we can concentrate our efforts on diagnosing problems rather than relying on the universal snake-oil of reinstalling macOS.”

But your description of the situation seems to say that the only remedy is to reinstall macOS. If we can’t change anything in it, what option is left? Diagnosing the problem isn’t much help if we can’t fix it. Your report sounds as if the only choice we have is to report the problem to Apple and hope they fix it in a future OS update/upgrade.

Or did I misunderstand what you wrote?

LikeLiked by 1 person
- 5
  
  hoakley on December 26, 2021 at 7:39 pm
  
  Sorry, I think we’re at completely cross purposes here.
  If you come across a bug in macOS, then other than reporting it, all you can do is work around it. No amount of reinstallation is going to change anything, although amazingly I still see people recommending it. Of course diagnosing the bug is also an excellent way of devising a workaround, which is what you need until it’s fixed.
  In the real world, problems from bugs are actually relatively rare, and the most common are due to user error, damaged preference files, and all the other mishaps that give us trouble. In Big Sur and later, we can then have confidence that the problem isn’t due to some ‘corruption of system files’, and apply the panacea of reinstalling macOS. Instead – just like with a car with a problem – we need to discover the cause of the problem and fix that. And we can be confident that cause doesn’t lie in the SSV.
  I hope that’s clearer.
  Howard.
  
  LikeLike
6

Oofy on December 27, 2021 at 10:58 pm

OK, got it. Since the SSV is locked and sealed, reinstalling it would make no difference, since you are replacing like-for-like. Updating it would, of course. But don’t forget that there are millions of users still on earlier versions of macOS that don’t have this feature. And reinstalling those versions must sometimes work, otherwise why would that procedure be so popular? And, yes, reinstalling as a first (rather than last) resort is lazy trouble-shooting.

LikeLiked by 1 person
- 7
  
  hoakley on December 27, 2021 at 11:22 pm
  
  Thank you. I’m well aware that there are many Mac users who aren’t yet running 11 or 12, and for them reinstalling can sometimes solve problems. However, I do think it is overused, and as others have commented, it’s a slick answer to many questions, but often not the right one.
  I’m just so glad that I don’t have to even think about it now. We all thought the SSV was just about security, but this is a real user benefit.
  Howard.
  
  LikeLike
8

RalphB on December 28, 2021 at 4:31 am

RE: “On an M1 or T2 Mac, to check the integrity of everything installed on its System volume, all you have to do is restart that Mac. So long as Secure Boot is enabled…”
How can a “mere mortal” user know/recognize whether “Secure Boot” is enabled on an M1 Mac? I searched Help, which led to an Apple Support article applying only to T2 Macs. And I looked in the Mac Utilities folder.
Are “Secure Boot” settings something users can/should check?

LikeLiked by 1 person
- 9
  
  hoakley on December 28, 2021 at 7:21 am
  
  Thank you.
  By default, and unless you disable Secure Boot using Startup Security Utility in Recovery, Secure Boot is enabled on all T2 and M1 Macs.
  Checking in macOS isn’t as simple as you might expect, though: the best info is in System Information, where you need to select the oddly-named Controller item at the left. While that’s clear on an M1, which lists Secure Boot under Boot Policy, it isn’t as clear on a T2.
  Of course, my SilentKnight has this made far easier – on a T2 it states that SIP & SSV are enabled. On an M1, it reports clearly “Platform Security full” in the upper section, and explicitly states the full security status in the text view below.
  I’m not really surprised that there isn’t a clear accessible guide in Help, I suppose.
  Howard.
  
  LikeLike
10

Jimmy on December 29, 2021 at 3:11 am

Another great article! Yup, it’s a new world for us long-time Mac techs. *This reminds me of an old go-to, “Clean Install Assistant” back in the OS 8.x days. At least for now, we can still trash .Plist files for misbehaving apps… Ye Olde Alsoft’s Disk Warrior is (also) toast, sadly.

LikeLiked by 1 person
- 11
  
  hoakley on December 29, 2021 at 3:13 pm
  
  Thank you.
  Howard.
  
  LikeLike
12

Pico on December 29, 2021 at 6:54 am

“Sadly, Apple doesn’t explain whether or how the signed system volume (SSV) is checked in Intel Macs without a T2 chip.”

I haven’t run into it myself, but I believe non-T2 Intel Macs continue booting and show a “Volume Hash Mismatch” notification within macOS.

You can see examples of the notification if you Google that phrase. It seems like the issue has come up a handful of times for folks on Monterey but at least some people writing about it don’t seem to realize that it really means there’s an SSV issue.

LikeLiked by 1 person
- 13
  
  hoakley on December 29, 2021 at 3:18 pm
  
  Thank you, Pico. That appears to be the case. But nowhere does Apple bother to mention it, nor to explain its significance. For such a security issue, that’s seriously bad.
  Howard.
  
  LikeLike