I tried this exact combination but it did not work out of the box for the apps I tried. For GUI apps bundled with brew-nix, they will panic due to something about how the code signing keys are copied with brew-nix. The mac-app-util trampoline launcher does work with the regular way that brew is managed with nix (which under the hood just shells out to brew), though. So the problem is likely related to brew-nix installing apps outside of the Applications folder.

I hacked around a bit trying a few different approaches before giving up and switching back to the regular nix-darwin homebrew approach. But the issue is probably solvable by someone who knows a lot more about how the code signing process works with Macs and the Applications folder.




Ugh! How annoying. Which apps did you try that with? I just gave it a try with a couple random ones. I tried Marta, CyberDuck, IINA, KeePassXC, and CotEditor and they all worked.

(Spotify didn't build because the Brew package doesn't have a hash, and Karabiner Elements didn't build because, idk why, but that one's actually in Nixpkgs already and that version works fine.)

I did double-check that I have SIP enabled and everything. I'd be interested in trying to repro!

Aside: that mac-app-util works so nicely for the macOS apps that are already in Nixpkgs makes it feel much more worth it to me to package GUI apps for macOS, if that'll mean I can get rid of `brew` entirely. I wonder if this will spur others to also package more GUI apps this way.


1Password and Docker Desktop are two good test subjects. 1Password especially is the one I mentioned above as being a problem child in general with nix setups on Mac.

VS Code in particular was the one that broke for me, though that is actually available and mostly functional in nixpkgs, so that one is not a showstopper, but it might be a good test case to repro.


I just tried 1Password and it refused to start, not being in `/Applications`. I've seen this happen with one other app (Secretive), although it doesn't quite refuse to run. I can't remember all the details, but I think it has to do with a limitation in newer versions of macOS, where apps that try to register launchd services can only do so if they live in /Applications rather than ~/Applications. The problem with launching those background services from binaries that live in ~/Applications disappears if you disable SIP. When I first encountered it, it made me wonder if ~/Applications is not really supported on modern macOS. I wish I could find the issue for that, but I didn't when I looked just now. :-\

Oh, here's that issue: https://github.com/maxgoedjen/secretive/issues/77

1Password definitely acts weird for me, to the point where I kind of wonder if the .app folder is malformed somehow. The version installed in the Nix store actually works fine, but not if I double-click it or open it with the `open` command. In that case it kinda acts like something is going to launch, but then it never comes up. But if I manually invoke `/Applications/Nix\ Apps/1Password.app/Contents/MacOS/1Password` from my terminal, it starts up fine! But when I directly launch that executable from Finder, the application does not start and I see that same message about not living in /Applications printed in the terminal. Idk why 1Password refuses to run from anywhere other than /Applications, but that seems to be its message rather than the operating system's.

It's a shame 1Password's Mac app can't run from the Nix store. They clearly have at least one Nixer at the company because they have cool integrations like this:

https://developer.1password.com/docs/cli/shell-plugins/nix/

I couldn't even get the Docker Desktop package to build from `brew-nix`. OrbStack in the Nix store died on signature errors, but when I visited Security & Privacy in System Preferences after that, there was a little notice that OrbStack had been blocked from running because it was from an unrecognized developer, with the option to allow it. After being allowed, it seemed to work as normal. Same for Podman Desktop.

Why do the signatures for those apps end up getting replaced with this setup anyway?


As for your first question, about why 1Password refuses to run outside of Applications, I'm pretty sure it's security. There is something special about Applications on macOS that apparently AgileBits views as an attack vector when run outside of it.

I was curious about your final question as well, but I know little about how this works. The error when I tried VS Code looked to be that the signature had gotten malformed somehow during brew-nix's copy operation, but since I had no idea what a correct signature should even look like, I got stumped there.
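The two open questions in this thread (what a "correct" signature looks like, and whether a copied bundle's signature is actually intact) can be answered from the command line. The script below is an added example, written for this page; it is not code from the thread, from brew-nix or from mac-app-util. It assumes macOS with Apple's `codesign` and `spctl` on PATH. `check_app_signature` runs the usual three checks on a bundle: `codesign --verify --deep --strict` fails if anything under the bundle's sealed resources was changed or dropped after signing, `spctl --assess` asks Gatekeeper whether it would allow the bundle to run, and `codesign -dvv` prints who signed it. `signature_summary` reads that last output and reports whether the bundle is ad-hoc signed, signed with a Team ID, or unsigned; the sample lines used to try it offline are constructed to match `codesign`'s real output format, not captured from any of the apps named above.

```shell
#!/bin/sh
# Added example (not from the thread, brew-nix or mac-app-util):
# check whether an .app bundle's code signature survived being copied
# (into the Nix store, ~/Applications, ...) and summarise who signed it.
# Assumes macOS with `codesign` and `spctl` on PATH.

# Run the three checks a practitioner usually wants for a copied bundle.
# Returns 1 if the seal is broken, 2 if Gatekeeper rejects the bundle.
check_app_signature() {
    app=$1
    echo "== static seal check: $app"
    # --strict rejects legacy/loose signatures; --deep also checks nested code.
    codesign --verify --deep --strict --verbose=2 "$app" || return 1
    echo "== Gatekeeper assessment"
    spctl --assess --type execute --verbose=2 "$app" || return 2
    echo "== signer"
    codesign -dvv "$app" 2>&1 | signature_summary
}

# Read `codesign -dvv` output on stdin and print exactly one line:
#   unsigned        - codesign reported no signature at all
#   adhoc           - ad-hoc signature (no identity); Gatekeeper will not trust it
#   team:<TEAMID>   - signed with a Developer ID / App Store team identity
#   signed:no-team  - signed, but no Team ID present (e.g. self-signed cert)
# Pure text processing, so it can be tried on saved output away from a Mac.
signature_summary() {
    awk '
        /code object is not signed at all/ { verdict = "unsigned" }
        /^Signature=adhoc/                 { adhoc = 1 }
        /flags=.*\(adhoc\)/                { adhoc = 1 }
        /^TeamIdentifier=/ {
            sub(/^TeamIdentifier=/, "")
            if ($0 != "not set") team = $0
        }
        END {
            if (verdict != "")  print verdict
            else if (adhoc)     print "adhoc"
            else if (team != "") print "team:" team
            else                print "signed:no-team"
        }'
}

# Usage: sh check-sig.sh "/Applications/Nix Apps/1Password.app"
# (the path is only an illustration; pass whichever bundle you are debugging)
if [ -n "${1:-}" ]; then
    check_app_signature "$1"
fi
```

If the first check fails, `codesign --verify --verbose=2` names the file whose hash no longer matches the seal, which is the quickest way to find out what a copy step altered; if the seal is fine but `spctl` rejects the bundle, the summary line tells you whether that is because the signature is ad-hoc rather than from an identified developer.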
