Topic: Air-gapped Armory installation on MacOS (Read 237 times)

I usually download the latest macOS from the Mac App Store, and then use a utility like DiskMaker X to make bootable USB. That does require that I trust the Mac App Store, but I am willing to make that compromise. Then you can boot from the USB, erase the hard drive with Disk Utility, and do a fully clean install of macOS.

how do you wipe a MacBook Pro clean in prep for an offline Armory install?

for other PC's, i've always used dban and then offline installed the OS from a fresh Ubuntu.iso file that can be verified with a checksum.  once wiped, from where can you reinstall High Sierra in similarly secure way?

Any updates? 

Thanks, will patiently stay tuned.

Been sucked into some other work that's a bit more important at the moment, unfortunately. Had hoped to get everything moved in time for 0.97. Don't think that's going to happen, but you never know.

Hi, any updates on doing a fully offline install on macOS?

Not really. That version of OpenSSL (0.9.8) won't make Python happy. So, no dice. :(

Hmm. Think i should give it a try on OS X Yosemite (10.10)?

Hey. I have some bad news. As things stand, this is tricky. The problem is that, starting with macOS 10.11, Apple stopped shipping OpenSSL header files. Python needs those files when being compiled. In addition, it looks like importing all the binaries onto the machine from brew or Macports isn't feasible. Your only real option would be to compile OpenSSL on the Mac, mod the Armory build script to allow Python to link against that version of OpenSSL, and place the other components to be compiled in special locations where the build script can find them. It's doable (one change in the script), just painful, and you'd be on your own if something went wrong.

The good news (IMO) is that the build system will change soon in order to rely on pre-built binaries. You'd have to get the machine online for brew to work (no way around that, unfortunately) but the situation's basically the same for Linux and Windows, just with a different binary repo. Once you have binaries you trust, you can either copy Armory binaries over or compile your own on the offline machine via the Xcode command line tools.

Haha! I think the Airport card is wifi + bluetooth. I'll take my chances with sound and light-based attacks

Do you wanna be mega safe? Remove internal microphone too!
I've read that there was a worm which was spreading via... sounds or ultrasounds, either way, high pitch sounds. Go figure it out!
Also, maybe check your hdd/ssd controller memory.

Do I need to mention Bluetooth, IR?

No luck

I'll play around tonight and see if I can get some sort of offline homebrew build working.

Definitely need a long-term fix for this though, as I think one of Armory's most powerful use cases is air-gapped cold storage.

Damn. Was hoping you wouldn't encounter that. It's looking for the version of OpenSSL that brew installs. The easiest stopgap fix is to see if there's some way that you can do an offline install of a "brewed" OpenSSL. Google should turn something up. (I have something to do and won't be back for awhile.) Or, as an alternative, you might be able to cheat if macOS 10.13 (and only 10.13) has the headers that Python requires when being compiled. I'd have to edit the build script and play with that. The only thing is that goatpig couldn't distribute the binary, as people not using 10.13 could be hosed. I can also look into workarounds for that.

No luck. Getting this error on a fresh install of High Sierra with 0.96.4 RC2.



I removed the Airport card to make sure wifi is off

Ok thanks. Will report back tomorrow. Currently prepping the High Sierra usb drive.

If that doesn't work, hoping you can help walk me through the steps so that I can publish a user-friendly guide for setting up the offline Mac

Hi. Thanks for the feedback. Let me know what happens. I think you'll be fine with RC2, especially if you're using it for offline stuff. In fact, RC2 fixes at least one Mac-specific bug (albeit a small one) that would affect offline machines. It also fixes some multisig stuff in case that's of interest to you. I recommend giving it a spin.

Also, I apologize if I was a little unclear. If RC2 won't run on your airgapped Mac, you'll need Xcode and multiple packages to compile on the Mac. It takes me ~20 min. but it might take you longer. Also, the build process will change soon-ish (late January???) and be much smoother, although you'll have to install some more binaries on the offline Mac at that point.

Ahhh! It all makes sense. I'll get a usb drive set up with High Sierra and give it a try tomorrow. I'm a bit concerned running 0.96.4 RC2 though, since it's still in RC. Don't want to move any significant amount of Bitcoin to it. Would feel much more comfortable on 0.96.3. Could I maybe create an alias to the default OpenSSL installation? I can track down where it's located in High Sierra.

I think the patch may be a good idea. Installing Xcode command line tools is no problem, as Apple provides dmg downloads on their dev site. My only concern is the security – can I trust a patch?

Reason I am using MacOS is I have an old MacBook (2010) sitting around. And also, it's super easy to use. For the site I am putting together (https://www.hodl.co), I want to provide nontechnical users with an easy setup guide. If it's something more technical than installing a couple software packages, then I would not feel comfortable publishing. If it requires opening terminal at all, I think it would be a problem. So ideally the users would just download a few files onto a usb drive (Armory, Xcode command line tools) and bring it over to their air-gapped Mac to install.

I'll report back on 0.96.4 RC2 tomorrow. Thanks for the quick reply.

Hi. I think I know why you got the impression that El Capitan and earlier could handle things. The way I wrote the macOS README that I think you read, it states that Sierra can't satisfy the requirement for OpenSSL. While true, I can see how this could confuse people. AFAIK, all versions of macOS that Armory supports (10.8 and beyond, although I'm lightly pushing to drop 10.8 sooner rather than later) require OpenSSL 1.0.0 or higher to be installed due to what the Python binary requires. This change is now reflected in updated documentation that you can see here.

Regarding how to create an airgapped build, this is a little tricky but there may be a solution. If you run 10.13, Apple has finally updated the pre-installed OpenSSL to a sane version (1.0.2l). The Armory binary may expect OpenSSL to be in a location where it isn't. Try running the latest Armory (0.96.4 RC2) on your airgapped machine (and verify the binary if you're really paranoid). If it crashes and complains about OpenSSL, we'll have to go to Plan B.

I could probably whip up a patch pretty quickly that bypasses the download process for all the files needed by the build script. No guarantees - I haven't tried compiling Python against Apple's pre-installed OpenSSL in ages, and you'll still need to get an Xcode binary to install on the airgapped machine - but it would basically solve the airgap issue once you download all the required files (and verify them against the SHA-1 hashes in the build script if you're sufficiently paranoid) onto the offline machine.

Thoughts? I think I'll proceed with the patch anyway. I just want to know what makes you comfortable. Honestly, I think getting a cheap laptop (or even a Raspberry Pi 3) would be an easier solution for offline machines, but I'm happy to help if I can.

Hi all, am currently trying to work through a setup on 2 Macs – 1 online + 1 air-gapped. I have the online setup on an iMac running High Sierra. Had to install OpenSSL from Homebrew, but was able to successfully get set up and running with Bitcoin core full node. All good to go.

Having a lot of trouble on my air-gapped MacBook though. First tried to install High Sierra, and realized I would have to install OpenSSL. So rather than figuring that out, I just decided to install El Capitan, since the readme noted that the OpenSSL installation was only required on Sierra or High Sierra. But then I got the same error at startup on El Capitan, looking for my OpenSSL installation...

Is there any version of MacOS (or well, OS X) where I am able to install just Armory, and no other software? Or is there an easy way to get these dependencies installed without having to connect to the internet?

Back in 2013-2014 I used Armory with this same kind of setup, and I never had to install any dependencies. I remember getting setup with the offline version was very easy. I am currently putting together a website to help users get set up with true cold storage, and I am hoping to feature Armory – but if I am having enough trouble getting set up on my air-gapped computer, then I am sure many others will as well.

Thanks so much! Hoping for some guidance. Maybe the quick answer is to just figure out how to properly install OpenSSL without Homebrew, but I tried a few methods to no avail.