Suggestion: Use Rosetta to create older ISOs on Apple Silicon

[madsmtm]

It would be really helpful if creating ISOs for older macOS systems was possible on Apple Silicon Macs.

I've had a little luck with running Mist itself in Rosetta, but unfortunately it seemed to not work consistently - maybe because the helper program was not running in Rosetta?

It seems like the way to do it would be to slap arch -arch x86_64 in front of a few commands that require it, but I'm unsure if that's enough?

ℹ️ Additional context

• This could also be implemented in mist-cli? ✅

[ninxsoft]

@madsmtm hoping to get some clarification - does creating ISOs for older versions of macOS fail when running on Apple Silicon, or do they build successfully and you have issues with the ISOs that are built (eg. booting from them)?

I am running an Apple Silicon Mac + have Rosetta installed, and do not seem to have any issues building ISOs for older versions of macOS.

[madsmtm]

I think some of them failed to build, and some of them failed to boot - I'll try to check, hold on.

In any case, if it's a supported use-case, then it could maybe be added to the README?

[madsmtm]

Creating an ISO for OS X 10.12 to macOS 10.15 fails in the Create macOS Installer in temporary Disk Image ISO step with:

Invalid Termination Status: 9

For OS X 10.10 to OS X 10.11 I had errors booting (I think I hit this), but that is likely just an issue with my setup (I'm trying to use the ISOs in the emulator UTM, with this configuration).

I could get all the other steps (Application, Disk Image and Package) to succeed.

[madsmtm]

I should say, I'm using Mist 0.9.1 and macOS Ventura 13.5.1 (22G90)

[ninxsoft]

Apologies, I think I need further clarification - can I confirm how you are creating 10.10 - 10.15 ISOs in Mist on Apple Silicon?

ISOs are unavailable for building macOS Catalina 10.15 and older on Apple Silicon Macs.

Just to be clear, Mist.app is a universal app

[F1248]

Apologies, I think I need further clarification - can I confirm how you are creating 10.10 - 10.15 ISOs in Mist on Apple Silicon?

@ninxsoft, I think @madsmtm created the ISOs after checking "Open using Rosetta" at Mist.app in Finder → "Get Info".

[ninxsoft]

I stumbled across this forum post:

https://forums.macrumors.com/threads/you-cant-use-an-m1-mac-to-create-bootable-pre-bigsur-macos-installers.2283560/page-2?post=31104893#post-31104893

It appears that replacing the existing code signing with an ad-hoc signature for all files within the app bundles allows the createinstallmedia command to complete without error.

I was able test this and create ISOs for OS X Yosemite 10.10 all the way to macOS Catalina 10.15. I was also able to create bootable installers for the same OS versions, as they leverage the same createinstallmedia binary.

That being said, I have not tested these ISOs / bootable USBs. I suspect the changing of certificates may cause issues - testing that these actually boot and macOS installs correctly is next on my list 👍

[ninxsoft]

After countless hours spent testing various VMs, here are my findings:

Operating System	Outcome	Details
OS X Yosemite 10.10.5	❌	Unable to boot ISO successfully. Only way to successfully create VM is via app installer.
OS X El Capitan 10.11.6	❌	Unable to boot ISO successfully. Only way to successfully create VM is via app installer.
macOS Sierra 10.12.6	✅	Successful boot and installation of macOS. Required adhoc codesign on createinstallmedia:
macOS High Sierra 10.13.6	✅	Successful boot and installation of macOS. Required adhoc codesign on createinstallmedia:
macOS Mojave 10.14.6	✅	Successful boot and installation of macOS. Required adhoc codesign on createinstallmedia:
macOS Catalina 10.15.7	❌	Unable to boot ISO successfully. Only way to successfully create VM is via app installer.

Unfortunately, since it's a 50% success ratio at best for these legacy ISOs, and there is already a proven path to create VMs via the app installers, I am making the call to abandon attempting to add support for creating legacy ISOs on Apple Silicon.

If anybody is able to provide concrete steps to make the "broken" ISOs build correctly on Apple Silicon, I will be more than happy to re-visit this issue. Until then, I will go ahead and close this issue + related PR #106 👍

[madsmtm]

Totally fair, and thank you for all the time you've put into this!

a proven path to create VMs via the app installers

Hmm, I'm not sure what you mean here, could you describe (or link to a place describing) this?

[ninxsoft]

For the older versions of OS X, in my testing, both VMware Fusion and Parallels Desktop accept the installer .app bundle to create a bootable installer - I believe what they are doing under the hood is writing the app installer to a read/write disk, which is mounted as a hard drive (and not an ISO).

I have been able to successfully create VMs by simply dragging + dropping / importing the app installer to create these legacy macOS VMs 👍

[PicoMitchell]

I was just able to run Catalina createinstallmedia from Apple Silicon! I simply had to code sign EVERY executable within the app with the ad-hoc signature rather than just the createinstallmedia binary! (I'm assuming that maybe the issue is that createinstallmedia calls something in the PlugIns bundles and/or Frameworks which causes a failure when those don't have a valid signature as well.)

UPDATE 1: I was able to successfully boot the Catalina USB (created on Apple Silicon) on an Intel Mac, but I'm seeing it hang at the "Preparing to run macOS installer..." phase when running startosinstall. Will continue investigating more and edit this comment with my findings.

UPDATE 2: Just found that codesign --remove-signature works as well to be able to run createinstallmedia on Apple Silicon rather than re-signing with ad-hoc signature. But, still getting hanging on actually running startosinstall (or the GUI installer) when booted into the Catalina USB.

UPDATE 3: FIGURED IT OUT! To be able to run createinstallmedia on Apple Silicon, the expired code signatures needs to be dealt with (by re-signing or removing), BUT when actually performing an installation in the booted USB installer, the installer app NEEDS to have Apple's signatures (even if they're expired). So, what I did was removed the expired code signatures to be able to run createinstallmedia to create the bootable USB, but once createinstallmedia was finished I DELETED the "Install macOS Catalina.app" within the bootable USB (which is a copy of the modified app with no signatures) and REPLACED it with ORIGINAL "Install macOS Catalina.app" which has the expired Apple code signature. And, I just performed a successful Catalina install on an Intel Mac with a bootable USB created on Apple Silicon this way!

UPDATE 4: I also just created High Sierra and Mojave USB installers on Apple Silicon using this technique (described above in UPDATE 3) and I can confirm that those also successfully started installs on an Intel Mac.

[PicoMitchell]

Here is the relevant part of my bash code for creating working bootable USB installers for Catalina (and older) on Apple Silicon:

echo "Updating Connected Installer at \"${this_os_installer_volume}\"..."

createinstallmedia_path="${installer_source_volume}/Install macOS ${this_installer_name_to_update}.app/Contents/Resources/createinstallmedia"

if [[ "$(sysctl -in hw.optional.arm64)" == '1' && "$(lipo -archs "${createinstallmedia_path}")" != *'arm64'* ]]; then
	# See "UPDATE 3" on https://github.com/ninxsoft/Mist/issues/85#issuecomment-2021342539
	if [[ ! -e "${TMPDIR}/Install macOS ${this_installer_name_to_update}.app" ]]; then
		echo "Copying \"Install macOS ${this_installer_name_to_update}.app\" to temporary location to be able to remove expired code signatures so \"createinstallmedia\" can run via Rosetta on Apple Silicon..."
		ditto "${installer_source_volume}/Install macOS ${this_installer_name_to_update}.app" "${TMPDIR}/Install macOS ${this_installer_name_to_update}.app"

		echo "Removing expired code signatures so \"createinstallmedia\" can run via Rosetta on Apple Silicon..."
		while IFS='' read -rd '' this_installer_app_path; do
			if codesign -d "${this_installer_app_path}" &> /dev/null; then # Remove expired signatures for ANYTHING that is currently signed (which could be executables or bundles/folders such as frameworks, etc).
				echo "Removing expired code signature: ${this_installer_app_path}"
				codesign --remove-signature "${this_installer_app_path}"
				# NOTE: Others found the replacing with an ad-hoc signature works (https://forums.macrumors.com/threads/you-cant-use-an-m1-mac-to-create-bootable-pre-bigsur-macos-installers.2283560/page-2?post=31104893#post-31104893),
				# but through testing I found that simply removing all the apps expired signatures is enough to get "createinstallmedia" to run on Apple Silicon and removing the signatures is FASTER than re-signing.
			fi
		done < <(find "${TMPDIR}/Install macOS ${this_installer_name_to_update}.app" -print0)
	fi

	createinstallmedia_path="${TMPDIR}/Install macOS ${this_installer_name_to_update}.app/Contents/Resources/createinstallmedia"

	"${createinstallmedia_path}" --volume "${this_os_installer_volume}" --nointeraction
	rm -rf "${TMPDIR}/Install macOS ${this_installer_name_to_update}.app"

	echo "Merging ORIGINAL \"Install macOS ${this_installer_name_to_update}.app\" with expired Apple code signatures into bootable USB \"${this_os_installer_volume}\" so that \"startosinstall\" works when booted into the USB..."
	# IMPORTANT: While removing (or replacing) the expired Apple code signature is required to be able to run "createinstallmedia" on Apple Silicon to make a bootable USB,
	# once you are booted into the USB installer, "startosinstall" or the GUI installer will HANG or FAIL when run without Apple's original code signatures (even though they are expired).
	# So, MERGE the installer app within the bootable USB installer with the ORIGINAL installer app with Apple's expired code signatures which allows the installation to work properly.
	# Using "rsync" to MERGE the contents ONLY copies over the signed executables and "_CodeSignature" folder contents without having to re-copy the large DMGs that were not modified,
	# which is faster than deleting the modified app in the installer USB and copying over the entire original installer app.
	rsync -avi "${installer_source_volume}/Install macOS ${this_installer_name_to_update}.app/" "${this_os_installer_volume}/Install macOS ${this_installer_name_to_update}.app" | grep '^>' # Use "grep" to only show lines where files were copied to destination.
else
	"${createinstallmedia_path}" --volume "${this_os_installer_volume}" --nointeraction
fi

This code is slightly modified as the original runs within a loop which runs through multiple installer versions and updates multiple connected USBs at once. Once I commit my latest code this actual updated code will be within: https://github.com/freegeek-pdx/macOS-Testing-and-Deployment-Scripts/blob/main/Build%20Tools/update-mac-drives.sh