Clear Recent Documents List on OS X

TL;DR: 
Remove the relevant .sfl file located under the following directory:
~/Library/Application Support/com.apple.sharedfilelist/com.apple.LSSharedFileList.ApplicationRecentDocuments/

- * -

It's Halloween! Time for scary stuff. As the tech admin of the house, my job tonight was to make sure a series of old scary movie classics, think of Poltergeist , can be streamed to TV.

I decided to clear the existing list of QuickTime Player's Recently Opened Files and pre-populate the list with the scary movies. This can be done from GUI:

QuickTime Player > File > Open Recent > Clear Menu

Nothing is wrong with that, but I wondered how I would do that from Command Line. Interestingly, I could not locate a setting in a .plist. If you Google, you will find suggestions similar to below, but on El Capitan (10.11), these settings did not exist

adil-imac-1:~ adil$ defaults read com.apple.QuickTimePlayerX.LSSharedFileList RecentDocuments

2015-10-31 23:35:21.932 defaults[12222:1913397] 

The domain/default pair of (/Users/adil/Library/Preferences/com.apple.QuickTimePlayerX.LSSharedFileList, RecentDocuments) does not exist

So, to find which file I needed to look at, I decided to use good old, 'find' command. The technique is well known:

• First create a temporary file
• Then take action (launch a movie) to cause a file change, as new movie is added to the recent items
• Lastly do a find for all files newer than the temporary file we created

touch /private/var/tmp/now

sudo find / -newer /private/var/tmp/now

This, usually works, but file list could be larger. In my test, it returned 120 files in that short time frame.

No Birthday Reminders for People You Don't Know

I made it a habit to add my Google account to "Internet Accounts" in OS X, which also enables me to see calendar events on the notification window when I am on my Mac. Problem is that I get bombarded with birthday reminders for people I do not personally know.

My first shorthand solution was to uncheck "Calendar" from Google Account in the OS X Calendar application.

That solves the problem on Mac, but I am 'still' a Chrome user and see these alerts on Chrome too.

There is a long article on Techcrunch from early 2015 complaining about this issue, but a note at the end that Google was working on a solution. No update after that, but I think Google has fixed it now, and you can stop these alerts at the source :

• Go to google.com/calendar, you should see Birthdays under Calendars
  
• Under My calendars, click on dropdown box to the right of Birthdays and select "Calendar Settings" or "Edit Notifications"
  
  
  
• Select "Contacts only" option next to "Show birthdays from"
  
  

• Hit "Save" at the bottom

Enjoy!

Chrome Remote Desktop Eating Up Free Space

Last night, I noticed my iMac was a bit unhappy as it had run out of (250GB) SSD space. I recalled that the night before I had installed Google Drive and left it synchronizing and also had not yet moved the new Photos app to larger secondary drive, which was importing more and more photos in the last few days. By default Photos app installs at ~/Pictures. So they were both eating up precious SSD space.

To  move the Google Drive to secondary drive:

• exited the app, 
• moved the ~/Google Drive/ folder to second drive, 
• restarted the app
• Disconnected and reconnected the account choosing the new location where I moved the directory

To move the new Photos App to the secondary drive:

• exited the app
• moved the ~/Pictures/Photos.Library.photoslibrary to secondary drive, next to my iPhoto Library
• Restarted the app
• It detected the new location and prompted me to select the library.

April 22 was the earth day. So, today, I took my daughter to her school and together with her friends and their parents we cleaned up the school playground. 

I came back home and checked the Disk Utility to see if my clean up from yesterday had tidied things up enough. To my surprise, there was still a ton of space consumed by "something".

I launched my favorite tool "Disk Inventory X" which quickly detected that I had a 150Gig log file: 

/var/log/org.chromium.chromoting.log.0

Looking at the folder, it seemed that the log file was roller over, but the old log file somehow kept going and consumed the whole disk. This file is created by Google's awesome "Chrome Remote Desktop" extension which I really like to use. 

Unfortunately, there is currently an open issue for this case: 452121. It's not clear when this bug was introduced but it has been there for the last few versions of chrome (38..42) and some people have seen it eating up to a TeraByte of space, unless "remoting_me2me_host" process is killed and restarted with: 

killall -HUP remoting_me2me_host

Well, thanks Google for giving a reason to clean up ;)

Automount NAS share on Mac

NAS

It's been several years since I was sold on using a NAS to solve the data sharing problems at home. QNAP TS-439 Pro was my choice. Frequent firmware updates kept it up to date and relevant. When something becomes popular, say Google Drive, you get a firmware update that integrates it to NAS. One firmware for all versions of QNAP, new and old. So, your old hardware does not become irrelevant in a year or two.

SMB Versions / Issues

Traditionally AFP (Apple Filing Protocol) was the protocol preferred on Macs for network access. Of course, Windows used SMB (Server Message Block) protocol of Microsoft. Currently Windows 8.1 uses SMB v3. With Maverick (v10.9) release, Apple backed away from their own AFP protocol in support of SMB v2, and that was a problematic release to say the least. With 10.10 Yosemite Mac OS X supports v3 as the default sharing protocol.

QNAP, unfortunately, does not support SMB 3.0. With the release of firmware 4.1.0 Build 0605, QNAP changed samba default protocol to SMB 2.0

SMB Nightmare
After upgrading my Macs to 10.10, I started connecting to my QNAP via SMB 2.0, and problems started. The biggest issue was that whenever I wanted to copy a bunch of files to NAS, it would start copying, and after the first one or two, I would get an error that read:

"Operation cannot be completed because file is in use",

and copy would fail.

I could workaround the problem by going to terminal and use 'scp' to transfer files to NAS, but it was not that convenient.

Many people complained about this problem on Apple forums. None of the solutions offered helped in my case, so I went back to AFP, and that problem disappeared. I still see other issues when, for example, editing a word document: Word somehow cannot save the file the first time, then lock is released and file is saved. That's more of an Microsoft office problem, rather than AFP/SMB though.

Automounting NAS

One problem that annoyed me was that even with AFP, I had to connect to my NAS over and over. It was not as bad as SMB which kept on prompting me, but it was still an hassle, especially on my Macbook, which is not always near my wifi to connect to home NAS.

Over the weekend, I took another look at Apple's Autofs: Automatically Mounting Network Files Shares whitepaper  and implemented it for my macs.

The implementation is simple. Apple now has /etc/auto_master file, which can lookup other files for indirect mounting information and automatically carry out the mount instructions.

adil-imac-1:~ adil$ ls /etc/auto*

-rw-r--r--  1 root  wheel   149 Sep 19 03:15 /etc/auto_home
-rw-r--r--  1 root  wheel   233 Mar  8 17:47 /etc/auto_master
-rw-------  1 root  wheel   203 Mar  8 21:32 /etc/auto_qnap
-rw-r--r--  1 root  wheel  1935 Sep 19 03:15 /etc/autofs.conf

Now let's take a look at auto_master, notice the last line I added

adil-imac-1:~ adil$ cat /etc/auto_master
# Automounter master map
#

+auto_master  # Use directory service
/net   -hosts  -nobrowse,hidefromfinder,nosuid
/home   auto_home -nobrowse,hidefromfinder
/Network/Servers -fstab
/-   -static
/-   auto_qnap

And here is what /etc/auto_qnap look like:

adil-imac-1:~ adil$ sudo cat /etc/auto_qnap

/opt/mnt/myshare -fstype=afp afp://MyUser:MyPassword@MyServerIP/MyShare
/opt/mnt/public  -fstype=afp afp://192.168.1.5/Public

My initial thought was that I would use /Volumes to mount the folders, but that's really a folder Mac uses for dynamically mounting everything and auto-unmounts them. It's more like a temp directory. So I decided to use a folder more common in linux distributions /opt/mnt, which did not exist on my system of course, so I created it:

sudo mkdir -p /opt/mnt

then I created the auto_qnap file and changed its permissions to be read/writeable by root only, as it might need to contain password to connect to certain network shares.

sudo touch /etc/auto_qnap
sudo chmod 600 /etc/auto_qnap

The format for AFP and SMB are similar:

/Local/Mount/Folder   -fstype=afp    afp://MyUser:MyPassword@MyServerIP/MyShare
/Local/Mount/Folder   -fstype=smb    ://MyUser:MyPassword@MyServerIP/MyShare

I used IP address as it is static, but you could use FQDN of your Network Server. Once this is all done, you can run the following command to clear the cache and verbosely execute the mount command:

sudo automount -vc

I then created a symlink to the new mount points and put them in the Finder Sidebar:

ln -s ~/Pictures/PicsOnNAS /opt/mnt/public/pictures

Using this setup, I could now tell Flickr Uploader Mac Client to watch ~/Pictures/PicsOnNAS folder, and automatically upload pictures when I add a new ones there.

There you have it. It's not as easy as it is for Windows which automatically detects connection state of the mapped network drives, but close enough. Enjoy!

Fixing Home and End buttons in Mac Terminal

I hate it when Terminal in my mac scrolls up when I hit 'Home' key, or all the way to the bottom, when I hit 'End' key. As most would do, I expect 'Home' key to take me to the beginning of the line, and 'End' to the end of it.

I can of course use 'control+a' and 'control+e' to do that, but it's tough to beat muscle memory.

There is a Stack Exchange 'Ask Different' entry for this, but the keys mentioned there for terminal were not working for me: https://apple.stackexchange.com/questions/16135/remap-home-and-end-to-beginning-and-end-of-line

What seems to work for me is:
* \033[H -> Home
* \033[F -> End

These can be set from Terminal > Preferences > Keyboard as shown in the screenshot. Enjoy!

How to move iPhoto Library to a different drive

I wanted to move my iPhoto Library from my SSD disk to secondary SATA disk on my iMac.
It's pretty easy to do:

• Create a folder in the target drive
• Hold down Command button and move the "~/Pictures/iPhoto Library.photolibrary" directory to the target drive 
• Double click on the "iPhoto Library.photolibrary" directory to launch iPhoto. 

That's it! It remembers the directory next time you launch it.

In the screenshot above, you can see the iPhoto Library directory at the bottom, and the target directory (/Data/pictures) on the secondary (SEAGATE) drive at the back right while library is being moved.

Note: My iPhoto version is 9.6. Also found this KB article from Apple describing the same process, so this seems to work for other versions as well: http://support.apple.com/en-us/HT1229

Using Mac as the primary machine and fixing Synergy

I had this zen moment the other day, and realized that there is very little reason that's keeping me from using a Mac as my primary machine right now. Although I had my mac up on the second monitor, I realized that I was using it less, as it was not connected to my primary screen.

So, I swapped my Mac and PC. Now, my mac is connected solely to the primary screen in front of me (Samsung SyncMaster 245BW at 1980x1200) with a displayPort to DVI adapter. Unfortunately, that meant that my PC had to be connected using a VGA as that was the only other input. 

My PC is also connected to the 20" ViewSonic VP2030b (1600x1200) on my right via DVI.  I have dual ATI Radeon HD 5700 in CrossFire setup (4xDVI out), so I would like to get a monitor that supports dual DVI input but there does not seem to be many options out there that I like. In fact, I like Dell UltraSharp U2412 the most at this point but still trying to decide.

Anyway,  I did not want to use multiple keyboards and mouses anymore, so I wanted to try the latest version of Synergy (v1.4.9 as of this writing). I used Synergy at work on 10.7 for some time but quickly had to give up on it when I upgraded one of my Macs to 10.8. 

I set it up so that My Windows 7 x64 would be the 'server' and Mac OS X 10.8 Mountain Lion as the 'client'. Setting it up is not really difficult, there is a single synergy.conf file that has to be common to both client and server (see mine below). 

The biggest trouble was that back and forward buttons of my mouse stopped working on Mac side. That was really annoying when browsing web sites and after some google'ing I found out that this was an issue that has been experienced by several others.

Some posts in that google code link put me into the right direction and after some trial and error, I figured out that using 'Windows + [' key was like hitting back button key, and 'Windows + ]' key was acting as forward key.

I solved the problem by mapping mousebutton(4) to keystroke(Meta+BracketL) and mouse(button5) to keystroke(Meta+BracketR). The whole config file is shown below:

section: screens

        AHPC:

                halfDuplexCapsLock = false

                halfDuplexNumLock = false

                halfDuplexScrollLock = false

                xtestIsXineramaUnaware = false

                switchCorners = none

                switchCornerSize = 0

        AHMac:

                halfDuplexCapsLock = false

                halfDuplexNumLock = false

                halfDuplexScrollLock = false

                xtestIsXineramaUnaware = false

                switchCorners = none

                switchCornerSize = 0

end

section: aliases

end

section: links

        AHPC:

                right = AHMac

        AHMac:

                left = AHPC

end

section: options

        mousebutton(4)=keystroke(Meta+BracketL)

        mousebutton(5)=keystroke(Meta+BracketR)

        relativeMouseMoves = false

        screenSaverSync = false

        win32KeepForeground = true

        switchCorners = none

        switchCornerSize = 0

end

Fraudulent Certificates...Again

If you did not hear about the latest saga of "rogue certificates" out there because of a Dutch company called DigiNotar by now, well, you are not paying attention to the security news :)

Certificate Authorities are backbone of Trust system we use for "secure" online access. To see that "lock" icon in the browser when we visit a site with an SSL certificate, and even a green bar if the site has an Extended Validation SSL (EV SSL), may give us a sense of security, which unfortunately proving to be a "false sense of security" these days.

There are plenty of articles out there on what happened (even a Wiki), how it happened, who got involved and what Microsoft, Google, Mozilla, etc are doing to contain damage, even a Wiki about it but also what you should be aware of. Here is one from Windows Secrets that explains it in laymen terms. I personally liked the detailed account from Firefox folks.

If you are reading this blog, you are probably interested in an easier way to find whether you have a cert or not and PowerShell can come to the rescue:

PS C:\Users\Adil> gci certificate::LocalMachine\Root |?{$_.subject -match "DigiNotar"}

I do not have it on my machine, so I won't go further but you if you search only "Digi", you will see some results:

PS C:\Users\Adil> gci certificate::LocalMachine\Root |?{$_.subject -match "Digi"}

    Directory: Microsoft.PowerShell.Security\Certificate::LocalMachine\Root

Thumbprint                                Subject

----------                                -------

5557C0953FBD9F93745B214FB2483E9369B597F0  CN=DT Soft Ltd, OU=Digital ID Class 3 - Microsoft S
5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25  CN=DigiCert High Assurance EV Root CA, OU=www.digic
3E2BF7F2031B96F38CE6C4D8A85D3E2D58476A0F  CN=StartCom Certification Authority, OU=Secure Digi
0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43  CN=DigiCert Assured ID Root CA, OU=www.digicert.com

Unfortunately, Safari / OS X does not have a mechanism to detect Revoke Lists (RL) but Apple should be releasing an update soon to fix the chain. In the mean time you can open up 'Keychain Access' tool and remove the DigiNotarRoot Certificate from GUI but where is the fun in that?

If you double click the certificate, you get detailed information as shown below.

And what if you had to do this on multiple Macs in an enterprise environment? You would want to use command line to do it. The command for all certificate related work is named 'security'.

You can dump a pretty list of all Root CAs in OS X using 'dump-keychain' parameter of 'security' command, which, as we mentioned above, is used to manipulate Keychains from command line.

If we only wanted to display the Friendly names of certificates, which would be equivalent of what we see in 'Keychain Access' GUI, we can filter by 'labl'

adil$ security dump-keychain "/System/Library/Keychains/SystemRootCertificates.keychain" |grep labl


    "labl"<blob>="Prefectural Association For JPKI"
    "labl"<blob>="Entrust.net Certification Authority (2048)"
    "labl"<blob>="A-Trust-Qual-01"
    "labl"<blob>="A-Trust-Qual-02"
    "labl"<blob>="A-Trust-nQual-01"
    "labl"<blob>="A-Trust-nQual-03"
    "labl"<blob>="AOL Time Warner Root Certification Authority 1"
    "labl"<blob>="AOL Time Warner Root Certification Authority 2"
...

We can filter the results that start with 'D' and while at it, beautify it by getting rid of '=' and everything before it:

adil$ security dump-keychain "/System/Library/Keychains/SystemRootCertificates.keychain" |grep labl |awk -F '=' '{print $2}' |grep ^\"D

"DST Root CA X4"
"Deutsche Telekom Root CA 2"
"DigiCert Assured ID Root CA"
"DigiCert Global Root CA"
"DigiCert High Assurance EV Root CA"
"DigiNotar Root CA"
"DoD CLASS 3 Root CA"
"DoD Root CA 2"
"DST Root CA X3"
"DST ACES CA X6"

We can use also use find-certificate parameter to find the certificate and print all info. (-a for all keychains, not actually necessary here as we know this is a Root Certificate but good to be safe. If you happen to know the e-mail you could also use -e parameter)

adil$ security find-certificate -a -c "DigiNotar"/System/Library/Keychains/SystemRootCertificates.keychain
keychain: "/System/Library/Keychains/SystemRootCertificates.keychain"
class: 0x80001000
attributes:
    "alis"<blob>="info@diginotar.nl"
    "cenc"<uint32>=0x00000003
    "ctyp"<uint32>=0x00000001
    "hpky"<blob>=0x8868BFE08E35C43B386B62F7283B8481C80CD74D  "\210h\277\340\2165\304;8kb\367(;\204\201\310\014\327M"
    "issu"<blob>=0x305F310B3009060355040613024E4C31123010060355040A1309444947494E4F544152311A301806035504031311444947494E4F54415220524F4F542043413120301E06092A864886F70D0109011611696E666F40646967696E6F7461722E6E6C  "0_1\0130\011\006\003U\004\006\023\002NL1\0220\020\006\003U\004\012\023\011DIGINOTAR1\0320\030\006\003U\004\003\023\021DIGINOTAR ROOT CA1 0\036\006\011*\206H\206\367\015\001\011\001\026\021info@diginotar.nl"
    "labl"<blob>="DigiNotar Root CA"
    "skid"<blob>=0x8868BFE08E35C43B386B62F7283B8481C80CD74D  "\210h\277\340\2165\304;8kb\367(;\204\201\310\014\327M"
    "snbr"<blob>=0x0C76DA9C910C4E2C9EFE15D058933C4C  "\014v\332\234\221\014N,\236\376\025\320X\223<L"
    "subj"<blob>=0x305F310B3009060355040613024E4C31123010060355040A1309444947494E4F544152311A301806035504031311444947494E4F54415220524F4F542043413120301E06092A864886F70D0109011611696E666F40646967696E6F7461722E6E6C  "0_1\0130\011\006\003U\004\006\023\002NL1\0220\020\006\003U\004\012\023\011DIGINOTAR1\0320\030\006\003U\004\003\023\021DIGINOTAR ROOT CA1 0\036\006\011*\206H\206\367\015\001\011\001\026\021info@diginotar.nl"

Well, enough playing. To delete the certificate, we will use 'delete-certificate' command. We have two choices:
1) Use -c parameter which is using 'common name'
2) Use SHA-1 fingerprint (safer).

Let's do both.

1) We need to use common name. This is the name you see in the GUI and we seem to get it from 'labl' line above. Command becomes

adil$ sudo security delete-certificate -c "DigiNotar Root CA" /System/Library/Keychains/SystemRootCertificates.keychain

2) As mentioned above, using SHA-1 fingerprint is less error-prone than relying on common names. To do that, we have to first locate the fingerprint. Noticed that it was not showing above when we displayed the certificate?

OK, so how do we get the fingerprint? Simple: we add -Z to the 'find-certificate' command which returns SHA-1 in the first line and then prints what we have seen above. So we will simply 'grep' the fingerprint:

adil$ security find-certificate -a -c "DigiNotar" -Z /System/Library/Keychains/SystemRootCertificates.keychain |grep SHA-1

SHA-1 hash: C060ED44CBD881BD0EF86C0BA287DDCF8167478C

And now we can get rid of the certificate:

adil$ sudo security delete-certificate -Z  C060ED44CBD881BD0EF86C0BA287DDCF8167478C /System/Library/Keychains/SystemRootCertificates.keychain

Well that's all. Now, all you would need is to put these two lines in a shell script (find fingerprint if certificate exists & delete it), then run it against all your Macs.

Note that in general Safari and Chrome honor system-wide certificates, however, some versions of Firefox is not using the Keychain to store/retrieve certificates. It has its own database and you might need to manipulate that as well. Also note that browsers have their own list of trusted CAs so updating Chrome and Firefox would solve the problem as of today.

Update: There are several articles about why revoking this certificate may not be enough because of the way EV SSL treated in Safari. If you delete the certificate, this should not be a concern. However, there seems to be additional certificates that needs to be revoked to be safer.

In any case, I visited DigiNotar web site on Safari and found a page with "Order" button that takes you to another page with SSL. As soon as I clicked the "Order" link, Safari warned me that the certificate on the site was invalid (expired).

As far as I can tell chain goes like this:
DigiNotar Root CA -> DigiNotar Services 1024 CA -> *.diginotar.nl

So this seems to be good sign. I tried some other sites but I am yet to find a site that was issued and SSL from the the Root CA I deleted.

Update2: I saw https://www.maestre.com mentioned as a test site here.  This is what I got on Safari:

It's good that I am getting a notification. Unfortunately, it is not because DigiNotar Root CA is missing from my Root keychain but because certificate has expired.

Update3: Apple today released a security patch to put the issue at rest. In their terms, here is what they did:
Description: Fraudulent certificates were issued by multiple certificate authorities operated by DigiNotar. This issue is addressed by removing DigiNotar from the list of trusted root certificates, from the list of Extended Validation (EV) certificate authorities, and by configuring default system trust settings so that DigiNotar's certificates, including those issued by other authorities, are not trusted.

Of course, they would not tell exactly what they did.  I had a pretty good idea which file they were talking about. Let's look at the last one "configuring default system trust settings":

adil$ pwd
/System/Library/Keychains

adil$ ls -l
total 1048
-rw-r--r--  1 root  wheel    5353 Sep  9 17:53 EVRoots.plist
-rw-r--r--  1 root  wheel  167848 Jul  9 23:39 SystemCACertificates.keychain
-rw-r--r--  1 root  wheel  395312 Sep  9 17:53 SystemRootCertificates.keychain
-rw-r--r--  1 root  wheel   86380 Sep  9 17:53 SystemTrustSettings.plist
-rw-r--r--  1 root  wheel  282984 Jul 28  2008 X509Anchors

So backed up these files before applying the patch and ran a diff. First let's look at a record in the last one.

The bottom is the original, and above you see the updated file. Basically they updated the date and added a new array with a dictionary which set kSecTrustSettingsResult to 3.

Notice that I am looking at the Key that starts with C060E... which is the SHA-1 fingerprint we got above.

Also notice that IssuerName, we know that's DigiNotar. As noted in some of the links above, there were several certs by DigiNotar published by others. I can tell from the diff which are the ones that were affected but I cannot tell a way of figuring them out only by looking at the original as Issuer Names would be different and don't have a list of chains where DigiNotar exists.