macOS VM doesn't reliably disable System Integrity Protection (SIP)

#1

Issue Description

For a few days, our macOS VMs have been spontaneously switching between having System Integrity Protection (SIP) enabled and disabled. Our build process relies on having SIP turned off, so the build often fails. We can’t identify a pattern here, but it’s failing more than it succeeds, and rebuilding a couple of times solves the issue most of the time.

Environment:

Where did the issue happen?

We’re using a macOS VM with an Xcode 11.3.x on macOS 10.14.6 (Mojave) Stack triggered by Bitbucket via a pull request.

Which build Step causes the issue and which version of the step?

The issue happens in a bash Script step (v1.1.5) when we attempt to write into a SIP-protected directory (~/Library/Containers/com.apple.mail/…).

Reproducibility

Most of the time when we trigger Bitrise using a pull request, the build fails. Manually rebuilding a couple times finally makes the build succeed. The issue seems to have started a few days ago.

We can verify that the unintentionally enabled Security Integrity Protection is the cause of this error because we’re echoing csrutil status in the script step before we make the failing call and the result is often: System Integrity Protection status: enabled.

Affected Build URL

0 Likes
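The check described in the post above (echoing csrutil status before the failing call) can be turned into a preflight guard that stops the step with its own exit code, so a VM that came up with SIP enabled is not mistaken for a build error. This is an added example, not part of the original thread or Bitrise's own tooling; the file name sip_preflight.sh, the --check argument and the exit codes 75 and 76 are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example: preflight guard for a script step that needs SIP disabled.
# The file name, the --check argument and exit codes 75/76 are assumptions.

# Read `csrutil status` output on stdin and print: disabled | enabled | unknown.
sip_state() {
  local line state
  # Only the status line is considered; `|| true` keeps `set -e` callers alive
  # when the line is missing.
  line=$(grep -m1 '^System Integrity Protection status:' || true)
  state=${line#*status: }
  case "$state" in
    # Accept the bare word with or without a trailing period. Anything else
    # (extra qualifiers, empty output) is reported as unknown, not guessed.
    disabled|disabled.) echo disabled ;;
    enabled|enabled.)   echo enabled ;;
    *)                  echo unknown ;;
  esac
}

# Return 0 only when SIP is reported disabled. Otherwise print the reason to
# stderr and return a distinct code for the CI log.
require_sip_disabled() {
  local state
  state=$(sip_state)
  case "$state" in
    disabled) return 0 ;;
    enabled)
      echo "preflight: SIP is enabled on this VM; SIP-protected paths are not writable" >&2
      return 75 ;;
    *)
      echo "preflight: could not determine SIP state from csrutil output" >&2
      return 76 ;;
  esac
}

# In the script step, before the first write into the protected directory:
#   ./sip_preflight.sh --check
if [ "${1:-}" = "--check" ]; then
  csrutil status | require_sip_disabled || exit $?
fi
```
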

#2

Hi @tobi!

Sorry to hear about the issue, and sorry for the delay. We are taking a look and will get back to you ASAP.

0 Likes

#3

Hi @tobi,

Thank you for your patience.

I have great news! This is being worked on and should be rolled out over the weekend.

I will update you on Monday to confirm this has happened.

Kind regards,
Luna

0 Likes

#4

Thank you very much for the updates, @non-binary and @bitce. I appreciate it!

0 Likes

#5

Unfortunately, as of today, we’re still experiencing that same issue. We haven’t changed the stack.

0 Likes