APFS Bug in macOS 10.15.5 Catalina Impacts the Creation of Bootable Backups
An Apple File System bug has been discovered in macOS 10.15.5 Catalina that can prevent users from making a bootable clone of their system drive, according to the creator of Carbon Copy Cloner.
In a blog post on Wednesday, software developer Mike Bombich explained that the CCC team had uncovered the issue in the Apple File System, or APFS, when attempting to create a bootable backup in a beta version of macOS 10.15.5.
According to Bombich, the bug prevents CCC from using its own file copier to establish an initial bootable backup of a macOS Catalina System volume. In technical terms:
The chflags() system call can no longer set the SF_FIRMLINK flag on a folder on an APFS volume. Rather than fail with an error code that we would have detected, it fails silently – it exits with a success exit status, but silently fails to set the special flag. That's a bug in the APFS filesystem implementation of chflags – if a system call doesn't do what you ask it to do, it's supposed to return an error code, not success.
We don't need to set many of these flags, nor set them frequently – just on the first backup of the macOS system volume. It happens to be essential to the functionality of an APFS volume group, though, so the failure to set these flags means that new full-system backups created on 10.15.5 and later won't be bootable, and it will appear as if none of your data is on the destination (to be clear, though, all of the data is backed up). Kind of the opposite of what we're trying to do here. It's hard to find kind words to express my feelings towards Apple right now.
Suffice it to say, though, I'm extremely disappointed that Apple would introduce this kind of bug in a dot-release OS update. We've seen 5 major updates to Catalina now, we should expect to see higher quality than this from an operating system.
On a positive note, existing backups created in macOS 10.15.4 and earlier are unaffected. The bug has no effect on CCC's ability to preserve data, nor does it affect the integrity of the filesystems on a startup disk or a backup disk. In short, the impact of this bug is limited to the initial creation of a bootable backup.
Any CCC users who established their backup on a previous version of Catalina already have functional firmlinks on their bootable volume, and CCC will continue to update that volume just fine. Meanwhile, users wanting to create a new backup of a 10.15.5 volume to an empty disk should replace their copy of CCC with the CCC 5.1.18 beta, then follow these steps on launching the app:
- Click the X button in the Destination selector box to clear the destination selection.
- Click on the Destination selector and reselect the destination volume.
CCC will then guide users through the procedure of creating a bootable backup, or a Data-only backup instead. The new functionality uses Apple's Software Restore (ASR) utility and is documented here.
Bombich has notified Apple of the bug, but he ends his blog post by entertaining the possibility that it is a security fix to prevent third parties from creating firmlinks. If so, he argues, "this is far worse than a bug," since the system currently reports success when it should report a failure, not to mention that Apple's lack of documentation on the change is hostile to third-party developers who rely on documented functionality.
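Because the failure described above comes back as a success from chflags(), a caller can only catch it by reading the flags back after setting them. The C example below is added here as an illustration and is not code from CCC or Apple: it performs that read-back check and runs it against a constructed in-memory model of the behaviour. The `flag_ops` backend, the `sim_*` model and all function names are hypothetical, and the fallback `SF_FIRMLINK` value assumes the definition in the macOS 10.15 SDK header.

```c
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

#ifndef SF_FIRMLINK              /* provided by the macOS 10.15 <sys/stat.h> */
#define SF_FIRMLINK 0x00800000u  /* assumed same value, so the model builds elsewhere */
#endif

/* Backend pair: the real syscalls on macOS, or the constructed model below. */
typedef struct {
    int (*set_flags)(const char *path, unsigned int flags);
    int (*get_flags)(const char *path, unsigned int *flags);
} flag_ops;
enum flag_result { FLAG_OK, FLAG_SYSCALL_ERROR, FLAG_SILENTLY_DROPPED };
/* OR `want` into the path's flags, then read the flags back rather than
 * trusting the return value of the set call. */
enum flag_result set_flag_verified(const flag_ops *ops, const char *path, unsigned int want)
{
    unsigned int before = 0, after = 0;
    if (ops->get_flags(path, &before) != 0) return FLAG_SYSCALL_ERROR;
    if (ops->set_flags(path, before | want) != 0) return FLAG_SYSCALL_ERROR;
    if (ops->get_flags(path, &after) != 0) return FLAG_SYSCALL_ERROR;
    return (after & want) == want ? FLAG_OK : FLAG_SILENTLY_DROPPED;
}

#ifdef __APPLE__ /* real backend: chflags(2) sets, lstat(2) reads back */
static int real_set(const char *p, unsigned int f) { return chflags(p, f); }
static int real_get(const char *p, unsigned int *f) {
    struct stat st;
    if (lstat(p, &st) != 0) return -1;
    *f = st.st_flags; return 0;
}
const flag_ops real_ops = { real_set, real_get };
#endif

/* Constructed in-memory model of one folder's flags, not a real volume. */
static unsigned int sim_flags;
static int sim_get(const char *p, unsigned int *f) { (void)p; *f = sim_flags; return 0; }
static int sim_set(const char *p, unsigned int f) { (void)p; sim_flags = f; return 0; }
/* Models the reported behaviour: returns success but drops SF_FIRMLINK. */
static int sim_set_silent(const char *p, unsigned int f) { (void)p; sim_flags = f & ~SF_FIRMLINK; return 0; }
static int sim_set_error(const char *p, unsigned int f) { (void)p; (void)f; return -1; }
const flag_ops sim_honest = { sim_set, sim_get };
const flag_ops sim_silent = { sim_set_silent, sim_get };
const flag_ops sim_error = { sim_set_error, sim_get };
int main(void) {
    printf("silent drop detected: %d\n",
           set_flag_verified(&sim_silent, "/constructed/Users", SF_FIRMLINK) == FLAG_SILENTLY_DROPPED);
    return 0;
}
```

On macOS, passing `&real_ops` and a real folder path runs the same check against the actual volume; setting system flags such as this one generally requires elevated privileges.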