Cannot run app downloaded from browser, even though it's been successfully notarized, on macOS 10.14.5

Hello,


I've been trying to identify why a macOS .app file that's been successfully notorized and stapled will not run after it's zipped, uploaded as a GitHub tag asset, then download via a browser (I've tried Chrome and Safari). I can run the .app before zipping it and uploading to the GitHub tag. I can also run it if downloaded from something like Slack (file sharing). However, once it's been zipped, uploaded to the internet, then download, Gatekeeper refuses to allow it to run because it cannot identify the developer. I keep getting the a notification that says, "“<My-Apps-Name>” can’t be opened because the identity of the developer cannot be confirmed." Screeshot below...



Also, as I mentioned, the notarization and stapling succeeds. Here's the truncated output from those processes...


Notarizing:

{
  "logFormatVersion": 1,
  "jobId": "a16db2e5-3426-479e-b48e-479ceac17c51",
  "status": "Accepted",
  "statusSummary": "Ready for distribution",
  "statusCode": 0,
  "archiveFilename": "MyAppsName.app.zip",
  "uploadDate": "2019-07-16T23:45:16Z",
  "sha256": "f36fea195ff2a1d32b0cae153ead8e8ae1e0da416c7bcb62473695a5c2772db5",
  "ticketContents": [
    {
         ...
    }
  ],
  "issues": null
}


Stapling:

Processing: /tmp/MyAppsName/MyAppsName.app
Processing: /tmp/MyAppsName/MyAppsName.app
The staple and validate action worked!


Any info anyone can provide as to why this is happening would be greatly appreciated. Thanks you.

Accepted Reply

Thanks for the info. This helped point me in the right direction for how to verify what the issue actually was. I read the technical note you linked to which referenced the `check-signature` tool. I downloaded that and was able to easily determine exactly what the problem was. Here's the output from `check-signature` on a version of the app I downloaded from GitHub:


$ ./check-signature /tmp/MyApp/MayApp.app

(c) 2014 Apple Inc. All rights reserved.

/tmp/MyApp/MyApp.app: bundle format is ambiguous (could be app or framework)

In subcomponent: /private/tmp/MyApp/MyApp.app/Contents/Frameworks/Kingfisher.framework

NO


After identifying there was an issue with the Kingfisher.framework I decided to compare this framework with a working version of my app. The result was the working version has valid symbolic links and the non-working version didn't. This led me to belive there could be an issue with how the applicaiton was being zipped before being uploaded to GitHub. I should also note that this is happening as part of a Fastlane script. When I was uploading the zip to Slack's file sharing, I was manually zipping a working version of the app. After updating the command that was creating the .zip to `ditto -c -k --rsrc --keepParent \"#{app_path}\" \"#{zipped_app_path}\"`, I can now download the zip from GitHub and run the application.


Thanks for your help!

Replies

Does the application have the quarantine attribute in both cases? I suspect it does when you download from GitHub with a browser, but it probably doesn't on your machine after you create it and Slack might also not add the quarantine attribute. As far as I understand, Gatekeeper doesn't check (or maybe less intrusively checks) if there is no quarantine attribute.


You can use xattr or ls -la@ in terminal to see if it has the quarantine attribute.


It does seem that your app should run either way if it's successfully notarized, but I suspect the quarantine attribute explains the difference you're seeing in the two conditions.

The most likely cause of problems like this is extended attributes (EAs). If your app fails to follow the rules in the Nested Code section of TN2206, you can end up with data signed as code. There’s no place for the system to store a code signature in your data, so it puts it in an EA. The app works, but stops working once you run it through a distribute channel that doesn’t support EAs.

You can confirm this by looking for EAs in the app that you notarise.

The ultimate fix for this is to structure your app correctly so that that code is signed as code and data is signed as data.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Just checked. Yes, when I download the app from a broswer, `com.apple.quarantine` is returned from xattr. When I run from the app built on my machine, or downloaded from Slack's file sharing, `com.apple.quarantine` is not returned from xattr.

Thanks for the info. This helped point me in the right direction for how to verify what the issue actually was. I read the technical note you linked to which referenced the `check-signature` tool. I downloaded that and was able to easily determine exactly what the problem was. Here's the output from `check-signature` on a version of the app I downloaded from GitHub:


$ ./check-signature /tmp/MyApp/MayApp.app

(c) 2014 Apple Inc. All rights reserved.

/tmp/MyApp/MyApp.app: bundle format is ambiguous (could be app or framework)

In subcomponent: /private/tmp/MyApp/MyApp.app/Contents/Frameworks/Kingfisher.framework

NO


After identifying there was an issue with the Kingfisher.framework I decided to compare this framework with a working version of my app. The result was the working version has valid symbolic links and the non-working version didn't. This led me to belive there could be an issue with how the applicaiton was being zipped before being uploaded to GitHub. I should also note that this is happening as part of a Fastlane script. When I was uploading the zip to Slack's file sharing, I was manually zipping a working version of the app. After updating the command that was creating the .zip to `ditto -c -k --rsrc --keepParent \"#{app_path}\" \"#{zipped_app_path}\"`, I can now download the zip from GitHub and run the application.


Thanks for your help!