Receipt validation from Mac App Store fails on macOS 15 beta #16031

Bettarg opened this issue Jun 15, 2024 · 9 comments

Bettarg commented Jun 15, 2024

This ticket system is to report bugs and feature requests. For support, visit the help page first.

Very simple, the app crashes on startup. In detail, macOS claimed the app is corrupted. Reinstalling does not help.

@dkocher dkocher self-assigned this Jun 15, 2024

dkocher commented Jun 15, 2024

I cannot reproduce on 15.0 beta, 24A5264n.

@dkocher dkocher closed this as completed Jun 15, 2024

matthewberryman commented Jun 20, 2024

To reproduce, you need the version from the App Store:
[Screenshot: 2024-06-20 at 10 25 55]

The version from outside the App Store doesn't have this issue.

Edit: it's to do with MAC address rotation, see my later comment

@matthewberryman

Looking through the logs:

2024-06-17 07:40:31,446 [main] ERROR ch.cyberduck.core.aquaticprime.ReceiptVerifier - Failed verification. Hash with GUID redacted_hex_string does not match hash in receipt
2024-06-17 14:00:48,063 [main] ERROR ch.cyberduck.core.aquaticprime.ReceiptVerifier - Failed verification. Hash with GUID different_redacted_hex_string does not match hash in receipt


matthewberryman commented Jun 20, 2024

matthew@MacBookPro /A/C/C/MacOS> codesign -vvv --deep --strict ./Cyberduck
--prepared:/Applications/Cyberduck.app/Contents/PlugIns/Runtime.jre
--validated:/Applications/Cyberduck.app/Contents/PlugIns/Runtime.jre
--prepared:/Applications/Cyberduck.app/Contents/Frameworks/librococoa.dylib
--validated:/Applications/Cyberduck.app/Contents/Frameworks/librococoa.dylib
--prepared:/Applications/Cyberduck.app/Contents/Frameworks/libjdns_sd.dylib
--validated:/Applications/Cyberduck.app/Contents/Frameworks/libjdns_sd.dylib
--prepared:/Applications/Cyberduck.app/Contents/Library/Spotlight/Cyberduck Spotlight Importer.mdimporter
--prepared:/Applications/Cyberduck.app/Contents/Frameworks/libjnidispatch.dylib
--validated:/Applications/Cyberduck.app/Contents/Frameworks/libjnidispatch.dylib
--prepared:/Applications/Cyberduck.app/Contents/Frameworks/libcore.dylib
--validated:/Applications/Cyberduck.app/Contents/Frameworks/libcore.dylib
--prepared:/Applications/Cyberduck.app/Contents/Frameworks/JavaNativeFoundation.framework/Versions/Current/.
--validated:/Applications/Cyberduck.app/Contents/Library/Spotlight/Cyberduck Spotlight Importer.mdimporter
--validated:/Applications/Cyberduck.app/Contents/Frameworks/JavaNativeFoundation.framework/Versions/Current/.
./Cyberduck: valid on disk
./Cyberduck: satisfies its Designated Requirement
matthew@MacBookPro /A/C/C/MacOS [1]> spctl -a -vv ./Cyberduck
./Cyberduck: accepted
source=Mac App Store
origin=Apple Mac OS Application Signing


matthewberryman commented Jun 20, 2024

So starting it from the CLI, I get an exit status of 173,

private static final int APPSTORE_VALIDATION_FAILURE = 173;

which at the GUI level obviously flags it as "corrupt"

The error message I was seeing in the logs is coming from here:

log.error(String.format("Failed verification. Hash with GUID %s does not match hash in receipt", hex));

Here you are using the MAC address:

final byte[] mac = en0.getHardwareAddress();

But that won't work for macOS 15, since it randomises the MAC address:
https://www.macrumors.com/2024/06/10/ios-18-rotate-wifi-address/

(Note: this feature is turned off for my workplace wifi network, but maybe macOS 15 uses a different MAC address per wifi network, or has changed it on upgrade, I will explore when I get home)

Maybe the hardware UUID can be used instead, but that introduces a couple of issues:

  1. Migration of users from MAC address to hardware UUID.
  2. Logic board replacements / change of computer (although that would have been an issue with the MAC based way, I'm guessing).
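The check that fails in the log above, as an added example (not Cyberduck's ReceiptVerifier and not part of the comment above): Apple's on-device validation guide, linked later in the thread, defines the receipt hash as SHA-1 over the device GUID, the opaque value and the bundle identifier, so a different en0 address yields a different hash. The class name, sample addresses, opaque value and bundle identifier are constructed, and the locally-administered-bit test assumes the rotated address follows the usual convention for randomized MAC addresses.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

// Added illustration, not Cyberduck's ReceiptVerifier; all sample values are constructed.
public class ReceiptGuidCheck {

    // Hash defined by Apple's on-device validation guide:
    // SHA-1 over the GUID bytes, then the opaque value, then the bundle identifier,
    // the latter two taken as raw bytes from the receipt.
    static byte[] receiptHash(byte[] guid, byte[] opaque, byte[] bundleId) throws Exception {
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        sha1.update(guid);
        sha1.update(opaque);
        sha1.update(bundleId);
        return sha1.digest();
    }

    // Bit 0x02 of the first octet marks a locally administered (software-assigned)
    // address; assumption: a rotated address sets it, as randomized MACs conventionally do.
    static boolean isLocallyAdministered(byte[] mac) {
        return mac.length == 6 && (mac[0] & 0x02) != 0;
    }

    public static void main(String[] args) throws Exception {
        byte[] burnedIn = {0x3c, 0x22, 0x7b, 0x12, 0x34, 0x56}; // constructed: en0 when the receipt was issued
        byte[] rotated = {0x5e, 0x1f, 0x2a, 0x1c, 0x07, 0x53};  // constructed: en0 after rotation
        byte[] opaque = "constructed-opaque-value".getBytes(StandardCharsets.UTF_8);
        byte[] bundleId = "com.example.app".getBytes(StandardCharsets.UTF_8); // placeholder

        // Stands in for the hash attribute stored in the receipt at purchase time.
        byte[] inReceipt = receiptHash(burnedIn, opaque, bundleId);

        for (byte[] mac : new byte[][]{burnedIn, rotated}) {
            // Constant-time comparison of the recomputed hash with the stored one.
            boolean match = MessageDigest.isEqual(receiptHash(mac, opaque, bundleId), inReceipt);
            System.out.printf("first octet %02x: locally administered=%b, hash matches=%b%n",
                mac[0], isLocallyAdministered(mac), match);
        }
    }
}
```

Logging the locally administered flag next to the verification failure lets support tell a rotated address apart from a receipt that is actually invalid.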

@dkocher dkocher reopened this Jun 20, 2024
@dkocher dkocher added appstore Mac App Store thirdparty Issue caused by third party labels Jun 20, 2024

dkocher commented Jun 20, 2024

@matthewberryman Thanks for looking into this in detail. I assume this will break many applications as the sample code [1] by Apple uses the en0 interface as well for validation. I have filed FB13979956 as I don't know how the implementation would need to be changed.

There is some documentation in [2] not yet updated for macOS 15.

Footnotes

  1. https://developer.apple.com/documentation/appstorereceipts/validating_receipts_on_the_device#3744656

  2. https://support.apple.com/guide/security/wi-fi-privacy-secb9cb3140c/web

@dkocher dkocher changed the title from "Wont start under MacOS 15 Beta 1" to "Receipt validation from Mac App Store fails on macOS 15 beta" Jun 20, 2024
@matthewberryman

@dkocher Ah, the <sarcasm>joy</sarcasm> of being an Apple developer. I'm really curious as to what Apple come back to on FB13979956, as you point out the docs themselves use the MAC address, which is now no longer fixed...
Further up the on-device validation page there's a note suggesting the use of AppTransaction, but:

  1. Only for macOS 13+
  2. Only in Swift as far as I can see, so one would have to write a wrapper class in Swift, then wrap that up in Objective-C, then use JNI to get from there to Java (!).
    There must be an easier path...


matthewberryman commented Jun 21, 2024

So, although I don't have the MAC address randomisation turned on for my home wifi, I do get a different MAC address.

Forcing this line to if (true) { when building from source (to force the behaviour we want to see), when the app is opened, gives a window with the following message

exit(173) Not Available

The exit(173) API is no longer available. 
You can use Transaction.all or AppTransaction.shared to verify in‑app purchases instead.

before a subsequent window with the message:

“/Users/matthew/code/cyberduck/osx/target/Cyberduck.app” is damaged and can’t be opened. 
Delete “/Users/matthew/code/cyberduck/osx/target/Cyberduck.app” and download it again from the App Store.

There's a Swift example here, although then you'd need to introduce Swift code and expose it by @objc public class... and @objc public func... and then drop in a .h file to expose the interface to Obj-C and then do JNI and then Java. Introducing Swift would bump up the minimum macOS required from 10.7 to 10.9.

@zeemyself

[Screenshot: 2024-06-27 at 9 42 06 PM]

Also affects Mountain Duck downloaded from the Mac App Store
