App "damaged" for GitHub Release DMG downloads (for 8.x+) #244

Open
apjanke opened this issue Jan 12, 2024 · 7 comments
Assignees
Labels: bug (Something isn't working), codesigning, help wanted (Extra attention is needed from other folks), macOS 11+ (Support for macOS 11 through 14)
Milestone

Comments

@apjanke
Contributor

apjanke commented Jan 12, 2024

Looks like we've got a publishing or file hosting problem here.

When trying to publish the 8.3.0 and 8.4.0 alpha1 builds, if I install Octave.app from a DMG that was built locally, or copied to the test VM over the LAN from the build host, then it works. But if I install it from a DMG downloaded from the GitHub Releases release page that I uploaded it to, the app fails to launch, with an error saying it is "damaged" and should be deleted.

image

The SHA sums for the two DMG files are identical, so the file contents seem the same, but it's pretty reproducible. Maybe something else is going on, like "download tainting" or other file metadata.

Other users can reproduce the behavior with the "damaged" app on the GitHub-download DMG.

Symptoms

Happened on both the 8.3.0 alpha1 and 8.4.0 alpha1 builds. Same problem on both Intel and Apple Silicon. Has been happening consistently for all DMGs I've uploaded to GitHub Releases for this 8.x series; no successful ones.

SHA sums are the same, seeming to indicate the file contents are the same:

janke@sonny Downloads % shasum -a 256 */*.dmg
d4a7c9af6306bbdbfe657178b07cb6bbf35d21ea614fa18b626b078480464cee  from GitHub/Octave-8.4.0_alpha1.dmg
d4a7c9af6306bbdbfe657178b07cb6bbf35d21ea614fa18b626b078480464cee  from eilonwy/Octave-8.4.0_alpha1.dmg
janke@sonny Downloads %
janke@macos-14 octapp % pwd
/Users/janke/Downloads/octapp
janke@macos-14 octapp % shasum -a 256 */*.dmg
541b22388ec44bc674f6adf8fdf3a4816f8301d63eeb294a1826f63a48b739d6  from GitHub via Safari/Octave-8.4.0_alpha1.Intel.dmg
541b22388ec44bc674f6adf8fdf3a4816f8301d63eeb294a1826f63a48b739d6  from angharad via LAN/Octave-8.4.0_alpha1 (Intel).dmg
janke@macos-14 octapp % 

References

Ideas

@apjanke apjanke self-assigned this Jan 12, 2024
@apjanke apjanke added the labels bug (Something isn't working), help wanted (Extra attention is needed from other folks), macOS 11+ (Support for macOS 11 through 14) Jan 12, 2024
@apjanke apjanke changed the title App broken ("damaged") when installed from DMG downloaded from GitHub Releases (for 8.x) App "damaged" for GitHub Release DMG downloads (for 8.x) Jan 12, 2024
@apjanke apjanke added this to the 8.4.0 milestone Jan 12, 2024
@apjanke
Contributor Author

apjanke commented Jan 14, 2024

"quarantine" xattr

Oh hey, check this out:

Sure enough, when I did xattr -l /Applications/Octave-8.4.0.app on my test VM, there was a com.apple.quarantine: ...;Chrome attribute on it. No xattrs present on the app on the box where I built it, in either /Applications or ./build, or on a LAN-copied DMG.

Looks like the "unsigned/downloaded from internet" dialog can now manifest as an "app is damaged" error. Doing a right-click, Open on the app didn't change anything; same "app is damaged" error. I have my System Settings for Gatekeeper set to "Allow applications downloaded from: App Store and identified developers". I'm guessing macOS is getting more restrictive about this, and took away the "open anyway" option in the right-click Open dialog somewhere in macOS 12 through 14.

On my "sonny" test box, I did cd /Applications; xattr -cr Octave-8.4.0.app to clear the xattrs on the installed application. After that, double-clicking the app opened it with no error/warning dialogs, and plotting and the test suite ran.

Maybe I need to tweak the internet-enable on the DMG file in create-dmg to avoid this?

@apjanke
Contributor Author

apjanke commented Jan 14, 2024

Tried the xattr -cr thing on angharad, using a freshly downloaded DMG. Got an odd "no such file" error.

[Applications] $ sudo xattr -cr Octave-8.4.0.app/
xattr: No such file: Octave-8.4.0.app//Contents/Resources/usr/share/fish/vendor_completions.d/brew.fish
[Applications] $

Looks like a bad symlink, maybe due to Homebrew rearranging itself.

[Applications] $ ls -l Octave-8.4.0.app/Contents/Resources/usr/share/fish/vendor_completions.d/
total 0
lrwxr-xr-x  1 janke  admin  44 Jan 10 10:13 brew.fish -> ../../../Homebrew/completions/fish/brew.fish
[Applications] $

Anyway, after that, the app launched, and would plot and run the test suite OK.

Tried it on sontel, my clean Intel testbed VM on angharad.

janke@sontel---macos-14---clean-testbed /Applications % date
janke@sontel---macos-14---clean-testbed /Applications % xattr -l Octave-8.4.0.app 
com.apple.quarantine: 0183;65a0abd8;Safari;5244D325-417F-4138-9AE8-E524B048B84C
janke@sontel---macos-14---clean-testbed /Applications % sudo xattr -cr Octave-8.4.0.app 
Password:
xattr: No such file: Octave-8.4.0.app/Contents/Resources/usr/share/fish/vendor_completions.d/brew.fish
janke@sontel---macos-14---clean-testbed /Applications % xattr -l Octave-8.4.0.app      
janke@sontel---macos-14---clean-testbed /Applications % 

App launched, plotting and test suite ran.

This workaround is looking okay.

@apjanke
Contributor Author

apjanke commented Jan 14, 2024

Tried un-quarantining the DMG file first, before installing to /Applications. On angharad, using a fresh download just now:

[Applications] $ cd ~/Downloads/
[Downloads] $ ls -lh Octave-8.4.0_alpha1.Intel.dmg
-rw-r--r--@ 1 janke  staff   1.7G Jan 14 06:10 Octave-8.4.0_alpha1.Intel.dmg
[Downloads] $ shasum -a 256 Octave-8.4.0_alpha1.Intel.dmg
541b22388ec44bc674f6adf8fdf3a4816f8301d63eeb294a1826f63a48b739d6  Octave-8.4.0_alpha1.Intel.dmg
[Downloads] $ xattr -l Octave-8.4.0_alpha1.Intel.dmg
com.apple.metadata:kMDItemWhereFroms: bplist00�_8https://objects.githubusercontent.com/github-production-release-asset-2e65be/137706143/07d3adf1-ef9c-44df-b908-4e56cc79a26e?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAVCODYLSA53PQK4ZA%2F20240114%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240114T110925Z&X-Amz-Expires=300&X-Amz-Signature=4038717dec292c629b56b1a782ea43d24aba48ffe6260d3e35e6004b120d8cea&X-Amz-SignedHeaders=host&actor_id=2618447&key_id=0&repo_id=137706143&response-content-disposition=attachment%3B%20filename%3DOctave-8.4.0_alpha1.Intel.dmg&response-content-type=application%2Foctet-stream_Chttps://github.com/octave-app/octave-app/releases/tag/v8.4.0_alpha1
com.apple.quarantine: 0081;65a3c0e5;Chrome;
[Downloads] $ xattr -c Octave-8.4.0_alpha1.Intel.dmg
[Downloads] $ xattr -l Octave-8.4.0_alpha1.Intel.dmg
[Downloads] $

Double-clicked the DMG and dragged the app to the Applications drop link. Looks clean.

[Applications] $ xattr -l Octave-8.4.0.app/
[Applications] $

Double-clicked the app, and it launched okay, and ran the test suite.

I think that implies the taint on all the files is picked up during the DMG extraction, so untainting the DMG itself prevents the /Applications app from being quarantined in the first place.

Tried on sontel, my clean testbed macOS 14 Intel VM, with a fresh download:

janke@sontel---macos-14---clean-testbed octapp % date 
Sun Jan 14 06:29:11 EST 2024
janke@sontel---macos-14---clean-testbed octapp % ls -l */*.dmg
-rw-r--r--@ 1 janke  staff  1821705537 Jan 11 22:02 from GitHub 1 via Safari/Octave-8.4.0_alpha1.Intel.dmg
-rw-r--r--@ 1 janke  staff  1821705537 Jan 14 06:24 from GitHub 2 via Safari then un-quarantined/Octave-8.4.0_alpha1.Intel.dmg
-rw-r--r--@ 1 janke  staff  1821705537 Jan 10 10:14 from angharad via LAN/Octave-8.4.0_alpha1 (Intel).dmg
janke@sontel---macos-14---clean-testbed octapp % shasum -a 256 */*.dmg
541b22388ec44bc674f6adf8fdf3a4816f8301d63eeb294a1826f63a48b739d6  from GitHub 1 via Safari/Octave-8.4.0_alpha1.Intel.dmg
541b22388ec44bc674f6adf8fdf3a4816f8301d63eeb294a1826f63a48b739d6  from GitHub 2 via Safari then un-quarantined/Octave-8.4.0_alpha1.Intel.dmg
541b22388ec44bc674f6adf8fdf3a4816f8301d63eeb294a1826f63a48b739d6  from angharad via LAN/Octave-8.4.0_alpha1 (Intel).dmg
janke@sontel---macos-14---clean-testbed octapp % for f in */*.dmg; do echo "$f"; xattr -l "$f"; echo; done
from GitHub 1 via Safari/Octave-8.4.0_alpha1.Intel.dmg
com.apple.diskimages.fsck: ?h7?&????e?????[?
com.apple.diskimages.recentcksum: i:12884972519 on 3C656221-534D-3D68-ADA7-CBDB18A7D0F0 @ 1705028568 - CRC32:$2DECA5F6
com.apple.macl: 
com.apple.metadata:kMDItemDownloadedDate: bplist00?3AŨq???

com.apple.metadata:kMDItemWhereFroms: bplist00?_2https://objects.githubusercontent.com/github-production-release-asset-2e65be/137706143/07d3adf1-ef9c-44df-b908-4e56cc79a26e?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAVCODYLSA53PQK4ZA%2F20240112%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240112T030114Z&X-Amz-Expires=300&X-Amz-Signature=cce3ece39f16c94b5b4e165a5883de89066352f20f438675138883412da983e8&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=137706143&response-content-disposition=attachment%3B%20filename%3DOctave-8.4.0_alpha1.Intel.dmg&response-content-type=application%2Foctet-stream_Chttps://github.com/octave-app/octave-app/releases/tag/v8.4.0_alpha1
com.apple.quarantine: 0083;65a0abd8;Safari;5244D325-417F-4138-9AE8-E524B048B84C

from GitHub 2 via Safari then un-quarantined/Octave-8.4.0_alpha1.Intel.dmg
com.apple.macl: 
com.apple.quarantine: 0083;65a3c461;Safari;DD4A5B9C-E7B1-416F-A610-F8FEFFB60DB2

from angharad via LAN/Octave-8.4.0_alpha1 (Intel).dmg
com.apple.FinderInfo: deviddsk
com.apple.diskimages.recentcksum: i:12884972468 on 3C656221-534D-3D68-ADA7-CBDB18A7D0F0 @ 1704899667 - CRC32:$2DECA5F6
com.apple.lastuseddate#PS: (??e
com.apple.macl: 

janke@sontel---macos-14---clean-testbed octapp %
janke@sontel---macos-14---clean-testbed octapp % xattr -c from\ GitHub\ 2\ via\ Safari\ then\ un-quarantined/Octave-8.4.0_alpha1.Intel.dmg 
janke@sontel---macos-14---clean-testbed octapp % xattr -l from\ GitHub\ 2\ via\ Safari\ then\ un-quarantined/Octave-8.4.0_alpha1.Intel.dmg
com.apple.macl: 
janke@sontel---macos-14---clean-testbed octapp % 

After installing by dragging to the drop target in the DMG Finder view:

janke@sontel---macos-14---clean-testbed /Applications % ls -ld Octave-8.4.0.app 
drwxr-xr-x  5 janke  admin  160 Jan 10 10:11 Octave-8.4.0.app
janke@sontel---macos-14---clean-testbed /Applications % xattr -l Octave-8.4.0.app 
janke@sontel---macos-14---clean-testbed /Applications % 

App launches with no error, plots, and runs the test suite. This version of the workaround is looking good.


I think I like this approach of un-quarantining the DMG first better: it's faster, it doesn't require sudo and a password entry, and the one-time DMG un-quarantining will apply to multiple installations from the same DMG file, or copies thereof (I think). Updating the 8.4.0_alpha1 release notes to recommend this instead.
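The two comments above work entirely from the com.apple.quarantine attribute as printed by xattr -l, which has the shape flags;hex-timestamp;agent;event-uuid. The following is an added example, not code from this issue or from the octave-app project, that decodes those strings so a tester can tell at a glance which copy of a DMG or app bundle is still quarantined and where it came from. The sample attribute values are copied from the transcripts above and embedded as constructed xattr -l listings; the meaning of the individual flag bits is not given anywhere on this page, so the parser keeps the flags as an opaque integer. One consistency check worth knowing: the Safari timestamp 65a0abd8 decodes to 1705028568, the same epoch second that appears in the com.apple.diskimages.recentcksum line for that download.

```python
"""Decode com.apple.quarantine values found in `xattr -l` output (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional


@dataclass(frozen=True)
class Quarantine:
    """One parsed com.apple.quarantine value: flags;hex-timestamp;agent;event-uuid."""
    flags: int                 # hex flags field, kept opaque: bit meanings are not defined above
    timestamp: int             # seconds since the Unix epoch, stored as hex in the xattr
    agent: str                 # application that applied the quarantine (Safari, Chrome, ...)
    event_uuid: Optional[str]  # quarantine event id; Chrome left this field empty above

    @property
    def downloaded_at(self) -> datetime:
        """Quarantine time as an aware UTC datetime."""
        return datetime.fromtimestamp(self.timestamp, tz=timezone.utc)


def parse_quarantine(value: str) -> Quarantine:
    """Parse a raw attribute string; accepts three or four ';'-separated fields."""
    parts = value.strip().split(";")
    if len(parts) not in (3, 4):
        raise ValueError(f"unexpected com.apple.quarantine layout: {value!r}")
    flags_hex, ts_hex, agent = parts[0], parts[1], parts[2]
    uuid = parts[3] if len(parts) == 4 and parts[3] else None
    return Quarantine(int(flags_hex, 16), int(ts_hex, 16), agent, uuid)


def parse_xattr_listing(text: str) -> Dict[str, str]:
    """Turn `xattr -l <file>` output into {attribute name: value}.

    Only the first ': ' splits a line, so URLs containing colons survive intact.
    Lines that do not look like 'com.apple.<name>: value' (binary plist spill-over
    from kMDItemWhereFroms and friends) are skipped.
    """
    attrs: Dict[str, str] = {}
    for line in text.splitlines():
        name, sep, value = line.partition(": ")
        if sep and name.startswith("com.apple."):
            attrs[name] = value
    return attrs


def quarantine_of(listing: str) -> Optional[Quarantine]:
    """Return the parsed quarantine record, or None when the listing has no such xattr."""
    value = parse_xattr_listing(listing).get("com.apple.quarantine")
    return parse_quarantine(value) if value is not None else None


def describe(listing: str) -> str:
    """One-line human summary used for the before/after comparison."""
    q = quarantine_of(listing)
    if q is None:
        return "not quarantined"
    return f"quarantined by {q.agent} at {q.downloaded_at.isoformat()} (flags 0x{q.flags:04x})"


# Constructed listings that reproduce the attribute values shown in the transcripts above.
SAFARI_DMG_LISTING = "\n".join([
    "com.apple.macl: ",
    "com.apple.quarantine: 0083;65a0abd8;Safari;5244D325-417F-4138-9AE8-E524B048B84C",
])
CHROME_DMG_LISTING = "com.apple.quarantine: 0081;65a3c0e5;Chrome;"
LAN_DMG_LISTING = "\n".join([
    "com.apple.FinderInfo: deviddsk",
    "com.apple.macl: ",
])

if __name__ == "__main__":
    for label, listing in [
        ("from GitHub via Safari", SAFARI_DMG_LISTING),
        ("from GitHub via Chrome", CHROME_DMG_LISTING),
        ("from angharad via LAN", LAN_DMG_LISTING),
    ]:
        print(f"{label}: {describe(listing)}")
```

On a real machine the listing strings would come from running xattr -l against each file; the LAN copy decodes to "not quarantined", which is exactly the state the xattr -c workaround restores on a downloaded DMG.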

@apjanke
Contributor Author

apjanke commented Feb 26, 2024

Now here's something interesting: create-dmg itself has a --codesign option to sign the installer DMG itself. I wonder, if I did that, would that avoid the DMG getting quarantined when it was downloaded from the web?

Maybe that would be easier to get working than codesigning the whole app. I don't know how DMG signing works, but I'd assume that it's a simpler bulk signing of the entire filesystem state, like a big blob, and that's immutable, so might be simpler, and not affected by any symlinks or other oddness in the app bundle that make code signing the app not work.

@apjanke
Contributor Author

apjanke commented Feb 28, 2024

Oh hey, this article about "Gatekeeper Path Randomization aka App Translocation" might explain why this problem presents itself as an "app damaged" error: https://mjtsai.com/blog/2016/06/16/gatekeeper-path-randomization/

@apjanke
Contributor Author

apjanke commented May 6, 2024

Changing this ticket's milestone from 8.4.0 to The Future, since I think we're stuck with the xattr workaround for the time being, and I don't see myself getting this fixed for any particular release in the near future.

@apjanke apjanke modified the milestones: 8.4.0, The Future May 6, 2024
@apjanke apjanke changed the title App "damaged" for GitHub Release DMG downloads (for 8.x) App "damaged" for GitHub Release DMG downloads (for 8.x+) Jul 6, 2024
@apjanke
Contributor Author

apjanke commented Jul 6, 2024

Hmm. As viewed in the installer DMG in Finder, for 8.4.0 through 9.2 beta2:

image

"Important Installation Instructions" sounds a little formal and long. Especially because all three words are very similar: starting with an "I", about the same length, same-ish "rhythm". Maybe "Install" instead of "Installation" would be better. "Important Install Instructions". Or maybe "Important Installation Stuff" or "Procedure".

Projects
Status: High priority
Development

No branches or pull requests

1 participant