Invalid OS X code signature #3575

Closed
semaperepelitsa opened this Issue Aug 11, 2015 · 14 comments

Comments

Projects
None yet
2 participants
@semaperepelitsa

I downloaded the latest app 3.0b2 and was warned about "unidentified developer" by OS X. I thought you didn't have the signature so I proceeded with launching it, adding it to the whitelist. Now, I learned that you do in fact have the signature, and I don't know how to remove it from the whitelist to show you the issue. However, I downloaded 3.0b1 and it has the same error:

screen shot 2015-08-11 at 09 56 27

screen shot 2015-08-11 at 10 03 53

How do I troubleshoot this? The download from Github must be authentic. I'm running OS X 10.10.4.

@benfry

This comment has been minimized.

Show comment
Hide comment
@benfry

benfry Aug 11, 2015

Member

Thanks a lot for the report. I suspect it's legit and my certificate wasn't installed properly. I'm baffled that I received no errors during the code signing process, however, and haven't seen this on any other machines. I'll look into it today and get back shortly.

Member

benfry commented Aug 11, 2015

Thanks a lot for the report. I suspect it's legit and my certificate wasn't installed properly. I'm baffled that I received no errors during the code signing process, however, and haven't seen this on any other machines. I'll look into it today and get back shortly.

@benfry

This comment has been minimized.

Show comment
Hide comment
@benfry

benfry Aug 11, 2015

Member

Hm, I'm not seeing anything wrong with this tool:

screen shot 2015-08-11 at 3 49 01 pm

Though code signing is dark magic, so I must be missing something...

Member

benfry commented Aug 11, 2015

Hm, I'm not seeing anything wrong with this tool:

screen shot 2015-08-11 at 3 49 01 pm

Though code signing is dark magic, so I must be missing something...

@benfry

This comment has been minimized.

Show comment
Hide comment
@benfry

benfry Aug 11, 2015

Member

And codesign tells me that it's properly passing:

% codesign --verify --deep --verbose=2 Processing\ 3.0b2.app
--prepared:/Users/fry/Desktop/Processing 3.0b2.app/Contents/PlugIns/jdk1.8.0_51.jdk
--validated:/Users/fry/Desktop/Processing 3.0b2.app/Contents/PlugIns/jdk1.8.0_51.jdk
Processing 3.0b2.app: valid on disk
Processing 3.0b2.app: satisfies its Designated Requirement

Is your system up to date with all security updates?

Member

benfry commented Aug 11, 2015

And codesign tells me that it's properly passing:

% codesign --verify --deep --verbose=2 Processing\ 3.0b2.app
--prepared:/Users/fry/Desktop/Processing 3.0b2.app/Contents/PlugIns/jdk1.8.0_51.jdk
--validated:/Users/fry/Desktop/Processing 3.0b2.app/Contents/PlugIns/jdk1.8.0_51.jdk
Processing 3.0b2.app: valid on disk
Processing 3.0b2.app: satisfies its Designated Requirement

Is your system up to date with all security updates?

@benfry

This comment has been minimized.

Show comment
Hide comment
@benfry

benfry Aug 11, 2015

Member

Tested on a clean machine and can't reproduce. I would make sure you have the latest security updates installed and that your clock is set correctly. If not, check Applications > Utilities > Console.app to see if it's printing any information about why it's failing. Or try the same codesign incantation on the command line as I used in the last comment, and see if it gives you any information about what's going on.

Member

benfry commented Aug 11, 2015

Tested on a clean machine and can't reproduce. I would make sure you have the latest security updates installed and that your clock is set correctly. If not, check Applications > Utilities > Console.app to see if it's printing any information about why it's failing. Or try the same codesign incantation on the command line as I used in the last comment, and see if it gives you any information about what's going on.

@benfry benfry closed this Aug 11, 2015

@semaperepelitsa

This comment has been minimized.

Show comment
Hide comment
@semaperepelitsa

semaperepelitsa Aug 12, 2015

Codesign works:

> codesign --verify --deep --verbose=2 Processing-3.0b1.app/
--prepared:/Users/sema/Downloads/Processing-3.0b1.app/Contents/PlugIns/jdk1.8.0_51.jdk
--validated:/Users/sema/Downloads/Processing-3.0b1.app/Contents/PlugIns/jdk1.8.0_51.jdk
Processing-3.0b1.app/: valid on disk
Processing-3.0b1.app/: satisfies its Designated Requirement

This is what I get in console when launching the app:

12/08/15 08:47:12,717 CoreServicesUIAgent[13865]: File /Users/sema/Downloads/Processing-3.0b1.app/Contents/Java/modes/java/application/launch4j/bin/windres failed on loadCmd /opt/local/lib/libgcc/libgcc_s.1.dylib
12/08/15 08:47:12,717 CoreServicesUIAgent[13865]: Fails dylib check
12/08/15 08:47:15,819 com.apple.xpc.launchd[1]: (com.apple.xpc.launchd.oneshot.0x10000029.Processing[19779]) Service exited due to signal: Killed: 9
12/08/15 08:47:15,820 CoreServicesUIAgent[13865]: unexpected message <OS_xpc_error: <error: 0x7fff79b26c60> { count = 1, contents =
    "XPCErrorDescription" => <string: 0x7fff79b26f70> { length = 18, contents = "Connection invalid" }
}>

Codesign works:

> codesign --verify --deep --verbose=2 Processing-3.0b1.app/
--prepared:/Users/sema/Downloads/Processing-3.0b1.app/Contents/PlugIns/jdk1.8.0_51.jdk
--validated:/Users/sema/Downloads/Processing-3.0b1.app/Contents/PlugIns/jdk1.8.0_51.jdk
Processing-3.0b1.app/: valid on disk
Processing-3.0b1.app/: satisfies its Designated Requirement

This is what I get in console when launching the app:

12/08/15 08:47:12,717 CoreServicesUIAgent[13865]: File /Users/sema/Downloads/Processing-3.0b1.app/Contents/Java/modes/java/application/launch4j/bin/windres failed on loadCmd /opt/local/lib/libgcc/libgcc_s.1.dylib
12/08/15 08:47:12,717 CoreServicesUIAgent[13865]: Fails dylib check
12/08/15 08:47:15,819 com.apple.xpc.launchd[1]: (com.apple.xpc.launchd.oneshot.0x10000029.Processing[19779]) Service exited due to signal: Killed: 9
12/08/15 08:47:15,820 CoreServicesUIAgent[13865]: unexpected message <OS_xpc_error: <error: 0x7fff79b26c60> { count = 1, contents =
    "XPCErrorDescription" => <string: 0x7fff79b26f70> { length = 18, contents = "Connection invalid" }
}>
@semaperepelitsa

This comment has been minimized.

Show comment
Hide comment
@semaperepelitsa

semaperepelitsa Aug 12, 2015

I have installed all the updates and my system time is sync with Apple time server.

I have installed all the updates and my system time is sync with Apple time server.

@benfry

This comment has been minimized.

Show comment
Hide comment
@benfry

benfry Aug 12, 2015

Member

Hm, that looks like something on your machine: /opt/local/lib/libgcc/libgcc_s.1.dylib doesn't exist on the build machine. Does that file exist on your machine? Do you have macports installed? If so, try renaming /opt/local to /opt/local.hide and try running Processing.

Member

benfry commented Aug 12, 2015

Hm, that looks like something on your machine: /opt/local/lib/libgcc/libgcc_s.1.dylib doesn't exist on the build machine. Does that file exist on your machine? Do you have macports installed? If so, try renaming /opt/local to /opt/local.hide and try running Processing.

@semaperepelitsa

This comment has been minimized.

Show comment
Hide comment
@semaperepelitsa

semaperepelitsa Aug 12, 2015

It doesn't exist on my machine either! I have never installed Macports.

> ls /opt
ls: /opt: No such file or directory

I have Homebrew installed at /usr/local but that's a different location.

It doesn't exist on my machine either! I have never installed Macports.

> ls /opt
ls: /opt: No such file or directory

I have Homebrew installed at /usr/local but that's a different location.

@benfry

This comment has been minimized.

Show comment
Hide comment
@benfry

benfry Aug 12, 2015

Member

What steps did you use to download and install? (What browser, what version, did it auto-extract itself or did you have to double-click, etc.)

Only other thing I can think of is that windres is referring to an external library, which is sort of disabled in 10.10.4. But I can't figure out why it would be failing on your machine and not for others.

Member

benfry commented Aug 12, 2015

What steps did you use to download and install? (What browser, what version, did it auto-extract itself or did you have to double-click, etc.)

Only other thing I can think of is that windres is referring to an external library, which is sort of disabled in 10.10.4. But I can't figure out why it would be failing on your machine and not for others.

@semaperepelitsa

This comment has been minimized.

Show comment
Hide comment
@semaperepelitsa

semaperepelitsa Aug 12, 2015

I've downloaded the ZIP archive via Chrome. Here is the SHA sum. Does it match your release?

c41efbd8b373404a390231e454fde976f2343cec  processing-3.0b1-macosx.zip

The link you provided looks to match my issue exactly. I tried otool as suggested and here is the result:

> otool -L /Users/sema/Downloads/Processing-3.0b1.app/Contents/Java/modes/java/application/launch4j/bin/windres
/Users/sema/Downloads/Processing-3.0b1.app/Contents/Java/modes/java/application/launch4j/bin/windres:
    /usr/lib/libz.1.dylib (compatibility version 1.0.0, current version 1.2.5)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 169.3.0)
    /opt/local/lib/libgcc/libgcc_s.1.dylib (compatibility version 1.0.0, current version 1.0.0)

The binary windres references an external library, so my Gatekeeper rejects the app. Do you compile that Java thing yourself? Possibly, the build machine has macports and the compiler picks up the wrong thing?

I've downloaded the ZIP archive via Chrome. Here is the SHA sum. Does it match your release?

c41efbd8b373404a390231e454fde976f2343cec  processing-3.0b1-macosx.zip

The link you provided looks to match my issue exactly. I tried otool as suggested and here is the result:

> otool -L /Users/sema/Downloads/Processing-3.0b1.app/Contents/Java/modes/java/application/launch4j/bin/windres
/Users/sema/Downloads/Processing-3.0b1.app/Contents/Java/modes/java/application/launch4j/bin/windres:
    /usr/lib/libz.1.dylib (compatibility version 1.0.0, current version 1.2.5)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 169.3.0)
    /opt/local/lib/libgcc/libgcc_s.1.dylib (compatibility version 1.0.0, current version 1.0.0)

The binary windres references an external library, so my Gatekeeper rejects the app. Do you compile that Java thing yourself? Possibly, the build machine has macports and the compiler picks up the wrong thing?

@semaperepelitsa

This comment has been minimized.

Show comment
Hide comment
@semaperepelitsa

semaperepelitsa Aug 12, 2015

By the way, I think Command Line Tools do not include GCC for a few years already.

By the way, I think Command Line Tools do not include GCC for a few years already.

@semaperepelitsa

This comment has been minimized.

Show comment
Hide comment
@semaperepelitsa

semaperepelitsa Aug 12, 2015

Also, I didn't ask before, do you have this Security option enabled in System Preferences?

screen shot 2015-08-12 at 22 13 54

Also, I didn't ask before, do you have this Security option enabled in System Preferences?

screen shot 2015-08-12 at 22 13 54

@benfry

This comment has been minimized.

Show comment
Hide comment
@benfry

benfry Aug 12, 2015

Member

No, we don't compile the windres used in the beta releases (in 2.x releases).

And yes, of course I'm testing with the "identified developers" setting turned on.

Looks like we have a launch4j problem.

Member

benfry commented Aug 12, 2015

No, we don't compile the windres used in the beta releases (in 2.x releases).

And yes, of course I'm testing with the "identified developers" setting turned on.

Looks like we have a launch4j problem.

@benfry

This comment has been minimized.

Show comment
Hide comment
@benfry

benfry Aug 12, 2015

Member

Found a different launch4j build that works on 10.8+ and doesn't have the /opt reference so we should be all set for 3.0 beta 4.

Still unclear why it passes Apple's checks and works on most(?) machines (yours is the first and only report of this, but we have a few thousand people using the beta on OS X), but who knows. Code signing is dark magic.

Member

benfry commented Aug 12, 2015

Found a different launch4j build that works on 10.8+ and doesn't have the /opt reference so we should be all set for 3.0 beta 4.

Still unclear why it passes Apple's checks and works on most(?) machines (yours is the first and only report of this, but we have a few thousand people using the beta on OS X), but who knows. Code signing is dark magic.

@benfry benfry added android macosx and removed android labels Aug 12, 2015

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment