Signed, Notarized and stapled app still not passing gatekeeper

Odd one here. I'm having trouble getting a signed, notarised, stapled app to actually run.

It is packaged as a zip file. When uncompressed and run from Finder, I get "“iShowU Switcher” cannot be opened because the developer cannot be verified." and "macOS cannot verify that this app is free from malware."

(this is publicly available, https://shinywhitebox.com/download-thanks/17/1 - app is called iShowU Switcher, currently in development)

Here's what I've checked:

  • signed:

    codesign --verify --deep --verbose iShowU\ Switcher.app
    iShowU Switcher.app: valid on disk
    iShowU Switcher.app: satisfies its Designated Requirement

  • notarized:

    spctl -a -t exec -vvv iShowU\ Switcher.app
    iShowU Switcher.app: accepted
    source=Notarized Developer ID
    origin=Developer ID Application: Shiny White Box Limited (PMJ275ZTUX)

  • stapled:

    xcrun stapler validate iShowU\ Switcher.app
    Processing: /Users/neil/Downloads/iShowU Switcher.app
    The validate action worked!

So it all looks sane to me.

If I remove the quarantine bit (xattr -d -r) then the app runs fine.

Ideas of where to next look?

This is on an M1, macOS 12.5. I get the same behaviour on an Intel as well.

In console, I get:

ASP: Security policy would not allow process: 12022, /Users/neil/Downloads/iShowU Switcher.app/Contents/MacOS/iShowU Switcher
...
[app<application.com.shinywhitebox.iShowUSwitch.58885753.58885759(501)>:12022] termination reported by launchd (9, 8, 9)

but no further information that I can find. Oh; just above that is:

- 45683955: Checking whether application is managed at file:///var/folders/38/ctsh1hxn4mjbsbw2qmyr81100000gn/T/AppTranslocation/83AC8B29-8DAA-4535-BED4-3A7688B3170F/d/iShowU%20Switcher.app//com.shinywhitebox.iShowUSwitch

so translocation is happening, but AFAIK that shouldn't matter? (but I'm not sure)

I have extensive advice on this topic in a cluster of posts rooted at Resolving Trusted Execution Problems. In your case, you should start with Resolving Gatekeeper Problems. Oh, and the first thing to check is described in Resolving Gatekeeper Problems Caused by Dangling Load Command Paths. That’s by far the most common cause of this problem.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Thank you. This got me on the right path.

Turns out, I have dynamic library validation disabled specifically because I want to allow plugins to load.

At first, I thought a CocoaPods (bug?) was my problem, with paths such as this appearing:

Load command 117
          cmd LC_RPATH
      cmdsize 112
         path /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/swift/macosx (offset 12)

However; I have another app with exactly the same LC_RPATH and that has never had an issue.

More digging resulted in me finding a broken framework due to another (different) issue, referencing LC_RPATHs from /User

So thanks for the advice. It greatly helped me find the root cause.

Out of interest, do you know if there's a reason the /Applications/Xcode path does not cause the same fault?

This got me on the right path.

Neat-o!

Out of interest, do you know if there's a reason the /Applications/Xcode path does not cause the same fault?

No. I would’ve expected that to trigger this failure, and I’ve seen it trigger this failure in other situations. If you want a definitive answer, I recommend that you open a DTS tech support incident so that I can allocate the time to look into the details.

Having said that, I don’t think it’s really worth solving that particular mystery. My advice is:

  1. Enable library validation if at all possible.

  2. If not, because, as in this situation, you need to load plug-ins from other third-party developers, get rid of all dangling load commands. While they might not be causing problems now, they have no place in a shipping product.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
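An added example, not code from this thread, from Apple, or from the iShowU project, that turns the second piece of advice above into a repeatable check: a POSIX shell script that reads `otool -l` output and lists LC_RPATH entries and dylib load commands whose absolute path points outside the bundle and outside macOS (the Xcode toolchain and /Users paths discussed in the thread are exactly what it reports). The prefixes it treats as OS-provided (/System, /usr/lib), the `scan_bundle` wrapper, and the script name are assumptions for illustration.

```shell
#!/bin/sh
# Added example for this thread; not code from Apple, from the forum posters,
# or from the iShowU project. It reports "dangling" load commands: LC_RPATH
# entries and dylib references whose absolute path lies outside the app bundle
# and outside macOS itself, i.e. paths that exist on the build machine but not
# on a customer's machine. The "OS" prefixes (/System, /usr/lib) are an
# assumption for illustration; extend the list for your product.

# Read `otool -l` output on stdin and print "<command> <path>" for every
# suspicious entry. Exit status 1 if anything was flagged, 0 otherwise.
scan_load_commands() {
    awk '
        # Every load command begins with a "cmd LC_..." line.
        $1 == "cmd" { cmd = $2; next }
        # LC_RPATH carries its value on a "path" line; dylib commands on "name".
        (cmd == "LC_RPATH" && $1 == "path") ||
        ((cmd == "LC_LOAD_DYLIB" || cmd == "LC_LOAD_WEAK_DYLIB" ||
          cmd == "LC_REEXPORT_DYLIB") && $1 == "name") {
            p = $2
            # Bundle-relative references resolve inside the app: fine.
            if (p ~ /^@(rpath|executable_path|loader_path)/) next
            # Libraries that ship with macOS: fine.
            if (p ~ /^\/(System|usr\/lib)\//) next
            # Any other absolute path (/Applications/Xcode.app/..., /Users/...)
            # points at the build machine, not at the product: report it.
            if (p ~ /^\//) { print cmd " " p; n++ }
        }
        END { exit (n > 0) ? 1 : 0 }
    '
}

# Walk a bundle and run the scan over every Mach-O file inside it. macOS only:
# relies on file(1) and on otool(1) from the Xcode command line tools.
scan_bundle() {
    findings=$(find "$1" -type f | while IFS= read -r f; do
        if file -b "$f" | grep -q '^Mach-O'; then
            otool -l "$f" | scan_load_commands | awk -v f="$f" '{ print f ": " $0 }'
        fi
    done)
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    printf 'no dangling load command paths under %s\n' "$1"
}

# Usage (hypothetical script name): sh dangling_load_commands.sh "/path/to/App.app"
if [ $# -gt 0 ]; then
    scan_bundle "$1"
fi
```

Run it against the built .app before notarizing; because `scan_bundle` returns 1 whenever it prints a finding, it can gate a CI step, so a stray toolchain or home-directory path never reaches a shipping build that has library validation disabled.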
