Notarized app does not open on Catalina

I have a macOS application that is signed, notarized, stapled, and distributed as a DMG file. I thought we had everything done correctly, but I had a user on Catalina download and test out the final package and they reported they got the message (with yellow triangle) "APP is an app downloaded from the internet. Are you sure you want to open it?" They clicked "Open", but then nothing happened, the app did not start and they didn't get any further messages. They checked the "Security & Privacy" settings, but there is no option to launch the app anyway. The "App Store and identified developers" option is selected. I had them run "spctl -a -vv APP" at a terminal to check the app, and it shows as accepted with "source=Notarized Developer ID".


Any ideas what else is stopping the app from launching? Thanks!

Accepted Reply

Our app uses a bundled JVM runtime to execute, so it looks like that is failing to load for some reason? I'm not sure why it would fail when run this way and succeed with the quarantine flag removed.

10.15 changes the way that the system checks for notarisation. On 10.14.x, x ≥ 5, Gatekeeper does an initial notarisation check of your app and that’s it. On 10.15 it will also check the notarisation of any libraries you load. It’s likely that these JVM libraries have a signing or notarisation problem, and that’s what’s causing them to fail to load.

To debug this further I recommend that you grab the log returned by the notarisation system and check that every Mach-O image in your app’s bundle is covered by the notarisation ticket. There’s some info on how to do that in this post.

Finally, watch WWDC 2019 Session 701 Advances in macOS Security, and specifically the part leading up to slide 39, for an explanation of how Gatekeeper has evolved recently.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Replies

Any ideas what else is stopping the app from launching?

Are you sure it didn’t crash? Generally, if Gatekeeper prevents an app from launching it’s pretty up front about that fact. If Gatekeeper indicates that it was allowed to launch, it probably started launching.

Are you able to reproduce this on a 10.15 system in your office?

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Thank you for the reply and the ideas.


I was able to get another Catalina 10.15 mac to test, and I found the same behavior - I double-click, see the prompt, click "Open", and nothing happens.


If I use "sudo xattr -dr com.apple.quarantine /Applications/APP.app" to remove the quarantine flag, the app runs just fine, no crashes or anything. This same app also worked fine on prior versions of macOS. It seems like something odd related to Gatekeeper to me, but I'd love to verify one way or another.


Anything else I can test out?


-Jeremy

In looking through what happens as I go through the failing process in Console.app, I did find an error after hitting the "Open" button.


Failed to find library.:
APP:Failed to locate JNI_CreateJavaVM
APP:Failed to launch JVM
[executable<APP(501)>:5673] Death sentinel fired!


Our app uses a bundled JVM runtime to execute, so it looks like that is failing to load for some reason? I'm not sure why it would fail when run this way and succeed with the quarantine flag removed. I've been searching through some JDK issues, and while there are some reports about problems with getting apps with a bundled JRE properly notarized, nothing about an issue like this with a properly notarized bundled JRE failing to start.


Thanks for your help, Quinn, your comment about "...every Mach-O image in your app's bundle ... covered by the notarization ticket" pointed me in the right direction. I was signing each individual .app in our package, but we include the JRE separately so the .apps can share it (we have several "sub applications"). I stapled the actual .dmg file (after getting it notarized), then checked it with `spctl -a -t open --context context:primary-signature -v /path/to/disk`, and that has passed all our tests so far.
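As an added example (not code from the thread or from Apple), the following POSIX shell script does the check Quinn recommends, enumerating every Mach-O image in a bundle by magic number rather than by extension and running codesign on each, and wraps the two spctl assessments used in this thread for an .app and for a .dmg. The bundle and DMG paths it takes on the command line are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: find every Mach-O image in an app
# bundle by magic number (.dylib, .jnilib and extension-less binaries in a
# bundled JRE included), verify each with codesign, then assess with spctl.

# First four bytes of a file as lowercase hex, e.g. "cffaedfe".
magic4() {
  od -An -tx1 -N4 "$1" | tr -d ' \n'
}

# Succeed if the file starts with a Mach-O or fat (universal) magic number.
# Both byte orders are accepted; the file extension is deliberately ignored.
is_macho() {
  case "$(magic4 "$1")" in
    feedface|cefaedfe) return 0 ;;   # 32-bit thin image
    feedfacf|cffaedfe) return 0 ;;   # 64-bit thin image
    cafebabe|bebafeca) return 0 ;;   # fat/universal container
    *) return 1 ;;
  esac
}

# Print every Mach-O image under a directory, one path per line, sorted.
find_macho() {
  find "$1" -type f | sort | while IFS= read -r f; do
    if is_macho "$f"; then printf '%s\n' "$f"; fi
  done
}

# codesign every image found; an unsigned or badly signed library is the kind
# of file 10.15 refuses to load even though the app itself is notarized.
check_bundle() {
  command -v codesign >/dev/null 2>&1 || { echo "codesign not found" >&2; return 2; }
  bad=0
  while IFS= read -r f; do
    [ -n "$f" ] || continue
    codesign --verify --strict "$f" 2>/dev/null || { echo "BAD: $f"; bad=$((bad + 1)); }
  done <<EOF
$(find_macho "$1")
EOF
  echo "$bad image(s) failed signature verification"
  [ "$bad" -eq 0 ]
}

# Gatekeeper assessment: the app form and the DMG form used in the thread.
assess() {
  case "$1" in
    *.dmg) spctl -a -t open --context context:primary-signature -vv "$1" ;;
    *)     spctl -a -t exec -vv "$1" ;;
  esac
}
if [ "$#" -gt 0 ]; then check_bundle "$1" && assess "$1"; fi
```

Run it as `sh check_images.sh /Applications/APP.app` on the 10.15 machine; any line starting with BAD names an image to re-sign and re-notarize before stapling the DMG.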