Packaging - OSX: GateKeeper shows 'can't be opened because Apple cannot check it for malicious software'

[bryphe]

Issue: When downloading, and trying to run the Onivim2.dmg from our published builds, we get this GateKeeper warning:

WORKAROUND:

• Right-click on the Onivim2.dmg and select Open With -> DiskImageMounter (default)

• Install as usual (drag-and-drop Onivim2 -> Applications)
• Run from Finder

Details:

Running the spctl tool with spctl --assess --verbose Onivim2.dmg shows:

spctl --assess --verbose Onivim2.dmg
Onivim2.dmg: rejected (the code is valid but does not seem to be an app)

It's not clear to me why we're getting this message - the process we follow is:

• Run codesign --deep against the app package
• Package DMG
• Run codesign again on the DMG
• Submit DMG for notarization
• Get successful result back w/ no warnings from notarization

In the meantime, I did find several issues with our .App package that we need to address (none of these fixed that particular issue, but they might prevent future / other issues):

• There are several resource files in the Onivim2.App/Contents/MacOS folder - an image, fonts, and others. We need to move these to the Onivim2.App/Contents/Resources folder.
• There are several folders at the Contents folder that should be moved to Resources: camomile, textmate_service, extensions
• The dynamic libs (dylibs) that we bundle need to be in the Onivim2.App/Contents/Frameworks folder

I trouble-shooted by packaging an absolute minimum app - with just a single executable - and still consistently received this failure when running spctl --assess --verbose.

However, I found that if I package as a .zip, it actually passes validation - and opening it still gives a prompt, but a workaround isn't needed, and it's less scary sounding:

Unfortunately, this will be a pretty significant / risky change - so I won't be able to get it in prior to the release. But I will work on this next so we can get rid of this.

Plan of action is:

• Fix bundle issues listed above
• Switch to distributing a .zip instead of a .dmg

[bryphe]

It looks like the 'runtime hardening' is also problematic for node - it causes the node process we bundle to fail to execute.

In addition to above, we'll have to set up a proper set of entitlements for that process to enable application hardening - a related issue / discussion is here: electron/osx-sign#188

[montogeek]

If you are in Catalina:

1. Download tar.gz
2. Decompress it.
3. Move Onivim2.App.app to Applications.
4. Right click on it, click in Show Package Contents
5. Open Contents > MacOS
6. Double click in Oni2 executable.

This will run a bash (I think) script that would run the application.

[ronakg]

If you are in Catalina:

1. Download tar.gz
2. Decompress it.
3. Move Onivim2.App.app to Applications.
4. Right click on it, click in Show Package Contents
5. Open Contents > MacOS
6. Double click in Oni2 executable.

This will run a bash (I think) script that would run the application.

This is not working for me. I get the same error when I click the Oni2 script to open it.

[TheSpyder]

Do you even need to sign the DMG? I thought most of those that I download are unsigned, it’s just the app inside that counts, and what I thought needed to be notarised.

The “app downloaded from the internet” dialog is totally normal.

[bryphe]

@TheSpyder - I actually tried both ways! I thought too maybe the signing of the DMG was causing an issue, but if you try to upload the DMG to be notarized, it has to be signed (or else the upload will fail) - and the contents have to be signed of course.

[gitbugr]

.tar.gz didn't work for me. However after dragging the .app to my Applications folder, running this in the terminal works for now:

/Applications/Onivim2.App/Contents/MacOS/Oni2

[TheSpyder]

@bryphe what if you only upload the app for notarization, not the dmg? Or am I totally misunderstanding the notarization process? Here's an example (electron app) I downloaded just yesterday:
https://github.com/Automattic/simplenote-electron/releases/tag/v1.6.0

$ spctl --assess --verbose Simplenote-macOS-1.6.0.dmg 
Simplenote-macOS-1.6.0.dmg: rejected
source=no usable signature
$ spctl --assess --verbose /Volumes/Simplenote\ Installer/Simplenote.app
/Volumes/Simplenote Installer/Simplenote.app: accepted

And the DMG opens without issue. The app doesn't, but I don't think automattic code sign their builds at all.

Although, the oni v1 DMG has the same spctl result but it opens fine:

$ spctl --assess --verbose Oni-0.3.9-osx.dmg
Oni-0.3.9-osx.dmg: rejected (the code is valid but does not seem to be an app)

But I guess that could just be because existing apps are not forced to be notiarized until Catalina.