sindresorhus / create-dmg

Create a good-looking DMG for your macOS app in seconds

Completely Signed and Notarized App doesn't work anymore when loaded from DMG

bjesuiter opened this issue · comments

I created an app build and signed, notarized and stapled it completely.
See the step Build, Sign & Notarize App in my GitHub workflow.

This produces the 'dist' artefact, which is simply my complete dist folder uploaded as a GitHub Actions artifact. You can:

The Problem

When installing the same app from the DMG created with create-dmg,
the app does appear to be valid by spctl, but it can't be run.

(You can download the dmg from the same GitHub Actions run directly here:
https://github.com/bjesuiter/macos-file-summoner/suites/819538575/artifacts/9026759)

❯ spctl -a -vvvv /Applications/File\ Summoner.app             
/Applications/File Summoner.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Benjamin Jesuiter (BB38WRH6VJ)

When running, it produces the following error message:
(Which reads: 'The app File Summoner.app can't be opened' in German)

Could you please look into what is going on here?

(You can download the dmg from the same github actions run directly here:
bjesuiter/macos-file-summoner/suites/819538575/artifacts/9026759)

That one opens successfully for me:

If the DMG works before notarization, but not after, I don't think it's an issue with create-dmg.

Thanks again for looking into my issue!

I think there is a small misunderstanding.
I can open the dmg just fine.
But when I copy the app package from the dmg to the application folder, the app package can't be launched anymore.

My confusion is that the same app package in the 'dist' artifact from one GitHub Actions job earlier can be opened without a problem on my Mac after unzipping.

The dmg you tested is already notarized; I have to add the unnotarized version to the artifacts for testing whether there is a difference between the notarized and the unnotarized dmg variant.

I found the issue:

I built, signed and notarized my Mac app in one GitHub Actions job,
stored it as an artifact in GitHub,
opened a new job for creating the dmg,
downloaded the stored app into the new job
and built the dmg.

The problem was that the binary in the downloaded artifact was missing the -x execute flag because of the download from GitHub artifacts.
So my Mac app has been signed and notarized correctly, but the binary could not be executed on filesystem level.

Thanks again for looking into it!
Here's the link to the latest release, if you're interested: https://github.com/bjesuiter/macos-file-summoner/releases/latest
I'll look into submitting this to some awesome lists, because I think it solves a big problem in macOS :)
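
The root cause found above (a bundle that passes `spctl` but whose binary lost its execute bit between CI jobs) can be caught before the DMG is built. The script below is an added example, not code from this thread or from create-dmg; it assumes every regular file under `Contents/MacOS` is meant to be executable, and the function names and bundle path are hypothetical.

```shell
#!/bin/sh
# Added example: pre-packaging gate for the failure mode in this thread.
# Assumption: every regular file in <bundle>/Contents/MacOS should be
# executable (the conventional location of an app bundle's main binary).

# Print each file in Contents/MacOS that is not executable by owner, group
# and others. Returns 0 if all are fine, 1 if any is not, 2 if the
# bundle layout is missing.
find_nonexecutable() {
    macos_dir="$1/Contents/MacOS"
    if [ ! -d "$macos_dir" ]; then
        echo "error: $macos_dir not found" >&2
        return 2
    fi
    # -perm -111 matches files with all three execute bits set; negate it.
    bad=$(find "$macos_dir" -type f ! -perm -111)
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# Restore the execute bit on every file reported by find_nonexecutable.
# Paths containing newlines are not supported.
restore_exec_bits() {
    find_nonexecutable "$1" | while IFS= read -r f; do
        chmod a+x "$f"
    done
}

# When called with a bundle path, refuse to continue if the check fails,
# e.g.: sh check-app.sh "dist/My App.app"   (placeholder path)
if [ "$#" -ge 1 ]; then
    if ! find_nonexecutable "$1"; then
        echo "refusing to package: files above lack the execute bit" >&2
        exit 1
    fi
fi
```

Run the check in the job that downloads the artifact, before the DMG is created. If `restore_exec_bits` is used, re-run `spctl -a -vvvv` on the bundle afterwards.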