Code Signature Invalid or Missing in macOS OpenWebStart javaws.app

jon
Posts: 2
Joined: 18 Apr 2024, 21:54

Code Signature Invalid or Missing in macOS OpenWebStart javaws.app

Post by jon »

Description:
Analyzing OpenWebStart javaws.app with Terminal or an application like Apparency reveals an invalid code signing certificate:

Code:

codesign -dr - /Applications/OpenWebStart/OpenWebStart\ javaws.app
Executable=/Applications/OpenWebStart/OpenWebStart javaws.app/Contents/MacOS/JavaApplicationStub
designated => always

Steps to Reproduce:
Open Applications > Utility > Terminal
Run

Code:

codesign -dr - /Path/To/OpenWebStart\ javaws.app
Observe output:

Code:

designated => always
Expected Behavior:
Expected output should be something like

Code:

designated => anchor apple generic and identifier "com.OpenWebStart" and (certificate leaf[field.XXXXXXXXXX] /* exists */ or certificate 1[field.XXXXXXXXXX] /* exists */ and certificate leaf[field.XXXXXXXXXX] /* exists */ and certificate leaf[subject.OU] = XXXXXXXXXX)
Actual Behavior:
Output indicates code signature is invalid or unsigned

Environment:
OpenWebStart version: 1.9.1 ARM64 Mac and X64 Mac
Operating System: macOS Sonoma 14.4.1

Impact:
Security Risks: The source and integrity of the application cannot be verified.
Deployment Issues: It may be impossible for MDM administrators to manage configurations with the Application and OS, causing delays and inefficiencies in the deployment process. For example: Privacy Preferences Policy Control https://support.apple.com/guide/deploym ... f53c2a/web
Trust Issues: On macOS, applications with invalid or missing signatures are often flagged by Gatekeeper and are not allowed to run by default. This could lead to trust issues, as users might be reluctant to use an application that their device flags as potentially unsafe.

Janak Mulani
Posts: 768
Joined: 24 Mar 2020, 13:37

Re: Code Signature Invalid or Missing in macOS OpenWebStart javaws.app

Post by Janak Mulani »

The installer is signed and notarized by Apple. So far none of our customers have pointed out an issue with app signing on Mac. We will look into this. I will come back.

Janak Mulani
Posts: 768
Joined: 24 Mar 2020, 13:37

Re: Code Signature Invalid or Missing in macOS OpenWebStart javaws.app

Post by Janak Mulani »

Here is what I tried:

Executing the following commands on Mac M1:

Code:

>codesign -dvvv OpenWebStart\ javaws.app

>codesign -dvvv OpenWebStart\ Settings.app

>codesign -dvvv OpenWebStart\ Uninstaller.app
Shows that all these apps are signed with

Code:

Authority=Developer ID Application: Karakun AG. 

Authority=Developer ID Certification Authority

Authority=Apple Root CA
However, executing the same command on Mac Intel says

Code:

OpenWebstart javaws.app: code object is not signed at all

jon
Posts: 2
Joined: 18 Apr 2024, 21:54

Re: Code Signature Invalid or Missing in macOS OpenWebStart javaws.app

Post by jon »

Hi there, thank you for checking Janak.

As it turns out, I see the same unexpected codesign output on Intel and M-series Macs when running any of the following commands:

Code:

codesign -dr - /Applications/OpenWebStart/OpenWebStart\ javaws.app
Executable=/Applications/OpenWebStart/OpenWebStart javaws.app/Contents/MacOS/JavaApplicationStub
designated => always

codesign -dr - /Applications/OpenWebStart/OpenWebStart\ Settings.app 
Executable=/Applications/OpenWebStart/OpenWebStart Settings.app/Contents/MacOS/JavaApplicationStub
designated => always

codesign -dr - /Applications/OpenWebStart/OpenWebStart\ Uninstaller.app 
Executable=/Applications/OpenWebStart/OpenWebStart Uninstaller.app/Contents/MacOS/JavaApplicationStub
designated => always
The output

Code:

designated => always
is unexpected.

Here's an example of an expected output for this command. In this example, I'm using Mozilla Firefox.

Code:

codesign -dr - /Applications/Firefox.app
Executable=/Applications/Firefox.app/Contents/MacOS/firefox
designated => anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "43AQ936H96"

Janak Mulani
Posts: 768
Joined: 24 Mar 2020, 13:37

Re: Code Signature Invalid or Missing in macOS OpenWebStart javaws.app

Post by Janak Mulani »

Hi,

Code:

>man codesign

  -r, --requirements requirements
             During signing, indicates that internal requirements should be
             embedded in the code path(s) as specified. See "specifying
             requirements" below.  Defaults will be applied to requirement
             types that are not explicitly specified; if you want to defeat
             such a default, specify "never" for that type.
             During display, indicates where to write the code's internal
             requirements. Use -r- to write them to standard output.

     -R, --test-requirement requirement
             During verification, indicates that the path(s) given should be
             verified against the code requirement specified. If this option
             is omitted, the code is verified only for internal integrity and
             against its own designated requirement.

     -s, --sign identity
             Sign the code at the path(s) given using this identity. See
             SIGNING IDENTITIES below.

     -v, --verbose
             Sets (with a numeric value) or increments the verbosity level of
             output. Without the verbose option, no output is produced upon
             success, in the classic UNIX style.  If no other options request
             a different action, the first -v encountered will be interpreted
             as --verify instead (and does not increase verbosity).

     -v, --verify
             Requests verification of code signatures.  If other actions
             (sign, display, etc.) are also requested, -v is interpreted to
             mean --verbose.

     -d, --display
             Display information about the code at the path(s) given.
             Increasing levels of verbosity produce more output.  The format
             is designed to be moderately easy to parse by simple scripts
             while still making sense to human eyes.  In addition, the -r,
             --file-list, --extract-certificates, and --entitlements options
             can be used to retrieve additional information.

As I understood, the -r option is to be used while signing. To verify and display a verbose signature you use -dvv. You can add more 'v's to increase verbosity, e.g. -dvvvvvvvv...

As I said, we are signing and notarizing .dmg files for Mac Intel and Aarch64. If they were not signed then Mac would complain at the time of installation:
[Attachment: UnsignedInstallerMessage.jpeg]

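The thread turns on two different codesign views of the same bundle: `codesign -dvvv` shows the certificate chain, while `codesign -dr -` shows the designated requirement, and jon's point is that a designated requirement of `always` binds the bundle to no signer at all. The script below is an added example written for this page; it is not OpenWebStart or Karakun code and nothing in the thread ships it. It wraps the `codesign -dr -` check jon ran, classifies the requirement string so an MDM or audit script can flag `designated => always` without a human reading the output, and builds a Developer ID requirement for the Team ID you expect so that `codesign --verify -R` (the `-R`/`--test-requirement` option from the man page quoted above) verifies against an explicit identity instead of the bundle's own requirement. Function names and category labels are this example's own; the two OIDs it keys on are the ones visible in the Firefox output earlier in the thread (Developer ID CA and Developer ID Application leaf), and the Mac App Store leaf OID 1.2.840.113635.100.6.1.9 is taken from Apple's requirement language, not from the thread. The classification and requirement-building parts run on any POSIX shell; the parts that call codesign only do anything on a Mac.

```shell
#!/bin/sh
# Added example, not from the OWS thread: audit an app bundle's designated
# requirement (what `codesign -dr -` prints after "designated => ") and verify
# it against an expected Developer ID Team ID. Function names are this
# example's own.

# Print the designated requirement of a bundle. Empty when codesign is absent
# or the bundle is unsigned (macOS then prints "code object is not signed at
# all" instead of a "designated =>" line, as in Janak's Intel output).
designated_requirement_of() {
    command -v codesign >/dev/null 2>&1 || return 2
    codesign -dr - "$1" 2>&1 | sed -n 's/^designated => //p'
}

# Map a requirement string to a coarse trust category.
# OIDs: 1.2.840.113635.100.6.1.13 = Developer ID Application leaf (seen in the
# Firefox output), 1.2.840.113635.100.6.1.9 = Mac App Store leaf (assumption,
# from Apple's requirement language; not shown in the thread).
classify_designated() {
    req=$1
    [ -n "$req" ] || { echo "unsigned"; return 0; }
    case "$req" in
        always)                          echo "no-identity" ;;  # satisfied by any code at all
        cdhash*)                         echo "ad-hoc" ;;       # pinned to one hash, no signer
        *"1.2.840.113635.100.6.1.13]"*)  echo "developer-id" ;;
        *"1.2.840.113635.100.6.1.9]"*)   echo "app-store" ;;
        "anchor apple generic"*)         echo "apple-issued" ;; # some other Apple-issued cert
        "anchor apple"*)                 echo "apple" ;;        # Apple's own software
        *)                               echo "custom" ;;
    esac
}

# Extract the Team ID from a 'certificate leaf[subject.OU] = "XXXX"' clause;
# prints nothing when the requirement names no team.
team_id_of() {
    printf '%s\n' "$1" | sed -n 's/.*subject\.OU\] = "\([A-Za-z0-9]*\)".*/\1/p'
}

# Build the Developer ID requirement you would expect for a given Team ID,
# in the same shape as the Firefox output in the thread.
build_team_requirement() {
    printf 'anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "%s"\n' "$1"
}

# Verify a bundle against the expected Team ID instead of its own designated
# requirement (-R with a leading "=" passes requirement text, per the man page).
# Returns codesign's exit status; 2 when codesign is not available.
verify_team() {
    command -v codesign >/dev/null 2>&1 || { echo "codesign not available" >&2; return 2; }
    codesign --verify --strict -vv -R "=$(build_team_requirement "$2")" "$1"
}

# One line per bundle: <category> <team-id-or-dash> <path>
audit_app() {
    req=$(designated_requirement_of "$1") || return 2
    category=$(classify_designated "$req")
    team=$(team_id_of "$req")
    printf '%s\t%s\t%s\n' "$category" "${team:--}" "$1"
}

# Usage on a Mac: sh audit_codesign.sh /Applications/OpenWebStart/*.app
# With no arguments the script only defines the functions.
for app in "$@"; do audit_app "$app"; done
```

On a bundle that shows `designated => always` the audit line reads `no-identity`, which is the condition jon describes; a bundle signed the way Firefox is reads `developer-id` with its Team ID. `verify_team` is the stricter check for a fleet: it fails even for a correctly signed bundle if the signer is not the Team ID you expect, which is the check an MDM policy (such as a PPPC profile keyed on a code requirement) effectively performs.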