Code Signature Invalid or Missing in macOS OpenWebStart javaws.app

[jon]

Description:
Analyzing

Code: Select all

OpenWebStart javaws.app

with Terminal or an application like Apparency reveals an invalid code signing certificate

Code: Select all

codesign -dr - /Applications/OpenWebStart/OpenWebStart\ javaws.app  Executable=/Applications/OpenWebStart/OpenWebStart javaws.app/Contents/MacOS/JavaApplicationStub designated => always

Steps to Reproduce:
Open Applications > Utility > Terminal
Run

Code: Select all

codesign -dr - /Path/To/OpenWebStart\ javaws.app

Observe output:

Code: Select all

designated => always

Expected Behavior:
Expected output should be something like

Code: Select all

designated => anchor apple generic and identifier "com.OpenWebStart" and (certificate leaf[field.XXXXXXXXXX] /* exists */ or certificate 1[field.XXXXXXXXXX] /* exists */ and certificate leaf[field.XXXXXXXXXX] /* exists */ and certificate leaf[subject.OU] = XXXXXXXXXX)

Actual Behavior:
Output indicates code signature is invalid or unsigned

Environment:
OpenWebStart version: 1.9.1 ARM64 Mac and X64 Mac
Operating System: macOS Sonoma 14.4.1

Impact:
Security Risks: The source and integrity of the application cannot be verified.
Deployment Issues: It may be impossible for MDM administrators to manage configurations with the Application and OS, causing delays and inefficiencies in the deployment process. For example: Privacy Preferences Policy Control https://support.apple.com/guide/deploym ... f53c2a/web
Trust Issues: On macOS, applications with invalid or missing signatures are often flagged by Gatekeeper and are not allowed to run by default. This could lead to trust issues, as users might be reluctant to use an application that their device flags as potentially unsafe.

[Janak Mulani]

The installer is signed and notarized by Apple . So far none of our customers have pointed out issue with App signing on Mac. We will look into this. i will come back.