Code Signature Invalid or Missing in macOS OpenWebStart javaws.app
Posted: 23 Apr 2024, 19:20
by jon
Description:
Analyzing
with Terminal or an application like Apparency reveals an invalid code signing certificate
Code:
codesign -dr - /Applications/OpenWebStart/OpenWebStart\ javaws.app
Executable=/Applications/OpenWebStart/OpenWebStart javaws.app/Contents/MacOS/JavaApplicationStub
designated => always
Steps to Reproduce:
Open Applications > Utility > Terminal
Run
Code:
codesign -dr - /Path/To/OpenWebStart\ javaws.app
Observe output:
Expected Behavior:
Expected output should be something like
Code:
designated => anchor apple generic and identifier "com.OpenWebStart" and (certificate leaf[field.XXXXXXXXXX] /* exists */ or certificate 1[field.XXXXXXXXXX] /* exists */ and certificate leaf[field.XXXXXXXXXX] /* exists */ and certificate leaf[subject.OU] = XXXXXXXXXX)
Actual Behavior:
Output indicates code signature is invalid or unsigned
Environment:
OpenWebStart version: 1.9.1 ARM64 Mac and X64 Mac
Operating System: macOS Sonoma 14.4.1
Impact:
Security Risks: The source and integrity of the application cannot be verified.
Deployment Issues: It may be impossible for MDM administrators to manage configurations with the Application and OS, causing delays and inefficiencies in the deployment process. For example: Privacy Preferences Policy Control
https://support.apple.com/guide/deploym ... f53c2a/web
Trust Issues: On macOS, applications with invalid or missing signatures are often flagged by Gatekeeper and are not allowed to run by default. This could lead to trust issues, as users might be reluctant to use an application that their device flags as potentially unsafe.
Re: Code Signature Invalid or Missing in macOS OpenWebStart javaws.app
Posted: 26 Apr 2024, 10:46
by Janak Mulani
The installer is signed and notarized by Apple. So far none of our customers have pointed out an issue with app signing on Mac. We will look into this. I will come back.
Re: Code Signature Invalid or Missing in macOS OpenWebStart javaws.app
Posted: 08 May 2024, 12:51
by Janak Mulani
Here is what I tried:
Executing the following commands on Mac M1:
Code:
>codesign -dvvv OpenWebStart\ javaws.app
>codesign -dvvv OpenWebStart\ Settings.app
>codesign -dvvv OpenWebStart\ Uninstaller.app
Shows that all these apps are signed with
Code:
Authority=Developer ID Application: Karakun AG.
Authority=Developer ID Certification Authority
Authority=Apple Root CA
However, executing the same command on Mac Intel says
Code:
OpenWebstart javaws.app: code object is not signed at all
Re: Code Signature Invalid or Missing in macOS OpenWebStart javaws.app
Posted: 14 May 2024, 20:51
by jon
Hi there, thank you for checking Janak.
As it turns out, I see the same unexpected codesign output on Intel and M-series Macs when running any of the following commands:
Code:
codesign -dr - /Applications/OpenWebStart/OpenWebStart\ javaws.app
Executable=/Applications/OpenWebStart/OpenWebStart javaws.app/Contents/MacOS/JavaApplicationStub
designated => always
codesign -dr - /Applications/OpenWebStart/OpenWebStart\ Settings.app
Executable=/Applications/OpenWebStart/OpenWebStart Settings.app/Contents/MacOS/JavaApplicationStub
designated => always
codesign -dr - /Applications/OpenWebStart/OpenWebStart\ Uninstaller.app
Executable=/Applications/OpenWebStart/OpenWebStart Uninstaller.app/Contents/MacOS/JavaApplicationStub
designated => always
The output is unexpected.
Here's an example of an expected output for this command. In this example, I'm using Mozilla Firefox.
Code:
codesign -dr - /Applications/Firefox.app
Executable=/Applications/Firefox.app/Contents/MacOS/firefox
designated => anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "43AQ936H96"
Re: Code Signature Invalid or Missing in macOS OpenWebStart javaws.app
Posted: 15 May 2024, 15:58
by Janak Mulani
Hi,
Code:
>man codesign
-r, --requirements requirements
During signing, indicates that internal requirements should be
embedded in the code path(s) as specified. See "specifying
requirements" below. Defaults will be applied to requirement
types that are not explicitly specified; if you want to defeat
such a default, specify "never" for that type.
During display, indicates where to write the code's internal
requirements. Use -r- to write them to standard output.
-R, --test-requirement requirement
During verification, indicates that the path(s) given should be
verified against the code requirement specified. If this option
is omitted, the code is verified only for internal integrity and
against its own designated requirement.
-s, --sign identity
Sign the code at the path(s) given using this identity. See
SIGNING IDENTITIES below.
-v, --verbose
Sets (with a numeric value) or increments the verbosity level of
output. Without the verbose option, no output is produced upon
success, in the classic UNIX style. If no other options request
a different action, the first -v encountered will be interpreted
as --verify instead (and does not increase verbosity).
-v, --verify
Requests verification of code signatures. If other actions
(sign, display, etc.) are also requested, -v is interpreted to
mean --verbose.
-d, --display
Display information about the code at the path(s) given.
Increasing levels of verbosity produce more output. The format
is designed to be moderately easy to parse by simple scripts
while still making sense to human eyes. In addition, the -r,
--file-list, --extract-certificates, and --entitlements options
can be used to retrieve additional information.
As I understood, the -r option is to be used while signing. To verify and display a verbose signature you use -dvv. You can add more 'v's to increase verbosity, e.g. -dvvvvvvvv...
As I said, we are signing and notarizing .dmg files for Mac Intel and Aarch64. If they were not signed then Mac would complain at the time of installation:
[Attachment: UnsignedInstallerMessage.jpeg]
Re: Code Signature Invalid or Missing in macOS OpenWebStart javaws.app
Posted: 15 May 2024, 17:31
by jon
Hello Janak,
As an IT administrator, I’d like to clarify the process of managing privacy preferences for applications on macOS. According to Apple’s Platform Deployment documentation and their developer documentation, the code signing value plays a crucial role.
This value, which can be obtained by running the command
Code:
codesign -dr - /Path/To/Application.app
must be included in a Mobile Device Management (MDM) profile that controls privacy preferences for an application. This allows or disallows an application or binary to access specific privacy classes of data.
However, there’s a challenge when it comes to OpenWebStart javaws. The command
Code:
codesign -dr - /Applications/OpenWebStart\ javaws.app
does not yield a valid output for this, making it impossible for an administrator to configure privacy preferences via MDM, such as granting access to files and folders like Desktop and Documents, or even Full Disk Access to an application.
For reference, you can find an example of a valid output in Apple’s documentation or in the post above. I hope this clarifies the process and the issue at hand. Let me know if you have any further questions.
Apple Platform Deployment Documentation:
https://support.apple.com/guide/deploym ... f53c2a/web
Apple Developer Documentation:
https://developer.apple.com/documentati ... s/identity
Best,
jon
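As an added example (not code from this thread or from the OpenWebStart project), the following POSIX shell script parses output of the shape quoted in the posts above and classifies the designated requirement it contains. It serves two passages: jon's comparison of the three OpenWebStart apps with Firefox, and the last post's point that an MDM privacy preferences profile needs a code requirement that pins the app to its publisher. Per the codesign man page text quoted above, `-r -` during display writes the internal requirements to standard output; `designated => always` is a requirement expression that every code object satisfies, so it identifies no publisher. The three sample outputs are constructed from strings quoted in the thread, the category names and function names are the example's own, and the live helper assumes codesign writes its `Executable=` line to stderr, so it merges stderr into the captured text.

```shell
#!/bin/sh
# Added example: classify the designated requirement reported by `codesign -dr -`.
# The sample outputs are constructed from the strings quoted in this thread.

# Constructed sample: what jon reported for OpenWebStart javaws.app
OWS_OUTPUT='Executable=/Applications/OpenWebStart/OpenWebStart javaws.app/Contents/MacOS/JavaApplicationStub
designated => always'

# Constructed sample: the Firefox output jon quoted as the expected shape
FIREFOX_OUTPUT='Executable=/Applications/Firefox.app/Contents/MacOS/firefox
designated => anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "43AQ936H96"'

# Constructed sample: the Intel result Janak quoted (no designated line at all)
UNSIGNED_OUTPUT='OpenWebstart javaws.app: code object is not signed at all'

# Print only the requirement expression, i.e. the text after "designated => ".
designated_requirement() {
    printf '%s\n' "$1" | sed -n 's/^designated => //p'
}

# Classify the requirement (categories are this example's own):
#   missing      - no "designated =>" line (e.g. "code object is not signed at all")
#   unpinned     - "always": every code object satisfies it, so it names no publisher
#   developer-id - anchored to Apple's CA and pinned to a Team ID via subject.OU
#   other        - any other expression (ad-hoc cdhash, custom requirement, ...)
classify_requirement() {
    req=$(designated_requirement "$1")
    case "$req" in
        "")                                     echo "missing" ;;
        always)                                 echo "unpinned" ;;
        *"anchor apple generic"*"subject.OU"*)  echo "developer-id" ;;
        *)                                      echo "other" ;;
    esac
}

# Extract the Team ID from `certificate leaf[subject.OU] = "XXXXXXXXXX"`; prints nothing if absent.
team_id() {
    designated_requirement "$1" | sed -n 's/.*certificate leaf\[subject\.OU\] = "\([^"]*\)".*/\1/p'
}

# A privacy preferences (PPPC) payload needs a requirement that pins the app to its
# publisher; only the developer-id shape qualifies here. Returns 0 if usable, 1 if not.
usable_for_pppc() {
    [ "$(classify_requirement "$1")" = "developer-id" ]
}

# Live check of an installed app. Assumption: codesign prints "Executable=" on stderr,
# so stderr is merged into the captured text. Off macOS it reports "codesign-unavailable".
check_app() {
    if ! command -v codesign >/dev/null 2>&1; then
        echo "codesign-unavailable"
        return 0
    fi
    classify_requirement "$(codesign -dr - "$1" 2>&1)"
}

# One-line report per sample output.
report() {
    label=$1
    output=$2
    team=$(team_id "$output")
    if usable_for_pppc "$output"; then
        verdict="usable as a PPPC code requirement"
    else
        verdict="NOT usable as a PPPC code requirement"
    fi
    echo "$label: $(classify_requirement "$output") team_id=${team:-none} -> $verdict"
}

report "OpenWebStart javaws.app (reported)" "$OWS_OUTPUT"
report "OpenWebStart javaws.app (Intel, reported)" "$UNSIGNED_OUTPUT"
report "Firefox.app" "$FIREFOX_OUTPUT"
```

To run the same classification against an installed bundle on a Mac, call `check_app "/Applications/OpenWebStart/OpenWebStart javaws.app"` from the same shell; a result other than `developer-id` means the requirement string cannot be pasted into a privacy preferences profile as the thread describes.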