Code Signature Invalid or Missing in macOS OpenWebStart javaws.app

The public knowledge pool and discussion forum of the OWS community. Do not post confidential information here!
jon
Posts: 5
Joined: 18 Apr 2024, 21:54

Code Signature Invalid or Missing in macOS OpenWebStart javaws.app

Post by jon »

Description:
Analyzing

Code: Select all

OpenWebStart javaws.app
with Terminal or an application like Apparency reveals an invalid code signing certificate

Code: Select all

codesign -dr - /Applications/OpenWebStart/OpenWebStart\ javaws.app  Executable=/Applications/OpenWebStart/OpenWebStart javaws.app/Contents/MacOS/JavaApplicationStub designated => always
Image

Steps to Reproduce:
Open Applications > Utility > Terminal
Run

Code: Select all

codesign -dr - /Path/To/OpenWebStart\ javaws.app
Observe output:

Code: Select all

designated => always
Expected Behavior:
Expected output should be something like

Code: Select all

designated => anchor apple generic and identifier "com.OpenWebStart" and (certificate leaf[field.XXXXXXXXXX] /* exists */ or certificate 1[field.XXXXXXXXXX] /* exists */ and certificate leaf[field.XXXXXXXXXX] /* exists */ and certificate leaf[subject.OU] = XXXXXXXXXX)
Actual Behavior:
Output indicates code signature is invalid or unsigned

Environment:
OpenWebStart version: 1.9.1 ARM64 Mac and X64 Mac
Operating System: macOS Sonoma 14.4.1

Impact:
Security Risks: The source and integrity of the application cannot be verified.
Deployment Issues: It may be impossible for MDM administrators to manage configurations with the Application and OS, causing delays and inefficiencies in the deployment process. For example: Privacy Preferences Policy Control https://support.apple.com/guide/deploym ... f53c2a/web
Trust Issues: On macOS, applications with invalid or missing signatures are often flagged by Gatekeeper and are not allowed to run by default. This could lead to trust issues, as users might be reluctant to use an application that their device flags as potentially unsafe.

Janak Mulani
Posts: 817
Joined: 24 Mar 2020, 13:37

Re: Code Signature Invalid or Missing in macOS OpenWebStart javaws.app

Post by Janak Mulani »

The installer is signed and notarized by Apple . So far none of our customers have pointed out issue with App signing on Mac. We will look into this. i will come back.

Janak Mulani
Posts: 817
Joined: 24 Mar 2020, 13:37

Re: Code Signature Invalid or Missing in macOS OpenWebStart javaws.app

Post by Janak Mulani »

Here is what I tried:

Executing the following commands on Mac M1:

Code: Select all

>codesign -dvvv OpenWebStart\ javaws.app

>codesign -dvvv OpenWebStart\ Settings.app

>codesign -dvvv OpenWebStart\ Uninstaller.app
Shows that all these apps are signed with

Code: Select all

Authority=Developer ID Application: Karakun AG. 

Authority=Developer ID Certification Authority

Authority=Apple Root CA
However executing the same command on Mac Intel says

Code: Select all

OpenWebstart javaws.app: code object is not signed at all

jon
Posts: 5
Joined: 18 Apr 2024, 21:54

Re: Code Signature Invalid or Missing in macOS OpenWebStart javaws.app

Post by jon »

Hi there, thank you for checking Janak.

As it turns out, I see the same unexpected codesign output on Intel and M-series Macs when running any of the following commands:

Code: Select all

codesign -dr - /Applications/OpenWebStart/OpenWebStart\ javaws.app
Executable=/Applications/OpenWebStart/OpenWebStart javaws.app/Contents/MacOS/JavaApplicationStub
designated => always

codesign -dr - /Applications/OpenWebStart/OpenWebStart\ Settings.app 
Executable=/Applications/OpenWebStart/OpenWebStart Settings.app/Contents/MacOS/JavaApplicationStub
designated => always

codesign -dr - /Applications/OpenWebStart/OpenWebStart\ Uninstaller.app 
Executable=/Applications/OpenWebStart/OpenWebStart Uninstaller.app/Contents/MacOS/JavaApplicationStub
designated => always
The output

Code: Select all

designated => always
is unexpected.

Here's an example of an expected output for this command. In this example, I'm using Mozilla Firefox.

Code: Select all

codesign -dr - /Applications/Firefox.app
Executable=/Applications/Firefox.app/Contents/MacOS/firefox
designated => anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "43AQ936H96"

Janak Mulani
Posts: 817
Joined: 24 Mar 2020, 13:37

Re: Code Signature Invalid or Missing in macOS OpenWebStart javaws.app

Post by Janak Mulani »

Hi,

Code: Select all

>man codesign

  -r, --requirements requirements
             During signing, indicates that internal requirements should be
             embedded in the code path(s) as specified. See "specifying
             requirements" below.  Defaults will be applied to requirement
             types that are not explicitly specified; if you want to defeat
             such a default, specify "never" for that type.
             During display, indicates where to write the code's internal
             requirements. Use -r- to write them to standard output.

     -R, --test-requirement requirement
             During verification, indicates that the path(s) given should be
             verified against the code requirement specified. If this option
             is omitted, the code is verified only for internal integrity and
             against its own designated requirement.

     -s, --sign identity
             Sign the code at the path(s) given using this identity. See
             SIGNING IDENTITIES below.

     -v, --verbose
             Sets (with a numeric value) or increments the verbosity level of
             output. Without the verbose option, no output is produced upon
             success, in the classic UNIX style.  If no other options request
             a different action, the first -v encountered will be interpreted
             as --verify instead (and does not increase verbosity).

     -v, --verify
             Requests verification of code signatures.  If other actions
             (sign, display, etc.) are also requested, -v is interpreted to
             mean --verbose.

     -d, --display
             Display information about the code at the path(s) given.
             Increasing levels of verbosity produce more output.  The format
             is designed to be moderately easy to parse by simple scripts
             while still making sense to human eyes.  In addition, the -r,
             --file-list, --extract-certificates, and --entitlements options
             can be used to retrieve additional information.

As I understood, -r option is to be used while signing. To verify and display verbose signature you use -dvv. You can add more 'v' s to increase verbosity eg. -dvvvvvvvv...

As I said we are signing and notarizing .dmg files for Mac Intel and Aarch64. If they were not signed then Mac would complain at the time of installation:
UnsignedInstallerMessage.jpeg
UnsignedInstallerMessage.jpeg (69.67 KiB) Viewed 5127 times

jon
Posts: 5
Joined: 18 Apr 2024, 21:54

Re: Code Signature Invalid or Missing in macOS OpenWebStart javaws.app

Post by jon »

Hello Janak,

As an IT administrator, I’d like to clarify the process of managing privacy preferences for applications on macOS. According to Apple’s Platform Deployment documentation and their developer documentation, the code signing value plays a crucial role.

This value, which can be obtained by running the command

Code: Select all

codesign -dr - /Path/To/Application.app
, must be included in a Mobile Device Management (MDM) profile that controls privacy preferences for an application. This allows or disallows an application or binary to access specific privacy classes of data.

However, there’s a challenge when it comes to OpenWebStart javaws. The command

Code: Select all

codesign -dr - /Applications/OpenWebStart\ javaws.app
does not yield a valid output for this, making it impossible for an administrator to configure privacy preferences via MDM, such as granting access to files and folders like Desktop and Documents, or even Full Disk Access to an application.

For reference, you can find an example of a valid output in Apple’s documentation or in the post above. I hope this clarifies the process and the issue at hand. Let me know if you have any further questions.

Apple Platform Deployment Documentation: https://support.apple.com/guide/deploym ... f53c2a/web
Apple Developer Documentation: https://developer.apple.com/documentati ... s/identity

Best,
jon

Janak Mulani
Posts: 817
Joined: 24 Mar 2020, 13:37

Re: Code Signature Invalid or Missing in macOS OpenWebStart javaws.app

Post by Janak Mulani »

Here is a reply from Install4J which we use to create and sign the OWS installers:
Question: As per https://support.apple.com/en-in/guide/d ... f53c2a/web, designated should show codesign value such as:

designated => anchor apple generic and identifier "com.OpenWebStart" and (certificate leaf[field.XXXXXXXXXX] /* exists */ or certificate 1[field.XXXXXXXXXX] /* exists */ and certificate leaf[field.XXXXXXXXXX] /* exists */ and certificate leaf[subject.OU] = XXXXXXXXXX

Answer:
This is just a description of the minimal requirements. designated => always will work, too. designated => always is broader than the condition mentioned above.
There is no way to change this in install4j. We have always signed everything like this and no one had a problem with it so far.

jon
Posts: 5
Joined: 18 Apr 2024, 21:54

Re: Code Signature Invalid or Missing in macOS OpenWebStart javaws.app

Post by jon »

Hi Janak,

It seems that designated => always is too broad of a condition to grant OpenWebStart javaws.app Full Disk Access via an MDM configuration profile.

Best,
jon

jon
Posts: 5
Joined: 18 Apr 2024, 21:54

Re: Code Signature Invalid or Missing in macOS OpenWebStart javaws.app

Post by jon »

Hello Janak,

This problem is fixed in the latest OpenWebStart release 1.10.0. Upon installing OpenWebStart 1.10.0, I am able to control the Full Disk Access setting via an MDM configuration profile. I tested on both Apple Silicon and Intel Macs and the test was successful on both platforms.

The issue was present and reproducible with OpenWebStart 1.9.1 but is no longer present or reproducible as of version 1.10.0.

I see that the code signature has not changed, but what has changed is that notarization is granted. Perhaps that was the real fix for the problem.

Thank you very much for your time and consideration on this issue. This request can be closed out.

Best regards,
jon

Janak Mulani
Posts: 817
Joined: 24 Mar 2020, 13:37

Re: Code Signature Invalid or Missing in macOS OpenWebStart javaws.app

Post by Janak Mulani »

Hi Jon.

We upgraded the version of Install4J and changed to the Maven Plugin provided by I4J. Also, changed a parameter in the installer build config to sign all apps. This must have fixed the issue. Thanks for pointing to the issue. We would not have made these changes if you had not brought up this issue. We did not know such thing existed as no one had reported so far.

May I request you to help us keep the opensource OWS project going by buying paid support?

Post Reply