Nv: Gatekeeper code signing is broken

Created on 4 Dec 2016 · 9Comments · Source: ttscoff/nv

I get this message for v2.2.7 (125) on two different computers (one on El Cap 10.11.6, one on Sierra 10.12.1):

Downloaded .dmg from http://brettterpstra.com/2016/11/14/nvalt-2-dot-2-7-everythingll-be-fine/
Dragged to /Applications folder
Launched nvALT

screen shot 2016-12-04 at 13 12 46

Source

frankrausch

Most helpful comment

Woohoo, I got it! I'll put an update out shortly.

On 19 Jan 2017, at 19:11, Kent Sutherland wrote:

@ttscoff Here's the likely issue:

spctl --verbose=4 --assess --type execute nvALT.app:
/Applications/nvALT.app/: rejected (invalid destination for symbolic link in bundle)

Specifically, there's broken symlinks in Sparkle:
Sparkle.framework//Versions/A/Resources:
lrwxr-xr-x  1 kent  admin     84 Nov  1 12:44 fr_CA.lproj -> 
/Users/andym/Development/Build 
Products/Release/Sparkle.framework/Resources/fr.lproj

Sparkle.framework//Versions/A/Resources/fr.lproj:
lrwxr-xr-x  1 kent  admin    84 Nov  1 12:44 fr.lproj -> 
/Users/andym/Development/Build 
Products/Release/Sparkle.framework/Resources/fr.lproj
--
You are receiving this because you were mentioned.
Reply to this email directly or view it on GitHub:
https://github.com/ttscoff/nv/issues/423#issuecomment-273948712

ttscoff on 20 Jan 2017

❤1 👍1

All 9 comments

This is normal, if you haven't adjusted security settings. Go to the "Security and Privacy" panel in System Preferences, in the general tab, set "Allow apps downloaded from:" to Anywhere.

sdonovan1985 on 4 Jan 2017

Thanks, but I’m afraid this is not great advice for most users. :)
The system setting should never be changed to allow launching unsigned apps globally.

But yeah, since code signing is broken for nvALT at the moment, right-clicking the .app and choosing “Open” does the trick (and circumvents Gatekeeper for just this one app).

frankrausch on 4 Jan 2017

Ah, that's what you were after! I follow now.

sdonovan1985 on 4 Jan 2017

You’re right, I should change the title to reflect that this issue is about Gatekeeper being broken (and that I’m not looking for a workaround).

frankrausch on 4 Jan 2017

Yeah, I'm still wracking my brain to figure out why this happens. The
app is codesigned with a wildcard developer ID that I use successfully
with other distributions, and the binary passes codesign validation. I
think one of the bundled binaries may be causing this.

-Brett

On 4 Jan 2017, at 10:19, Frank Rausch wrote:

Thanks, but I’m afraid this is not great advice for most users. :)
The system setting should never be changed to allow launching unsigned
apps globally.

But yeah, since code signing is broken for nvALT at the moment,
right-clicking the .app and choosing “Open” does the trick (and
circumvents Gatekeeper for just this one app).

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/ttscoff/nv/issues/423#issuecomment-270412807

ttscoff on 4 Jan 2017

👍1

@ttscoff Here's the likely issue:

spctl --verbose=4 --assess --type execute nvALT.app:
/Applications/nvALT.app/: rejected (invalid destination for symbolic link in bundle)

Specifically, there's broken symlinks in Sparkle:

Sparkle.framework//Versions/A/Resources:
lrwxr-xr-x  1 kent  admin     84 Nov  1 12:44 fr_CA.lproj -> /Users/andym/Development/Build Products/Release/Sparkle.framework/Resources/fr.lproj

Sparkle.framework//Versions/A/Resources/fr.lproj:
lrwxr-xr-x  1 kent  admin    84 Nov  1 12:44 fr.lproj -> /Users/andym/Development/Build Products/Release/Sparkle.framework/Resources/fr.lproj

P.S. You might want to update to a newer version of Sparkle.

ksuther on 20 Jan 2017

Ok, I found those symbolic links and removed, checked the built product
for any other broken links, and ran spctl again, still rejected (but
without any helpful error message). Any other thoughts?

-Brett

On 19 Jan 2017, at 19:11, Kent Sutherland wrote:

@ttscoff Here's the likely issue:

spctl --verbose=4 --assess --type execute nvALT.app:
/Applications/nvALT.app/: rejected (invalid destination for symbolic link in bundle)

Specifically, there's broken symlinks in Sparkle:
Sparkle.framework//Versions/A/Resources:
lrwxr-xr-x  1 kent  admin     84 Nov  1 12:44 fr_CA.lproj -> 
/Users/andym/Development/Build 
Products/Release/Sparkle.framework/Resources/fr.lproj

Sparkle.framework//Versions/A/Resources/fr.lproj:
lrwxr-xr-x  1 kent  admin    84 Nov  1 12:44 fr.lproj -> 
/Users/andym/Development/Build 
Products/Release/Sparkle.framework/Resources/fr.lproj
--
You are receiving this because you were mentioned.
Reply to this email directly or view it on GitHub:
https://github.com/ttscoff/nv/issues/423#issuecomment-273948712

ttscoff on 20 Jan 2017

You can give codesign a shot and see if it comes up with anything:

codesign -vvvvv --deep --strict /Applications/nvALT.app

With the broken symlinks I couldn't get it to run cleanly (presumably it was choking on them), but maybe that'll turn something up.

ksuther on 20 Jan 2017

Woohoo, I got it! I'll put an update out shortly.

On 19 Jan 2017, at 19:11, Kent Sutherland wrote:

@ttscoff Here's the likely issue:

spctl --verbose=4 --assess --type execute nvALT.app:
/Applications/nvALT.app/: rejected (invalid destination for symbolic link in bundle)

Specifically, there's broken symlinks in Sparkle:
Sparkle.framework//Versions/A/Resources:
lrwxr-xr-x  1 kent  admin     84 Nov  1 12:44 fr_CA.lproj -> 
/Users/andym/Development/Build 
Products/Release/Sparkle.framework/Resources/fr.lproj

Sparkle.framework//Versions/A/Resources/fr.lproj:
lrwxr-xr-x  1 kent  admin    84 Nov  1 12:44 fr.lproj -> 
/Users/andym/Development/Build 
Products/Release/Sparkle.framework/Resources/fr.lproj
--
You are receiving this because you were mentioned.
Reply to this email directly or view it on GitHub:
https://github.com/ttscoff/nv/issues/423#issuecomment-273948712