Finder reports Java applications as damaged when Gatekeeper is on
| Originator: | juandesant | ||
| Number: | rdar://14346748 | Date Originated: | 03/07/2013 |
| Status: | Closed (Third party to resolve) | Resolved: | 12/07/2013 |
| Product: | OS X | Product Version: | 10.8.4 (12E55) |
| Classification: | UI/Usability | Reproducible: | Always |
Summary: After downloading a Java application, and Gatekeeper is set to only allow applications from either the Mac App Store or identified developers, trying to run the application results in the Finder reporting that the application is damaged Steps to Reproduce: 1) Download a Java-based application, for instance, the Aladin Sky Atlas: http://aladin.u-strasbg.fr/java/Aladin.dmg 2) Open the .dmg and move Aladin.app to the /Applications folder 3) Double click on Aladin.app in the /Applications folder Expected Results: The Finder should show an alert that the file is not signed, and disallow execution. After that, control-clic on the application icon and then clicking Open in the pop-up menu should show an alert that the file is not signed, and after accepting it, the application should start. Actual Results: The Finder shows an alert that the file is damaged (see attached screenshot), and offers to move it to the Trash. Control-clic on the application icon, and then clicking Open in the pop-up menu shows the same dialog. Regression: Happens in all versions of Mac OS X 10.8.x. Not tested in 10.9 yet. Notes: There are two workarounds: 1) erasing the com.apple.quarantine extended attribute with xattr -d com.apple.quarantine /Applications/Aladin.app 2) deactivate Gatekeeper before trying to open the application, and possibly reactivate it after the application has run for the first time.
Comments
Please note: Reports posted here will not necessarily be seen by Apple. All problems should be submitted at bugreport.apple.com before they are posted here. Please only post information for Radars that you have filed yourself, and please do not include Apple confidential information in your posts. Thank you!
17-Jul-2013 07:32 PM Juan de Dios Santander Vela reply
After talking with the developer of another application with the same problem, Topcat, I have been able to use codesign to verify the issue. I have found this recently published hint:
http://hints.macworld.com/article.php?story=20130715141650672
I have been able both to use my Developer ID, and the ad-hoc signature, to bypass the problem. However, if the cause is how the JavaStub is signed, that should still be considered a bug, or at least an official workaround proposed.
12-Jul-2013 05:31 PM Apple Developer Bug Reporting Team reply
Engineering has determined that this is an issue for a third party to resolve.
The Aladin.app is signed, and its signature has been broken. This is very different from being altogether unsigned. Programs with existing, broken signatures cannot be allowed through Gatekeeper. You need to get a new, un-broken version of this App from its developer.
If you have questions regarding the resolution of this issue, please update your bug report with them.
We are closing this report.
Please be sure to regularly check new Apple releases for any updates that might affect this issue.