Mac DMG oddity - signing and "damaged" applications

Question

My Gatekeeper settings are "App Store and Identified Developers"

I have a DMG with a signed app.

When I mount the DMG and run it locally, it works. when I upload the same DMG to our servers (via http), download it (via http), mount it, and try to run the app I get a popup saying my application is "damaged and can't be opened. You should move it to the Trash.

I have no idea what's going on. How can the same file run correctly locally, but when uploaded and downloaded it's corrupt? The server is fine, other parties in our company upload and download applications from it just fine.

Am I missing something?

Answer 1

Figured out the problem after lot of tries.

In my case: The Pop Message - damaged application came due to libraries were missing. I Had created .app file using QT. To generate dmg i was using deploymacqt command tool. deploymacqt tool creates dynamic libraries inside .app, so basically if we codesign before creating dmg, this alter will manipulate code sign. So the proper fix is.

# Create dmg using 
    deploymacqt <yourapp.app> -dmg

# Open resulted dmg file, copy <yourapp.app> to different folder(let's say /Documents/<yourapp.app>)

# Codesign the /Documents/<yourapp.app> using 
    codesign --deep --force --verify --verbose --sign "Developer ID Application: <developerid>" <yourapp.app>

# Verify using
    codesign --verify --verbose=4 <yourapp.app>
 * you should see something like this
    <yourapp.app>: valid on disk
    <yourapp.app>: satisfies its Designated Requirement

# Now create again the dmg file using [dropdmg](https://c-command.com/dropdmg/) application, download, install dropdmg. set the cofiguration preferences with your developer id certificate in signing option.

# drag and drop <yourapp.app> to dropdmg app, wait for creation of dmg to complete. voila you have now successfully created dmg with proper developer id certification.

# verify resulted dmg again using   
     codesign --verify --verbose=4 <yourapp.dmg>
# you can also verify with gatekeeper
     spctl -a -t exec -vv <yourapp.dmg>

once you are done with these, you will not see pop message saying app is damaged or broken or unidentified developer.

Answer 2

I'm glad you found your problem. In case other people find this post searching about corrupted DMGs, I want to add another probable solution:

In addition to signing the .app bundle:

codesign -f -s "Developer ID Application: Your Dev ID Here" -v "Your App.app"

you should also sign the created DMG as well:

codesign -f -s "Developer ID Application: Your Dev ID Here" -v YourProgram.dmg

I didn't put quotation marks around the dmg file path because it's less likely that you have spaces in the dmg name. If you do, don't forget to escape them on the command line, or wrap your file path in quotes.

Answer 3

Open terminal and Run:

sudo xattr -rd com.apple.quarantine /Applications/xxx.app

and the "/Applications/xxx.app" MUST be the path of your app. For example, i wannt run PDF Expert and its path is "/Applications/PDF\ Expert.app". Then i should type this on my Terminal and ENTER:

sudo xattr -rd com.apple.quarantine /Applications/PDF\ Expert.app"

Answer 4

I discovered the problem.

unbeknownst to me, our installer program writes a file into the application bundle at install time.

This breaks the signature and causes the Mac to freak out and declare the application damaged.

Took a while to discover that.

Answer 5

My problem had a similar but different cause to the one described in @JasonGenX's post.

My app had some files that got modified when I ran it, and that caused the app's signature to fail verification.

To fix it, I removed those files and prevented them from ever being created or modified, so that the .app bundle should never change on its own.

---

Specifically, I had Python code in my app bundle. When the app ran Python, it compiled imports to .pyc files. These got signed along with the rest of the app bundle.

When I ran the .app before creating the DMG, Python updated & modified these .pyc files, so they no longer passed signature verification. I verified this using:

$ codesign --verify --verbose=4 my.app
[...]
my.app: a sealed resource is missing or invalid
file modified: /private/tmp/my.app/Contents/Resources/python-dist/chardet/codingstatemachine.pyc
file modified: /private/tmp/my.app/Contents/Resources/python-dist/chardet/euckrprober.pyc
[...etc...]

The .app still ran on my own computer because I had built it myself, so it was trusted. But when I uploaded & downloaded the DMG, it got tagged to indicate it had come from an untrusted source and required signature verification.

Since the signature verification failed, MacOS reported that the app bundle was damaged.

---

The fix was to delete the .pyc files from my bundled Python resources, and run Python as python -B, which instructs it not to create .pyc files.

I rebuilt my .app bundle without the .pyc files, and Python no longer creates them, so the .app bundle remains unmodified.

Answer 6

Ι had same issue with an macOS Application, which created and signed by me. I had some problematic png in my project which can t be transferred at archive. When I tried to validate the App via App Connect had the message bellow.

I deleted problematic png, I archived the app again, notarized it, exported it with Developer-id, uploaded to my server, download from my server and run it successfully.