
"Damaged app" in Big Sur being caused by Sparkle #1691

Closed
chockenberry opened this issue Dec 1, 2020 · 8 comments
Labels
1.x Sparkle 1.x

Comments

@chockenberry

We've been getting reports from customers about downloads of our app being "damaged" after being downloaded and opened for the first time.

Today, I tracked this issue down to something in Sparkle (we're using version 1.18.1). It appears that two files in the signed framework are causing the issue.

% codesign -vvvv ./Sparkle.framework/ 
./Sparkle.framework/: a sealed resource is missing or invalid
file added: /Users/CHOCK/Downloads/xScope.app/Contents/Frameworks/Sparkle.framework/Versions/Current/Resources/._fr_CA.lproj
file added: /Users/CHOCK/Downloads/xScope.app/Contents/Frameworks/Sparkle.framework/Versions/Current/Resources/Updater.app/Contents/Resources/._fr_CA.lproj
file added: /Users/CHOCK/Downloads/xScope.app/Contents/Frameworks/Sparkle.framework/Versions/Current/Resources/Updater.app/Contents/Resources/._pt.lproj
file added: /Users/CHOCK/Downloads/xScope.app/Contents/Frameworks/Sparkle.framework/Versions/Current/Resources/._pt.lproj

Both of these files are symlinks to other localization resources (French Canadian to French, Portuguese to Brazilian Portuguese). Note also that the files that are breaking the signature begin with "._" - these are files used to store extended attributes, such as com.apple.FinderInfo.

What's weird about this issue, and why we didn't see it in our testing, is that it only happens in Google Chrome. Safari is doing something (like maybe ignoring/removing extended attributes) before the signature check.

Our workaround for customers is to tell them to use Safari for the download, but it would be much better to fix the issue at the source.

@chockenberry chockenberry added the 1.x Sparkle 1.x label Dec 1, 2020
@chockenberry
Author

Thanks to @danielpunkass for helping me dig into the cause of this issue!

@chockenberry
Author

The best solution here would probably be an additional build step that removes any unnecessary attributes. Something along the lines of

$ ditto Sparkle.framework Sparkle-clean.framework

(This technique can also be used to fix the app so it passes the code signing checks.)
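A pre-release check for the condition reported in this issue, as an added example that is not part of the thread or of Sparkle's own build scripts: it lists AppleDouble "._" files inside a bundle and notes whether each one shadows a symlink, as the four reported entries did. The function names and the sample directory layout are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Sparkle's code). Function names and sample layout are constructed.

# scan_bundle DIR: print "<kind><TAB><path>" for every AppleDouble "._name" entry
# under DIR, where kind says what the sibling "name" is. Returns 1 if any exist,
# 0 if the tree is clean, 2 on usage error. Assumes no newlines in file names.
scan_bundle() {
    bundle=$1
    [ -d "$bundle" ] || { echo "not a directory: $bundle" >&2; return 2; }
    found=0
    # Read from a temp file, not a pipe, so $found survives the loop.
    list=$(mktemp) || return 2
    find "$bundle" -name '._*' -print > "$list"
    while IFS= read -r f; do
        base=$(basename "$f")
        sibling="$(dirname "$f")/${base#._}"
        if [ -L "$sibling" ]; then kind=symlink      # the case reported in the issue
        elif [ -e "$sibling" ]; then kind=present
        else kind=orphan
        fi
        printf '%s\t%s\n' "$kind" "$f"
        found=1
    done < "$list"
    rm -f "$list"
    return "$found"
}

# make_sample: build a constructed framework tree that mirrors the report
# (fr_CA.lproj -> fr.lproj, pt.lproj -> pt_BR.lproj, each with a "._" twin).
make_sample() {
    root=$(mktemp -d) || return 1
    res="$root/Sparkle.framework/Versions/A/Resources"
    mkdir -p "$res/fr.lproj" "$res/pt_BR.lproj"
    ln -s fr.lproj "$res/fr_CA.lproj"
    ln -s pt_BR.lproj "$res/pt.lproj"
    : > "$res/._fr_CA.lproj"
    : > "$res/._pt.lproj"
    echo "$root"
}

sample=$(make_sample)
scan_bundle "$sample/Sparkle.framework" ||
    echo "AppleDouble files found: the signature seal would not match this tree" >&2
rm -rf "$sample"
```

Run against a test extraction of the shipped archive, a non-zero exit from scan_bundle can fail the release job before customers see the "damaged" dialog.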

@chockenberry
Author

Another piece of information: it appears the culprit is actually Archive Utility - Safari has its own ZIP extraction for "safe download" and this circumvents the system utility.

If you turn off Safari's safe downloads feature, you'll see the same damaged app as with Chrome.

@kornelski
Member

I thought that I've got rid of that symlink :/ It used to cause problems even in Sparkle 1.5.

@kornelski
Member

Gone in d4d4c68

@danielpunkass
Contributor

Kudos @kornelski for following up so quickly on this!

@chockenberry
Author

👍 Thanks for the quick response here.

@zorgiepoo
Member

Just a late fyi, this was addressed in 2.x in #1722 (paths here look like they might be using 2.x)
