Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[BUG] MCAL 1.4 dmg Is Not Code Signed #5817

Open
joshmc82 opened this issue Jun 14, 2023 · 6 comments
Open

[BUG] MCAL 1.4 dmg Is Not Code Signed #5817

joshmc82 opened this issue Jun 14, 2023 · 6 comments
Labels
bug Something isn't working Internal-Issue-Created An issue has been created in NextGen's internal issue tracker RS-10808 triaged

Comments

@joshmc82
Copy link

joshmc82 commented Jun 14, 2023
edited
Loading

Describe the bug
The MCAL 1.4 dmg file for MacOS is not code signed and causes errors trying to launch.

To Reproduce
Setup steps (if required). Example:

  1. Download a version of MCAL 1.4 dmg file

Steps to reproduce the behavior:

  1. Double click on downloaded MCAL dmg file (i.e. mirth-administrator-launcher-latest-macos-aarch64.dmg)
  2. Get Error

Expected behavior
The dmg file itself should be signed like the underlying app

Actual behavior
The dmg is not signed and produces an error from MacOS

Screenshots
If applicable, add screenshots to help explain your problem.

Environment (please complete the following information):

  • OS: macOS Monterey (version 12.6.6)

Workaround(s)
Hold ctrl key then click the dmg to open it. This bypasses the security check.

Additional context
It should be pretty easy to sign the dmg the same way you sign the app itself.
Reference: https://stackoverflow.com/questions/23824815/how-to-add-codesigning-to-dmg-file-in-mac
@joshmc82 joshmc82 added the bug Something isn't working label Jun 14, 2023
@jonbartels
Copy link
Contributor

jonbartels commented Jun 14, 2023
edited
Loading

Notes from Slack:

A user sees this warning when opening the DMG
image

The installer app itself is signed, the DMG is not:

10:06:36 with jonathan.bartels in ~/Downloads via ⬢ v16.0.0 via ☕ v11.0.15 
➜ codesign --verify --verbose mirth-administrator-launcher-latest-macos-aarch64.dmg  
mirth-administrator-launcher-latest-macos-aarch64.dmg: code object is not signed at all

10:06:40 with jonathan.bartels in ~/Downloads via ⬢ v16.0.0 via ☕ v11.0.15 
➜ codesign --verify --verbose /Volumes/Mirth\ Connect\ Administrator\ Launcher/Mirth\ Connect\ Administrator\ Launcher\ Installer.app
/Volumes/Mirth Connect Administrator Launcher/Mirth Connect Administrator Launcher Installer.app: valid on disk
/Volumes/Mirth Connect Administrator Launcher/Mirth Connect Administrator Launcher Installer.app: satisfies its Designated Requirement

A sampling of other DMGs from my downloads folder shows some signed and some not:

10:25:35 with jonathan.bartels in ~/Downloads via ⬢ v16.0.0 via ☕ v11.0.15 
➜ find ./ -name "*.dmg" -exec codesign --verify --verbose {} \;
.//Discord.dmg: valid on disk
.//Discord.dmg: satisfies its Designated Requirement
.//mirth-administrator-launcher-latest-macos-aarch64.dmg: code object is not signed at all
.//OpenWebStart_macos-aarch64_1_6_0.dmg: valid on disk
.//OpenWebStart_macos-aarch64_1_6_0.dmg: satisfies its Designated Requirement
.//mirth-administrator-launcher-1.3.0-macos.dmg: code object is not signed at all
.//Brave-Browser.dmg: valid on disk
.//Brave-Browser.dmg: satisfies its Designated Requirement
.//Discord(1).dmg: valid on disk
.//Discord(1).dmg: satisfies its Designated Requirement
.//Docker.dmg: code object is not signed at all
.//Disk Inventory X 1.3.dmg: code object is not signed at all
.//Zed.dmg: code object is not signed at all
.//kse-551.dmg: valid on disk
.//kse-551.dmg: satisfies its Designated Requirement
.//Firefox 102.0.1.dmg: code object is not signed at all
.//mirth-administrator-launcher-latest-macos.dmg: code object is not signed at all
.//LibreCAD-2.2.0.dmg: code object is not signed at all
.//Postgres-2.5.8-14.dmg: code object is not signed at all
.//licecap132.dmg: valid on disk
.//licecap132.dmg: satisfies its Designated Requirement
.//LastPass.dmg: code object is not signed at all

@JackieK5
Copy link
Collaborator

@joshmc82 & @jonbartels Thanks for bringing this up! We have added a note about it to the Upgrade Guide as well so that users will hopefully not have to go looking for this GitHub item to know how to work around it. As that note says, we may be addressing this in our next release. Thanks again!

@pladesma pladesma added triaged Internal-Issue-Created An issue has been created in NextGen's internal issue tracker RS-10808 labels Jun 21, 2023
@joshmc82
Copy link
Author

joshmc82 commented Jul 3, 2023

Perhaps worth adding that if you download the stand-alone tar.gz file, the launcher executable is not signed in that package and will result in the same security issue.

@jonbartels
Copy link
Contributor

@joshmc82 your workaround is not correct. It should be Ctrl-click -> Open and not Cmd-click -> Open https://support.apple.com/guide/mac-help/open-a-mac-app-from-an-unidentified-developer-mh40616

@joshmc82
Copy link
Author

joshmc82 commented Jul 7, 2023

@joshmc82 your workaround is not correct. It should be Ctrl-click -> Open and not Cmd-click -> Open https://support.apple.com/guide/mac-help/open-a-mac-app-from-an-unidentified-developer-mh40616

Good catch. Edited the OP for clarity.

@jonbartels
Copy link
Contributor

Previously reported on 1.3.0 #5575

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working Internal-Issue-Created An issue has been created in NextGen's internal issue tracker RS-10808 triaged
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@pladesma @jonbartels @joshmc82 @JackieK5