Bug KoLmafia-15.7.dmg broken on Mountain Lion due to gatekeeper

JeffAMcGee

New member
When I install kolmafia on my MacBook and run it, I get this message: "“KoLmafia-15.7” is damaged and can’t be opened. You should move it to the Trash."

The problem is with Apple's new gatekeeper that by default disallows running unsigned binaries. If I change the security settings, the application works. I can also build and run the jar from svn.

Usually you can run an unsigned app by right-clicking on it, but this doesn't seem to work for kolmafia.
 

lostcalpolydude

Developer
Staff member
Signing an app requires having an Apple Developer ID, which costs $99/year. I don't think anyone with commit access already has that or has a reason besides mafia to get one, so signing mafia probably won't happen. Marking Won't Fix.

Also, according to http://support.apple.com/kb/HT5290 the error message you posted is supposed to mean that you can't open it no matter what your settings are.
 

merric

New member
Corrupted Download File

I'm not sure if this is the right way to do this but I couldn't find a way to email somebody...

For the past three updates (.5, .6, .7), after downloading the DMG file and trying to run it, I'm consistently told that the file is corrupted and needs to be moved to the trash. I'd really like to update, especially since the Mall function appears to be broken now in 15.4.

If easier to resolve this via email I'm at kol.merric@gmail.com.

Using Mac 10.8.2 and Chrome.

Thanks,

~Merric
 
Duplicate of http://kolmafia.us/showthread.php?11256-KoLmafia-15-7-dmg-broken-on-Mountain-Lion-due-to-gatekeeper (caused by the exact same issue).
 

jercos

New member
Signing the binaries with a self-signed key is enough to allow the file to be right-click->open'd and from there on, simply opened normally... I made myself a self-signed certificate called "codesign", with extendedKeyUsage=codeSigning, ran codesign -s codesign -f KoLmafia-15.7.app, and was good to go. This could be done with a self-signed certificate owned by a committer, or with a paid-for "professional" code signing certificate, and either way would "fix" this issue without paying Apple for permission to write software for their platform ;)
 

lostcalpolydude

Developer
Staff member
Is it possible to trust everything signed by a particular author then? Otherwise there doesn't seem to be any practical difference between "signed by some unknown person" and "not signed at all".

Regardless, I will figure this out and upload a new .dmg with a self-signed .app.
 

jercos

New member
there doesn't seem to be any practical difference between "signed by some unknown person" and "not signed at all".

There's minimal difference cryptographically... I don't believe it's trivial, if at all possible, to give full trust to a self-signed key, but once a given app is opened via right-clicking, that app will work unless it's modified again, avoiding the potential for say, for example, malware to overwrite it. Of course the malware could just generate its own key and re-sign, with the assumption that the user will then trust the altered binary.

The main difference is practical, in that tiny difference in usability for Mountain Lion users that have not circumvented gatekeeper.
 

jercos

New member
A version that should be self-signed is available at http://sourceforge.net/projects/kolmafia/files/15.7/KoLmafia-15.7-signed.dmg/download . Can someone with OS X 10.8 check that? I'll make that the default download if that worked properly.

While the JavaApplicationStub binary itself is signed, the resources don't appear to be signed. I get the same error preventing me from loading the program at all from Finder (though running either the jar or JavaApplicationStub from the terminal is still functional). If I overwrite that signature with my own using codesign, it creates Contents/_CodeSignature/CodeResources, which appears to include hashes of the resources, and I suppose must itself be signed from the signature in the main binary.
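
Added example (not from the thread or the KoLmafia project): a simplified Python model of the resource seal described above, showing how per-file hashes in Contents/_CodeSignature/CodeResources expose a resource changed after signing. It assumes a `files` dictionary mapping paths relative to Contents/ to SHA-1 digests, ignores the rules section and the signature over the seal itself, and uses a constructed bundle with hypothetical file names.

```python
import hashlib
import plistlib
import tempfile
from pathlib import Path


def seal_resources(contents: Path) -> None:
    """Write a simplified CodeResources: SHA-1 of every file under Resources/."""
    files = {p.relative_to(contents).as_posix(): hashlib.sha1(p.read_bytes()).digest()
             for p in (contents / "Resources").rglob("*") if p.is_file()}
    (contents / "_CodeSignature").mkdir(exist_ok=True)
    with open(contents / "_CodeSignature" / "CodeResources", "wb") as fh:
        plistlib.dump({"files": files}, fh)  # bytes values become <data> elements


def verify_resources(contents: Path) -> dict:
    """Return {relative path: 'ok' | 'modified' | 'missing'} for each sealed file."""
    with open(contents / "_CodeSignature" / "CodeResources", "rb") as fh:
        sealed = plistlib.load(fh)["files"]
    report = {}
    for rel, entry in sealed.items():
        # An entry is the raw digest, or a dict such as {"hash": ..., "optional": True}.
        digest = entry["hash"] if isinstance(entry, dict) else entry
        target = contents / rel
        if not target.is_file():
            report[rel] = "missing"
        elif hashlib.sha1(target.read_bytes()).digest() != digest:
            report[rel] = "modified"
        else:
            report[rel] = "ok"
    return report


def demo() -> tuple:
    """Seal a constructed bundle, then overwrite one resource and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        contents = Path(tmp) / "Example.app" / "Contents"  # constructed sample bundle
        jar = contents / "Resources" / "Java" / "app.jar"
        jar.parent.mkdir(parents=True)
        jar.write_bytes(b"constructed jar bytes")
        (contents / "Resources" / "icon.icns").write_bytes(b"constructed icon bytes")
        seal_resources(contents)
        before = verify_resources(contents)
        jar.write_bytes(b"tampered")  # simulate a post-signing modification
        return before, verify_resources(contents)


if __name__ == "__main__":
    for report in demo():
        print(report)
```

On a real Mac, `codesign --verify` performs this comparison along with the signature check that this sketch leaves out.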
 

lostcalpolydude

Developer
Staff member
Oh right, I haven't looked at this in a little while. When I was last testing, the .jar that ant creates says it isn't signed, but the .app that comes out of jarbundler claims to be improperly signed (I don't remember the actual message) without me trying to sign it. Maybe if I opened up Jar Bundler I could get that worked out. I think the .jar would work more easily for people with Mountain Lion, at least for now.
 