Security Q: A new app fails signature verification. What steps are appropriate to address this?

I downloaded an app, and after installation, it fails signature verification:

codesign -vv Amazon\ Music.app
Amazon Music.app: a sealed resource is missing or invalid
file added: /Applications/Amazon Music.app/Contents/Frameworks/update.ini

What I've tried: I don't think it's a transmission error; aside from any internal checks, I downloaded the .dmg twice, over https (URL), and got the same crc32 both times: 74ecf8ab

The installer checks out fine:

codesign -vv */Am*er.app/
Amazon Music/Amazon Music Installer.app/: valid on disk
Amazon Music/Amazon Music Installer.app/: satisfies its Designated Requirement

Adding

   -R='anchor apple generic'

doesn't help.

Anyone come across this before?


Solution 1:

In the case of the particular app that prompted the question: download the current version of the app. It's properly signed.

You can see this in any of several ways. By opening the DMG and checking the installer for a signature:

% codesign -v --verbose=4  -R="anchor apple generic" /Volumes/Amazon\ Music/Amazon\ Music\ Installer.app
--prepared:/Volumes/Amazon Music/Amazon Music Installer.app/Contents/MacOS/osx-intel
--validated:/Volumes/Amazon Music/Amazon Music Installer.app/Contents/MacOS/osx-intel
--prepared:/Volumes/Amazon Music/Amazon Music Installer.app/Contents/MacOS/osx-x86_64
--validated:/Volumes/Amazon Music/Amazon Music Installer.app/Contents/MacOS/osx-x86_64
/Volumes/Amazon Music/Amazon Music Installer.app: valid on disk
/Volumes/Amazon Music/Amazon Music Installer.app: satisfies its Designated Requirement
/Volumes/Amazon Music/Amazon Music Installer.app: explicit requirement satisfied

or checking for three checkmarks, like this, in Finder:

(screenshot: Finder Info window for the current Amazon Music Installer, showing the three checkmarks)

Also, you could check that the DMG was downloaded over HTTPS from where you thought it should come from, by checking "Where from" in the Finder Info window for the DMG file.

May still be useful in other cases:

Without guidance, my plan is:

  1. Report it as a security issue to security@ (per https://www.amazon.com/gp/help/customer/display.html?nodeId=201909140),

  2. Try to get codesign to show me what's missing,

  3. Pick apart the .ini