Security Q:A new app fails signature verification. What steps are appropriate to address this?
I downloaded an app, and after installation, it fails signature verification:
codesign -vv Amazon\ Music.app
Amazon Music.app: a sealed resource is missing or invalid
file added: /Applications/Amazon Music.app/Contents/Frameworks/update.ini
What I've tried: I don't think it's a transmission error; aside from any internal checks, I downloaded the .dmg twice, over https (URL), and got the same crc32 both times: 74ecf8ab
The installer checks out fine:
codesign -vv */Am*er.app/
Amazon Music/Amazon Music Installer.app/: valid on disk
Amazon Music/Amazon Music Installer.app/: satisfies its Designated Requirement
Adding
-R='anchor apple generic'
doesn't help.
Anyone come across this before?
Solution 1:
In the case of the particular app that prompted the question: download the current version of the app. It's properly signed.
You can see this in any of several ways. By opening the DMG and checking the installer for a signature:
% codesign -v --verbose=4 -R="anchor apple generic" /Volumes/Amazon\ Music/Amazon\ Music\ Installer.app
--prepared:/Volumes/Amazon Music/Amazon Music Installer.app/Contents/MacOS/osx-intel
--validated:/Volumes/Amazon Music/Amazon Music Installer.app/Contents/MacOS/osx-intel
--prepared:/Volumes/Amazon Music/Amazon Music Installer.app/Contents/MacOS/osx-x86_64
--validated:/Volumes/Amazon Music/Amazon Music Installer.app/Contents/MacOS/osx-x86_64
/Volumes/Amazon Music/Amazon Music Installer.app: valid on disk
/Volumes/Amazon Music/Amazon Music Installer.app: satisfies its Designated Requirement
/Volumes/Amazon Music/Amazon Music Installer.app: explicit requirement satisfied
or checking for three checkmarks, like this, in Finder:
Also, you could check that the DMG was downloaded over HTTPS from where you thought it should come from, by checking "Where from", in the Finder, Info window for the DMG file.
May still be useful in other cases:
w/o guidance, my plan is:
-
report it as a security issue to security@ (per https://www.amazon.com/gp/help/customer/display.html?nodeId=201909140),
-
try to get codesign to show me what's missing,
-
Pick apart the .ini