Sublime Forum

Invalid code signature after self-update on macOS

#1

Hi,

On macOS, after self-update, .sublime-package files lose their code signature related extended attributes, i.e. com.apple.cs.Code(Directory|Requirements|Requirements-1|Signature)

As a consequence, the .app code signature is no longer valid.

This doesn’t block Sublime Merge launch since the quarantine extended attributes are gone too, so LaunchServices will not apply Developer ID restrictions.

The issue appeared during the last two minor updates.
Changing .app bundle owner and group to root:admin before self-update may be required to trigger the issue.
This is most certainly the case for Sublime Text too.

Steps to reproduce:

  1. download and install outdated Sublime Merge application bundle;

  2. check Security Assessment:

    $ spctl --assess --verbose Sublime\ Merge.app
    Sublime Merge.app: accepted
    source=Developer ID

  3. self update to current Sublime Merge version;

  4. check Security Assessment:

    $ spctl --assess --verbose Sublime\ Merge.app
    Sublime Merge.app: rejected
    source=no usable signature

Kindly please consider improving self-update process to keep extended attributes.

Thanks!

0 Likes

#2

Hi! Turns out the current Sublime Merge package was created in a non-HFS+/APFS file system and has extended attributes in “._” files. Not all the archivers apply those files, so the application signature fails.

To be more precise, there are extended attribute files created for /Contents/MacOS/changelog and all (or almost all) the files in /Contents/MacOS/Packages/*

I recommend using a DMG package or at least creating the ZIP package on an HFS+/APFS file system so this package is extracted properly with any archiver.

I found out that here: https://github.com/aonez/Keka/issues/294

0 Likes

#3

From what you are saying, it has a valid signature, but the program you are using chooses not to look in the right place. It sounds like Keka could use an enhancement here.

Either way, I am planning on looking into the signature when the self-updater runs.

0 Likes

#4

If the ZIP package is extracted with an archiver that does not take care of the ._ files, common unless you use the bundled macOS archiver, the system checks on this app will always fail. If you sign an app and then add some extra files inside, this signature is no longer valid.

Just trying to be helpful here, but I assume my help is not welcome here.

0 Likes
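The “._” files posts #2 and #4 refer to are AppleDouble sidecars: when a zip is created on a file system without native xattr support, macOS packs each file's extended attributes (the com.apple.cs.* signature blobs included) into a sibling `._name` file. The parser below is an added example, not code from this thread or from Sublime HQ; it follows the AppleDouble v2 / `ATTR` layout from xnu's vfs_xattr.c, the function names and the stub signature blobs are constructed for illustration, and it lets you see which signature attributes an archive carried but the extracted file ended up without.

```python
import struct

ADH_MAGIC, ADH_VERSION, ATTR_MAGIC = 0x00051607, 0x00020000, 0x41545452  # 'ATTR'
FINFO_ID, RSRC_ID = 9, 2            # AppleDouble entry ids: Finder Info, resource fork
CS_PREFIX = "com.apple.cs."         # the code-signature xattrs named in post #1

def parse_appledouble_xattrs(blob):
    """{name: value} for the xattrs in a '._' sidecar. Layout as in xnu vfs_xattr.c (big-endian):
    26-byte header, 12-byte entries, Finder Info (32 + 2 pad), 'ATTR' header, 4-aligned records."""
    if struct.unpack_from(">II", blob, 0) != (ADH_MAGIC, ADH_VERSION):
        raise ValueError("not an AppleDouble v2 sidecar")
    finfo = None
    for i in range(struct.unpack_from(">H", blob, 24)[0]):
        eid, off, length = struct.unpack_from(">III", blob, 26 + 12 * i)
        if eid == FINFO_ID and length > 34:         # longer than finfo+pad => has an ATTR area
            finfo = off
    if finfo is None or struct.unpack_from(">I", blob, finfo + 34)[0] != ATTR_MAGIC:
        return {}                                   # plain Finder Info, no xattrs carried
    hdr = finfo + 34
    n_attrs = struct.unpack_from(">H", blob, hdr + 34)[0]   # flags at +32, num_attrs at +34
    pos, attrs = hdr + 36, {}
    for _ in range(n_attrs):
        off, length, _flags, namelen = struct.unpack_from(">IIHB", blob, pos)
        name = blob[pos + 11 : pos + 10 + namelen].decode()  # namelen includes the NUL
        attrs[name] = blob[off : off + length]
        pos += (14 + namelen) & ~3                  # 11 fixed bytes + name, rounded up to 4
    return attrs

def build_appledouble(xattrs):
    """Constructed sample sidecar in the same layout (what Finder / ditto write)."""
    nms = [(n, n.encode() + b"\0") for n in sorted(xattrs)]
    data_start = 120 + sum((14 + len(nm)) & ~3 for _, nm in nms)   # 84 + 36 header bytes
    recs, data = b"", b""
    for n, nm in nms:
        recs += struct.pack(">IIHB", data_start + len(data), len(xattrs[n]), 0, len(nm)) + nm
        recs += bytes(((14 + len(nm)) & ~3) - 11 - len(nm))
        data += xattrs[n]
    total = data_start + len(data)
    head = struct.pack(">II16xHIIIIII", ADH_MAGIC, ADH_VERSION, 2, FINFO_ID, 50, total - 50, RSRC_ID, total, 0)
    attr_hdr = struct.pack(">IIIII12xHH", ATTR_MAGIC, 0, total, data_start, len(data), 0, len(nms))
    return head + bytes(34) + attr_hdr + recs + data

def dropped_codesign_xattrs(sidecar, applied_names):
    """Signature xattrs the sidecar carries but the extracted file lacks: a non-empty
    result is exactly the '._'-unaware extraction of posts #2/#4 that breaks the bundle."""
    return sorted(n for n in parse_appledouble_xattrs(sidecar) if n.startswith(CS_PREFIX) and n not in applied_names)

# Constructed sample: sidecar for one .sublime-package; stub blobs stand in for real signature data
SAMPLE_SIDECAR = build_appledouble({"com.apple.cs.CodeDirectory": b"\xfa\xde\x0c\x02" + bytes(28),
    "com.apple.cs.CodeRequirements": b"\xfa\xde\x0c\x01" + bytes(8),
    "com.apple.cs.CodeSignature": b"\xfa\xde\x0b\x01" + bytes(12)})
```

On a real extracted bundle, feed it the bytes of a `._` file next to a package together with the names `xattr -l` reports for that package; the difference is what the archiver dropped.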

#5

I wouldn’t say that. I was just pointing out that Keka sounds like it could use an enhancement to handle an archive that the macOS archiver can handle.

0 Likes

#6

The ditto CLI keeps macOS metadata when creating and extracting Zip archives:

$ man ditto
(...)
     The command:
           ditto -c -k --sequesterRsrc --keepParent src_directory archive.zip
     will create a PKZip archive similarly to the Finder's Compress functionality.

and the expand arguments are -x -k.

0 Likes

#7

Yes, in fact we use ditto to create the zip.

0 Likes

#8

Great, I like the idea of Sublime HQ paying attention to the forum and considering fixing stuff with this cool attitude.

Proud of being a Sublime user, have you ever considered developing an OS? :wink:

0 Likes

#9

This is being tracked at https://github.com/sublimehq/sublime_merge/issues/34

0 Likes