Bug 5625 - Signed client downloaded from our web fails to pass OS X Gatekeeper
Status: CLOSED FIXED
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Client platforms
Version: 4.3.0
Hardware: PC Unknown
Importance: P2 Normal
Target Milestone: 4.5.0
Assignee: Peter Åstrand
Keywords: hean01_tester, relnotes
Reported: 2015-09-01 13:49 CEST by Henrik Andersson
Modified: 2015-09-28 12:33 CEST

Description Henrik Andersson cendio 2015-09-01 13:49:07 CEST
Downloaded our OS X client from www.cendio.se on our Mac OS X 10.10 client. The GateKeeper prevents running the application. Verified that the package was signed using `codesign -v`...

Also verified that GateKeeper was configured to allow apps from identified developers.
Comment 1 Peter Åstrand cendio 2015-09-08 13:11:34 CEST
https://developer.apple.com/library/mac/technotes/tn2206/_index.html#//apple_ref/doc/uid/DTS40007919-CH1-TNTAG211

"You can also use the spctl tool to check if Gatekeeper will accept
your app's signature. spctl is a command-line interface to the same
security assessment policy subsystem that Gatekeeper uses."

$ spctl -a -t exec -vv Foo.app
Comment 2 Peter Åstrand cendio 2015-09-11 12:59:57 CEST
lab-42:~ admin$ spctl -a -t exec -vv /Volumes/ThinLinc\ Client\ 1/ThinLinc\ Client.app
/Volumes/ThinLinc Client 1/ThinLinc Client.app: accepted
source=Developer ID
origin=Developer ID Application: Cendio AB (PHUT6TWL4H)

However:

Sep  8 13:33:55 lab-42.lkpg.cendio.se CoreServicesUIAgent[314]: Error -60005 creating authorization
Sep  8 13:33:55 lab-42.lkpg.cendio.se CoreServicesUIAgent[314]: File /Volumes/ThinLinc Client 1/ThinLinc Client.app/Contents/lib/tlclient/pulseaudio failed on loadCmd /opt/thinlinc/lib/libpulsecore-4.0.dylib
Sep  8 13:33:55 lab-42.lkpg.cendio.se CoreServicesUIAgent[314]: Fails dylib check

This is mentioned here:

https://developer.apple.com/library/mac/technotes/tn2206/_index.html#//apple_ref/doc/uid/DTS40007919-CH1-TNTAG207

"Gatekeeper Changes in OS X v10.10.4 and Later"

"Note: The changes in this section also apply to OS X v10.9.5 if Security Update 2015-005 Mavericks has been installed.

The changes in this section also apply to OS X v10.8.5 if Security Update 2015-005 Mountain Lion has been installed."
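
The "Fails dylib check" log lines in Comment 2 name a load command with an absolute path outside the app bundle, which `spctl -a` did not report. As an added example (not part of the original bug report or of Cendio's build scripts), a pre-release check that reads `otool -L` output and flags such paths; the sample output, its version numbers and the list of accepted system prefixes are assumptions.

```shell
#!/bin/sh
# Added example: reads `otool -L <binary>` output on stdin and prints every
# dependency path that is absolute and not under an accepted system prefix.
# It inspects install names only; it does not resolve @rpath entries.
flag_external_dylibs() {
    # Dependency lines are indented: "<path> (compatibility version ...)".
    # The first line ("<binary>:") is not indented and is skipped.
    sed -n 's/^[[:space:]]\{1,\}\(.*\) (compatibility version .*$/\1/p' |
    while IFS= read -r path; do
        case "$path" in
            @executable_path/*|@loader_path/*|@rpath/*) ;;  # relative to the bundle
            /usr/lib/*|/System/Library/*) ;;                # assumed system prefixes
            /*) printf '%s\n' "$path" ;;                    # absolute, outside the bundle
        esac
    done
}

# Constructed sample of `otool -L` output for the pulseaudio binary named in
# the log above. Only the /opt/thinlinc path comes from the bug report.
sample_otool_output() {
    printf '%s\n' 'ThinLinc Client.app/Contents/lib/tlclient/pulseaudio:'
    printf '\t%s\n' \
        '/opt/thinlinc/lib/libpulsecore-4.0.dylib (compatibility version 0.0.0, current version 0.0.0)' \
        '@executable_path/../libpulse.0.dylib (compatibility version 1.0.0, current version 1.0.0)' \
        '/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1213.0.0)' \
        '/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation (compatibility version 150.0.0, current version 1152.0.0)'
}

# Demo on the constructed sample. On a Mac, feed it real output instead:
#   otool -L "ThinLinc Client.app/Contents/lib/tlclient/pulseaudio" | flag_external_dylibs
sample_otool_output | flag_external_dylibs
```

Running this over every Mach-O file in the bundle before signing catches the condition that Gatekeeper rejects at launch.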
Comment 7 Peter Åstrand cendio 2015-09-23 09:59:54 CEST
Tested signing tl-4.4.0post_4895-client-osx.iso, seems to work fine.
Comment 9 Henrik Andersson cendio 2015-09-25 08:12:15 CEST
Verified that my test signed iso worked as expected.