Bug 7439 - macOS client can't start without internet access
Status: CLOSED FIXED
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Client platforms
Version: trunk
Hardware: PC Unknown
: P2 Normal
Target Milestone: 4.11.0
Assignee: Bugzilla mail exporter
URL:
Keywords: aleta_tester, prosaic
Depends on: 7371
Blocks:
 
Reported: 2019-11-19 15:43 CET by Samuel Mannehed
Modified: 2019-11-25 14:33 CET

Description Samuel Mannehed cendio 2019-11-19 15:43:07 CET
With bug 7371 we now do notarization of our signed macOS client; this allows tlclient to run on macOS 10.15.

The notarization verification works by contacting Apple's Gatekeeper system when trying to start the ThinLinc client for the first time. If you don't have internet access your Mac can't contact the Gatekeeper servers. This results in the following dialogue:

> "ThinLinc client" can't be opened because Apple cannot check it for malicious software.
>
> This software needs to be updated. Contact the developer for more information.
>
> Safari downloaded this file today at 1:16 PM from cendio.com
>
> [Show in Finder]  [OK]

This dialog is the same as when the client isn't notarized at all.

You can work around this by right-clicking ThinLinc client from Finder and
choosing "Open". After doing this you no longer receive the warning.

The proper solution to this bug is to "Staple" the notarization approval to the app:
https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution/customizing_the_notarization_workflow?language=objc#3087720

Comment 1 Samuel Mannehed cendio 2019-11-19 15:46:48 CET
Since the notarization and signing requirements on macOS only apply to apps downloaded from the internet, one way to reproduce this stapling issue is as follows:

 1) Download a signed AND notarized ThinLinc Client from Safari
 2) Go to network settings in macOS
 3) Select 'Ethernet' in the list
 4) Press the small cogwheel at the bottom of the list and choose "Deactivate service"
 5) Press "Apply"
 6) Start the ThinLinc Client you just downloaded
 7) Observe that it can't be started

Comment 5 Samuel Mannehed cendio 2019-11-21 15:55:08 CET
Fixed now; this bug should be tested along with bug 7371.

Comment 7 Alex Tanskanen cendio 2019-11-25 14:33:42 CET
To verify that it works I followed the steps presented in comment #1:

(In reply to comment #1)
> 
>  1) Download a signed AND notarized ThinLinc Client from Safari
>  2) Go to network settings in macOS
>  3) Select 'Ethernet' in the list
>  4) Press the small cogwheel at the bottom of the list and choose "Deactivate
> service"
>  5) Press "Apply"
>  6) Start the ThinLinc Client you just downloaded
>  7) Observe that it can't be started

First time I did this, I used a non-stapled client and it didn't open as expected. I then stapled the same client and re-downloaded it from a browser. I turned off the internet and the client opened just fine without any messages saying it cannot be opened.
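
A release-side guard against shipping a non-stapled build again, as an added example that is not Cendio's build code: it rejects an app bundle unless the signature verifies, a notarization ticket is stapled and Gatekeeper accepts it. The function name `check_release` and its exit codes are assumptions made for this example; `codesign`, `xcrun stapler` and `spctl` are the standard macOS tools and must be run on a Mac with the Xcode command line tools.

```shell
#!/bin/sh
# Added example: pre-release check for a notarized macOS app bundle.
# check_release and its exit codes are hypothetical names for this sketch.

# check_release APP
#   0  signed, ticket stapled, accepted by Gatekeeper
#   2  APP is missing or not a bundle directory
#   3  code signature does not verify
#   4  no valid notarization ticket stapled to the bundle
#   5  Gatekeeper assessment rejects the bundle
check_release() {
    app=$1
    [ -n "$app" ] && [ -d "$app" ] || {
        echo "not an app bundle: $app" >&2; return 2; }

    # 1. Stapling does not replace signing: the signature must verify first.
    codesign --verify --deep --strict "$app" >/dev/null 2>&1 || {
        echo "FAIL signature: $app" >&2; return 3; }

    # 2. The ticket has to travel with the bundle. A notarized but
    #    non-stapled app fails here, which is the state this bug describes.
    xcrun stapler validate "$app" >/dev/null 2>&1 || {
        echo "FAIL no stapled ticket: $app" >&2; return 4; }

    # 3. Ask Gatekeeper for its verdict on launching the bundle.
    spctl --assess --type execute "$app" >/dev/null 2>&1 || {
        echo "FAIL Gatekeeper assessment: $app" >&2; return 5; }

    echo "OK: $app"
}

# Run the check when the script is given a bundle path.
if [ "$#" -gt 0 ]; then
    check_release "$1"
fi
```

Running this as the last packaging step makes a missing staple fail the build, before anyone has to reproduce it by disabling the network as in comment #1.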
