Jenkins web download corrupts mac app code signing


I'm seeing a bizarre code-signing / file-transfer issue and haven't found any clue as to the cause, wonder if anyone else has an idea.

I have a Mac OS X build server running Jenkins which builds and signs mac components and apps just fine. These include apps that are Final Cut Pro X plugins.

When I download a zip file produced by the build system through the browser (from the Jenkins build page) with these FCPX apps, after unzipping the app won't launch - it says it's from an unknown developer, as if it isn't code signed.

And yet if I get that same build output zip another way - downloading via sftp or by afp-mounting the build machine filesystem - it works just fine.

It is definitely code-signed on the build system originally, because the installer (which is built downstream on the build system) deploys the app fully code-signed.

Why would downloading a zip through a browser from Jenkins destroy an app's code signature? I've tried it from a few browsers (Chrome, Firefox, Safari) and it's always the same. I'd suspect it's an issue with app bundle bits or similar, except that the download is wrapped up in a zip archive so that shouldn't matter. It's created with the OS-native /usr/bin/zip command (not an ant or python or other possibly non-bundle-savvy version).

There is 1 answer

Corbell On

So it turns out that it is OS X Gatekeeper's fault - it doesn't appear to have anything to do with Jenkins. The OS adds a quarantine attribute to the zip which tags along with the app bundle when unzipped, and this seems to cause it to treat the app as unsigned, even though it is signed.

This seems like a bug in OS X. Since the app is signed and the Gatekeeper settings are to allow signed apps, it should not be screwing up the app with this quarantine attribute. The app works fine and is treated as signed if it is deployed by any means other than browser download.

There are a few workarounds, some of which a coworker discovered.

One is to download the app by some method other than a browser - I used sftp, afp mounting of the build system volume, and an http request from a python script, and all of those worked.

Another is to strip off the quarantine setting after download:

xattr -dr com.apple.quarantine my_file.zip

Yet another is to use 7z instead of native unzip / Archive Manager to unzip the archive.
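The following is an added example, not code from the question or the answer above. It shows what a build engineer would do before stripping the attribute with the `xattr -dr` workaround: read and decode the `com.apple.quarantine` value that the browser set (the value is a semicolon-separated string of hex flags, hex download timestamp, downloading agent and an optional event UUID), then run Apple's own `codesign` and `spctl` checks to confirm the unzipped bundle really is signed and would be accepted by Gatekeeper once the attribute is gone. It assumes the macOS `xattr`, `codesign` and `spctl` tools are on `PATH`; the sample attribute value in the test is constructed, and the helper names are ours.

```python
"""Inspect, verify and clear com.apple.quarantine on a downloaded build.

Added example; assumes macOS command-line tools (xattr, codesign, spctl).
"""
import subprocess
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

QUARANTINE_ATTR = "com.apple.quarantine"


@dataclass
class Quarantine:
    flags: int            # hex bitfield written by the downloading app
    downloaded_at: datetime
    agent: str            # app that set the attribute, e.g. "Chrome"
    event_id: str         # UUID into the LaunchServices quarantine DB ("" if absent)


def parse_quarantine(raw: str) -> Quarantine:
    """Decode 'flags;timestamp;agent[;uuid]' (constructed sample: '0083;5f3a1b2c;Chrome;...')."""
    parts = raw.strip().split(";")
    if len(parts) < 3:
        raise ValueError(f"unexpected quarantine value: {raw!r}")
    flags, ts_hex, agent = parts[:3]
    event_id = parts[3] if len(parts) > 3 else ""
    return Quarantine(
        flags=int(flags, 16),
        downloaded_at=datetime.fromtimestamp(int(ts_hex, 16), tz=timezone.utc),
        agent=agent,
        event_id=event_id,
    )


def build_strip_command(path: str) -> List[str]:
    """argv for the workaround from the answer: recursive delete of the attribute."""
    return ["xattr", "-dr", QUARANTINE_ATTR, path]


def read_quarantine(path: str) -> Optional[Quarantine]:
    """Return the parsed attribute on `path`, or None if the file is not quarantined."""
    proc = subprocess.run(["xattr", "-p", QUARANTINE_ATTR, path],
                          capture_output=True, text=True)
    if proc.returncode != 0 or not proc.stdout.strip():
        return None
    return parse_quarantine(proc.stdout)


def strip_quarantine(path: str) -> bool:
    """Remove the attribute from `path` and everything below it; True on success."""
    return subprocess.run(build_strip_command(path), capture_output=True).returncode == 0


def verify_bundle(app_path: str) -> dict:
    """Check the signature itself (codesign) and Gatekeeper's verdict (spctl)."""
    codesign = subprocess.run(
        ["codesign", "--verify", "--deep", "--strict", "--verbose=2", app_path],
        capture_output=True, text=True)
    spctl = subprocess.run(
        ["spctl", "--assess", "--type", "execute", "--verbose", app_path],
        capture_output=True, text=True)
    return {
        "signature_valid": codesign.returncode == 0,
        "gatekeeper_accepts": spctl.returncode == 0,
        "codesign_output": codesign.stderr.strip(),
        "spctl_output": spctl.stderr.strip(),
    }


if __name__ == "__main__":
    import sys
    # Usage: python quarantine_check.py /path/to/Downloaded.app
    target = sys.argv[1]
    q = read_quarantine(target)
    if q is None:
        print(f"{target}: no {QUARANTINE_ATTR} attribute")
    else:
        print(f"{target}: quarantined by {q.agent} at {q.downloaded_at.isoformat()} "
              f"(flags=0x{q.flags:04x}, event={q.event_id or 'n/a'})")
    print("before strip:", verify_bundle(target))
    if q is not None and strip_quarantine(target):
        print("after strip: ", verify_bundle(target))
```

Running `verify_bundle` before and after `strip_quarantine` separates the two questions the thread conflates: `codesign --verify` answers "is the bundle correctly signed", which is unaffected by the attribute, while `spctl --assess` answers "will Gatekeeper let it launch", which is the part the quarantine flag changes.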