Mac app crash on launch - Code Signature Invalid

Solved

Hi

I've been installing our in-house app to a few Macs and it works ok (other than the fact that you have to nudge MobiControl to update the app when a new version is deployed, which Soti are investigating).

This morning, I deployed an update to the app. I do this by removing the old version from the application policy and adding the new version. 

MobiControl went ahead and installed the new version, but it crashed immediately on launch with the following exception:

EXC_CRASH (SIGKILL (Code Signature Invalid))

Termination Reason: CODESIGNING 1 Taskgated Invalid Signature

I used the same code signature as I always use, and the same version of the app runs fine on my Mac.

I tried re-compiling/building/packaging/deploying to no avail. I removed the app from the subject machine, restarted it and re-installed from scratch. No joy.

Eventually I tried installing exactly the same package using Apple Remote Desktop, and this worked perfectly.

So - can anyone think of a reason why I would be able to install a package using ARD, but installing the same package with MobiControl would result in an un-openable application?

MobiControl is cloud version 15.6.3.1018

Hope someone can help, thank you.

2 years ago
SOTI MobiControl
ANSWERS
Raymond Chan Diamond Contributor
2 years ago

Your problem is related to Apple app development and should be discussed in a developer's forum such as

    https://developer.apple.com/

rather than in here. I spent a few minutes there and found many threads discussing problems with the same exception message as yours, e.g.

   https://developer.apple.com/forums/thread/706442 

James Knight
2 years ago

OK thank you Raymond, I will read the articles.

However, since the problem ONLY happens when I deploy with MobiControl, and NOT when I deploy using an alternative tool, I would suggest that MobiControl is doing something different, and therefore the discussion also belongs here.

If I find a solution, I shall post it here in case someone else has a similar problem.

Thanks again for taking the trouble to search the Apple developer forum.

James

Raymond Chan Diamond Contributor
2 years ago

MDM software will not modify a macOS program binary. The runtime problem is likely related to what development tool/license and/or tool options were used to generate the binary. Many discussion threads in the Apple developer's forum with a similar runtime error mentioned nothing about MDM deployment.

It is possible that Apple's operating system considers your app deployed with MDM software to be a "managed" app for enterprise, and thus has extra requirements for the binary. Previously, I had a governmental customer using a standard Apple developer license to generate the binary intended for "enterprise" app deployment via Soti MobiControl. That just failed and their developers just had to upgrade their developer's license and had the same source code re-compiled before the new binary generated could be deployed/run as a "managed app" with MobiControl or any other MDM solution.

James Knight
2 years ago

Thanks Raymond

The exact same package was deployed successfully with ARD, but failed with MobiControl.

I will investigate further this evening when the device in question is not in constant use.

The OS on the Mac has not changed, and the app previously (as recently as 10 days ago) deployed using MobiControl without a hitch.

I have also not changed or updated my development environment. So, at the moment, it's a mystery.

Thank you

Raymond Chan Diamond Contributor
2 years ago

In the case I mentioned earlier, the developer had no problem running the binary generated with a standard license on his own test device, but had a problem getting the same binary to be deployed/run on a production device managed by MDM software.

In your case, I can't rule out the possibility that when you deploy/run your binary via ARD, the machine O/S considers that your machine is a developer's test machine and allows the software to run (for test/debug), but when the same binary is deployed/run via an MDM solution, it is considered production software and has more requirements. The logic is in line with the trusted execution model mentioned in https://developer.apple.com/forums/thread/706442.

James Knight
2 years ago

Thanks Raymond, yes that does make sense.

I have tested on another device, and have the same issue. But I cannot think of anything which has changed in between deployments. Same development environment, same certificates, same OS versions on the target devices.

I will submit a question to the forum for my development software.

Thanks again.

Raymond Chan Diamond Contributor
2 years ago

You are welcome.

My gut feeling tells me the problem has to do with some subtle change(s) in either the OS system software or the development tool (e.g. some new compiler option[s]).

If you find anything interesting from the other forum, or any black magic or tips, please share them here. Thanks in advance.

James Knight
2 years ago

My testing now leads me back to the possibility that Soti have changed something in their deployment process.

I built my application, and packaged it as a pkg. 

I deployed it through an app policy to my target Macs, MobiControl installed the package successfully, but the app refused to open, with the invalid code signature error.

So I created and signed a dmg using DMG Canvas, with the pkg on board the dmg. I deployed in the same way, MobiControl installed the package from the dmg, but once again I got the invalid code signature crash.

Then I watched the deployment process - MobiControl downloaded a plist named "711594d9-a7d3-4644-b887-b628253486af.macplist" to Users/Shared/MobiControl, followed by a package named "711594d9-a7d3-4644-b887-b628253486af.pkg". This package then installed the application.

This package doesn't have the same name as the original package, which makes me wonder whether it has been tampered with at the MDM end, breaking the code signing?

So I airdropped the original pkg to another computer, and ran it. As expected, I had to bypass the initial warning about potentially malicious software (as it isn't notarised, and shouldn't need to be) and the application installed, and opened without a hitch.

So, it seems clear that the package as pushed out to the target Macs by MobiControl is different to the package which was received by Airdrop.

My final test was to duplicate the installer before it disappeared from the MobiControl folder, and run it manually. Interestingly, I did not get the gatekeeper warning about potentially malicious software - the installer opened, and I was able to install the application using it.

The application then crashed as before with the invalid code signature error.

This tells me that MobiControl must be notarizing (and perhaps signing) the pkg before sending it to the target devices, and something is wrong with it. This would explain why it has suddenly started happening with no changes at my end.

Any thoughts?

Thank you

James Knight
2 years ago

Well here's a thing.

Wednesday: uploaded the package to MobiControl for deployment to Macs, the package downloaded and installed successfully but the deployed app crashed with a code signing error. On multiple Macs, and with multiple deployment attempts.

Today (Friday): uploaded the identical package (not re-built or changed in any way) to MobiControl for deployment to the same Macs. It downloaded and installed an app which opened without any problem.

So I manually ran a copy of the package which had been pushed out on Wednesday (the package downloaded by MobiControl as part of the deployment process, which I had kept for analysis) and the app crashed again. Then I manually ran a copy of the package which was pushed out today and it was fine.

So MobiControl somehow mangled the package a couple of days ago, and this has now been fixed.

Which is obviously a good thing, but it has cost me hours of time trying to figure it out.

I've asked Soti what they did.

JEMOD@SOTI
2 years ago

Hi James,

Thank you for posting on SOTI Pulse! 

I did see that you mentioned you would reach out to us regarding the issues with package installation, were you able to acquire a response or solution? Let us know! 

Kind regards,

Technical Support Specialist | SOTI

James Knight
2 years ago

I spoke to your tech support team today and they have asked me to send the packages via FTP for analysis.

Last Wednesday, I uploaded the pkg to MobiControl, and the package which it deployed to the target Macs gave a defective installation. I also tried placing the pkg on a dmg and deploying that way, with the same result. Analysis showed that the package deployed by MobiControl was different to the one uploaded, and was half the size (about 320MB instead of 650MB).

The same package deployed through Apple Remote Desktop to the same Macs installed and ran without a problem, and the same package sent via AirDrop also installed and ran perfectly.

2 days later, I tried again to install the identical package and all was fine. The package deployed to the target Macs was identical to the one I uploaded to MobiControl.

I can only assume that MobiControl mangled the package and deployed a much smaller version, which was still capable of installation, but which had a code signing error on launch.

It's a mystery, really, but it is working ok again now.
