Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Error: MacDown is damaged and can’t be opened #1106

Closed
fowse42 opened this issue Nov 19, 2019 · 66 comments
Closed

Error: MacDown is damaged and can’t be opened #1106

fowse42 opened this issue Nov 19, 2019 · 66 comments

Comments

@fowse42
Copy link

fowse42 commented Nov 19, 2019

Apple official says that macOS10.15.1 is not compatible with 32-bit version programs.
Does MacDown provide 64-bit versions in the future?
1015

@FranklinYu
Copy link
Member

FranklinYu commented Nov 19, 2019

There seems to be some issue with signature. I’ll discuss with @uranusjr about this.

Sorry I missed this bug before releasing. macOS won’t check signatures unless it is downloaded from Internet (“untrusted source”).

@uranusjr
Copy link
Member

Can someone confirm whether this happens on 10.14 (Mojave), or only on 10.15?

@rschiang
Copy link
Contributor

rschiang commented Nov 19, 2019

@uranusjr v0.7.2 (4cd12ce) is shown as corrupted on 10.14.6 as well.

@FranklinYu
Copy link
Member

I can reproduce with v0.7.1. I have stronger sense that this is due to SIP.

@noestreich
Copy link

Can confirm. 10.14.6 is prompting me to delete the (manually dowloaded) App. Auto-Update also exits with an error.

Error after manual download:

Bildschirmfoto 2019-11-19 um 11 02 45

Error after auto-update:

Bildschirmfoto 2019-11-19 um 11 03 46

@FranklinYu
Copy link
Member

@noestreich Could you please try v0.7.1?

@noestreich
Copy link

noestreich commented Nov 19, 2019

@FranklinYu No Problem with 0.7.1

Regarding 0.7.2: It's the quarantine-flag, as you already suspected. if one removes it via terminal, version 0.7.2 just starts fine.

Edit: Nice toolbar guys!

Bildschirmfoto 2019-11-19 um 11 06 45

@gamebits
Copy link

Similar problems here in 10.13.6.

macdown-update

macdown-execute

@ncluff
Copy link

ncluff commented Nov 19, 2019

I'm getting the same issue 😢
Version: 10.14.6

image

@uranusjr forgot to add you. It is happening on 10.14.x too

@nickyfoto
Copy link

@FranklinYu
Copy link
Member

I think I finally reached a conclusion.

about quarantine flag

I can’t do anything about the quarantine flag. It’s added by the browser. To verify, download the zip file (either 0.7.1 or 0.7.2, it doesn’t matter) with wget. For your convenience following command can be used:

wget https://github.com/MacDownApp/macdown/releases/download/v0.7.2/MacDown.app.zip

Then double click the zip file to extract the app as usual. You should be able to run extracted MacDown without further steps.

another factor

The “application source” preference is also related. Please check this preference on your computer. Navigation path: “System Preferences” -> “Security & Privacy” section -> “General” tab -> “Allow apps downloaded from”. For details, see this blog.

solutions

Two possible solutions:

  1. Ask everyone to allow apps downloaded from anywhere.
  2. I go and pay $99/year to join the developer program. This would also reveal my legal name since I don’t own a company.

@fowse42
Copy link
Author

fowse42 commented Nov 20, 2019

The macOS has become more and more hateful.

@alexkaessner
Copy link
Collaborator

alexkaessner commented Nov 20, 2019

@FranklinYu When does the notarization process reveal the legal name?

PS: I had no problem updating to 0.7.2 via Sparkle on macOS 10.15.1 (security option is on "App Store and trusted developers")

PS 2: I've edited the title of this issue that others can find it more easily…

@alexkaessner alexkaessner changed the title can't be used in macOS 10.15.1 Error: MacDown is damaged and can’t be opened Nov 20, 2019
@gamebits
Copy link

My MacOS preference was already set to allow apps downloaded from "App Store and identified developers" when I encountered this problem.

But thanks to the tip in this thread, I was able to download the file via wget, though I had to add the --no-check-certificate flag. The resulting app runs without issue. 👍

@FranklinYu
Copy link
Member

But thanks to the tip in this thread, I was able to download the file via wget, though I had to add the --no-check-certificate flag. The resulting app runs without issue.

The --no-check-certificate shouldn’t be needed and brings security concern. I would recommend to show error here and I may be able to help.

@FranklinYu
Copy link
Member

PS: I had no problem updating to 0.7.2 via Sparkle on macOS 10.15.1 (security option is on "App Store and trusted developers")

If I understand correctly, Sparkle would bypass this issue because it’s not downloading with browser.

When does the notarization process reveal the legal name?

According to this forum thread legal name is exposed unless I create a legal company. Do you have first-hand experience, or know someone with first-hand experience to verify? If I can hide my legal name from user (no need to hide from Apple) then it would be great.

@alexkaessner
Copy link
Collaborator

@FranklinYu I can agree that the legal name is exposed when distributing via Mac App Store. Though I'm not sure if the developer account name will be shown somewhere when only using it to notarize apps. But I only have experience releasing on the MAS, so I'm not 100% sure.

@harp79
Copy link

harp79 commented Nov 20, 2019

as far as I know it is not publicly shown, but can be dumped in Terminal with spctl -a -vv e.g.:

harp% spctl -a -vv BetterTouchTool.app/
BetterTouchTool.app/: accepted
source=Notarized Developer ID
origin=Developer ID Application: Andreas Hegenberg (DAFVSXZ82P)
harp% spctl -a -vv Carbon\ Copy\ Cloner.app/
Carbon Copy Cloner.app/: accepted
source=Notarized Developer ID
origin=Developer ID Application: Bombich Software, Inc. (L4F2DED5Q7)

@FranklinYu
Copy link
Member

Can confirm what @harp79 said.

~ % spctl --assess -vv '/Applications/KeyStore Explorer.app'
/Applications/KeyStore Explorer.app: accepted
source=Developer ID
origin=Developer ID Application: Kai Kramer (BKXPBP395L)

@FranklinYu
Copy link
Member

Sadly this can’t be bypassed by Homebrew Cask. See Homebrew/homebrew-cask#70798

@nambot
Copy link

nambot commented Nov 21, 2019

I tried installing v.0.7.2 (on Mojave, 10.14.6) both via browser download and homebrew cask, and both yielded the, "Macdown is damaged and can't be opened..." error message. I'm used to troubleshooting the Privacy "Open Anyway" error, but this is different. I downloaded v.0.7.1 and it worked perfectly, so I'm using that.

Love the app! Also, there is a blatant clone of Macdown in the App store called MarkEditor.

Screen Shot 2019-11-21 at 10 16 06 AM

@alexkaessner
Copy link
Collaborator

alexkaessner commented Nov 21, 2019

Also, there is a blatant clone of Macdown in the App store called MarkEditor.

Oh no and they even charge $0,99 for it!
I think it would make sense to distribute MacDown via Mac App Store as well, but sure that doesn't fix the problem with the name reveal.

@FranklinYu
Copy link
Member

FranklinYu commented Nov 22, 2019

@alexkaessner We can do nothing as long as they abide by the MIT license. This is expected. If @uranusjr didn’t want this he would have chosen something like MPL.

I have been looking for ways to signing open source software with shared developer account. There is no existing service like this. I would contact various foundations to see whether they are interested in such services.

@uranusjr
Copy link
Member

Yeah, and the reason is I’m actually totally fine with people selling this code on App Store (as long as the license is honoured, of course).

That said, many of those entries on App Store don’t actually honour the license. I haven’t checked this MarkEditor in particular, but I have submitted multiple claims to Apple for unattributed code reuse.

@richardsprague
Copy link

I was able to get it to run using the wget trick described above:
wget https://github.com/MacDownApp/macdown/releases/download/v0.7.2/MacDown.app.zip

But I have two issues:

  1. the preview pane refreshes on each keystroke, causing an annoying flicker.
  2. I like the idea of the new insert image feature, but it appears to insert a full-size binary string version of the image, rather than a simple link.
    Is it possible to drag/drop an image and have it insert just the link?

Overall this is an excellent app -- my favorite for markdown editing on Mac. Thanks again for all you do.

@Wildchild9
Copy link

I installed Macdown using Homebrew with the command:

brew cask install macdown

I got this issue upon trying to open Macdown after its installation. This also appeared during an earlier attempt to download Macdown as a dmg. Running the following command got rid of the issue:

sudo xattr -r -d com.apple.quarantine ~/../../Applications/MacDown.app

Note: if you downloaded Macdown as a dmg, be sure to move Macdown to your Applications folder before running the command.

Now I am able to open and use Macdown. Thanks to @noestreich for the fix!

@tempelmann
Copy link

The proper fix would be that someone re-uploads the zip file, making sure it's not signed at all. Then people should be able to update it without troubles and those who download it manually could open it with right-clicking the app, then choosing "Open".

@Morane
Copy link

Morane commented Dec 5, 2019

Hi,

Still impossible to update to 0.7.2 ! The file downloaded is always corrupted (says OS X) 😩! I’m under High Sierra. Do you plan to fix it soon ? Thanks.

Alain

@edrozenberg
Copy link

Hi,

Still impossible to update to 0.7.2 ! The file downloaded is always corrupted (says OS X) 😩! I’m under High Sierra. Do you plan to fix it soon ? Thanks.

Alain

Either use a different unzip tool (not the Apple default one) - this will prevent the quarantine flag being added to the unzipped app. Or use one of the suggestions earlier in this thread to remove quarantine flag from the app and be able to run it.

@FranklinYu
Copy link
Member

Hi everybody. Sorry for the delay.

I revisited the issue today. Xcode would only archive (Apple’s term for “build and export”) an application with a signature, be it signed with a local (self-signed) certificate, or a valid certificate from Apple. Luckily, a hidden flag of codesign seems to work. I would upload a version this weekend (don’t have too much time Monday to Friday) with signature removed this way.

After this mess, we would still need a long-term solution since this hidden flag trick is unreliable.

@tempelmann
Copy link

@FranklinYu instead of using the Archive command you could also add a second target, and set its scheme to build for Release instead of Debug. Also, in the build settings for this target, remove all code sign settings. Then you could just build the app for that target, and then zip it manually afterwards. That's what I do with several tools I make. If you need help with that, let me know and I'll do a pull request with the changes.

@FranklinYu
Copy link
Member

I have uploaded a new build of v0.7.2 replacing the original one. Would be appreciated if everybody in this thread try it out.

@nickyfoto
Copy link

I use the auto update within the app upgrade successfully without problem. I'm on 10.15.1 .

@manngo
Copy link

manngo commented Dec 7, 2019

I can confirm that the application runs once you have ignored the warnings and given it permission. It still flickers, though, so I’m still using 7.1.

@FranklinYu
Copy link
Member

@manngo Yes, v0.7.2 won’t fix #1104. Even if I figure out the cause (which I have not) and fix it, I would do that in v0.7.3. Current priority is to make sure that I’m able to roll out a release.

@hacktrick
Copy link

I have uploaded a new build of v0.7.2 replacing the original one. Would be appreciated if everybody in this thread try it out.

I can open the new macdown build via "right-click open". But "Preferences -> Markdown" looks like
macdown-pref-mardown

If anyone else has this problem, I will file another issue.

@klaas
Copy link

klaas commented Dec 7, 2019

@hacktrick After downloading I get

Screenshot 2019-12-07 at 10 13 38

But works fine after opening/enabling in the Security & Privacy Settings! 👏👏👏

@alexkaessner
Copy link
Collaborator

@FranklinYu I get this error, basically the same as @klaas:
Error
Translated:

"MacDown" can't be opened because it is from an unidentified developer.
macOS can't verify that this app does not contain malware.
Safari created this file on an unknown date.
Move to Trash | Cancel

I can open it with right click to bypass this message though!
Sorry for the German screenshots. I'm on 10.15.1

@hacktrick This is issue is already tracked here #1103

@tempelmann
Copy link

To everyone: It's currently expected behavior that you have to open the app with a right click. No need to mention this as a problem here.

@FranklinYu Maybe you want to mention this fact on the website (though that's on UranusJr's site - not sure if you have access to that?)

@FranklinYu
Copy link
Member

Maybe you want to mention this fact on the website

How would you like it to be mentioned on the website? Would like some more details. Like updating the release note or what?

@tempelmann
Copy link

tempelmann commented Dec 7, 2019

@FranklinYu Ah right - the Download link on https://macdown.uranusjr.com/ is immediate. I see no good place to add such a note.

How about this instead: Instead of putting only the app into the zip, why not add also a text file there. It could be named "Read me to install MacDown.txt" and would contain text like this:

To run MacDown on your Mac, you need to:

1. Move MacDown.app to your Applications folder
2. Right-click (or ctrl-click) on MacDown.app and choose "Open" from the menu.

If you do not perform step 2, macOS will likely tell you that the app cannot be opened.

Afterwards, you can open MacDown normally with a double click as usual.

@blackketter
Copy link

The traditional way to distribute Mac apps is to use a DMG disk image where you can place documentation and even aliases to the Applications folder to make dragging and dropping easy. You have control over the arrangement of the icons, background images, etc. You can even add instructions in the window that explain how to launch the app safely. It's a bit more work to create but make it easier for users in the long run. A little non-technical background information here with images: https://www.maketecheasier.com/why-does-macos-use-dmg-files/

@FranklinYu
Copy link
Member

FranklinYu commented Dec 7, 2019

@tempelmann I thought by “this fact” you meant “the v0.7.2 release has been re-built and re-uploaded“. If you are talking about “telling users that they need right-click to open the application“ then it has actually been mentioned in https://macdown.uranusjr.com/faq/#unidentified

@Morane
Copy link

Morane commented Dec 8, 2019 via email

@FranklinYu FranklinYu unpinned this issue Dec 12, 2019
@FranklinYu
Copy link
Member

Since no one is reporting binary corruption issue I would assume that this is fixed. While I would still be working on it, my current priority is #1104.

@tempelmann Would appreciate a Pull Request for your solution of removing code signature.

@tiennou
Copy link

tiennou commented Dec 17, 2019

For example, not being codesigned properly will cause LittleSnitch to report a missing signature from the previous version, on each connection. Now I'm wondering why the heck the latest version isn't signed. Sooo, you'll either have to codesign properly, so that Apple can attest that you've only used an Apple-sanctified buildsystem (without some hacked clang version, there has been an occurence 🙄), or not do it, and provide the following workaround/tidbits in the release notes :

"Please either drag the downloaded .app file into /Applications manually, to implicitly consent that you're aware of this application, and allow it to run on your machine, or alternatively, right-click on its icon, choose Open, and choose Allow to make GateKeeper aware that you're explicitly trusting this application."

Please, can we macOS power users, agree to never, ever advise anyone to change the global GateKeeper switch, pretty please ? That's like "Disk Utility > Fix permission problems", but worse, and it does not mean you you think it means — it'll disable all signature checks, on anything you download, even that malwared OpenOffice you've just accidentally hit via some weird Flash ad somewhere. Please.

Keep up the good work tho, I'll just do what I said and explicitly trust your work, but not before sincere kudos from another macOS "developer", banging its head against ever more crazy signing issues 😜.

@FranklinYu
Copy link
Member

Please, can we macOS power users, agree to never, ever advise anyone to change the global GateKeeper switch, pretty please ?

I don’t recall recommending anyone to change the global switch in this issue. In fact, the option is hidden by default since macOS Sierra. If you are concerned about https://macdown.uranusjr.com/faq/, please file an issue (or better yet, a Pull Request) at https://github.com/MacDownApp/macdown-site.

I’m closing this issue since the original problem has been solved temporarily. Long-term solution will be discussed in #1127.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests