recipes
recipes copied to clipboard
autopkg
Praat.download: CodeSignatureVerifier fails due to outdated designated requirement string
Describe the problem When running the com.github.autopkg.munki.Praat recipe, I noticed that it fails due to an error occuring when running the CodeSignatureVerifier which is defined in the com.github.autopkg.download.Praat recipe.
AutoPkg output CodeSignatureVerifier
{'Input': {'input_path': '/Users/<redacted>/Library/AutoPkg/Cache/com.github.autopkg.download.Praat/downloads/Praat.dmg/Praat.app',
'requirement': 'anchor apple generic and identifier '
'"org.praat.Praat" and (certificate '
'leaf[field.1.2.840.113635.100.6.1.9] /* exists */ '
'or certificate 1[field.1.2.840.113635.100.6.2.6] /* '
'exists */ and certificate '
'leaf[field.1.2.840.113635.100.6.1.13] /* exists */ '
'and certificate leaf[subject.OU] = J9C6R9XA5W)'}}
CodeSignatureVerifier: Mounted disk image /Users/setup/Library/AutoPkg/Cache/com.github.autopkg.download.Praat/downloads/Praat.dmg
CodeSignatureVerifier: Verifying code signature...
CodeSignatureVerifier: Deep verification enabled...
CodeSignatureVerifier: Strict verification not defined. Using codesign defaults...
CodeSignatureVerifier: /private/tmp/dmg.ub8NMh/Praat.app: valid on disk
CodeSignatureVerifier: /private/tmp/dmg.ub8NMh/Praat.app: satisfies its Designated Requirement
CodeSignatureVerifier: test-requirement: code failed to satisfy specified code requirement(s)
Expected behavior
The code signature has been changed with the newest version of Praat (release date: October 8, 2022).
Running now returns:
designated => identifier "org.praat.Praat" and anchor apple generic and certificate leaf[subject.CN] = "Apple Development: Paul Boersma (99U28X6B6F)" and certificate 1[field.1.2.840.113635.100.6.2.1] /* exists */
When changing the recipe locally to use this string, the recipe runs as expected again.
Version (please complete the following information):
- OS version: 12.4
- AutoPkg Version: 2.7
I'm not able to reproduce the issue. Either when running the Praat.download recipe via AutoPkg or by downloading Praat 6223 manually, I'm getting an app with the same code signature as what currently exists in the download recipe. Could you post your whole verbose run of the download recipe? Here's mine:
% autopkg run -vv Praat/Praat.download.recipe
Processing Praat/Praat.download.recipe...
WARNING: Praat/Praat.download.recipe is missing trust info and FAIL_RECIPES_WITHOUT_TRUST_INFO is not set. Proceeding...
URLTextSearcher
{'Input': {'re_pattern': 'a href="?(praat\\d+_mac.dmg)"?',
'result_output_var_name': 'dl_filename',
'url': 'http://www.fon.hum.uva.nl/praat/download_mac.html'}}
URLTextSearcher: Found matching text (dl_filename): praat6223_mac.dmg
{'Output': {'dl_filename': 'praat6223_mac.dmg'}}
URLDownloader
{'Input': {'filename': 'Praat.dmg',
'url': 'http://www.fon.hum.uva.nl/praat/praat6223_mac.dmg'}}
URLDownloader: No value supplied for prefetch_filename, setting default value of: False
URLDownloader: No value supplied for CHECK_FILESIZE_ONLY, setting default value of: False
URLDownloader: Storing new Last-Modified header: Mon, 10 Oct 2022 12:27:17 GMT
URLDownloader: Storing new ETag header: "190d99a-5eaad47b77340"
URLDownloader: Downloaded ~/Library/AutoPkg/Cache/com.github.autopkg.download.Praat/downloads/Praat.dmg
{'Output': {'download_changed': True,
'etag': '"190d99a-5eaad47b77340"',
'last_modified': 'Mon, 10 Oct 2022 12:27:17 GMT',
'pathname': '~/Library/AutoPkg/Cache/com.github.autopkg.download.Praat/downloads/Praat.dmg',
'url_downloader_summary_result': {'data': {'download_path': '~/Library/AutoPkg/Cache/com.github.autopkg.download.Praat/downloads/Praat.dmg'},
'summary_text': 'The following '
'new items were '
'downloaded:'}}}
EndOfCheckPhase
{'Input': {}}
{'Output': {}}
CodeSignatureVerifier
{'Input': {'input_path': '~/Library/AutoPkg/Cache/com.github.autopkg.download.Praat/downloads/Praat.dmg/Praat.app',
'requirement': 'anchor apple generic and identifier '
'"org.praat.Praat" and (certificate '
'leaf[field.1.2.840.113635.100.6.1.9] /* exists */ '
'or certificate 1[field.1.2.840.113635.100.6.2.6] /* '
'exists */ and certificate '
'leaf[field.1.2.840.113635.100.6.1.13] /* exists */ '
'and certificate leaf[subject.OU] = J9C6R9XA5W)'}}
CodeSignatureVerifier: Mounted disk image ~/Library/AutoPkg/Cache/com.github.autopkg.download.Praat/downloads/Praat.dmg
CodeSignatureVerifier: Verifying code signature...
CodeSignatureVerifier: Deep verification enabled...
CodeSignatureVerifier: Strict verification not defined. Using codesign defaults...
CodeSignatureVerifier: /private/tmp/dmg.APGAi1/Praat.app: valid on disk
CodeSignatureVerifier: /private/tmp/dmg.APGAi1/Praat.app: satisfies its Designated Requirement
CodeSignatureVerifier: /private/tmp/dmg.APGAi1/Praat.app: explicit requirement satisfied
CodeSignatureVerifier: Signature is valid
{'Output': {}}
Receipt written to ~/Library/AutoPkg/Cache/com.github.autopkg.download.Praat/receipts/Praat.download-receipt-20221010-084541.plist
The following new items were downloaded:
Download Path
-------------
~/Library/AutoPkg/Cache/com.github.autopkg.download.Praat/downloads/Praat.dmg
I talked to the authors of Praat and they fixed their uploads. This should work again.
I agree with @octomike, it seems that the Uploads had been fixed in the meantime