connect icon indicating copy to clipboard operation
connect copied to clipboard

Published 20 hours ago verified publisher icon nextgenhealthcare

[BUG] MCAL 1.4 dmg Is Not Code Signed

Open joshmc82 opened this issue 1 year ago • 6 comments

Describe the bug The MCAL 1.4 dmg file for MacOS is not code signed and causes errors trying to launch.

To Reproduce Setup steps (if required). Example:

  1. Download a version of MCAL 1.4 dmg file

Steps to reproduce the behavior:

  1. Double click on downloaded MCAL dmg file (i.e. mirth-administrator-launcher-latest-macos-aarch64.dmg)
  2. Get Error

Expected behavior The dmg file itself should be signed like the underlying app

Actual behavior The dmg is not signed and produces an error from MacOS

Screenshots If applicable, add screenshots to help explain your problem.

Environment (please complete the following information):

  • OS: macOS Monterey (version 12.6.6)

Workaround(s) Hold ctrl key then click the dmg to open it. This bypasses the security check.

Additional context It should be pretty easy to sign the dmg the same way you sign the app itself. Reference: https://stackoverflow.com/questions/23824815/how-to-add-codesigning-to-dmg-file-in-mac

joshmc82 avatar Jun 14 '23 14:06 joshmc82

Notes from Slack:

A user sees this warning when opening the DMG image

The installer app itself is signed, the DMG is not:

10:06:36 with jonathan.bartels in ~/Downloads via ⬢ v16.0.0 via ☕ v11.0.15 
➜ codesign --verify --verbose mirth-administrator-launcher-latest-macos-aarch64.dmg  
mirth-administrator-launcher-latest-macos-aarch64.dmg: code object is not signed at all

10:06:40 with jonathan.bartels in ~/Downloads via ⬢ v16.0.0 via ☕ v11.0.15 
➜ codesign --verify --verbose /Volumes/Mirth\ Connect\ Administrator\ Launcher/Mirth\ Connect\ Administrator\ Launcher\ Installer.app
/Volumes/Mirth Connect Administrator Launcher/Mirth Connect Administrator Launcher Installer.app: valid on disk
/Volumes/Mirth Connect Administrator Launcher/Mirth Connect Administrator Launcher Installer.app: satisfies its Designated Requirement

A sampling of other DMGs from my downloads folder shows some signed and some not:

10:25:35 with jonathan.bartels in ~/Downloads via ⬢ v16.0.0 via ☕ v11.0.15 
➜ find ./ -name "*.dmg" -exec codesign --verify --verbose {} \;
.//Discord.dmg: valid on disk
.//Discord.dmg: satisfies its Designated Requirement
.//mirth-administrator-launcher-latest-macos-aarch64.dmg: code object is not signed at all
.//OpenWebStart_macos-aarch64_1_6_0.dmg: valid on disk
.//OpenWebStart_macos-aarch64_1_6_0.dmg: satisfies its Designated Requirement
.//mirth-administrator-launcher-1.3.0-macos.dmg: code object is not signed at all
.//Brave-Browser.dmg: valid on disk
.//Brave-Browser.dmg: satisfies its Designated Requirement
.//Discord(1).dmg: valid on disk
.//Discord(1).dmg: satisfies its Designated Requirement
.//Docker.dmg: code object is not signed at all
.//Disk Inventory X 1.3.dmg: code object is not signed at all
.//Zed.dmg: code object is not signed at all
.//kse-551.dmg: valid on disk
.//kse-551.dmg: satisfies its Designated Requirement
.//Firefox 102.0.1.dmg: code object is not signed at all
.//mirth-administrator-launcher-latest-macos.dmg: code object is not signed at all
.//LibreCAD-2.2.0.dmg: code object is not signed at all
.//Postgres-2.5.8-14.dmg: code object is not signed at all
.//licecap132.dmg: valid on disk
.//licecap132.dmg: satisfies its Designated Requirement
.//LastPass.dmg: code object is not signed at all

jonbartels avatar Jun 14 '23 14:06 jonbartels

@joshmc82 & @jonbartels Thanks for bringing this up! We have added a note about it to the Upgrade Guide as well so that users will hopefully not have to go looking for this GitHub item to know how to work around it. As that note says, we may be addressing this in our next release. Thanks again!

JackieK5 avatar Jun 16 '23 21:06 JackieK5

Perhaps worth adding that if you download the stand-alone tar.gz file, the launcher executable is not signed in that package and will result in the same security issue.

joshmc82 avatar Jul 03 '23 15:07 joshmc82

@joshmc82 your workaround is not correct. It should be Ctrl-click -> Open and not Cmd-click -> Open https://support.apple.com/guide/mac-help/open-a-mac-app-from-an-unidentified-developer-mh40616

jonbartels avatar Jul 07 '23 14:07 jonbartels

@joshmc82 your workaround is not correct. It should be Ctrl-click -> Open and not Cmd-click -> Open https://support.apple.com/guide/mac-help/open-a-mac-app-from-an-unidentified-developer-mh40616

Good catch. Edited the OP for clarity.

joshmc82 avatar Jul 07 '23 14:07 joshmc82

Previously reported on 1.3.0 https://github.com/nextgenhealthcare/connect/issues/5575

jonbartels avatar Jul 14 '23 20:07 jonbartels