Disk Image Corruption Issue With Web App on Mac

Hey all,

I’m seeing a very strange problem I can’t figure out and I don’t know if it’s my Mac, OS X or what.

I have a Xojo Web App that I build and using DMGCanvas, I put into a DMG file. I can mount that DMG file and run the app from within the DMG file no problem. However, as soon as I put the DMG file onto my website and download the app from there, when I open the DMG file and try to run the app I get a message that the app is damaged and that I should eject the disk image.

Is this some sort of funky new security issue in OS X? I’ve tried signing the DMG file but that makes no difference. The app is not signed as AppWrapper wasn’t able to sign console apps until recently. I think it may be notarized. But it doesn’t matter.

This seems to be a new issue. I’ve never had this problem before. Again, the DMG I create works fine, but as soon as it gets downloaded from the Web, Apple complains it is corrupted.

Thoughts?

Are the DMGs in fact identical?

How would I tell otherwise? The same happens if I upload the DMG to Dropbox and download it from there.

Ah, you hadn’t mentioned Dropbox. I’d still suggest doing an MD5 or SHA1 hash to make sure that they are. That’d tell you if the file is truly corrupt or if it’s just Apple complaining about something else.

Could you take a screenshot of the error message and post that?

Is the DMG signed and notarized?

The DMG is signed. It can’t be notarized because the internal contents are signed. But that should be a different error. Not that it’s corrupt.

OK. I can try hashing it.

If I pull it off Dropbox in a browser I get the corrupt version. If I pull off Dropbox via the Dropbox app in the finder, it works fine.

I’ve tried both Chrome and Safari.

Um… you should check on that again. We sign the IDE and all of its contents and then notarize the DMG.

2 Likes

Yes. I did a hash on my local file and on a file I just downloaded from my website. So the files are identical.

I am wondering if something is up with OS X or if something is happening in my notarization process or something. I use Kaju for updates and today I had a report that my latest release is saying the downloaded zip file is corrupted. Now that one, everything is fully signed and the zip file notarized. I need to make sure the zip file is OK, but I am pretty certain it is.

The corruption error message usually means that your hash is wrong. Nothing to do with notarisation at all.

You can use the free ArchiChect (32-bitCheck & ArchiChect – The Eclectic Light Company) to check your (downloaded) files. It looks for notarization, hashes, quarantine bit etc.
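The checks suggested in the replies above (hash the local and downloaded copies, then look at the quarantine attribute and the signature), as an added example that is not part of the original posts. It assumes the macOS `xattr` and `codesign` command-line tools are on the PATH; the function names and return labels are illustrative.

```python
import hashlib
import shutil
import subprocess

# Assumption: run on macOS, where the `xattr` and `codesign` tools exist.
# Where a tool is missing, the helper reports that instead of failing.

def sha256_of(path, chunk_size=1 << 20):
    """Stream the file so a large DMG is never loaded into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def run_tool(argv):
    """Run a command-line tool; return (exit_code, output), or None if absent."""
    if shutil.which(argv[0]) is None:
        return None
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.returncode, (proc.stdout + proc.stderr).strip()

def quarantine_value(path):
    """Value of com.apple.quarantine on the file, or None if it is not set."""
    result = run_tool(["xattr", "-p", "com.apple.quarantine", path])
    if result is None or result[0] != 0:
        return None
    return result[1]

def diagnose(local_copy, downloaded_copy):
    """Separate real byte corruption from a rejection of identical bytes."""
    if sha256_of(local_copy) != sha256_of(downloaded_copy):
        return "bytes-differ"            # damaged during upload or download
    if quarantine_value(downloaded_copy):
        return "identical-quarantined"   # same bytes, flagged as downloaded
    return "identical-not-quarantined"

def signature_report(app_path):
    """Output of `codesign --verify` for the app inside the mounted image."""
    result = run_tool(["codesign", "--verify", "--deep", "--strict",
                       "--verbose=2", app_path])
    if result is None:
        return "codesign not available"
    return result[1] or "valid"

if __name__ == "__main__":
    import sys
    print(diagnose(sys.argv[1], sys.argv[2]))
```

Run it with the path of the locally built DMG and the path of the downloaded copy; if the bytes match, call `signature_report` on the app inside the mounted image to see what the signature check reports.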

The Kaju corruption error ended up being an incorrect path on my website holding the update files! That was actually an easy fix.

1 Like

I will look into this. Thank you.

OK. It appears this issue has to do with how the app is signed. This morning I tried the whole process again. The app successfully signed and the zip file notarized just fine in app wrapper. But when I tried to make a DMG of it using DMG Canvas, notarization failed. I got an error that there was an invalid signature on the executable. Not notarizing the DMG works, but as soon as the DMG is downloaded over the web, the app won’t run as OS X says it is corrupted.

Now I just tried things again except I didn’t sign the web app. I just compiled it and then created a signed DMG. It works just fine now except I get the security prompts. That’s better than a corrupted file error.

So something is not right when AppWrapper signs this. I’ll have to work with @Sam_Rowlands to figure this out. I already sent Ohanaware a help email…