MAS validate receipt (macosLib) problems with 10.9.x

I use this function (from macosLib) in my apps:

#If not DebugBuild then
dim f as FolderItem = App.ExecutableFile.Parent.Parent.Child("_MASReceipt").Child("receipt")
dim appBundleID as String = "macappID" // put the Bundle ID here that you registered in iTunes Connect for this app
if not CertTools.IsValid (CertTools.DeviceGUID, CertTools.ReadReceipt(f), appBundleID) then
// exit code 173 tells the system that receipt validation failed
declare sub exit_ lib "System" alias "exit" (code as Integer)
exit_ (173)
end if
#endif

This works fine up to 10.8.x, but with Mac OS X 10.9.x it doesn’t work. After starting the app, it quits automatically without any error. Is there anyone who has the same problem or has resolved it?

I have the same problem, but I thought I understood that only the version of my app distributed by the MAS will be properly signed and accepted by the CertTools.
Meaning that there is no way to test if this routine works unless one submits it to Apple. Which was not possible for me because of the QTKit problem.

You can sign an app and run it without submitting it to Apple… The OP post seems to refer to a Mavericks incompatibility more than anything…

Sure, I can sign it with my Developer ID. But if I sign it with my MAS signature then I cannot run it. I do not know if it is expected.
Also, if I do use the MacOSLib function quoted above to check for the receipt, the application starts and quits automatically without running (Mac OS X 10.9), as mentioned by Horst.
I do not know if it will occur when it is received from the MAS.

If you start your app with a Mac OS X version lower than 10.9, it will open a window to log in to the App Store to download and validate the receipt. To test if it works, you must create a “test user” on iTunes Connect. Enter the “test user” name and password in the window and you get the receipt file from the MAS into your “application folder/Contents/_MASReceipt”.

Thanks. That’s very useful information. I tried on another Mac (10.7) and it worked with a test user. Thanks again.

But what will happen if a user is using 10.9 ?

There is an issue with the App Store Agent on 10.9, the only workaround is to break the security framework. Check the ADF for the workaround.

Link?

You’re gonna make me go and dig it out! Pah!

https://devforums.apple.com/thread/203126?start=60&tstart=0

Now I have read the Apple forum. I have done the following test:
• activate the MAS receipt check in source code
• build new updates from 3 different applications
• build these updates with R2014R1b1
• signed these apps with AppWrapper 2.5 BETA

Check these apps with
sudo spctl --verbose=4 --assess --type execute 'MyApp.app'
MyApp.app: accepted
override=security disabled

I have done this check with all 3 apps. When I start these apps, they quit quickly without any error message. In the Apple forum I read that the store agent should be killed. So I have done this also with
sudo killall -9 storeagent

A new start of all 3 applications shows that the problem was not solved. So I have copied these apps to a virtual machine with an installation of Mavericks 10.9.0, but these apps would not start. I opened a terminal and restarted the store agent
sudo killall -9 storeagent

I have started one app and the iTunes Store login window was prompted. After entering my iTunes test user ID and password, the app started without any problem. I have started app no. 2 but it doesn’t start. After I killed the store agent, the iTunes Store login window was prompted. After entering my iTunes test user ID and password, the app also started without any problem. So I repeated this with app no. 3, but it doesn’t start. After a check in the system console I saw this error message:

07.02.14 18:05:50,099 MyApp[288] objc[288]: Class QTMovieLayer is implemented in both /System/Library/Frameworks/QTKit.framework/Versions/A/QTKit and /Users/appuser/Desktop/My App.app/Contents/Frameworks/dtPlugins.rbx_0.dylib. One of the two will be used. Which one is undefined.
07.02.14 18:05:50,100 MyApp[288] objc[288]: Class QTMovie is implemented in both /System/Library/Frameworks/QTKit.framework/Versions/A/QTKit and /Users/appuser/Desktop/My App.app/Contents/Frameworks/dtPlugins.rbx_0.dylib. One of the two will be used. Which one is undefined.
07.02.14 18:05:50,332 com.apple.launchd.peruser.501[141] (de.pps4me.MyApp.54240[288]) Exited with code: 17

So I checked my app with “QT Dependency Checker”:

dtPlugins.rbx_0.dylib -> OK
MBS Xojo Barcode Plugin.xojo_plugin_0.dylib -> OK
MBS Xojo MacOSX Plugin.xojo_plugin_16.dylib -> OK
MBS Xojo MacOSXCF Plugin.xojo_plugin_11.dylib -> OK
MBS Xojo MacOSXCF Plugin.xojo_plugin_15.dylib -> OK
MBS Xojo MacOSXCF Plugin.xojo_plugin_6.dylib -> OK
MBS Xojo Main Plugin.xojo_plugin_4.dylib -> OK
MBS Xojo Picture Plugin.xojo_plugin_23.dylib -> OK
MBS Xojo Util Plugin.xojo_plugin_1.dylib -> OK
MBS Xojo Util Plugin.xojo_plugin_26.dylib -> OK
MBS Xojo Util Plugin.xojo_plugin_37.dylib -> OK
MBS Xojo Util Plugin.xojo_plugin_9.dylib -> OK
MBS Xojo Win Plugin.xojo_plugin_31.dylib -> OK
RBInternetEncodings.xojo_plugin_0.dylib -> OK
XojoFramework.framework -> OK

I can’t see the “QTKit” in the Dependency Checker.
So I used a new machine with a clean installation of Mavericks. All 3 apps would not start. I get the error message “exit 173” in the system console. A check with the command

spctl --verbose=4 --assess --type execute 'MyApp.app'
MyApp.app: rejected

Now I changed the security settings for downloads to “no restrictions” in the settings; the check looks like this:

sudo spctl --verbose=4 --assess --type execute 'MyApp.app'
MyApp.app: accepted
override=security disabled

But all these 3 apps will not start. I can’t see any difference between my virtual machine 1 and machine 2 with the same Mavericks installation. In the system console there is now a message that the app is an unsigned app, but it is the same app on machine 1 and machine 2.
Darwin macbookpro.pps4me 13.0.0 Darwin Kernel Version 13.0.0: Thu Sep 19 22:22:27 PDT 2013; root:xnu-2422.1.72~6/RELEASE_X86_64 x86_64

First you need to modify the Security framework, before you kill the store agent.

$ cd /System/Library/Frameworks/Security.framework
$ sudo mv PlugIns Versions/Current/PlugIns
$ sudo ln -s Versions/Current/PlugIns .
$ sudo killall -9 storeagent
I tried various methods (as documented in the forum), with varying success, but modifying the security framework was the only way around this.

If I had to hazard a guess, I would say that the dtPlugins.rbx plug-in has some QTKit calls. IIRC, QT Dependency Checker only checks the header of the executable file to see if that executable links against QTKit. The plugin may be linking to Cocoa or another framework, which in turn links to QTKit, therefore giving the plugin access to Apple’s QTKit.

I would contact the author of the plugin and ask him to remove or update his so that it doesn’t reference QTKit or QuickTime.

[quote=63714:@Horst Jehle]spctl --verbose=4 --assess --type execute 'MyApp.app'
MyApp.app: rejected[/quote]
This is expected if you’re signing with the ‘3rd Party Developer’ (MAS submission certificate) identity; Gatekeeper is designed to only work with ‘Developer ID’ identities.

App Wrapper already verifies the code signature, once the app has been code signed. If you sign with a Developer ID identity, it verifies with Gatekeeper; otherwise it simply verifies with the code sign tool.
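
An added example, not part of any post in this thread: a small shell helper that interprets the `spctl` output discussed above and checks for the receipt at `Contents/_MASReceipt/receipt`. The function names are hypothetical and the sample output is constructed from the lines quoted in the thread.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; sample output is constructed.

# classify_spctl OUTPUT -> override | accepted | rejected | unknown
# "override=security disabled" means Gatekeeper assessment is switched off,
# so the "accepted" line says nothing about the signature itself.
classify_spctl() {
    case "$1" in
        *"override=security disabled"*) echo override ;;
        *": accepted"*)                 echo accepted ;;
        *": rejected"*)                 echo rejected ;;
        *)                              echo unknown ;;
    esac
}

# has_receipt BUNDLE -> status 0 if a non-empty receipt file is in the bundle
has_receipt() {
    [ -s "$1/Contents/_MASReceipt/receipt" ]
}

# triage BUNDLE SPCTL_OUTPUT -> one-line summary of both checks
triage() {
    verdict=$(classify_spctl "$2")
    if has_receipt "$1"; then receipt=present; else receipt=missing; fi
    case "$verdict" in
        override) note="Gatekeeper disabled, result is not evidence; run codesign --verify" ;;
        rejected) note="expected for a MAS-signed build; run codesign --verify instead" ;;
        accepted) note="bundle passed Gatekeeper assessment" ;;
        *)        note="unrecognized spctl output" ;;
    esac
    echo "spctl=$verdict receipt=$receipt: $note"
}

# Constructed sample: the output seen with download restrictions switched off.
triage "MyApp.app" "MyApp.app: accepted
override=security disabled"

# On macOS, with a real bundle:
#   triage MyApp.app "$(spctl --verbose=4 --assess --type execute MyApp.app 2>&1)"
```

A missing receipt together with exit code 173 in the console is the case the thread describes, where the system is expected to fetch the receipt before the app is relaunched.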

Hi,

What is the solution, finally?
Is the MacOSLib routine usable for Mac OS 10.9?
If not, what are people using for the apps that are currently released on the MAS?

thanks a lot,
Franck

I am selling over a dozen apps in the MAS and never had to worry about such thing as a validate receipt. I simply bought App Wrapper Mini on the App Store, and it took care of all the stupid annoyances for me. Thanks to the excellent work Sam Rowlands did with Ohanaware, my consumption of Aspirin remains within reasonable amounts :slight_smile:

My job is to produce apps, not to dive into unnecessary complications. Why make things difficult when they can be kept simple ?

If your app doesn’t validate the receipt upon start I think it can be “hacked easily” :confused:

Snippet from MDL:

There has always been a choice between spending time and aggravation for protection and using time to sell more. I chose the latter. Hackers will always eventually get their way anyway.

I also bought App Wrapper actually, quite a while ago simply to sign my application outside from the MAS. And I now use it to sign my App for the MAS.
But I thought that in the MAS you had to validate the receipt. But you are right, Michel: if you don’t, people will just be able to copy from one system to another, but I am not sure it will be so frequent.

So the general advice is “Do not mind validating the receipt” ?

I am not giving advice. I am just sharing my experience.

App Store apps are by nature a matter of impulse buy. Customers browse apps and just buy them to use them right away. It’s more important to me that my apps be bought than protected. I also have the feeling that rendering an app impossible to copy from one machine to the other is not very nice. Many customers have a desktop and a laptop. They probably would not like very much having to buy a second time as they remain the sole user. And furthermore, I do not want calls for support because an app works on one machine, and not the other. I want to sell and if possible never get support requests :wink:

Yet another consideration: when I see the difficulties encountered by the OP, I would rather have my app right now in the App Store than have nightmares about a painful procedure that all of a sudden stops working because Mavericks came to be. It is all the more a reason not to go for receipt validation.

Once again, this is my personal feeling. I sell inexpensive apps that may not be too tempting to hackers. That may also play a role in my decisions…

Thanks. It makes sense.
Just one point: when someone buys an app on the MAS, he can install it on up to 5 machines (re-downloading it). So they would not need to buy a second copy.
But still, I’ve got your point (I was so far only distributing free softwares).

You would be surprised to see how people are happy to buy when they feel software is useful . :slight_smile: