Packaging Drag & Drop Apps with Composer broken on Ventura

chelm
New Contributor III

I am simply trying to repackage some drag and drop apps as flat packages using Composer. We do this so we can use them in our provisioning workflows via Jamf Pro. Note: I have tried Composer 10.44 to 10.48 and get the same results.

Using FileZilla as an example:

Screenshot 2023-07-12 at 2.11.20 PM.png

 That is pretty much it. No postinstall, but I am signing with my developer installer ID.  

Screenshot 2023-07-12 at 2.15.57 PM.png

 I have tried to notarize and staple the .pkg's, but Apple does not like something in the .app file so I get "Invalid Package".  

Screenshot 2023-07-12 at 2.18.07 PM.png

 I have tried all kinds of things to try and clear any security flag, but nothing seems to work.  The only thing that does work is control clicking and selecting Open, then open anyway.   That does not work when attempting to deploy to thousands of computers.  Our help desk will get overwhelmed with calls.  

I have tried all of the following to fix the issue via script (kitchen sink from various how to's I found):  

 

# disable gatekeeper
sudo spctl --master-disable

# The application's final destination; should always be used.
problemApp='/Applications/Filezilla.app'

# chown app to root
sudo chown -R root:wheel "$problemApp"

# chmod permissions to correct
sudo chmod -R 755 "$problemApp"
sudo chmod +x "$problemApp"

# remove quarantine attribute
sudo xattr -r -d com.apple.quarantine "$problemApp"
sudo xattr -c "$problemApp"
sudo xattr -cr "$problemApp"

# touch the file
sudo touch -m "$problemApp"

# open the file
sudo open "$problemApp"

# enable gatekeeper
sudo spctl --master-enable

 

I have about a dozen drag and drop apps that I can no longer install via a pkg for redistribution on 13.4.1 because they all trigger a security flag and ask to be moved to the trash.  My biggest headache is Mathematica, which requires I insert a license file within the drag and drop .app for lab distribution.  

Any advice?

15 REPLIES

jamf-42
Valued Contributor

Is there a reason you are signing? I use this for DMG / non-pkg apps: https://github.com/rtrouton/Simple-Package-Creator

 

chelm
New Contributor III

Thanks.  I will give this a shot, but a quick read and it appears to be doing the exact same thing I am already doing.

 

Most of the packages we create here are also made available on our intranet to all faculty, students and staff.  If they are not signed they will get the same type of message and have to bypass Gatekeeper to get the software installed. That was deemed unacceptable by our leadership, so we sign and notarize all packages. 

sdagley
Esteemed Contributor II

@chelm Some applications contain files that have extended attributes which are required for the app to function. AFAIK Composer still doesn't retain any extended attributes when it builds a .pkg, so you might want to check out Packages to create your installers instead.

Also be aware that if you're adding a license file inside the app package (as you mention for Mathematica) macOS Ventura will consider the app damaged. You should consult with the vendor on how to inject a license file in a manner that will allow the app to run on macOS Ventura.

chrisB
Contributor II

We got some apps behaving the same way (e.g. Metashape Pro, MAXQDA, OpenShot, VueScan Pro).

 

1) Install the original disk image (.dmg file) to /private/tmp: 

maxqda_dmg_pkg.png

 

 

2) Then copy the app to /Applications with a postinstall script:

 

#!/bin/zsh


# Set Variables (manually) - please note: the (original) DMG file must be installed in /private/tmp

appName="PRODUCT.app"
dmgName="PRODUCT.dmg"
volName="PRODUCT"


### Do not edit below ###


# Unmount volume with the same name

echo "\nUnmounting volume '$volName', if available..."
sudo hdiutil detach "/Volumes/$volName"
echo "Done."


# Open disk image & mount volume

echo "\nOpening '$dmgName' & (invisibly) mounting '$volName'..."
sudo hdiutil attach "/private/tmp/$dmgName" -nobrowse -noverify
echo "Done."


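# Copy app from volume to applications directory
# (remove any previous copy first; otherwise cp -R nests the new app inside the existing bundle)

echo "\nCopying '$appName' from '$volName' to '/Applications'..."
sudo rm -rf "/Applications/${appName:?}"
sudo cp -Rp "/Volumes/$volName/$appName" "/Applications/$appName"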
echo "Done."


# Apply correct owner & group to app file

echo "\nApplying correct owner & group to '$appName'..."
sudo chown -R root:admin "/Applications/$appName"
echo "Done."


# Remove quarantine flags from app file

echo "\nRemoving quarantine flag from '$appName'..."
sudo xattr -r -d com.apple.quarantine "/Applications/$appName"
echo "Done."


# Unmount volume

echo "\nUnmounting volume '$volName'..."
sudo hdiutil detach "/Volumes/$volName"
echo "Done."


# Remove disk image

echo "\nRemoving '$dmgName'..."
sudo rm -f "/private/tmp/$dmgName"
echo "Done."


echo "\nInstallation of '$appName' completed [Exit Status = 0].\n"


exit 0

 

 

 

 

chelm
New Contributor III

Thank you.  This worked for about 1/2 the apps I am having trouble with.  It does not work for all of them unfortunately.  

 

chrisB
Contributor II

The Mathematica 13.x (network) license can be installed in /Library/Mathematica/Licensing/mathpass

mathematica_network_license.png

 

chelm
New Contributor III

The license location does solve one problem.  How are you deploying the app?  Even using the DMG like suggested above I get a damaged file warning.  I still have to control click on every install of the .app and click open or I get the corrupt file warning. 

 

mm2270
Legendary Contributor III

And this problem is happening even after installing the app and running the xattr -dr com.apple.quarantine command against the application bundle itself? Because in my experience, that typically resolves those issues. If it's still throwing that error after that, then something is very screwy with it.

Do you only have Ventura in your environment? If not, has this been tested against Monterey to see if you get the same issue? It's not impossible it's some issue with Ventura getting in the way here.

chelm
New Contributor III

I think it is definitely something new in Ventura causing the issue.  The packages work on Monterey.  They just do not work on Ventura, which is what all machines on campus are supposed to be on for the fall.  

Ventura has added additional "protections" via xattr:

https://eclecticlight.co/2023/03/13/ventura-has-changed-app-quarantine-with-a-new-xattr/

 

mm2270
Legendary Contributor III

Well then, thanks for that link. Interesting read. Thanks once again to Apple for adding some other "check" that probably wasn't really needed, failing to thoroughly document it, and causing more issues in the process. I wonder some days what goes on over there.

Have you had a chance to try removing this new "provenance" flag on the app and see if that resolves it? I'd be very curious to hear your results.
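
The replies above point at several separate causes: a signature seal broken by files added inside the bundle, a Gatekeeper rejection, and the quarantine and provenance extended attributes. The following is an added example, not code from any poster in this thread, that checks an installed app for each of them without changing anything or disabling Gatekeeper. It assumes the stock macOS `codesign`, `spctl` and `xattr` tools; the function name `diagnose_app` is made up for this example.

```shell
#!/bin/bash
# Added example (not from the thread): read-only diagnosis of an installed .app.
# Assumes macOS with the stock codesign, spctl and xattr command-line tools.

# Prints one line per check; returns 1 if the signature or the Gatekeeper
# assessment fails, 0 otherwise. Extended attributes are reported only.
diagnose_app() {
    app="$1"
    failed=0

    # 1. Is the code signature seal intact? Adding or changing files inside
    #    the bundle (for example a license file) makes this check fail.
    if codesign --verify --deep --strict "$app" >/dev/null 2>&1; then
        echo "signature: ok"
    else
        echo "signature: invalid"
        failed=1
    fi

    # 2. Would Gatekeeper allow this app to launch?
    if spctl --assess --type execute "$app" >/dev/null 2>&1; then
        echo "gatekeeper: accepted"
    else
        echo "gatekeeper: rejected"
        failed=1
    fi

    # 3. Which of the two attributes discussed in the thread are set on the
    #    bundle root? "xattr <path>" lists attribute names only.
    attrs="$(xattr "$app" 2>/dev/null || true)"
    for name in quarantine provenance; do
        case "$attrs" in
            *"com.apple.$name"*) echo "$name: present" ;;
            *)                   echo "$name: absent" ;;
        esac
    done

    return "$failed"
}

# Usage: ./diagnose_app.sh /Applications/FileZilla.app
if [ "$#" -gt 0 ]; then
    diagnose_app "$1"
fi
```

A result of `signature: invalid` means removing extended attributes will not help, because the bundle contents no longer match what the vendor signed.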

chrisB
Contributor II

I packaged Mathematica just as usual:

mathematica_13.3.0.png

 

But I always open apps first (to confirm gatekeeper messages) before dragging them to Composer.app.

jonw
Contributor

I'm seeing this behavior as well lately, but I've yet to find any consistency to the problem.  Opening the app once before adding to Composer doesn't always resolve the issue, nor does 'not opening' always resolve it.  In fact I'm seeing the same package having different results (broken vs. not) on nearly identical lab stations (both Intel & Silicon, all macOS 13.5).

jchen1225
New Contributor III

I had this same problem with Mathematica deployment on Ventura machines pre 13.5, where it keeps saying the app is damaged and can't be opened. I just tried it on a few 13.5.1 machines and so far they deployed successfully without error. I am going to upgrade a group of machines to 13.5.1 and see the results.

virtasupport
New Contributor II

Such a pain. We have a couple of apps that I have used Composer for years on, even at a different employer. Now, does not work. Latest Composer 11.01 and running Ventura 13.6

Get the error when testing the package:

Screenshot 2023-11-10 at 4.49.02 PM.png

Screenshot 2023-11-10 at 4.48.07 PM.png

Delete the ".VolumeIcon.icns" file from the package.

You may have to navigate to   "/Library/Application Support/JAMF/Composer/Sources/"   to delete the (invisible) file.