[SmartcardServices-Users] Smart Card Services Update v2.0.b2-MtLion -> downloaded package treated as damaged

Fri May 17 12:46:04 PDT 2013

Just a correction, I verified this is an extended attribute com.apple.quarentine issue that gets tagged by browser downloads, but not some command line downloads.  It appears to not be consistent on all machines so something else might be involved in this instance.

I wanted to clarify that quarantine extended attribute appears to be where the misleading this package is damaged message is from, since it occurs with that extended attribute with or without the proper PKI chains for the Application signing.  I tried it both ways and the error from quarantine happens first no matter if the PKI trust is present or not, and only occurs if the quarantine flag is present.  Hope that helps anyone else getting that particular message.

-Ridley

On May 17, 2013, at 1:19 PM, Ridley DiSiena <ridley.disiena at nasa.gov> wrote:

> 
> BTW: downloading from terminal with curl on the same machine will work even with Gatekeeper settings on:
> curl -O http://smartcardservices.macosforge.org/files/installers/SmartCardServices_2.0.b2_\(MtLion\).zip
> 
> -Ridley
> 
> On May 17, 2013, at 1:00 PM, Ridley DiSiena <ridley.disiena at nasa.gov> wrote:
> 
>> 
>> I have verified it is definitely not the PKI issue.  OS X downloaded files are being tagged by gatekeeper independent of browser used, and tracked even if moved -> always not allowed to open even if the Trust is proper and Gatekeeper is on.
>> 
>> If I download the same file from another OS, and move it to the OS X machine, it opens and runs as expected even if gatekeeper is set to "Mac App Store".
>> 
>> Not sure when this started by sometime after OS X 10.8 was released as it used to work fine.   I searched Google and it appears to be a widespread issue, we just noticed it with this package and verified it independently so I'll drop it from this list as its an OS X issue not an issue with OS X Forge packages.  I'll file a bug report for gatekeeper, but I'm sure there is one already open.  Downloading outside of the instance to be run on seems the only mitigation that won't drop the Gatekeeper settings to off.
>> 
>> -Ridley
>> 
>> On May 17, 2013, at 12:38 PM, Ridley DiSiena <ridley.disiena at nasa.gov> wrote:
>> 
>>> 
>>> Greetings,
>>> 
>>> I was wondering if there is a current Gatekeeper bug that I am not fully aware of.  I am trying to download -> (1)  **NEW** Smart Card Services Update v2.0.b2-MtLion (Sep 18, 2012)
>>> 
>>> Even with the signing certificate present on the system, unless the settings for Gatekeeper in Security and Privacy are set to "Anywhere", the package will not run.  It always gets:
>>> "“Smart Card Services Update 2.0b2-ML-signed” is damaged and can’t be opened. You should move it to the Trash."
>>> 
>>> The reason I believe this to be a Gatekeeper issue is because this only happens if the package was obtained recently from the internet via OS X.  I have a local copy which I had backed up from some time before this started occurring, I assume an OS X update.  The backed up version has the same SHA-256 hash as the downloaded package.  I can install that package on any setting in Gatekeeper even "Mac App Store" which is odd.
>>> 
>>> Any comments or suggestions on this issue?  Is there a bug report already open?
>>> 
>>> -Ridley
>> 
> 