[Bug]: macOS client code signature broken

[macguru]

⚠️ Before submitting, please verify the following: ⚠️

• This is a bug, not a question or a configuration issue.
• This issue is not already reported on Github (I've searched it).
• Nextcloud Server and Desktop Client are up to date. See Server Maintenance and Release Schedule and Desktop Releases for supported versions.
• I agree to follow Nextcloud's Code of Conduct

Bug description

The macOS client application seems to break its code signature from time to time, causing macOS to refuse to open the app. The user-visible error looks like this, not adding much detail:

The issue is reported from the system log like so:

default	11:07:51.506216+0100	amfid	/Applications/nextcloud.app/Contents/MacOS/nextcloud not valid: Error Domain=AppleMobileFileIntegrityError Code=-420 "The signature on the file is invalid" UserInfo={NSURL=file:///Applications/nextcloud.app/Contents/MacOS/nextcloud, NSLocalizedDescription=The signature on the file is invalid}
default	11:07:51.513887+0100	kernel	AMFI: Check-fix enabled for binary '/Applications/nextcloud.app/Contents/MacOS/nextcloud' with TeamID 'NKUJUXUJ3B', identifier 'com.nextcloud.desktopclient': broken signature treated as unsigned without privileges. This workaround will not work for software built on or after 10.12.
default	11:07:51.513940+0100	kernel	proc 46007: load code signature error 4 for file "nextcloud"
default	11:07:51.514600+0100	kernel	ASP: Security policy would not allow process: 46007, /Applications/nextcloud.app/Contents/MacOS/nextcloud

Checking the signature in detail reveals the following:

% codesign --verify nextcloud            
nextcloud: invalid Info.plist (plist or signature have been modified)
In architecture: arm64

Steps to reproduce

I have no steps to reproduce, the issue happened to me multiple times, at seemingly random moments. I guess this might be linked to either the auto-update mechanism, or a device reboot.

Since the app was working at some point before, the code signature seems to have become broken at some point. This issue does not happen with a clean install, which is also the workaround. I've re-installed the nextcloud client at least a dozen times over the past couple of months.

Expected behavior

The Info.plist not getting modified, I guess?

Which files are affected by this bug

nextcloud.app

Operating system

Mac OS

Which version of the operating system you are running.

macOS 13.2.1

Package

Appimage

Nextcloud Server version

25.0.2

Nextcloud Desktop Client version

3.7.4git

Is this bug present after an update or on a fresh install?

Updated from a minor version (ex. 3.4.2 to 3.4.4)

Are you using the Nextcloud Server Encryption module?

Encryption is Enabled

Are you using an external user-backend?

• Default internal user-backend
• LDAP/ Active Directory
• SSO - SAML
• Other

Nextcloud Server logs

No response

Additional info

No response

[macguru]

I've just run my workaround – reinstalling nextcloud from the website via https://github.com/nextcloud/desktop/releases/download/v3.7.4/Nextcloud-3.7.4.pkg, and checked the new binary as well. It seems that even a freshly installed nextcloud is reported as shipping with an invalid signature:

% codesign --verify nextcloud.app 
nextcloud.app: a sealed resource is missing or invalid
% codesign --verify nextcloud.app/Contents/MacOS/nextcloud
nextcloud.app/Contents/MacOS/nextcloud: invalid Info.plist (plist or signature have been modified)
In architecture: arm64

[macguru]

I've done one more test, deleting the nextcloud.app binary first, and then running the said installer again. This time, it seems the code signature is, in fact, fine. The issue seems to be resolved for me, for the time being.

I guess my local install must have been corrupted by some means and neither the auto-update nor the regular installer were able to fix this.

At this point I am not sure, if you consider this a bug or user error. My gut feeling would be that the installer should always install a clean binary, namely first deleting the current install and then replacing it with a fresh one. But you may have your reasoning for doing things differently.

[joshtrichards]

Not sure offhand why you're experiencing this. If it was systemic I'd expect us to get a lot of reports about it. That doesn't seem to be the case.

Not my area of expertise, however. We did recently change the building/signing for macOS (#6830), but that wasn't in response to bunch of bug reports as far as I can tell.

Refs:

• https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues
• https://stackoverflow.com/questions/30001330/os-x-gatekeeper-codesign-signature-not-valid

[macguru]

It might have been just my setup, after all. Any stray file inside an app bundle will make the signature invalid. I didn't diff it, but that's most likely the cause. From my side, you can consider this case closed. Should somebody else ever face a similar problem, maybe this ticket already helps.