Open Bug 1781462 Opened 2 years ago Updated 2 years ago

[macOS 13] Firefox fails to launch due to policies.json breaking macOS 13 codesign checks

Component: Firefox :: Enterprise Policies (defect, P5)
Platform: Desktop, macOS
Reporter: haik (Unassigned)
References: Blocks 1 open bug
Attachments: 1 file

With macOS 13, Firefox will fail to launch if a policies.json file has been copied to the .app bundle which is one of the methods of applying an enterprise policy on Mac per our instructions.

In the WWDC 2022 macOS "What's new in privacy" presentation, Apple announced they are changing the notarization and signing checks in macOS 13 to be more strict and occur each time the application is run. On bug 1781111, we found that the presence of a policies.json file in the .app bundle breaks the codesign check and prevents downloaded Firefox bundles from launching.

Steps to reproduce*:

  1. On an Intel Mac running macOS 13 Beta
  2. Download Firefox and copy it out of the DMG to the desktop, but do not launch it
  3. Copy a policy file to Firefox.app/Contents/Resources/distribution/policies.json
  4. Launch Firefox by double-clicking on the icon on the desktop

Expected results:
Firefox launches normally

Actual results:
Firefox fails to launch and an error is displayed: "Firefox.app" is damaged and can't be opened. You should move it to the Trash. See attached screenshot.

*Note:
I have only reproduced this problem on an Intel Mac on macOS 13 Beta 22A5295i with a freshly downloaded version of Firefox. macOS does some level of caching of Notarization/codesigning checks and adding a policy file to an instance of Firefox I already had installed and had used prior to installing macOS 13 did not trigger the problem.

Blocks: 1773708, 1781111
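The reproduction steps above, as an added example that is not code from the bug report or from Mozilla: a POSIX shell script that stages a policies.json into a Firefox.app bundle at the path the steps use, then reports whether the bundle still passes a strict codesign verification, what Gatekeeper's own assessment says, and whether the com.apple.quarantine attribute is still present, with the quarantine-clearing workaround discussed later in the thread as an optional step. The policy content (DisableAppUpdate) is a constructed sample; codesign, spctl and xattr exist only on macOS, so on other systems those checks report "skipped" rather than failing.

```shell
#!/bin/sh
# Added example, not code from the bug report or from Mozilla.
# Stages a constructed policies.json into a Firefox.app bundle at the
# path Mozilla's instructions use, then reports whether the bundle still
# passes a strict signature check and whether it is quarantined.
# codesign, spctl and xattr exist only on macOS; elsewhere the checks
# report "skipped" so the script still runs end to end.

# Location of the enterprise policy file inside the bundle.
policy_path() {
    printf '%s/Contents/Resources/distribution/policies.json\n' "$1"
}

# Write a minimal policies.json (constructed sample policy) into the bundle.
# Any file added under the bundle invalidates the existing signature seal.
write_policy() {
    target=$(policy_path "$1")
    mkdir -p "$(dirname "$target")"
    cat > "$target" <<'EOF'
{
  "policies": {
    "DisableAppUpdate": true
  }
}
EOF
    [ -s "$target" ]
}

# valid | broken | skipped: strict deep verification of the bundle signature,
# the kind of integrity check macOS 13 Gatekeeper now performs at launch.
signature_status() {
    command -v codesign >/dev/null 2>&1 || { echo skipped; return 0; }
    if codesign --verify --deep --strict "$1" >/dev/null 2>&1; then
        echo valid
    else
        echo broken
    fi
}

# accepted | rejected | skipped: Gatekeeper's own launch assessment.
gatekeeper_status() {
    command -v spctl >/dev/null 2>&1 || { echo skipped; return 0; }
    if spctl --assess --type execute "$1" >/dev/null 2>&1; then
        echo accepted
    else
        echo rejected
    fi
}

# quarantined | clear | skipped: whether the downloaded bundle still carries
# the com.apple.quarantine attribute that marks it as newly downloaded.
quarantine_status() {
    command -v xattr >/dev/null 2>&1 || { echo skipped; return 0; }
    if xattr -p com.apple.quarantine "$1" >/dev/null 2>&1; then
        echo quarantined
    else
        echo clear
    fi
}

# Workaround from the thread: strip the quarantine attribute recursively
# after the policy file has been copied in.
clear_quarantine() {
    command -v xattr >/dev/null 2>&1 || return 0
    xattr -dr com.apple.quarantine "$1"
}

# Usage: ./policy_bundle_check.sh /Applications/Firefox.app [--clear-quarantine]
if [ -n "${1:-}" ]; then
    write_policy "$1"
    echo "signature:  $(signature_status "$1")"
    echo "gatekeeper: $(gatekeeper_status "$1")"
    echo "quarantine: $(quarantine_status "$1")"
    if [ "${2:-}" = "--clear-quarantine" ]; then
        clear_quarantine "$1"
        echo "quarantine: $(quarantine_status "$1")"
    fi
fi
```

Run it against a freshly copied, never-launched Firefox.app on macOS 13 to see the signature report change to "broken" once the policy file is in place; the quarantine status after `--clear-quarantine` is what the thread's workaround relies on, and clearing the attribute is a one-time measure that does not repair the broken seal.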

Yes, in my test on Intel, Firefox cleanly launched after clearing the quarantine attribute. Sorry, I didn't know we recommended clearing the quarantine after adding the policies file. We might be OK here, but we should keep an eye on this or be proactive about moving the policies file. The WWDC presentation included the text below saying the checks will now apply to apps that are not quarantined.

From https://developer.apple.com/videos/play/wwdc2022/10096/ :

Gatekeeper checks the integrity of newly-downloaded apps. In macOS Ventura, Gatekeeper will now check the integrity of all notarized apps, not just quarantined apps.

First, apps need to be properly signed. Starting with macOS Ventura, if your notarized app is no longer validly signed, it will be blocked by Gatekeeper on first launch. You should sign all your executables and bundles and ensure that their signatures stay valid when you make changes to your apps. In addition to an integrity check, Gatekeeper will also prevent your app from being modified in certain ways.

See Also: → 1781813

I definitely thought this would stop working at some point, so yeah, worth keeping an eye on.

The severity field is not set for this bug.
:mkaply, could you have a look please?


Flags: needinfo?(mozilla)

I'm marking as S4 because of the workaround

Severity: -- → S4
Flags: needinfo?(mozilla)
Priority: -- → P5
