App Store apps do not install properly on a fresh install of High Sierra on internal SSD or HDD

Hope this helps everyone:

1. Open a terminal
2. run the following command

sudo rm -f /Library/Keychains/crls/valid.sqlite3

I haven't tested, but I think a reboot is not even necessary. And this does survive a reboot.

It looks like this file may be used by "trustd". So worse case scenario, this will rebuid trustd's cache, so that should not affect the security of your system.

Enjoy!

If something that was launching isn't then it may involve certificates resolution. The article on the official Apple Developer Documentation feed may be a clue to the cause of apps not launching:

https://support.apple.com/guide/deployment-reference-ios/preparing-your-infrastructure-apdda9e027d2/web

==START QUOTE

Preparing your infrastructure to deploy in-house apps

Certificate validation

The first time a user opens an app, the distribution certificate is validated by contacting Apple’s OCSP server. If the certificate has been revoked, the app won’t launch. To verify the status, the device must be able to reach ocsp.apple.com.

The OCSP response is cached on the device for the period of time specified by the OCSP server—currently, between 3 and 7 days. The validity of the certificate isn’t checked again until the device has restarted and the cached response has expired. If a revocation is received at that time, the app won’t launch.

WARNING: Revoking a distribution certificate invalidates all of the apps you’ve signed with it. You should revoke a certificate only as a last resort—if you’re sure the private key is lost or you think the certificate has been compromised.

==END QUOTE

The OCSP protocol is used by sites and especially in commerce to validate certificates.

As a preliminary action-test on a temporary basis do the following:

• Block all connections to ocsp.apple.com in your hosts file (/private/etc/host). Use any Unix editor of your choice such as vim or nano (simpler). This file is used by network administrators to control access of the managed users to certain hosts and domains. Add the entry 0.0.0.0 ocsp.apple.com to this file. Test if the apps launch.
• If the previous step didn't help disable System Integrity Protection. But first, check if it's enabled (it's safe to assume that for the overwhelming majority it is):

csrutil status 

If the output ends with "enabled" System Integrity Protection is enabled. Disable it booting from Recovery partition. Launch Terminal (search for it in Spotlight) and run the following command which is the automated reboot to Recovery without holding the combination ⌘-R:

sudo nvram -recovery-boot-mode=RecoveryModeDisk ; sudo reboot

You'll be prompted to enter your Mac password which you won't see while typing.

• In Recovery, from the menu bar, choose Utilities-->Terminal. Type the following command:

csrutil disable ; nvram -d recovery-boot-mode ; reboot

You'll be brought back to your Desktop screen. Now launch the apps. If they don't launch remove 0.0.0.0 ocsp.apple.com from /private/etc/hosts and enable System Integrity Protection. To enable, enter the same 2 last commands but replace disable with enable in the second one cited.

ok, so here is another update. After extracting all certs from the .app, and looking at codesign0 (Apple Mac OS Application Signing), the cert does not have a CRLdp, so CRL revocation is not the issue. But it does have a AIA extension which points to the OCSP server at http://ocsp.apple.com/ocsp03-wwdr08.

Using "openssl ocsp" to verify the certificate, the OCSP server responds with a "good" response, meaning the certificate is indeed valid. Looking at the network trace of this OCSP request, we can see that the OCSP response is signed (ok, the response is secure), but extracting the signing certs from the pcap, the cert who signed the response is like this:

• • Common Name: WWDR OCSP Responder MG2
  • Issued by: Apple Worldwide Developer Relations Certificate Authority
    • the one expiring on Feb 7, 2023
  • Valid from: November 4, 2020 at 5:03:29 PM GMT-5:00
  • Valid until: December 16, 2020 at 5:03:29 PM GMT-5:00

This is strangely close to when people seem to have started experiencing issues...

Both the OCSP response signer and its issuer are not in the default System Roots keychain. And manually adding them to the System keychain does not help, the Apple Mac OS Application Signing certificate remains detected as revoked.

I don't want to block OCSP requests by modifying /etc/hosts, this is a bad security practice and does not address the real issue.

That is exactly the same problem I experienced with my MacBook Pro. I have two internal drives (SSD and HDD) for years now, don't think that's the point. I think it is on Apple to fix something with their App Store servers.

Apps from Mac App Store crash when started (CODESIGNING error)

Okay, I submitted a bug report so hopefully they can address the issue soon. Seems like may other threads are experiencing the same issue as well:

https://discussions.apple.com/thread/252030900

https://discussions.apple.com/thread/252032870

I had wiped my SSD several times now and reinstalled a clean version of High Sierra, shortly after completing the install and getting past the "setting up your Mac" screen, the apps work initially once installed from the App Store (this is right after your screen boots up after the install process), and then they begin to crash shortly after and I get the same code signing error. This is definitely something on Apples end which I cannot seem to fix myself, and it seems that many of you continue to have the same issue, and do the same process as me. Anyways, take home message here, we just have to wait for apple to acknowledge the error and correct the situation. I highly suggest you all report this error as well so they can get the message quickly! Here is the link: https://www.apple.com/feedback/

Cheers

My copy of macOS High Sierra 10.13.6 was download directly from Apple https://support.apple.com/en-us/HT211683 the macOS High Sierra link provided in this page will redirect you to download High Sierra from the AppStore. Once you download it from the AppStore you can make a bootable USB drive.

Did you see this???

stephán193

Nov 18, 2020 10:31 AM in response to GrenadeBait

I was introduced a solution that works with some apps. 

Open terminal and type:

sudo codesign —deep -fs - /Applications/Pages.app

After typing -fs - you can drag your desired application. I tried it with pages. While it now opens and gives me the option to either create a new document or open an existing one, it closes again after I chose one of said options. But with some other apps it actually worked.  

https://discussions.apple.com/thread/252030900?answerId=253912973022#253912973022

Might try this from Viking OSX...

https://discussions.apple.com/thread/252062728?answerId=253923443022#253923443022

Click the Update panel in your Mac App Store, and apply all available updates. Then reboot your Mac, and just once, press the shift key while launching Pages, so it will not attempt to use its last (crashed) application state.

Reposting what I said in another thread, as this one here seems more alive...

---

Same issue for me. iMac 27, late 2009. Fresh re-install in the last 2 weeks, not sure when. HDD erased prior to reinstall. I had been struggling with the reinstall-from-USB as the first reboot after reinstall kept getting me the grey-progress-bar that never gets to the login screen, which is the reason why I attempted a clean reinstall. I once had issues with the GPU, which I resurrected few years ago by baking it (yes, it worked!!), and booting in safe mode after that clean reinstall allowed me to move forward and kept applying all High Sierra security patches up to 2020-006. Since I could only boot in safe mode and had GPU issues in the past, I tried the trick to move the .kext out so they won't get loaded. Bingo! I could now boot in normal mode (with slow graphics, but that is a start).

Then I ran into the issue discussed here. Only one app downloaded from the App Store: MS Remote Desktop. Same error, because of EXC_CRASH (Code Signature Invalid). ok.

Looking at a MBP running Mohave, 2020-005 not yet installed, I ran into something interesting.

On the MBP, running "codesign -d -vvv /Application/Microsoft\ Remote\ Desktop.app" will show

Authority=Apple Mac OS Application Signing

Authority=Apple Worldwide Developer Relations Certification Authority

Authority=Apple Root CA

But running the same on the faulty High Sierra will show this:

Authority=(unavailable)

If the app can't validate to a trusted CA, that is one possible cause of the code signing error. Moving on, looking at KeyChain on High Sierra, "Apple Root CA" is present. However "Apple Worldwide Developer Relations Certification Authority" is missing, while it is present on Mohave. I was hoping that downloading and installing the missing CA from https://www.apple.com/certificateauthority/ on High Sierra would get things to work again. It didn't. codesign still shows unavailable.

Another odd thing. "Apple Mac OS Application Signing" is not found in KeyChain on Mohave. So how does codesign builds the CA trust chain? Does a .app include signer / CA certificates?

If someone has a working High Sierra setup, I would be curious to look at the codesign output of any app installed from the AppStore, so I can see the Authority being listed.

Users with access to an functioning startup disk or Time Machine backup may be interested trying what I did yesterday. I used the migration assistant (https://support.apple.com/en-us/HT203981) to migrate the system, applications and user files on my internal HDD to an external SSD. I had done a clean-install of High Sierra to that SSD. It had the problem described above, i.e., downloaded App Store apps failed to run. This problem disappeared after the migration. I deleted Keynote and reinstalled from the AppStore. It launched and ran without problem.

Previously, I reported that installing to a SSD using the Recovery to restore from a Time Machine backup reformatted the drive to MacOS extended. The Migration Assistant did not change the format of the SSD which was formatted APFS.

The down side is that my SSD installation is not "clean" anymore. All those legacy files I hoped to loose by doing a clean install, got installed anyways, along with whatever file(s) corrected the problem.

At least now my 2011 iMac is noticeably more responsive running from the SSD connected to the thunderbolt port.

I can sign into this forum in Safari. The link gives me a "Page Not Found" error. Even after I remove the comma at the end.

EDIT.

I can get to the idmsa.apple.com address if I use this

https://idmsa.apple.com/IDMSWebAuth/signin?path=%2F%2Fthread%2F252037712%3Flogin%3Dtrue&language=US-EN&instanceId=EN&appIdKey=529eb2b096d5a3d54162171f0f29ba797e602812660013123243e58bc7bedf56&rv=1

OK guys, which to try first?

• The spctl [spctrl is a typo, right?] from https://discussions.apple.com/thread/252037712?answerId=253962571022#253962571022

or

• The codesign from https://discussions.apple.com/thread/252037712?answerId=252037712021#252037712021

What command are you talking about? spctl turns off Gatekeeper which isn't enough to disable validation checks. To do that you need to disable System Integrity Protection with csrutil using the method I described in detail in the post https://discussions.apple.com/thread/252037712?answerId=253963482022#253963482022