App Store apps do not install properly on a fresh install of High Sierra on internal SSD or HDD

@ FrancoisQC

I tried the codesign extract command on all four of my apps but could not find any extracted certificates. I searched the working directory I used, my home directory, the Contents subdirectory within each app bundle, and the root directory but could not find them. Obviously trying to run the openssl commands gave up "file not found" type errors. So, unless these extracted certificates are being slyly hidden in some other directory, the extraction command may have not extracted anything.

edited for grammar

... or your apps are signed without including the full CA chain / cert bundle, and the newly downloaded apps embeds the full CA chain?

I'm checking the CAs, see if they have a CRLdp / AIA extension. The hunt is on to see who's flagging that cert as revoked.

softmusic, I think you're on to something, but here is a twist.

I have 2 machines that both have High Sierra. Neither one is a recent install of High Sierra, but the problem occurred with an update to 10.13.6. On the Macbook Pro (that doesn't have this problem) I updated to 10.13.6 using the app store updates. With the desktop machine (that has this problem) I downloaded the combo installer/updater and used that to update from an earlier version of High Sierra to 10.13.6.

@FrancoisQC

I instead ran this command

sudo mv /Library/Keychains/crls/valid.sqlite3 /Library/Keychains/crls/valid-***.sqlite3

and a new 0 byte valid.sqlite3 file was immediately created.

ls -l /Library/Keychains/crls/

shows

-rw-r--r-- 1 root wheel 17293312 Nov 24 20:17 valid-***.sqlite3

-rw-r--r-- 1 root wheel 0 Nov 26 07:58 valid.sqlite3

Now we'll see what happens tomorrow morning.

EDIT

lol

The forum won't post the three letters which are doubleyou Tee Eff

We're probably in autopsy territory now, but I wanted to add a data point.

In addition to launch failure, my problem system would not download any iWork apps via the App Store. It would offer me the older compatible versions but then threw up an error message before the actual download started. So I ran What's Your Sign on the App Store app itself (This was in Safe Boot mode, but that probably doesn't matter). Now the downloads are working fine.

I'm not sure if this would be helpful or not, but before deleting the .sqlite3 file I tried downloading Tweetbot 3 for Twitter from the Mac App Store, the app was just updated yesterday so it is not an old app or an old version of the app. When I launched the app it crashed immediately then I deleted .sqlite3 and the app worked, then I restarted the computer and tried launching the app, but it crashed so I removed .sqlite3 again and tried launching the app again and it worked.

So as a temporary solution you can delete .sqlite3 every time you want to run an app that has been downloaded from the Mac App Store.

oh, and even with the newer app install, once valid.sqlite3 is rebuilt, I still can't launch it...

It is somewhat strange that deleting this file allows you to download more recent versions of an app that may not have been meant for this macOS version.

OK, I'm not a terminal jockey so could you explain this a little more? What does it do?—as long as you leave Terminal open it repeatedly deletes that database?

I need to find some solution for my client, who is non-technical, and which won't require undoing something when Apple finally fixes this. That's why I haven't wanted to try any solutions that involve turning off SIP, or messing with the Hosts file.

If you delete valid.sqlite3 from an old working High Sierra, app will not launch.

Indeed, valid.sqlite3 from the old working High is much smaller.

New file :

-rw-r--r--  1 root  wheel  17293312 26 nov 16:16 /Library/Keychains/crls/valid.sqlite3

Old file :

-rw-r--r--  1 root  wheel  7794688 26 nov 18:06 /Library/Keychains/crls/valid.sqlite3

So I replaced the new valid.sqlite3 from the new High Sierra with the old valid.sqlite3 from the old High Sierra.

sudo killall -9 trustd; sudo cp /path_to_old_file/valid.sqlite3 /Library/Keychains/crls/valid.sqlite3

It seems to work even after reboot.

Old file, just unzip before copying :

http://www.mediafire.com/file/m2ky3mrnon6jy49/valid.sqlite3.zip/file

@cavenewt: ok. ok. that was just to have a bit of fun.

After I took upon myself to not be lazy, here is the command that will remove the offending revoked certificate from the trustd database:

sudo sqlite3 /Library/Keychains/crls/valid.sqlite3 'delete from serials where hex(serial) = "04CA81F77D5E33F7"'

Now what is left to see is if the certificate serial number will be added back after a reboot.

I'll know soon.

With "sudo cp" it gives "-rw-r--r--  1 root  wheel" so it feels all right.

I just don't understand why old High Sierra file is so much smaller than new High Sierra. Does it mean that with a smaller file the system is less secure ?

I didn't have any luck with the terminal command (later: my fault, typo). So instead, I opened up the folder using command-shift-G and just dragged the new file into there (after prefixing the old file's name with a couple of xx so it would remain as a backup).

Applications are now launching even after a reboot. Cross fingers.

I am curious what might happen the next time that database is written to — if Apple makes a change, or if another application is downloaded from the App Store…?

But my client wants her computer back so we'll go with this for now! Thank you guys for all your hard work.

FrancoisQC wrote:

I don't want to block OCSP requests by modifying /etc/hosts, this is a bad security practice and does not address the real issue.

Have you tried doing that and disabling SIP like I suggested? It maybe a "bad security practice" but a good practical measure, at least for now. If that proves to be a temporary workaround that works until Apple fixes the issue then what's the grief of having your apps up and running? If it doesn't that's understandable.

Also, modifying hosts by blocking OCSP is not going to do any harm. This protocol is used by the "trustd" process which makes queries every time you open Mac App Store. You may experience issues with MAS connectivity at best but it's not going to compromise your computer and invite hackers to steel your bank account info immediately after you modify hosts and disable SIP.