App Store apps do not install properly on a fresh install of High Sierra on internal SSD or HDD

@softmusic - working on my fresh install of iMac 2010 High Sierra. Like others, all App Store apps (e.g. garage band, pages, textwrangler, etc.) would not run. Other non-app store apps ran previously (e.g. audio hijack). Now all run, even on reboot. Thank you!!

"hey @caevnewt, looking at the file your provided, the serial number of the "revoked" certificate is not in it. That is probably why things keeps on working. Thanks for sharing though..."

I posted the file because softmusic was asking for a copy of an older one that does work, for comparison purposes. I'm a little puzzled why mine it doesn't get updated with the broken cert, because the one that you edited the bad cert from, appears to get changed by the system after a few days…

My route was updating a Sierra installation... which by definition seems to be from what we used to call a full installer. EXCEPT even what they were making available a little less than a week go was NOT a combo... because I HAD to separately install security 005 AND 006!

@cavenewt

I had this problem when I upgraded to High Sierra 10.13.6 from an earlier version of High Sierra using the combo updater not the app store update method. I didn't do a full install of High Sierra.

"We can confirm that the issue as seen on new High Sierra clean installs

down after circa November 11 do not exhibit the code signing error."

Sorry, can you please translate this for me? Or maybe there's a typo?

beckersj wrote:

@cavenewt

I had this problem when I upgraded to High Sierra 10.13.6 from an earlier version of High Sierra using the combo updater not the app store update method. I didn't do a full install of High Sierra.

Thanks!

Yes I know and that's what I said : "B can install BBEDit though A's purchased items because A & B are in the same family. "

With solution 1 and 2 I can install BBEdit on High Sierra. What my tests show is :

With solution n°1, I got a "Download Error" very often. I have to try many times to succeed.

With solution n°2, it downloads directly.

Fun fact: Even Apple themselves have suggested clearing this db to fix other issues in the past:

https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087725

That might set peoples minds at rest a little with regard to whether fixes are safe etc.

It also suggests that Apple kind of know that this area of the OS can get into a mess also.

Johnno, I'm glad you found your way over here from Howard's blog. Thank you so much for your in-depth information. Most of the stuff is way above my pay grade. And I wouldn't get very far with my clients if I just said "buy a new computer and upgraded versions of your $$software." At least not until that's absolutely necessary, which at some point it will be!

GrenadeBait wrote:

• It's been a few days now and the only solution that is still working without requiring periodic intervention is the third; ie. replacing the valid.sqlite3 with an old copy.

You might want to fix that typo. It's the fourth solution, not the third.

You can probably switch off the updates with:

sudo defaults write /Library/Preferences/com.apple.security.plist ValidUpdateEnabled -string 0

Also it should be possible to make them look at your own machine with:

sudo defaults write /Library/Preferences/com.apple.security.plist ValidUpdateServer -string localhost

For rapid testing having the updates every minute

sudo defaults write /Library/Preferences/com.apple.security.plist ValidUpdateInterval -int 60

This all presumes High Sierra works near enough the same way as whatever version this code is from which is later by a couple of years.

I split up the binary into its components which was 7 binary plists plus the CMS blob.

Here it is as a zip https://drive.google.com/file/d/1l9eUBWrdCobJyNWLKzRBiLUd_4IZGtkC/view?usp=sharing

I haven't taken a look to see what are in the plists yet and and it's late here.

Hopefully we may see something in here. It wouldn't explain why only new installations are clobbered though unless updating from scratch is broken with this particular update presuming this is the one that is being downloaded which it may not be after all as the latest version is https://valid.apple.com/g3/v146 ...

v42 was the number showing in the system cert bundle so probably was the version that was current when the installer was built or that always ships with High Sierra. I have probably wasted my time splitting that up by hand but it will show what the updates look like anyway.

Forget what I just said. I am totally wrong.

When you choose "Restart..." form the Apple menu, trustd starts to rebuild the database.

And when you validate, reboot will stop the database to be filled completely.

So the database was working because it was incomplete.

I should test more before posting.