App Store apps do not install properly on a fresh install of High Sierra on internal SSD or HDD

Please file bugs for this issue here:

https://feedbackassistant.apple.com

The issue is with code signing, and the specific error is CSSMERR_TP_CERT_REVOKED . I filed a bug report yesterday but there's been no update on it yet. A bunch of duplicate bug reports might make them take it more seriously.

Same same same. I had Catalina before downgrading. I had too many libraries and various package systems and it's just a chaos.

Was doing a fresh install using Shift-Option-Cmd-R and it gave me High Sierra (2018 MacBook Pro 15'').

First I thought maybe the installation was just corrupted. After doing 3 times install of High Sierra, I now believe it's an issue from apple. I upgraded to Mojave and Catalina with the renewed App Store and apps downloaded and opened fine.

I've tried different methods across the internet, including resetting NVRMP, disable SIP, different disk formats, Command lines, etc. and no luck.

I have also submitted the feedback and awaiting 48hrs respond.

Some how I think Apple is doing it intentionally, to discourage people from using the old OS although it is still officially supported. I decide not to upgrade to Big Sur due to concern on stability. Apple's software quality has been going down and they are continuously removing features that are small in sizes and nice to have.

Both a local copy downloaded from the App Store and from the internet recovery. Both installation sources gave me the same result. I only managed to open and use the apps if I don't sing in to my Apple ID at the setup screen and after I get to the desktop, then sing in and download my apps and avoid the updates. Logic, iMove, Pages, etc. All works fine if I don't install the updates. Same result after two days of reinstalling the os and apps.

Yes, after the clean install, I skipped the sing in process on the setup screen, then when I got to the desktop I opened the App Store singed in, downloaded the apps, and they started up whit no problem, after that I ignored the security updates and used the apps whit no issues. As soon as I install the updates, after the machine restarts, the apps stop working again. Tested the method for 2 days straight, always the same result.

Sorry. I see the file was written in my login folder. But, I've found a fix for my problem.

Since I have a functioning system on my mac's internal HHD, I just did a restore from my Time Machine back up of that disk to the SSD using the HDD's MacOS Recovery utility. At start the SSD drive was empty, formatted as an APFS volume. After the restore the SSD appears as a exact copy of my internal hard drive ... and the App Store apps run just like they should. In the recovery process the SSD drive was formatted MacOS Extended (Journaled).

I would very happy to know if other people can reproduce the problem on a High Sierra installed before Novembre 11th.

To reproduce the problem quit every apps, launch terminal and type :

sudo killall -9 trustd; sudo rm /Library/Keychains/crls/valid.sqlite3

Then reboot and wait a few minutes before trying to launch apps from the Mac App Store.

Use this command to check the size of a complete database :

ls -l /Library/Keychains/crls/valid.sqlite3

Should return :

-rw-r--r--  1 root  wheel  17293312 29 nov 16:29 /Library/Keychains/crls/valid.sqlite3

@softmusic, thanks for a pointer to the source, this is what I was looking for.

Flag 16 is "1u << 5", which is kSecValidInfoNoCACheck, and has the definition "set if this entry does not require an OCSP check to accept (deprecated)"

The certificate that I delete, "Apple Mac OS Application Signing", serial number ox04CA81F77D5E33F7, has its flag set to 0, which is "set if we have all revocation info for this issuer group"

So by setting the value to 16, it would technically mean "don't do OCSP check", which I agree would be a cleaner fix that deleting the row.

And it looks like someone found a bit more, documented at https://eclecticlight.co/2020/11/25/macos-has-checked-app-signatures-online-for-over-2-years/. Not only have Jhonno found the same revoked certificate, but he also found another one:

CN: Mac App Store and iTunes Store Receipt Signing

Serial: 0x0EEB5787E79E098D.

And guess what, deleting the row in serials for that second certificate allows "Display Menu" to launch. Since both certificates belong to the same groupID (issuer) then I assume that changing the flag to 16 should allow all apps to launch.

I need to run some tests from fresh, see if that would be the best workaround. But I expect this change to be reverted back after a while, like we have seen happening so far.

This is what I have been using:

sudo sqlite3 /Library/Keychains/crls/valid.sqlite3 "update groups set flags=16 where groupid = (select groupid from serials where hex(serial) = \"04CA81F77D5E33F7\")"

The change did survive a reboot, but for how long? And it did allow me to reinstall (and launch!!) Display Menu.

So I would recommend this update over my previous suggestion of deleting the row.

Kudos go to @softmusic !

@Johnno_uk made me remember one thing: Time Machine. ALL Mac users should always have that configured btw!

Let me share what seems to be my most "stable" fix for now.

1. Map your TM sparsebundle so you can browse it with Finder. Extract and copy those two files, for a backup done somewhere in October

/System/Library/Security/Certificates.bundle
/Library/Keychains/crls/valid.sqlite3

Certificate.bundle will be seen by Finder as a file, but it is in fact a folder. Anyway. Copy those on your desktop.

Boot from USB / Recovery. Use Terminal to replace those on your "Machintosh HD" volume.

Reboot.

In my case, valid.sqlite3 was up at version 137.

After reboot, the file did get upgraded to version 142, but without any corruption (no certs ended up being marked as revoked). I could launch installed apps, I was able to download and install Pages and Numbers (had to Unhide past purchases though and try 3-4 times before the install succeeded).

In the end, things seems to be "okay". Next step: see if I can run version 137 and turn off updates using the plist method.

So my assumpion is

• Update from version 42 to 146 gets the DB corrupted.
• Update from version 137 to 146 is "somewhat" ok.

You're not the only one. The issue was fixed (and caused) remotely by Apple.

Apple made corrections to files on web servers which had previously been telling Macs to disable one of Apple's own critical digital certificates that is used to prove if an app from the App Store is allowed to run or not.

These files are fetched in the background automatically without user intervention meaning machines will appear to have just fixed themselves.

One particular file only applies to brand new Installations of High Sierra whilst others are for Macs which have been installed for longer and updated themselves a number of times in the past already. Many of these other files were not incorrect or at least not for such a long time period as the length of this issue.

The erroneous file for new High Sierra Installs from a few days ago has now been archived and since it is also digitally signed by Apple themselves it can definitively show the instruction Apple were sending out to these Macs that was breaking App Store apps though not for how long that was without knowing externally the period for which it was in circulation. Actually more than one update came and went which was erroneous in this way before Apple fixed things.

Part of what's on anybody's machine isn't actually controlled by them, but this part which is basically a database of what can and can't be trusted that is updated from data in these files I've been talking about is best left to Apple even though they can sometimes get things wrong and break aspects of a user's experience in the process.

sudo su -
while true; do rm -f /Library/Keychains/crls/valid.sqlite3; sleep 10; done

a mix of :-) and (facepalm) ...

Should be able to block Apple's OCSP IP in the Hosts file...

https://apple.stackexchange.com/questions/406363/what-is-the-best-way-to-block-ocsp-apple-com-on-mac

Just did a reboot and checked my db version. It is now at 147 and everything seems to be working again. Looks like Apple did push new certs overnight....

ok, so here is another update. After extracting all certs from the .app, and looking at codesign0 (Apple Mac OS Application Signing), the cert does not have a CRLdp, so CRL revocation is not the issue. But it does have a AIA extension which points to the OCSP server at http://ocsp.apple.com/ocsp03-wwdr08.

Using "openssl ocsp" to verify the certificate, the OCSP server responds with a "good" response, meaning the certificate is indeed valid. Looking at the network trace of this OCSP request, we can see that the OCSP response is signed (ok, the response is secure), but extracting the signing certs from the pcap, the cert who signed the response is like this:

• • Common Name: WWDR OCSP Responder MG2
  • Issued by: Apple Worldwide Developer Relations Certificate Authority
    • the one expiring on Feb 7, 2023
  • Valid from: November 4, 2020 at 5:03:29 PM GMT-5:00
  • Valid until: December 16, 2020 at 5:03:29 PM GMT-5:00

This is strangely close to when people seem to have started experiencing issues...

Both the OCSP response signer and its issuer are not in the default System Roots keychain. And manually adding them to the System keychain does not help, the Apple Mac OS Application Signing certificate remains detected as revoked.

I don't want to block OCSP requests by modifying /etc/hosts, this is a bad security practice and does not address the real issue.

Exactly the same situation here. After clean installing High Sierra I got the same updates in the App Store. Security update 2020-005 then Security update 2020-006 and after installing those security updates I got the 004 security update error message. I'm not sure if this issue is related to the wide spread issue with Apple servers that happened on Thursday, but if it is the same issue why hasn't it get fixed for us while it got fixed for others?

Did you try disabling Gatekeeper and installing an app from the AppStore?

Open the Terminal app then enter the following command syntax:

sudo spctl --master-disable

if it didn't solve the issue re-enable Gatekeeper run the following command in the Terminal app

sudo spctl --master-enable