Hello Everyone,
I had this same problem on an install I did back on 23rd November, but wasn't aware of this thread.
I did a fair bit of investigation and can shed some light into what's going on though a lot of that information is already in this thread so sorry if I'm repeating that as I didn't see this thread until today.
The issue is not that the apps are installed incorrectly, they're installed fine I believe.
I say this as I upgraded a system and so many apps were already installed.
The problem is to do with how the OS validates that the apps are good.
In essence it validates two things that are relevant here:
1) Has an app that's on your system been tampered with ?
2) Did you buy it ?
What this means is that there are signatures inside each application that sign it to answer yes to both of those questions.
These signatures are there, but the OS needs to know they are good and it needs some files known as certificates to help it do that. It's a bit more complex than that as there need to be certificates which prove other certificates are good resulting in a chain of them.
a) There is a different certificate used to sign the answer to the 2 questions above.
b) There is a 3rd certificate that proves these first two are good.
c) There is a 4th certificate that proves the 3rd one is good. This is where it all stops as this 4th one is from Apple and will be installed on most computers (Macs or not) all around the world.
There can be more than 4 in total since some apps were signed years ago with older certificates.
People with this problem may well find ancient apps from the Apps Store like one called 'Snap' will still work for example.
In this case though first 3 certificates have not been seen by the new OS installation.
None of them are revoked in the real world or even on anybody's Mac.
The OS is incorrectly reporting them as revoked but that's a red herring I believe but the fix does involve checking that they're not revoked so the jury could still be out there a little bit perhaps.
The trick is to make the OS see and verify them all. Some people in the thread have noted that a tool called WhatsYourSign helps. Indeed it does but it doesn't cover certificates for receipts (did you buy it).
There is a tool out in the wild called "RB App Checker Lite" which does however.
This fix does not unfortunately appear to be permanent and only lasts for a few hours at least for me.
1. If you start with a fresh install and haven't made too many other changes to try and fix things (especially those that involve Key Chain Access) then installing this app and dragging one a non launching App Store app to it may be all you need to do to fix the problem. The other apps should work to but if one on the off chance is signed differently try dragging it too.
2. If you started with an upgrade from Sierra or lower then step 1 may also be all you'd need to do. However if you've been developing your own Apps in the past then make sure there are no expired copies of the "Apple Worldwide Developer Relations Certification Authority" in your login or system keychain. Having this there was what made some certs show as revoked vs not verified and led me to doing all the other stuff mentioned in this thread like clearing CRL caches etc which I don't think made any difference after all.
Most people can ignore the rest of this post and use RB App Checker Lite, but to do it from the shell something like which is shown below should do the trick I think. I've used an example app that was not working on my machine. Again you only need to do this for one app. I could just post the 2 certs that were involved but they are not mine to post and this is more portable and shows what's going on.
cd /tmp
mkdir fix-mac
cd fix-mac
curl https://developer.apple.com/certificationauthority/AppleWWDRCA.cer --output AppleWWDRCA.cer
codesign -dvvvv --extract-certificates '/Applications/Compare Folders.app'
security verify-cert -r AppleWWDRCA.cer -c codesign0 -R ocsp
# diff AppleWWDRCA.cer codesign1 if you like and they should be the same file - could be clever and just use codesign1
openssl pkcs7 -inform der -in '/Applications/Compare Folders.app/Contents/_MASReceipt/receipt' -print_certs -out receipt-chain.pem
openssl x509 -in receipt-chain.pem -outform der -out receipt.cer
security verify-cert -r AppleWWDRCA.cer -c receipt.cer -R ocsp
Hint: Since the fix is not permanent, you can of course just keep the files AppleWWDRCA.cer, codesign0, and receipt.cer and write a cronjob which runs security verify-cert every few hours in the meanwhile