App Store apps do not install properly on a fresh install of High Sierra on internal SSD or HDD

I upgraded my iMac 27-inch Mid-2011 with a 240-GB SSD alongside the existing 2-TB HDD. After the upgrade, I tested and everything worked great using the existing High Sierra system on the 2-TB HDD.


I did a new install of macOS High Sierra from Apple over the internet on to the 240-GB SSD. It was a fast and error-free installation. The iMac started up fast from the SSD and I applied system updates.


I completed all configuration tasks (setup all my preferences and installed all my applications and utilities) and then I ran it like this for a couple of days trying things out.


When it was time to add my App Store apps I ran into a snag. All my purchased apps install but will not run. When I launch them they either generate an error report, or bounce once in the dock, or do nothing at all.


I also tried adding new free apps that were not attached to my account and they behave the same way. So, I did some troubleshooting things like trying a different login and playing with permissions. Nothing works.


I spent an hour today on a support call with Apple and they were not able to figure it out and recommended I take it in for Apple authorized service.


I gave up and reinstalled the operating system on the HDD and to my surprise the same issue is happening on the original drive, which was working just fine!


Has anyone else experienced this? Can I not have two internal drives?

iMac 27″, macOS 10.13

Posted on Nov 13, 2020 11:38 PM

Question marked as Top-ranking reply

Posted on Nov 26, 2020 9:22 AM

If you delete valid.sqlite3 from an old working High Sierra, app will not launch.

Indeed, valid.sqlite3 from the old working High Sierra is much smaller.


New file :

-rw-r--r--  1 root  wheel  17293312 26 nov 16:16 /Library/Keychains/crls/valid.sqlite3


Old file :

-rw-r--r--  1 root  wheel  7794688 26 nov 18:06 /Library/Keychains/crls/valid.sqlite3


So I replaced the new valid.sqlite3 from the new High Sierra with the old valid.sqlite3 from the old High Sierra.

sudo killall -9 trustd; sudo cp /path_to_old_file/valid.sqlite3 /Library/Keychains/crls/valid.sqlite3

It seems to work even after reboot.

Old file, just unzip before copying :

http://www.mediafire.com/file/m2ky3mrnon6jy49/valid.sqlite3.zip/file
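Before a revocation database is swapped for a copy from another machine or a download, it is worth seeing what actually differs between the two files beyond their size. The following is an added example, not part of the original post: it opens both copies read-only and compares table row counts. The table names in the sample are constructed placeholders, since the thread does not describe the schema of valid.sqlite3.

```python
import sqlite3
from pathlib import Path


def table_counts(db_path):
    """Return {table_name: row_count} for a SQLite file opened read-only."""
    uri = Path(db_path).resolve().as_uri() + "?mode=ro"
    con = sqlite3.connect(uri, uri=True)
    try:
        names = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
        # Table names come from the file itself, so quote them as identifiers.
        return {n: con.execute(
            'SELECT COUNT(*) FROM "{}"'.format(n.replace('"', '""'))
        ).fetchone()[0] for n in names}
    finally:
        con.close()


def compare_databases(old_path, new_path):
    """List (table, old_rows, new_rows) where the two files disagree.

    A count of None means the table is absent from that file.
    """
    old, new = table_counts(old_path), table_counts(new_path)
    return [(t, old.get(t), new.get(t))
            for t in sorted(set(old) | set(new))
            if old.get(t) != new.get(t)]


def make_sample_db(path, tables):
    """Build a constructed sample file from {table_name: number_of_rows}."""
    con = sqlite3.connect(str(path))
    with con:
        for name, rows in tables.items():
            con.execute('CREATE TABLE "{}" (v INTEGER)'.format(name))
            con.executemany('INSERT INTO "{}" VALUES (?)'.format(name),
                            [(i,) for i in range(rows)])
    con.close()


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        old, new = Path(d, "old.sqlite3"), Path(d, "new.sqlite3")
        # Constructed data; placeholder table names, not trustd's real schema.
        make_sample_db(old, {"example_a": 2, "example_b": 1})
        make_sample_db(new, {"example_a": 5, "example_c": 1})
        for row in compare_databases(old, new):
            print(row)
```

Run it against copies of the two files rather than the live /Library/Keychains/crls/valid.sqlite3.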


447 replies

Nov 24, 2020 5:42 AM in response to FrancoisQC

Possible workaround found. I still have to understand what the 3rd party app "What's Your Sign" does to the OS, but this workaround is now working for me:


  1. From a clean reboot, run in terminal "spctl --assess -v /Applications/YourApp.app"
  2. From a Finder window, under Applications, right-click (Ctrl-Click) on your app, and select "Signer Info"
  3. Enjoy your app


And I confirm that the 2 CA added manually are not required. So please, try the steps above and report if this works for you.

Nov 24, 2020 6:28 AM in response to FrancoisQC

I've been following this thread and can confirm that this worked for me. At least it's working right now. I've only had problems with the Numbers, Pages apps that I know of. IE. I didn't have this problem with Safari. I will try some other apps that I have gotten from the App Store.

EDIT:

I just tried Hype that would not open and it did open.

FWIW, I only ran the spctl terminal command on Numbers.app and it seems to have fixed the others.

Thank you FrancoisQC!


Nov 24, 2020 7:31 AM in response to GrenadeBait

If something that was launching isn't then it may involve certificates resolution. The article on the official Apple Developer Documentation feed may be a clue to the cause of apps not launching:


https://support.apple.com/guide/deployment-reference-ios/preparing-your-infrastructure-apdda9e027d2/web

==START QUOTE

Preparing your infrastructure to deploy in-house apps


Certificate validation


The first time a user opens an app, the distribution certificate is validated by contacting Apple’s OCSP server. If the certificate has been revoked, the app won’t launch. To verify the status, the device must be able to reach ocsp.apple.com.

The OCSP response is cached on the device for the period of time specified by the OCSP server—currently, between 3 and 7 days. The validity of the certificate isn’t checked again until the device has restarted and the cached response has expired. If a revocation is received at that time, the app won’t launch.


WARNING: Revoking a distribution certificate invalidates all of the apps you’ve signed with it. You should revoke a certificate only as a last resort—if you’re sure the private key is lost or you think the certificate has been compromised.


==END QUOTE


The OCSP protocol is used by sites and especially in commerce to validate certificates.


As a preliminary action-test on a temporary basis do the following:


  • Block all connections to ocsp.apple.com in your hosts file (/private/etc/hosts). Use any Unix editor of your choice such as vim or nano (simpler). This file is used by network administrators to control access of the managed users to certain hosts and domains. Add the entry 0.0.0.0 ocsp.apple.com to this file. Test if the apps launch.
  • If the previous step didn't help, disable System Integrity Protection. But first, check if it's enabled (it's safe to assume that for the overwhelming majority it is):
csrutil status


If the output ends with "enabled", System Integrity Protection is enabled. Disable it by booting from the Recovery partition. Launch Terminal (search for it in Spotlight) and run the following command, which is the automated reboot to Recovery without holding the combination ⌘-R:


sudo nvram -recovery-boot-mode=RecoveryModeDisk ; sudo reboot


You'll be prompted to enter your Mac password which you won't see while typing.


  • In Recovery, from the menu bar, choose Utilities-->Terminal. Type the following command:
csrutil disable ; nvram -d recovery-boot-mode ; reboot


You'll be brought back to your Desktop screen. Now launch the apps. If they don't launch remove 0.0.0.0 ocsp.apple.com from /private/etc/hosts and enable System Integrity Protection. To enable, enter the same 2 last commands but replace disable with enable in the second one cited.


Nov 24, 2020 7:30 AM in response to GrenadeBait

Here's the fix! Scroll to the bottom if you don't want to read my ramblings!

My Son has just had the same or similar problem, it seems the last security update affects some users differently to others, intrinsically they all have the same outcome. It screws your system!

My Son's rig is a mid 2011 Mac Mini Server running High Sierra, he uses it for music recording/editing in his studio. The outcome after he updated was a dead computer! For those that don't know, the Mac Mini Server ran a raid array, in a nutshell it's basically a system of saving your data in multiple places so if anything crashes nothing is lost, as it is available elsewhere. The update removed the ability to recognise the raid 0, effectively making it useless! Combined with his BT Broadband (business) being next to useless too this last week, it has taken a few days between us to rebuild the drive after buying a new 1TB external for transfer work, to get him up and running again! Then he finds that his copy of Logic Pro X will not work, which means he cannot access any of the projects he is working on currently! Went to the app store to re-download a fresh copy only to be told it wasn't available to High Sierra! On checking further, it seems no apps are available for High Sierra or before! It seems Apple were looking to fix a hole in security and inadvertently caused this problem!

There is a fix though, at least it has worked for my son. He now has Logic ProX working again as it should, and immediately after opening Logic Pro X, it went to the App Store and updated itself with no ill effects (so far!). Here's the link to the page but I've included the fix expanded below.

The following is the fix we used, read the quote (from Logic Pro Help page) first it is important to do it right as it uses Terminal to run code.

Best of luck to everyone with this problem, I haven't done the update on my Mini yet, I will hold off for now in the hope Apple see sense and sort the problem. This is very bad form on Apple's part! All because they want us to upgrade systems, especially since this silicon watsit and Big Sur coming online!

Take care all, keep safe and stay sane!

Doug


This worked for me yesterday - in Terminal:


sudo codesign --deep -fs - /Applications/Logic\ Pro\ X.app



It seems to allow some (but not all) apps from the High Sierra app store to launch. Happily both Logic and FCPX seem to work.


Note, it didn't work initially which I suspect was because I'd tried so many things previously that I'd probably broken stuff along the way. Making a fresh HS install yesterday and running the above worked.


Need to copy'n'paste the command exactly, as the numbers and positions of the hyphens and backslashes are critical.


Chris

Nov 24, 2020 9:35 AM in response to FrancoisQC

But yet again, the strange thing is that once I can get the app to start, I can no longer log in to the discussions.apple.com communities, as Safari then can't connect to the server I get redirected to for authentication!

No idea if this means anything… I'm researching this on behalf of a client whose laptop I just upgraded to High Sierra. I'm doing this research on my own High Sierra computer. Last night I was reading this very thread and even posted, using Safari. This morning when I logged back in I had to do the authentication thing as a new device using a six digit security code. Maybe Apple did something on their end?

Nov 24, 2020 10:32 AM in response to scrutinizer82

Reposting, as my typos have confused some people:

1- Do a clean, normal reboot.

2- Get and install What's Your Sign from https://objective-see.com/

    1. Full disclosure, I have no idea why this is required. However the thing it does when checking the signature info seems to have an impact on the next steps

3- In terminal, run

spctl --assess -v /Applications/YourApp.app


4- From a Finder window, under Applications, right-click (Ctrl-Click) on your app, and select "Signer Info"


Sure, re-signing the app with codesign may apply a new signature using some self-signed certificate. But I would not recommend this as a viable secure solution.

Nov 25, 2020 4:42 AM in response to BDAqua

This worked yesterday, but, sadly, I had to run the command again this morning to get the apps to open.

spctl --assess -v /Applications/Numbers.app

and right click on one of the Numbers.app and choose Signing Info

It worked again though.

I don't reboot this machine and it doesn't sleep. I use one of the built in screensavers and the monitor sleeps after an hour. When I wake the monitor, the screensaver asks for my password again.

I ran the spctl command using sudo this morning, but I don't see how that would make a difference.

Nov 25, 2020 12:47 PM in response to GrenadeBait

Hi guys, I was about to set up my machine again to try out the method of manually forcing the codesigning change. However, when I mentioned the solution to one of my engineers he said that it might only work as long as the App Store wasn't talking back to the ocsp servers at Apple.


He said I could try forcing the change again but blocking ocsp.apple.com (or something like that). He can't test it because they deploy all their apps internally. I would try but I just got my machine back to Sierra and it's working beautifully so I don't want to mess with it right now.


If anyone is still up to trying to find a fix for everyone then try the forced change (spctl) but block the online certificate status protocol (OCSP) and see if the apps continue to run even with App Store running.

Nov 25, 2020 1:32 PM in response to GrenadeBait

Extracting all certs out of the download app (MS Remote Desktop) using

codesign --verify --extract-certificates ...

shows the same 3 CA certificates as mentioned previously. But here is something new:



As you can see from the screenshot above, the app downloaded from Apple Store, embeds the issuer CA, which has been revoked.


So that is why all apps fail to run.

Now, where did KeyChain get this status? From a CRL or from OCSP, this is still left to know.


And why is the workaround with "What's Your Sign" working? I have no clue. Yet.


Has anyone heard of Apple revoking this certificate?


Nov 25, 2020 2:24 PM in response to Community User

hey @steven, thanks for the info. Can you try running those commands, and see if you get the same CAs:


codesign --verify --extract-certificates yourapp.app
openssl x509 -inform DER -in codesign0 -out codesign0.cer
openssl x509 -inform DER -in codesign1 -out codesign1.cer
openssl x509 -inform DER -in codesign2 -out codesign2.cer
openssl x509 -in codesign0.cer -noout -subject -serial -fingerprint
openssl x509 -in codesign1.cer -noout -subject -serial -fingerprint
openssl x509 -in codesign2.cer -noout -subject -serial -fingerprint


For codesign0, this is what I have:

subject= /CN=Apple Mac OS Application Signing/O=Apple Inc./C=US
serial=04CA81F77D5E33F7
SHA1 Fingerprint=B9:3B:DA:AA:F1:A8:84:6B:34:BA:32:33:26:35:CB:2B:84:85:3D:A8


codesign1

subject= /C=US/O=Apple Inc./OU=Apple Worldwide Developer Relations/CN=Apple Worldwide Developer Relations Certification Authority
serial=01DEBCC4396DA010
SHA1 Fingerprint=FF:67:97:79:3A:3C:D7:98:DC:5B:2A:BE:F5:6F:73:ED:C9:F8:3A:64


codesign2

subject= /C=US/O=Apple Inc./OU=Apple Certification Authority/CN=Apple Root CA
serial=02
SHA1 Fingerprint=61:1E:5B:66:2C:59:3A:08:FF:58:D1:4A:E2:24:52:D1:98:DF:6C:60


I expect that codesign1 and codesign2 will be identical, and that codesign0 will be different for you. If it is, please post the full output of

openssl x509 -in codesign0.cer
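The comparison asked for above can be done mechanically. The following is an added example, not part of the original post: it parses the `-subject -serial -fingerprint` output in both the older `/CN=...` and newer `CN = ...` subject styles and compares two chains by SHA-1 fingerprint. The first chain is the output posted in the thread; the leaf values in the second chain are constructed.

```python
import re

FP_RE = re.compile(r"sha-?1 fingerprint\s*=\s*([0-9a-f:]+)$", re.I)
# Output posted in the thread for codesign0, codesign1 and codesign2.
THREAD_CHAIN = """\
subject= /CN=Apple Mac OS Application Signing/O=Apple Inc./C=US
serial=04CA81F77D5E33F7
SHA1 Fingerprint=B9:3B:DA:AA:F1:A8:84:6B:34:BA:32:33:26:35:CB:2B:84:85:3D:A8
subject= /C=US/O=Apple Inc./OU=Apple Worldwide Developer Relations/CN=Apple Worldwide Developer Relations Certification Authority
serial=01DEBCC4396DA010
SHA1 Fingerprint=FF:67:97:79:3A:3C:D7:98:DC:5B:2A:BE:F5:6F:73:ED:C9:F8:3A:64
subject= /C=US/O=Apple Inc./OU=Apple Certification Authority/CN=Apple Root CA
serial=02
SHA1 Fingerprint=61:1E:5B:66:2C:59:3A:08:FF:58:D1:4A:E2:24:52:D1:98:DF:6C:60
"""
# Constructed second chain: made-up leaf values, same CA entries as above.
OTHER_CHAIN = """\
subject=CN = Apple Mac OS Application Signing, O = Apple Inc., C = US
serial=0123456789abcdef
sha1 Fingerprint=00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
""" + THREAD_CHAIN.split("\n", 3)[3]

def parse_chain(text):
    """Turn openssl -subject -serial -fingerprint output into one dict per cert."""
    certs = []
    for line in text.splitlines():
        key, _, value = line.strip().partition("=")
        fp = FP_RE.match(line.strip())
        if key.lower() == "subject":
            certs.append({"subject": value.strip()})
        elif certs and key.lower() == "serial":
            certs[-1]["serial"] = value.strip().upper()
        elif certs and fp:
            certs[-1]["sha1"] = fp.group(1).replace(":", "").upper()
    return certs

def compare_chains(mine, theirs):
    """Per position: 'same' or 'different' by SHA-1 fingerprint, 'missing' if absent."""
    out = []
    for i in range(max(len(mine), len(theirs))):
        if i >= len(mine) or i >= len(theirs):
            out.append((i, "missing"))
            continue
        a, b = mine[i].get("sha1"), theirs[i].get("sha1")
        out.append((i, "same" if a and a == b else "different"))
    return out

if __name__ == "__main__":
    for i, status in compare_chains(parse_chain(THREAD_CHAIN), parse_chain(OTHER_CHAIN)):
        print("codesign%d: %s" % (i, status))
```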

Nov 25, 2020 3:37 PM in response to Community User

The issue only seems to appear on new clean installs after Nov 11-ish. My org's fleet of Macs still has a lot of High Sierra and none of them are showing this error, but they were all installed before the November 11 period.


You could try installing an App Store app you don't care about to see if the issue affects your installation. On a recent clean High Sierra install none of the App Store apps are working, but on another High Sierra machine with an old installation (patched) the App Store apps are working; we haven't identified why, but it has other problems LOL.

This thread has been closed by the system or the community team. You may vote for any posts you find helpful, or search the Community for additional answers.
