Opened 5 years ago

Closed 5 months ago

#14523 closed defect (outdated)

wxPython OSX binaries won't install on MacOS 10.8 Mountain Lion - need signing

Reported by: Marginal Owned by: robind
Priority: high Milestone:
Component: wxPython Version:
Keywords: Cc:
Blocked By: Blocking:
Patch: no

Description

MacOS 10.8 Mountain Lion has a new "feature" called GateKeeper which, on it's default setting, prevents installation / running of unsigned packages / apps.

All of the wxPython packages available from http://www.wxpython.org/download.php fall foul of this; when the user double-clicks on an installer package he gets a dialog:
"“wxPython2.9-osx-cocoa-py2.7.pkg” is damaged and can’t be opened. You should eject the disk image."

And using the spctl tool:
$ spctl -a -v -t install /Volumes/wxPython2.9-osx-2.9.4.0-cocoa-py2.7/wxPython2.9-osx-cocoa-py2.7.pkg
/Volumes/wxPython2.9-osx-2.9.4.0-cocoa-py2.7/wxPython2.9-osx-cocoa-py2.7.pkg: bundle format unrecognized, invalid, or unsuitable

Change History (14)

comment:1 follow-up: Changed 5 years ago by csomor

Robin, do you have a cert for codesigning ?

as a short time measure, this should help:

http://www.toolfarm.com/blog/entry/installing_osx_10.8_mountain_lion_please_read

comment:2 in reply to: ↑ 1 Changed 5 years ago by Marginal

The workaround of temporarily turning off Gatekeeper does work (but obviously not ideal).

I don't know why the user sees "... is damaged and can’t be opened. You should eject the disk image." instead of the more usual "... can't be opened because it is from an unidentified developer".

FYI some notes on the user experience of Gatekeeper at http://support.apple.com/kb/HT5290 .

comment:3 Changed 5 years ago by robind

  • Owner set to robind
  • Status changed from new to accepted

Well considering that I'm using a script that even predates PackageMaker to assemble the package from scratch I guess we should be amazed that it lasted this long before having problems. :-)

comment:4 Changed 5 years ago by bbum

Workaround; go to Terminal and use the installer command line tool directly:

sudo installer -pkg /Volumes/wxPython2.9-osx-2.9.4.0-cocoa-py2.7/wxPython2.9-osx-cocoa-py2.7.pkg -target /
installer: Package name is wxPython2.9-osx-cocoa-py2.7
installer: Upgrading at base path /
2012-08-12 07:54:13.385 installer[68950:5b03] Package /Volumes/wxPython2.9-osx-2.9.4.0-cocoa-py2.7/wxPython2.9-osx-cocoa-py2.7.pkg uses a deprecated pre-10.2 format (or uses a newer format but is invalid).
installer: The upgrade was successful.

comment:5 Changed 5 years ago by csomor

even better, thanks for the workaround, Bill

comment:6 Changed 4 years ago by abarnert

Since this has been open for 18 months, and the 3.0 release still has the same problem, it might be worth explaining the problem and the workarounds on the download page.

comment:7 Changed 3 years ago by vyakunin

Is this going to be fixed?

comment:8 Changed 3 years ago by vadz

  • Component changed from build to wxPython
  • Priority changed from critical to high

Any suggestions for fixing the problem or, better, patches doing it would be welcome. In the meanwhile I can only recommend using the workaround above.

comment:9 Changed 3 years ago by eco

Just hit this with Yosemite.

I'd consider this critical. It affects endusers, not just developers (who are used to and understand how to run root Terminal commands).

Robin, maybe put the workaround on the download page of wxPython until a proper fix comes out (or include the workaround as a script in the download).

comment:10 Changed 10 months ago by vadz

I have no idea what to do about this, but this is definitely by far the most often reported wxPython bug, we had half a dozen reports in wxTrac alone (and more elsewhere). It would be great if somebody could at least explain what needs to be done here.

comment:11 Changed 10 months ago by TcT

An outline of the necessary steps for OS X code signing of wxPython:

  1. The legacy package format used by wxPython .pkg can not be code signed
  2. It could probably be packaged in the modern (single file) format when using pkgbuild and productbuild.
  3. Create a wxWidgets developer team at https://developer.apple.com/developer-id/ (about $99/Year, maybe there is an open source discount? but probably not this is apple after all)
  4. Create an OS X Distribution Certificate
  5. Use that certificate to sign the .pkg (and/or .dmg) using productsign --sign "Developer ID Installer: wxWidgets"

With the .pkg signed with that it would simply be installed without changing the settings.

The team account can have different access levels for different members (members are added with their apple id, you can be a member of different teams with a single apple id).

comment:12 Changed 10 months ago by phillman5

The work around mentioned by bbum doesn't seem to work for El Capitan or later. However Stephane Laouche, an Python developer of OpenFilters says:

A working installer for Mac El Capitan seems to be available in pre-release (it worked for me):

https://groups.google.com/forum/#!topic/wxpython-dev/TMnoeAgf2Wg

The developer of wxpython should mention this here as a solution.

comment:13 Changed 7 months ago by jralls

I downloaded wxPython3.0-osx-3.0.2.0-cocoa-py2.7.dmg and ran codesign -vvvd on the contents. The result was
/Volumes/wxPython3.0-osx-3.0.2.0-cocoa-py2.7/wxPython3.0-osx-cocoa-py2.7.pkg: bundle format unrecognized, invalid, or unsuitable

So the problem isn't signing but rather that the .pkg is malformed, probably because Robin is using tools which are too old.

http://matthew-brett.github.io/docosx/flat_packages.html has some information on so-called "flat packages" along with a skeleton procedure for creating and examining them.

comment:14 Changed 5 months ago by robind

  • Resolution set to outdated
  • Status changed from accepted to closed

Closing old Phoenix tickets...

If this is still an issue in wxPython 4.0.0a1 then please open a new issue (or PR) at the wxPython-Phoenix project page on Github: https://github.com/wxWidgets/Phoenix

Note: See TracTickets for help on using tickets.