Opened 6 years ago
Closed 14 months ago
#14523 closed defect (outdated)
wxPython OSX binaries won't install on MacOS 10.8 Mountain Lion - need signing
| Reported by: | Marginal | Owned by: | robind |
|---|---|---|---|
| Priority: | high | Milestone: | |
| Component: | wxPython | Version: | |
| Keywords: | Cc: | ||
| Blocked By: | Blocking: | ||
| Patch: | no |
Description
MacOS 10.8 Mountain Lion has a new "feature" called GateKeeper which, on it's default setting, prevents installation / running of unsigned packages / apps.
All of the wxPython packages available from http://www.wxpython.org/download.php fall foul of this; when the user double-clicks on an installer package he gets a dialog:
"“wxPython2.9-osx-cocoa-py2.7.pkg” is damaged and can’t be opened. You should eject the disk image."
And using the spctl tool:
$ spctl -a -v -t install /Volumes/wxPython2.9-osx-2.9.4.0-cocoa-py2.7/wxPython2.9-osx-cocoa-py2.7.pkg
/Volumes/wxPython2.9-osx-2.9.4.0-cocoa-py2.7/wxPython2.9-osx-cocoa-py2.7.pkg: bundle format unrecognized, invalid, or unsuitable
Change History (14)
comment:1 follow-up: ↓ 2 Changed 6 years ago by csomor
comment:2 in reply to: ↑ 1 Changed 6 years ago by Marginal
The workaround of temporarily turning off Gatekeeper does work (but obviously not ideal).
I don't know why the user sees "... is damaged and can’t be opened. You should eject the disk image." instead of the more usual "... can't be opened because it is from an unidentified developer".
FYI some notes on the user experience of Gatekeeper at http://support.apple.com/kb/HT5290 .
comment:3 Changed 6 years ago by robind
- Owner set to robind
- Status changed from new to accepted
Well considering that I'm using a script that even predates PackageMaker to assemble the package from scratch I guess we should be amazed that it lasted this long before having problems. :-)
comment:4 Changed 6 years ago by bbum
Workaround; go to Terminal and use the installer command line tool directly:
sudo installer -pkg /Volumes/wxPython2.9-osx-2.9.4.0-cocoa-py2.7/wxPython2.9-osx-cocoa-py2.7.pkg -target /
installer: Package name is wxPython2.9-osx-cocoa-py2.7
installer: Upgrading at base path /
2012-08-12 07:54:13.385 installer[68950:5b03] Package /Volumes/wxPython2.9-osx-2.9.4.0-cocoa-py2.7/wxPython2.9-osx-cocoa-py2.7.pkg uses a deprecated pre-10.2 format (or uses a newer format but is invalid).
installer: The upgrade was successful.
comment:5 Changed 6 years ago by csomor
even better, thanks for the workaround, Bill
comment:6 Changed 4 years ago by abarnert
Since this has been open for 18 months, and the 3.0 release still has the same problem, it might be worth explaining the problem and the workarounds on the download page.
comment:7 Changed 4 years ago by vyakunin
Is this going to be fixed?
comment:8 Changed 4 years ago by vadz
- Component changed from build to wxPython
- Priority changed from critical to high
Any suggestions for fixing the problem or, better, patches doing it would be welcome. In the meanwhile I can only recommend using the workaround above.
comment:9 Changed 3 years ago by eco
Just hit this with Yosemite.
I'd consider this critical. It affects endusers, not just developers (who are used to and understand how to run root Terminal commands).
Robin, maybe put the workaround on the download page of wxPython until a proper fix comes out (or include the workaround as a script in the download).
comment:10 Changed 19 months ago by vadz
I have no idea what to do about this, but this is definitely by far the most often reported wxPython bug, we had half a dozen reports in wxTrac alone (and more elsewhere). It would be great if somebody could at least explain what needs to be done here.
comment:11 Changed 19 months ago by TcT
An outline of the necessary steps for OS X code signing of wxPython:
- The legacy package format used by wxPython .pkg can not be code signed
- It could probably be packaged in the modern (single file) format when using pkgbuild and productbuild.
- Create a wxWidgets developer team at https://developer.apple.com/developer-id/ (about $99/Year, maybe there is an open source discount? but probably not this is apple after all)
- Create an OS X Distribution Certificate
- Use that certificate to sign the .pkg (and/or .dmg) using productsign --sign "Developer ID Installer: wxWidgets"
With the .pkg signed with that it would simply be installed without changing the settings.
The team account can have different access levels for different members (members are added with their apple id, you can be a member of different teams with a single apple id).
comment:12 Changed 19 months ago by phillman5
The work around mentioned by bbum doesn't seem to work for El Capitan or later. However Stephane Laouche, an Python developer of OpenFilters says:
A working installer for Mac El Capitan seems to be available in pre-release (it worked for me):
https://groups.google.com/forum/#!topic/wxpython-dev/TMnoeAgf2Wg
The developer of wxpython should mention this here as a solution.
comment:13 Changed 16 months ago by jralls
I downloaded wxPython3.0-osx-3.0.2.0-cocoa-py2.7.dmg and ran codesign -vvvd on the contents. The result was
/Volumes/wxPython3.0-osx-3.0.2.0-cocoa-py2.7/wxPython3.0-osx-cocoa-py2.7.pkg: bundle format unrecognized, invalid, or unsuitable
So the problem isn't signing but rather that the .pkg is malformed, probably because Robin is using tools which are too old.
http://matthew-brett.github.io/docosx/flat_packages.html has some information on so-called "flat packages" along with a skeleton procedure for creating and examining them.
comment:14 Changed 14 months ago by robind
- Resolution set to outdated
- Status changed from accepted to closed
Closing old Phoenix tickets...
If this is still an issue in wxPython 4.0.0a1 then please open a new issue (or PR) at the wxPython-Phoenix project page on Github: https://github.com/wxWidgets/Phoenix
Robin, do you have a cert for codesigning ?
as a short time measure, this should help:
http://www.toolfarm.com/blog/entry/installing_osx_10.8_mountain_lion_please_read