Error: MacDown is damaged and can’t be opened

[fowse42]

Apple official says that macOS10.15.1 is not compatible with 32-bit version programs. Does MacDown provide 64-bit versions in the future？

[FranklinYu]

There seems to be some issue with signature. I’ll discuss with @uranusjr about this.

Sorry I missed this bug before releasing. macOS won’t check signatures unless it is downloaded from Internet (“untrusted source”).

[uranusjr]

Can someone confirm whether this happens on 10.14 (Mojave), or only on 10.15?

[rschiang]

@uranusjr v0.7.2 (4cd12ce50ae29195e262ed92bfa4f748ff26dde2) is shown as corrupted on 10.14.6 as well.

[FranklinYu]

I can reproduce with v0.7.1. I have stronger sense that this is due to SIP.

[noestreich]

Can confirm. 10.14.6 is prompting me to delete the (manually dowloaded) App. Auto-Update also exits with an error.

Error after manual download:

Error after auto-update:

[FranklinYu]

@noestreich Could you please try v0.7.1?

[noestreich]

@FranklinYu No Problem with 0.7.1

Regarding 0.7.2: It's the quarantine-flag, as you already suspected. if one removes it via terminal, version 0.7.2 just starts fine.

Edit: Nice toolbar guys!

[gamebits]

Similar problems here in 10.13.6.

[ncluff]

I'm getting the same issue 😢 Version: 10.14.6

@uranusjr forgot to add you. It is happening on 10.14.x too

[nickyfoto]

Found an article talked about the quarantine issue.

https://eclecticlight.co/2019/05/03/serious-flaw-in-macos-quarantine-can-stop-you-from-opening-documents/

[FranklinYu]

I think I finally reached a conclusion.

about quarantine flag

I can’t do anything about the quarantine flag. It’s added by the browser. To verify, download the zip file (either 0.7.1 or 0.7.2, it doesn’t matter) with wget. For your convenience following command can be used:

wget https://github.com/MacDownApp/macdown/releases/download/v0.7.2/MacDown.app.zip

Then double click the zip file to extract the app as usual. You should be able to run extracted MacDown without further steps.

another factor

The “application source” preference is also related. Please check this preference on your computer. Navigation path: “System Preferences” -> “Security & Privacy” section -> “General” tab -> “Allow apps downloaded from”. For details, see this blog.

solutions

Two possible solutions:

1. Ask everyone to allow apps downloaded from anywhere.
2. I go and pay $99/year to join the developer program. This would also reveal my legal name since I don’t own a company.

[fowse42]

The macOS has become more and more hateful.

[alexkaessner]

@FranklinYu When does the notarization process reveal the legal name?

PS: I had no problem updating to 0.7.2 via Sparkle on macOS 10.15.1 (security option is on "App Store and trusted developers")

PS 2: I've edited the title of this issue that others can find it more easily…

[gamebits]

My MacOS preference was already set to allow apps downloaded from "App Store and identified developers" when I encountered this problem.

But thanks to the tip in this thread, I was able to download the file via wget, though I had to add the --no-check-certificate flag. The resulting app runs without issue. 👍

[FranklinYu]

But thanks to the tip in this thread, I was able to download the file via wget, though I had to add the --no-check-certificate flag. The resulting app runs without issue.

The --no-check-certificate shouldn’t be needed and brings security concern. I would recommend to show error here and I may be able to help.

[FranklinYu]

PS: I had no problem updating to 0.7.2 via Sparkle on macOS 10.15.1 (security option is on "App Store and trusted developers")

If I understand correctly, Sparkle would bypass this issue because it’s not downloading with browser.

When does the notarization process reveal the legal name?

According to this forum thread legal name is exposed unless I create a legal company. Do you have first-hand experience, or know someone with first-hand experience to verify? If I can hide my legal name from user (no need to hide from Apple) then it would be great.

[alexkaessner]

@FranklinYu I can agree that the legal name is exposed when distributing via Mac App Store. Though I'm not sure if the developer account name will be shown somewhere when only using it to notarize apps. But I only have experience releasing on the MAS, so I'm not 100% sure.

[harp79]

as far as I know it is not publicly shown, but can be dumped in Terminal with spctl -a -vv e.g.:

harp% spctl -a -vv BetterTouchTool.app/
BetterTouchTool.app/: accepted
source=Notarized Developer ID
origin=Developer ID Application: Andreas Hegenberg (DAFVSXZ82P)

harp% spctl -a -vv Carbon\ Copy\ Cloner.app/
Carbon Copy Cloner.app/: accepted
source=Notarized Developer ID
origin=Developer ID Application: Bombich Software, Inc. (L4F2DED5Q7)

[FranklinYu]

Can confirm what @harp79 said.

~ % spctl --assess -vv '/Applications/KeyStore Explorer.app'
/Applications/KeyStore Explorer.app: accepted
source=Developer ID
origin=Developer ID Application: Kai Kramer (BKXPBP395L)

[FranklinYu]

Sadly this can’t be bypassed by Homebrew Cask. See Homebrew/homebrew-cask#70798

[nambot]

I tried installing v.0.7.2 (on Mojave, 10.14.6) both via browser download and homebrew cask, and both yielded the, "Macdown is damaged and can't be opened..." error message. I'm used to troubleshooting the Privacy "Open Anyway" error, but this is different. I downloaded v.0.7.1 and it worked perfectly, so I'm using that.

Love the app! Also, there is a blatant clone of Macdown in the App store called MarkEditor.

[alexkaessner]

Also, there is a blatant clone of Macdown in the App store called MarkEditor.

Oh no and they even charge $0,99 for it! I think it would make sense to distribute MacDown via Mac App Store as well, but sure that doesn't fix the problem with the name reveal.

[FranklinYu]

@alexkaessner We can do nothing as long as they abide by the MIT license. This is expected. If @uranusjr didn’t want this he would have chosen something like MPL.

I have been looking for ways to signing open source software with shared developer account. There is no existing service like this. I would contact various foundations to see whether they are interested in such services.

[uranusjr]

Yeah, and the reason is I’m actually totally fine with people selling this code on App Store (as long as the license is honoured, of course).

That said, many of those entries on App Store don’t actually honour the license. I haven’t checked this MarkEditor in particular, but I have submitted multiple claims to Apple for unattributed code reuse.

[richardsprague]

I was able to get it to run using the wget trick described above: wget https://github.com/MacDownApp/macdown/releases/download/v0.7.2/MacDown.app.zip

But I have two issues:

1. the preview pane refreshes on each keystroke, causing an annoying flicker.
2. I like the idea of the new insert image feature, but it appears to insert a full-size binary string version of the image, rather than a simple link. Is it possible to drag/drop an image and have it insert just the link?

Overall this is an excellent app -- my favorite for markdown editing on Mac. Thanks again for all you do.

[FranklinYu]

@richardsprague first one is #1104. Please create an issue for second one and we would track it there.

[tempelmann]

This still has the "help wanted" tag. Is there something we can help with? The download issue (which affects both Sparkle download and manual download with a web browser) should get fixed ASAP. I'd happy to help, I have published several Mac apps and can provide assistance.

[subdigital]

If you do decide to setup a company and pay to join the Apple Developer program I'm happy to donate to this cause. I've been using MacDown for years and it's still my favorite quick markdown editor.

[tempelmann]

I agree with @subdigital - if @uranusjr has trouble setting up an account or accepting (Paypal) donations due to his location, and if @FranklinYu can do it more easily from CA, I'd be happy to support you in any way, too. Also, I could offer to sign (and notarize) the tools for you, although for uploading it to the Mac App Store (which I recommend, and then ask for $2 or $5 for it) it's better if one of the authors has control over it.

[CoryFoy]

~@FranklinYu If you are US based, setting up an LLC is incredibly easy. You basically create an EIN and then register with the state, which for CA looks like is here and typically is pretty inexpensive. You can then use that as your name for filing for the Apple programs or anything else. Happy to walk you through it if it's helpful as I love MacDown and always happy to contribute back however I can.~ (Removing because Franklin noted he may live in CA but isn't a resident. Nothing is ever as simple as it seems. Sorry Franklin!)

[FranklinYu]

@CoryFoy @tempelmann It's less about the money. I'm not a permanent resident (in legal sense) here and there is some visa issue for me to own a company.

I would be talking to my lawyer about this, but for now I cannot guarantee anything. Even if it turn out to be possible, it would not be that fast. I have to be careful not to offend either USCIS or my employer (who sponsors my visa).

I'm also considering about 501(c)(3) as another option, which may or may not be easier than Single Member LLC as mentioned above.

[youngd24]

Reporting the manual wget worked for me on Catalina 10.15.1, good luck with the long-term fix. Love this thing!

[fowse42]

Thank you all. I am a writer and I do not know much about code. But the CLI download can work normally except brew install, Thank you again for your work.

[nickyfoto]

I don't think we should close this issue unless we have other thread to track down specific problems that caused this damage.

The reason is that other users may report the same problem without looking our discussing here. (I suppose most users use and update this app with GUI.)

Since the title and the description is not specific to the cause of this problem. If we decide to close this one I suggest maintainers may open other thread to track more specific issue that causes this problem.

[FranklinYu]

1115 proves what @nickyfoto said.

[edrozenberg]

I see the same "Damaged" issue with the official download Version 0.7.2 (1008) MacDown.app.zip (md5sum cf541ca7d283f15faad484c796ba4e84). Mojave 10.14.6 (18G1012)

Issue seen when unzipping with default MacOS Archive Utility.

Issue NOT seen/issue fixed when unzipping with another utility (Archiver.app in my case). Could be other 3rd party unzip utilities would also work, haven't tried.

[tempelmann]

The reason why the issue only occurs with Apple's unzip tool is probably because that's the only one that adds the quarantine flags to the unzipped app, and only if these flags are set, GateKeeper will check the signature of the app when it gets launched the first time. Which means: The app is incorrectly code signed.

[FranklinYu]

@tempelmann Please read through the thread to see why it wasn't signed.

[tempelmann]

@FranklinYu I believe you're wrong: If it were not signed, then we'd not see these issues - instead, macOS would simply say it's not signed, and users would have to open it with a right-click. However, the app has a bad signature, which causes more problems, because now macOS tries to check it and finds it being incorrect. You can tell that it has a (bad) signature by looking at the app's package contents: You'll find a _CodeSignature folder in there - if you were right, then there would be no such folder.

[OutsourcedGuru]

I'm getting similar problems attempting any of the following:

• When prompted in MacDown to update, indicating yes (fails in a GUI/friendly way)
• Visiting the website, clicking the download link and trying to run it from Downloads (Apple dialog indicates that it's corrupt and suggests to move to Trashcan)
• From a terminal brew cask install macdown (Apple dialog indicates that it's corrupt and suggests to move to Trashcan)

Fortunately, I chose to copy/paste in Finder from Applications -> MacDown to the Desktop and was able to reverse this for the win. At least I have a working version.

macOS Mojave 10.14.5 Working MacDown version: 0.7.1

[FranklinYu]

@tempelmann Technically you’re correct, but Apple treats “not signed” similar to “signed incorrectly” (which is understandable). I removed the signature by following steps:

1. Download the Zip file and unzip it.
2. Remove the code signature folder _CodeSignature.
3. Open Info.plist and remove the key-value pair CFBundleSignature. I did this with Vim but you can use Xcode as a GUI editor.

When I open MacDown, macOS still prompts me with the same message. Please comment if you observe different behavior or believe that code signature can’t be removed this way.

[tempelmann]

@FranklinYu

1. The CFBundleSignature in the Info.plist has a totally different purpose and is not relevant for this topic.
2. You are partially correct, since I made a mistake before: It's is not enough to remove the _CodeSignature folder to remove all code signing. If you then test the app with RB App Checker Lite, it'll tell you that it still finds a signature. So, it's necessary to remove the signature from the executables (MacOS/MacDown, SharedSupport/bin/macdown and Sparkle) as well. I did that with this tool: https://stackoverflow.com/a/26320600/43615
3. After that, I was able to run the app, even after zipping it, upload it to a server, and download again with Safari (it then says the app is from an unidentified developer and not any more that it's damaged).

This concludes that it's just the bad signing, as I said before. Instead of signing it with a personal cert, it should not be signed at all, and we're good. Or, just have someone with a paid Mac developer account perform the signing. I could do that (including Notarization for Catalina) if no one else volunteers.

Also, the Sparkle.framework is incorrectly embedded: It must use symlinks for the items in its root dir, but instead it duplicates the tool and resources multiple times, wasting space. And it also has a code signature that should not be there.

[hernanBeiza]

I got MacDown ver 0.7.1 (870). I tried to update today I get this error: By the way, I close everything and the app opened again, with the previus ver 0.7.1 (870).

PD: I am using macOS Sierra (10.12.6)

[wayneage]

I installed via brew and got this issue, but running sudo xattr -r -d com.apple.quarantine /Applications/MacDown.app solved the problem for me, similar to what you mentioned @FranklinYu about the downloaded dmg.

[Wildchild9]

I installed Macdown using Homebrew with the command:

brew cask install macdown

I got this issue upon trying to open Macdown after its installation. This also appeared during an earlier attempt to download Macdown as a dmg. Running the following command got rid of the issue:

sudo xattr -r -d com.apple.quarantine ~/../../Applications/MacDown.app

Note: if you downloaded Macdown as a dmg, be sure to move Macdown to your Applications folder before running the command.

Now I am able to open and use Macdown. Thanks to @noestreich for the fix!

[tempelmann]

The proper fix would be that someone re-uploads the zip file, making sure it's not signed at all. Then people should be able to update it without troubles and those who download it manually could open it with right-clicking the app, then choosing "Open".

[Morane]

Hi,

Still impossible to update to 0.7.2 ! The file downloaded is always corrupted (says OS X) 😩! I’m under High Sierra. Do you plan to fix it soon ? Thanks.

Alain

[edrozenberg]

Hi,

Still impossible to update to 0.7.2 ! The file downloaded is always corrupted (says OS X) 😩! I’m under High Sierra. Do you plan to fix it soon ? Thanks.

Alain

Either use a different unzip tool (not the Apple default one) - this will prevent the quarantine flag being added to the unzipped app. Or use one of the suggestions earlier in this thread to remove quarantine flag from the app and be able to run it.

[FranklinYu]

Hi everybody. Sorry for the delay.

I revisited the issue today. Xcode would only archive (Apple’s term for “build and export”) an application with a signature, be it signed with a local (self-signed) certificate, or a valid certificate from Apple. Luckily, a hidden flag of codesign seems to work. I would upload a version this weekend (don’t have too much time Monday to Friday) with signature removed this way.

After this mess, we would still need a long-term solution since this hidden flag trick is unreliable.

[tempelmann]

@FranklinYu instead of using the Archive command you could also add a second target, and set its scheme to build for Release instead of Debug. Also, in the build settings for this target, remove all code sign settings. Then you could just build the app for that target, and then zip it manually afterwards. That's what I do with several tools I make. If you need help with that, let me know and I'll do a pull request with the changes.