Code Signature Invalid or Missing in macOS OpenWebStart javaws.app

[jonlonergan]

Description:

Analyzing OpenWebStart javaws.app with Terminal or an application like Apparency reveals an invalid code signing certificate codesign -dr - /Applications/OpenWebStart/OpenWebStart\ javaws.app Executable=/Applications/OpenWebStart/OpenWebStart javaws.app/Contents/MacOS/JavaApplicationStub designated => always

Steps to Reproduce:

1. Open Applications > Utility > Terminal
2. Run codesign -dr - /Path/To/OpenWebStart\ javaws.app
3. Observe output: designated => always

Expected Behavior:

Expected output should be something like designated => anchor apple generic and identifier "com.OpenWebStart" and (certificate leaf[field.XXXXXXXXXX] /* exists */ or certificate 1[field.XXXXXXXXXX] /* exists */ and certificate leaf[field.XXXXXXXXXX] /* exists */ and certificate leaf[subject.OU] = XXXXXXXXXX)

Actual Behavior:

Output indicates code signature is invalid or unsigned

Environment:

OpenWebStart version: 1.9.1 ARM64 Mac and X64 Mac Operating System: macOS Sonoma 14.4.1

Impact:

Security Risks: The source and integrity of the application cannot be verified. Deployment Issues: It may be impossible for MDM administrators to manage configurations with the Application and OS, causing delays and inefficiencies in the deployment process. For example: Privacy Preferences Policy Control Trust Issues: On macOS, applications with invalid or missing signatures are often flagged by Gatekeeper and are not allowed to run by default. This could lead to trust issues, as users might be reluctant to use an application that their device flags as potentially unsafe.

[jonlonergan]

The issue is resolved with version 1.10.0. Thank you.