Wire won't open on MacOS 11 due to codesigning

[fmccann]

Wire version: 3.26.4145 (4145) Operating system: macOS 11.6 (20G165) Which antivirus software do you have installed: ClamXAV

What steps will reproduce the problem?

1. Launch application

What is the expected result?

Wire should open

What is the actual result?

Fails to open with dialog "You do not have permission to open the application “Wire”."

Please provide any additional information below. Attach a screenshot if possible.

Hardware Model: MacBookPro12,1 Process: Wire [3798] Path: /Applications/Wire.app/Contents/MacOS/Wire Identifier: com.wearezeta.zclient.mac Version: 3.26.4145 (4145) Code Type: X86-64 (Native) Role: Foreground Parent Process: launchd [1] Coalition: com.wearezeta.zclient.mac [1373]

Date/Time: 2021-10-09 12:09:20.9637 -0400 Launch Time: 2021-10-09 12:09:20.9498 -0400 OS Version: macOS 11.6 (20G165) Release Type: User Report Version: 104

Exception Type: EXC_CRASH (SIGKILL (Code Signature Invalid)) Exception Codes: 0x0000000000000000, 0x0000000000000000 Exception Note: EXC_CORPSE_NOTIFY Termination Reason: CODESIGNING; [1]

[noaho]

I have this issue too from yesterday, also I got this scary message.

Installed from Homebrew, since I don't log on to mac app store on this computer.

[Githubmoses]

Same problem. Different message: "Wire quit unexepectedly. Click Report to see more detailed information and send a report to Apple." PROBLEM: "Termination Reason: Namespace CODESIGNING, Code 0x1"

PROBLEM DETAILS:

Process: Wire [65668] Path: /Applications/Wire.app/Contents/MacOS/Wire Identifier: com.wearezeta.zclient.mac Version: ??? Code Type: X86-64 (Native) Parent Process: ??? [1] Responsible: Wire [65668] User ID: 501

Date/Time: 2021-10-11 22:29:46.164 -0500 OS Version: Mac OS X 10.15.7 (19H2) Report Version: 12 Bridge OS Version: 4.6 (17P6610) Anonymous UUID: 0DD36AE0-CE74-4119-AA7E-0F91CA1C20E2

Time Awake Since Boot: 110000 seconds

System Integrity Protection: disabled

Crashed Thread: 0

Exception Type: EXC_CRASH (Code Signature Invalid) Exception Codes: 0x0000000000000000, 0x0000000000000000 Exception Note: EXC_CORPSE_NOTIFY

Termination Reason: Namespace CODESIGNING, Code 0x1

kernel messages:

VM Regions Near 0 (cr2): --> __TEXT 000000010704c000-0000000107074000 [ 160K] r-x/r-x SM=COW

Thread 0 Crashed: 0 ??? 0x0000000113db3000 _dyld_start + 0

Thread 0 crashed with X86 Thread State (64-bit): rax: 0x0000000000000000 rbx: 0x0000000000000000 rcx: 0x0000000000000000 rdx: 0x0000000000000000 rdi: 0x0000000000000000 rsi: 0x0000000000000000 rbp: 0x0000000000000000 rsp: 0x00007ffee8bb3c70 r8: 0x0000000000000000 r9: 0x0000000000000000 r10: 0x0000000000000000 r11: 0x0000000000000000 r12: 0x0000000000000000 r13: 0x0000000000000000 r14: 0x0000000000000000 r15: 0x0000000000000000 rip: 0x0000000113db3000 rfl: 0x0000000000000200 cr2: 0x0000000000000000

Logical CPU: 0 Error Code: 0x00000000 Trap Number: 0

Binary Images: 0x10704c000 - 0x107073ff3 +??? (0) <78B92786-16F2-3C2B-86DC-F633B22A7F09> (null) 0x113db2000 - 0x113e43f47 +??? (750.6) <1D318D60-C9B0-3511-BE9C-82AFD2EF930D> (null)

External Modification Summary: Calls made by other processes targeting this process: task_for_pid: 0 thread_create: 0 thread_set_state: 0 Calls made by this process: task_for_pid: 0 thread_create: 0 thread_set_state: 0 Calls made by all processes on this machine: task_for_pid: 62852 thread_create: 0 thread_set_state: 0

VM Region Summary: ReadOnly portion of Libraries: Total=996K resident=0K(0%) swapped_out_or_unallocated=996K(100%) Writable regions: Total=8404K written=0K(0%) resident=0K(0%) swapped_out=0K(0%) unallocated=8404K(100%)

                            VIRTUAL   REGION 

REGION TYPE SIZE COUNT (non-coalesced) =========== ======= ======= STACK GUARD 56.0M 1 Stack 8192K 1 DATA 232K 3 DATA_CONST 20K 1 LINKEDIT 256K 3 TEXT 744K 2 shared memory 8K 2 =========== ======= ======= TOTAL 65.2M 13

[Githubmoses]

Forgot to mention: I also install from homebrew. Don't use apple logins. Updated homebrew, updated/installed/reinstalled wire in brew. Same problem persists.

[StormPooper]

Quit Wire and when I re-opened it today I get the same permission error dialogue. I've done the same as Githubmoses with no luck, as well as installed it manually from GitHub, no change.

Here's the relevant section from the Report log:

Exception Type:        EXC_CRASH (Code Signature Invalid)
Exception Codes:       0x0000000000000000, 0x0000000000000000
Exception Note:        EXC_CORPSE_NOTIFY

Termination Reason:    Namespace CODESIGNING, Code 0x1

Also tried a couple of suggestions online to no avail (manually using codesign broke it even worse, removing the com.apple.quarantine xattr did nothing.

[core-code]

this happens because the code signature has been revoked

com.wearezeta.zclient.mac/Payload/Wire.app: CSSMERR_TP_CERT_REVOKED

[tomaaron]

Does anybody found a workaround for this? I've tried to use older wire version but without luck

[Aersoftler]

You can use the web app instead: https://app.wire.com/

[noaho]

Web app means I lose all my message history..

[StormPooper]

I installed from the app store as a workaround and it kept my chat history.

[Githubmoses]

No snark intended: it's obvious that many do not use the "app" store. I am sure that the reasons why would also be obvious. It is pretty clear to everyone that the code signature has been revoked. We are wanting to know WHY this happened and WHEN it will be fixed. While the web work around is okay as a temp fix, it's not an idea solution. I suspect this is an issue related to the developers assuming code signing will not be checked after first run. Clearly apple is attempting to force people to be tracked at the app level by logging into the mothership with an apple ID in order for a mac to be fully operational. This should be fought on every level. And if you don't know why, you are most definitely part of the problem.

[StormPooper]

Completely agree that using the app store version isn't a fix, hence my calling it a workaround. I only suggested it because it works better than using the web app, if people have the option until this is fixed.

[core-code]

We are wanting to know WHY this happened

especially because the signature is usually only revoked when Apple learns that a developer has done something so malicious that they don't want Mac users to be able to use their apps anymore...

[chriseomi]

Like others here, after upgrading to macOS Montery, Wire.app would not launch without crashing.

After playing around earlier with removing codesigning, I was able to launch the non-MAS version of Wire.app

The command used is as follows:

find /Applications/Wire.app -name "*" -execdir sudo codesign --force --deep --sign - {} \;

This enumerates the main app bundle and all sub-bundles and replaces the faulty codesign with a self signed machine signature.

Perhaps this will work for you, until we have an official solution.

[suhancz]

I'm not sure if it's the same issue, but I'm getting the following error message when trying to start Wire 3.26.4145 installed by homebrew on MacOS Monterey 12.0.1:

$ open /Applications/Wire.app
The application cannot be opened for an unexpected reason, error=Error Domain=RBSRequestErrorDomain Code=5 "Launch failed." UserInfo={NSLocalizedFailureReason=Launch failed., NSUnderlyingError=0x600002324ea0 {Error Domain=NSPOSIXErrorDomain Code=153 "Unknown error: 153" UserInfo={NSLocalizedDescription=Launchd job spawn failed}}}

Trying the workaround @chriseomi suggested breaks it even more, not even getting any error message.

[Githubmoses]

@chriseomi - thanks! your solution totally worked for me on iOS.

The command used is as follows:

find /Applications/Wire.app -name "*" -execdir sudo codesign --force --deep --sign - {} \;

[core-code]

we've now removed support for updating 'wire' from #MacUpdater due to their revoked certificate.

[tlebon]

Some context from the Wire side: We do not support or maintain this homebrew version.

Certificates do change (or expire) from time to time, and the mac store version is always signed using the correct certificate.

We can't verify the legitimacy or security of the homebrew version.

If you prefer not to use the Mac store, please just use the web client @ https://app.wire.com.

You can export your history from the first page in settings.

I will close this for now.

[core-code]

there is no "homebrew version", this bug report concerns you official binaries!

homebrew cask always installs apps from their official download site, so it doesn't matter if the app has been installed using HBC or installed manually.

if you only want to support the Mac App Store version and the macOS binaries from the GitHub release page are not meant to be used, please remove them.

[tlebon]

thanks for the insight on that. ill follow up more.

[tlebon]

Can someone confirm this issue is still affecting them? When I download the binary from github it works fine on my computer.

[core-code]

the issue is still present in the latest download ( https://github.com/wireapp/wire-desktop/releases/download/macos%2F3.29.4477/Wire.pkg ) though the details have changed slightly.

previously Wire could not be launched because your certificate was revoked. now the app cannot be launched because you are using the wrong certificate for signing.

trying to launch the app still fails unless gatekeeper is disabled or circumvented:

why does the app fail to launch?

codesign -dvv /Applications/Wire.app 
Executable=/Applications/Wire.app/Contents/MacOS/Wire
Identifier=com.wearezeta.zclient.mac
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20400 size=477 flags=0x0(none) hashes=4+7 location=embedded
Signature size=4869
Authority=Apple Distribution: Wire Swiss GmbH (EDF3JCE8BC)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Signed Time=11 Oct 2022 at 15:30:10
Info.plist entries=35
TeamIdentifier=EDF3JCE8BC
Sealed Resources version=2 rules=13 files=8
Internal requirements count=1 size=192

you've used a "Apple Distribution" certificate. this is only valid for uploading software to Apple's Mac App Store. to distribute downloadable software to end-users you need to use your "Developer ID" certificate

[tlebon]

ah incredible, thanks for the info! this will take a little work but that makes perfect sense.