When you download Minecraft on a default-configured Mac (Gatekeeper on) and try to open it, the system will report that the application is "damaged" and cannot be opened. This cannot be overridden by using Finder's Open contextual menu item, as is possible with unsigned applications. This is because the launcher is signed, but the code signature is incorrect:
$ codesign -vv Minecraft.app
Minecraft.app: invalid Info.plist (plist or signature have been modified)
In architecture: i386
The solution to this issue is for Mojang to re-sign Minecraft.app after making any changes in the .app bundle. Disabling Gatekeeper (as the official support article recommends: http://help.mojang.com/customer/portal/articles/901687-error-minecraft-is-damaged) is only a workaround and leaves systems significantly more vulnerable to malware.
Relevant docs:
Linked issues
relates to 1
Attachments
Comments 13
At the very least, you should be able to remove the invalid signature which will allow people to launch the app without turning off gatekeeper first. But I would of course prefer the code signature to be correct.
Still broken with 1.5.1. You should note that this makes Mojang look pretty unprofessional and doesn't create much trust that you know your job, especially since the fix is easy. Basically "if they don't get such a simple thing fixed, what about security of their server architecture and other online services" ...
As a side note: Broken or missing code signatures are something that I can bear with in the context of open source projects done by people which have a "real" job besides. That's not the case here. It creates the impression of "they are doing this just as some side thingy".
The new launcher appears not to be signed at all, which is an improvement over the previous state of affairs but still not ideal. I've attached the dialog that appears on my machine (and would appear on any other Mac running 10.8 still on the default security configuration) when you try and open the new launcher. The workaround is to right click the app and click "Open" which will give me the option to circumvent the security check.
The only way to get a program to launch without hassle on OS X is to sign it with a developer key. (see http://support.apple.com/kb/ht5290 for more explanation of this OS X feature) It looks like the docs linked above may already be out of date, this appears to be the most relevant documentation on how to sign your code to avoid this dialog: https://developer.apple.com/library/ios/#documentation/IDEs/Conceptual/AppDistributionGuide/DistributingApplicationsOutside/DistributingApplicationsOutside.html#//apple_ref/doc/uid/TP40012582-CH12-SW2
There are no issues with the latest launcher.
If there are, something else is up.
$ codesign -vvv /Applications/MinecraftDev.app/
/Applications/MinecraftDev.app/: valid on disk
/Applications/MinecraftDev.app/: satisfies its Designated RequirementAlso; the old launcher (the 1.5.x and earlier) will not get fixed.
This (the attached screenshot unidentifieddeveloper.png) is what I get when opening the launcher downloaded from http://s3.amazonaws.com/Minecraft.Download/launcher/MinecraftDev.dmg today.
There's no way you can argue away reality with some codesign output 😉
Anyhow.
$ codesign -dvvv -r- MinecraftDev.app/
Executable=/Volumes/MinecraftDev/MinecraftDev.app/Contents/MacOS/JavaApplicationStub
Identifier=com.Mojang Specifications.Minecraft.Minecraft
Format=bundle with Mach-O universal (i386 ppc x86_64)
CodeDirectory v=20100 size=214 flags=0x0(none) hashes=3+3 location=embedded
Hash type=sha1 size=20
CDHash=ea30c3a5abe5552bb7b96c53c2e06b3734a4bdc3
Signature size=4330
Authority=3rd Party Mac Developer Application: Mojang AB
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Signed Time=25.04.2013 17:09:21
Info.plist entries=17
Sealed Resources rules=4 files=3
designated => identifier "com.Mojang Specifications.Minecraft.Minecraft" and anchor apple generic and certificate leaf[subject.CN] = "3rd Party Mac Developer Application: Mojang AB" and certificate 1[field.1.2.840.113635.100.6.2.1] /* exists */
z
$ spctl -a -vv MinecraftDev.app/
MinecraftDev.app/: rejected
origin=3rd Party Mac Developer Application: Mojang ABYou are using the wrong certificate. "3rd Party Mac Developer Application:" is for submission to the app store google tells me. You need to use your "Developer ID Application:"
I hate this stuff. Trivial fix though!
Consider this properly fixed for the next release of the bootstrap (which will happen likely this week).
$ spctl -a -vv /Applications/MinecraftDev.app/
/Applications/MinecraftDev.app/: accepted
source=Developer ID
origin=Developer ID Application: Mojang ABAlso thanks for pointing it out Eike, documentation on this issue is .... stupidly vague 🙂
This is pretty aggravating. It's also not very fun to tell people who I recommend Minecraft to that after they buy and install it they're going to get a scary message. It's also easy to fix.