nwjs/nw.js

ARM64 Error | “app” is damaged and can’t be opened. You should move it to the Trash.

bedirhanmanim opened this issue · 12 comments

Issue Type

Before opening an issue, please search and see if it has already been raised.

  • Bug Report

  • Feature Request

  • Successfully reproduced against the latest version of NW.js?

Please use our mailing list or Gitter chatroom to ask questions. The issue tracker is only for bugs and feature requests, in English only. Please note that issues without a repro or code snippet are less likely to be resolved.

Current/Missing Behavior

Its arm64 app.

“myapp” is damaged and can’t be opened. You should move it to the Trash.
Screenshot 2024-01-11 at 20 29 22

After run this command its work but how can i distribute my app?
xattr -cr /Users/bedirhansamsa/myapp.app

Expected/Proposed Behavior

Open app with no warning

Additional Info

  • Operating System: MacOS Sonoma
  • NW.js Version: 0.83.0
  • Repro Link:
  • Code snippet:
  • Crash report:

The issue persists. The warning for damaged apps should not occur. macOS allows unsigned apps to run. To run unsigned apps, right-click and select 'open' from the context menu. However, this is not possible with NWJS, which should be considered a bug. It shows this 'damaged' warning instead even if you select open from context menu.

Other issues suggest running xattr commands, but this solution does not persist across systems when you package the app in a dmg.

I am also experiencing this issue on v0.84.0; it warns that the app is damaged instead of prompting that it is from an unknown source. Running the x64 build through Rosetta 2 gives the proper security prompt. Ironically, this issue makes it more convenient to use a binary for a different architecture.

Not an NW.js issue .. it's an Arm64 build and Gatekeeper issue. If you create a native Silicon app with NW.js, Electron (whatever), it's required to be signed and notarised if you're going to distribute it - without the user getting that error notice?

If you create the app locally for yourself and it works ... don't expect it to distribute across a network? There's plenty of discussions online going back several years: Not a recent issue, or just related to NW.js builds?

Ad-hoc signing may not even be enough anymore ... but some reckon it will reduce the notice to the less serious one (like you'd get with x64).

Fetch an (unsigned) arm64 .zip/.pkg download, using an alternative Download Manager app, and it will open normally (a simple double-click!). It's your Mac's browser that's doing the checks .. and adding the Quarantine flags?

Me, I just use: xattr -cr.

Yes, I confirm that ad hoc signing removes the "damaged" message, but ad hoc does not provide any cryptographic guarantees be mindful of that.

The way Gatekeeper works is that as long as you build and distribute the application internally (lan, samba, usb flash drive, etc), it will not show you a message, but as long as you or your users download the application from the internet, MacOS will automatically add an attribute to the file as "quarantined" and GK will be triggered. For the experience to be seamless you need to pay apple to notarize your app.

Same problem for me in v0.85.0

After building your application, simply sign it:

codesign --force --deep -s - yourApp.app

detailed information: https://wiki.lazarus.freepascal.org/Code_Signing_for_macOS#Ad_hoc_signing

If you don't have macOS you can use a virtual machine for this:
https://github.com/kholia/OSX-KVM
https://github.com/sickcodes/Docker-OSX

I also see an alternative but I not sure about it: https://github.com/zhlynn/zsign

It says "the specified item could not be found in the keychain."

It says "the specified item could not be found in the keychain."

Install Xcode

After building your application, simply sign it:

codesign --force --deep -s - yourApp.app

detailed information: https://wiki.lazarus.freepascal.org/Code_Signing_for_macOS#Ad_hoc_signing

If you don't have macOS you can use a virtual machine for this: https://github.com/kholia/OSX-KVM https://github.com/sickcodes/Docker-OSX

I also see an alternative but I not sure about it: https://github.com/zhlynn/zsign

I signed with my certificate but says damaged.