.app signature (recently) was not trusted
-
Hello, long time user. I came to post because when running
pkgutil --check-signature Flux.app
(after installing Flux on a new machine sometime last year) the signature was not trusted, and I forgot to post about it here. However, I just checked my Flux installations on all my machines, and now it correctly shows
Status: signed by a certificate trusted by macOS
with an expiration in 2027-02.
Did anyone else notice previously the Flux certificate was not trusted?
Thanks
-
@generalKenobi we have been using notarization since it was first announced. But f.lux was around for a decade before that, so the most likely thing is that you had an old build that was pre-notarization?
-
@herf Hello, sorry about the late reply!
Yes, I have been using Flux since sometime in the early 2010s, and always keep automatic updates on, so I don't think it's from running any old builds.
Interestingly, since I made the post above, I downloaded it on another Mac today (and updated Flux when prompted, which reminded me to reply to this post) and still see the same message about the certificate not being trusted:
Status: signed by untrusted certificate
Certificate Chain:
  1. Developer ID Application: Michael Herf (VZKSA7H9J9)
     SHA256 Fingerprint:
Thought I would bring it to your attention in case there are any cert issues. Thanks!
-
@herf Huh, this is curious (I have another reply queued up above):
- When I checked the signature when it was in the downloads folder, I saw the following:
Downloads % pkgutil --check-signature ~/Downloads/Flux.app
Package "Flux":
  Status: signed by untrusted certificate
  Certificate Chain:
    1. Developer ID Application: Michael Herf (VZKSA7H9J9)
       SHA256 Fingerprint:
         B2 75 2C 3C 11 3F AB F5 5D 96 4A 51 DF 44 30 5E 75 51 04 2C C8 3D 56 AF 52 31 E2 0F 3F 95 A6 D1
       -----------------------------------
However, I ran it sometime later (minutes) after dragging it into the /Applications directory. I don't remember for sure; my guess is the only thing that changed was Flux prompted to install an update. I re-ran the command and see the following:
Downloads % pkgutil --check-signature /Applications/Flux.app
Package "Flux":
  Status: signed by a certificate trusted by macOS
  Certificate Chain:
    1. Developer ID Application: Michael Herf (VZKSA7H9J9)
       Expires: 2027-02-01 22:12:15 +0000
       SHA256 Fingerprint:
         D7 A2 2E F0 04 81 51 7A 98 74 6F 5C 4F 46 D0 3D 95 48 70 D4 24 7C 17 05 13 E0 05 92 4C D7 DA 9F
Is there something missing from the download on the website? It may not have been up to date if it prompted me for an update immediately.
-
@generalKenobi thanks - the first one is 42.1 and the second is 42.2 - the untrusted certificate is quite unexpected but now appears to affect all builds from 2022 and before - must be some new security changes in macOS.
We've updated the website to point to 42.2, so builds going forward will have proper signatures.