How to solve 'This application is damaged" problem for my Java .app on macOS Ventura

I have a macOS application written in Java, you can try it from here:

http://www.eazycnc.com/downloads/EazyCNC-2.0.38.dmg

When I try to launch the application I get a

“EazyCNC-2.0.38.app” is damaged and can’t be opened. You should move it to the Bin error dialog.

This is in Ventura 13.3 (22E252) on M2 MacBook Pro 15" 32 GB 2TB mac.

A friend tried this and with the same result on an Intel MBP with Ventura.

I have tried to remove the quarantine attribute (a trick that used to work on my old Intel MBP Monterey) with:

xattr -rc /Applications/EazyCNC-2.0.38.app

This did not help.

An other friend on the Ventura version that I am using but on a M1 MacBook was able to get the application to launch with:

xattr -rc /EazyCNC-2.0.38.dmg

The OS still complained about the app being damaged but it would allow launching it anyway.

Doing

xattr -rc /Applications/EazyCNC-2.0.38.app/Contents

removed the error altogether for him, none of that worked for me.

I tried to add the app to Developer Tools in System Settings / Privacy & Security but this did not help.

I have tried to 'right click' / Open the file twice which was a requirement for non signed / un-registered application in the past. Did not work.

I do get the Open Anyway button in System Settings with the text "EazyCNC-2.0.38.app was blocked because it is not from an identified developer but clicking that button gets me to the application is damaged dialog.

I have also tried to disable the 'assesment' (what ever it is) with:

sudo spctl –-global-disable
spctl --status                                                        
assessments disabled

At some point the Allow applications downloaded from (o) Anywhere option appeared in the System Settings.

This was not there to begin with, but having it there helps none.

Nothing helps.

[edit] for full disclosure this Mac is remotely manage (I have Admin rights) protected :( by Cortex XDR), in case that makes a difference.

As a last clue I just did:

 spctl --assess /Applications/EazyCNC-2.0.38.app 
/Applications/EazyCNC-2.0.38.app: code has no resources but signature indicates they must be present

Don't know if that is related.

I have no problems running the JVM and my code from Eclipse.

I don't think this is a Java related problem as such because I think it is the native launcher in .app/Contents/ that it is blocked by the macOS. I believe the native launcher (created with jpackage) is Intel (and Get Info on the file says that it is recognised as such). The actual JVM (from temurin-11.jdk) is also Intel.

As this is a hobby project with no income I would hate to pay for Apple Developer registration.

Correction:

 java --version
openjdk 18.0.2 2022-07-19
OpenJDK Runtime Environment Temurin-18.0.2+9 (build 18.0.2+9)
OpenJDK 64-Bit Server VM Temurin-18.0.2+9 (build 18.0.2+9, mixed mode)

Solution

The code signature is invalid:

% codesign --verify EazyCNC-2.0.38.app 
EazyCNC-2.0.38.app: code has no resources but signature indicates they must be present

The binary in Contents/MacOS is signed as if it were a standalone binary, not an app. There is no Contents/_CodeSignature/CodeResources, and codesign -dv reveals that there is no Info.plist bound to the signature.

After running xattr -rc, I was able to get the app to launch by first dumping its entitlements with

codesign -d --entitlements - --xml EazyCNC-2.0.38.app/Contents/MacOS/EazyCNC >ent.plist

And then re-signing it with:

codesign -f -s - --entitlements ent.plist EazyCNC-2.0.38.app

Notes:

You'll want to specify the entire .app bundle, not the binary within.
Using -s - only works for non-quarantined files, so for files that users will download from the internet, you'll need a real code signing identity.
If you previously tried to launch the app while it had an invalid code signature, then that old signature will be cached on the vnode and will prevent the app from launching. To get around this, either copy the entire app to a new location and delete the old files, or reboot your machine.