[R-SIG-Mac] R 4.2.1-arm64 pkg is signed and notarized but refuses to install

Kieran Healy kjhe@|y @end|ng |rom gm@||@com
Fri Jul 1 03:10:11 CEST 2022 

Hello all,

Not sure at what point along the complex signing/ notarization/ checking/
installation process things fail, but on an M1 MacBook Pro running Monterey
12.4, with security options set to Allow Apps from the App Store and
Identified Developers, I am finding that attempting to install
R-4.2.1-arm64.pkg from CRAN fails with the GUI error:

“R-4.2.1-arm64.pkg” cannot be opened because it is from an unidentified
developer. macOS cannot verify that this app is free from malware.

The SHA-1 is good and when I verify the package with pkgutil
--check-signature, everything seems fine too:

Package "R-4.2.1-arm64.pkg":
>    Status: signed by a developer certificate issued by Apple for
> distribution
>    Notarization: trusted by the Apple notary service
>    Signed with a trusted timestamp on: 2022-06-24 10:57:20 +0000
>    Certificate Chain:
>     1. Developer ID Installer: Simon Urbanek (VZLD955F6P)
>        Expires: 2027-02-01 22:12:15 +0000
>        SHA256 Fingerprint:
>            B5 E8 8C 9D 46 50 74 03 6E 27 98 AB 8B 38 08 89 84 CF 60 C3 90
> C1
>            8F 6F 5A 9F 0F D4 9B D8 89 FC
>
> ------------------------------------------------------------------------
>     2. Developer ID Certification Authority
>        Expires: 2027-02-01 22:12:15 +0000
>        SHA256 Fingerprint:
>            7A FC 9D 01 A6 2F 03 A2 DE 96 37 93 6D 4A FE 68 09 0D 2D E1 8D
> 03
>            F2 9C 88 CF B0 B1 BA 63 58 7F
>
> ------------------------------------------------------------------------
>     3. Apple Root CA
>        Expires: 2035-02-09 21:40:36 +0000
>        SHA256 Fingerprint:
>            B0 B1 73 0E CB C7 FF 45 05 14 2C 49 F1 29 5E 6E DA 6B CA ED 7E
> 2C
>            68 C5 BE 91 B5 A1 10 01 F0 24


However, spctl refuses to proceed and gives an error:

spctl -a -vv -t install R-4.2.1-arm64.pkg
> R-4.2.1-arm64.pkg: rejected
> origin=Developer ID Installer: Simon Urbanek (VZLD955F6P)


I can of course just tell mac os to go ahead anyway. But I thought I'd
report it here just in case it was some more general wrinkle in 12.4 or
hiccup in the toolchain somewhere.

Kieran

--
Kieran Healy :: https://kieranhealy.org

	[[alternative HTML version deleted]]

More information about the R-SIG-Mac mailing list