Reputation: 61
Currently I'm working on notarizing an Electron app for Mac using the electron-builder ("electron-builder": "^22.9.1") and electron-notarize ("electron-notarize": ^1.0.0) packages. The build passes successfully. Checking the app's signing and notarization status with

    pkgutil --check-signature /Path_to_App/My_App.app
    Package "XXXXXXX":
    Status: signed by a certificate trusted by macOS
    Certificate Chain:...

and

    spctl -a -t exec -vvv /Path_to_App/My_App.app
    /Applications/XXXXXX.app: accepted
    source=Notarized Developer ID
    origin=Developer ID Application: XXXXXXXX

tells me that the app was signed and notarized. But when I open it on another machine I get a popup with a message that the app cannot be opened because the developer cannot be verified. I've tried different options in the build config and plist files, but still can't understand the cause of this issue. My build config in package.json:
    "build": {
      "appId": "com.XXXX.XX",
      "productName": "XXXXXXX",
      "afterSign": "electron/notarize.js",
      "extends": null,
      "buildDependenciesFromSource": true,
      "files": [
        "build/**/*"
      ],
      "directories": {
        "buildResources": "assets"
      },
      "mac": {
        "category": "public.app-category.productivity",
        "icon": "build/icon.icns",
        "hardenedRuntime": true,
        "gatekeeperAssess": false,
        "entitlements": "build/entitlements.mac.plist",
        "entitlementsInherit": "build/entitlements.mac.plist",
        "electronLanguages": [
          "en"
        ],
        "target": ["dmg"]
      },
      "dmg": {
        "sign": false
      },
And entitlements.mac.plist
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
      <dict>
        <!-- https://github.com/electron/electron-notarize#prerequisites -->
        <key>com.apple.security.cs.allow-jit</key>
        <true/>
        <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
        <true/>
        <!-- https://github.com/electron-userland/electron-builder/issues/3940 -->
        <key>com.apple.security.cs.disable-library-validation</key>
        <true/>
        <key>com.apple.security.cs.allow-dyld-environment-variables</key>
        <true/>
        <key>com.apple.security.cs.disable-executable-page-protection</key>
        <true/>
        <key>com.apple.security.inherit</key>
        <true/>
        <key>com.apple.security.automation.apple-events</key>
        <true/>
        <key>com.apple.security.device.audio-input</key>
        <true/>
        <key>com.apple.security.device.camera</key>
        <true/>
        <key>com.apple.security.device.microphone</key>
        <true/>
        <key>com.apple.security.device.bluetooth</key>
        <true/>
      </dict>
    </plist>
Upvotes: 4
Views: 2069
Reputation: 71
I got it working by doing:
Inside package.json, add under "mac":

    "asarUnpack": "**/*.node"

This will tell the builder to unpack those node native binaries so that the notarization can examine these libraries.
And in the entitlements file used for signing, REMOVE:

    <key>com.apple.security.cs.disable-library-validation</key> <true/>

Then, it should work as expected.
Upvotes: 2
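
As an added example (not part of the answer above and not electron-builder's own code), this Node.js check tests a build config and an entitlements plist for the two changes the answer describes. The function names and the sample input are constructed for illustration, and it assumes `asarUnpack` may be set either at the top level of "build" or under "mac".

```javascript
// Added example: lint an electron-builder "build" object and an entitlements
// plist for the two changes from the answer. All function names are hypothetical.
const LIB_VALIDATION = "com.apple.security.cs.disable-library-validation";

// Return the entitlement keys whose value is <true/> in the plist XML text.
function enabledEntitlements(plistXml) {
  const xml = plistXml.replace(/<!--[\s\S]*?-->/g, ""); // ignore XML comments
  const re = /<key>([^<]*)<\/key>\s*<(true|false)\s*\/>/g;
  const keys = [];
  let m;
  while ((m = re.exec(xml)) !== null) {
    if (m[2] === "true") keys.push(m[1].trim());
  }
  return keys;
}

// asarUnpack may be a string or an array; collect every pattern that is set.
function asarUnpackPatterns(build) {
  return [build.asarUnpack, build.mac && build.mac.asarUnpack]
    .flat()
    .filter((p) => typeof p === "string");
}

// Return a list of findings; an empty list means both changes are in place.
function checkNotarizationConfig(build, plistXml) {
  const findings = [];
  if (enabledEntitlements(plistXml).includes(LIB_VALIDATION)) {
    findings.push(`${LIB_VALIDATION} is enabled in the entitlements file`);
  }
  if (!asarUnpackPatterns(build).some((p) => p.endsWith(".node"))) {
    findings.push("asarUnpack does not cover *.node native modules");
  }
  return findings;
}

// Constructed sample input modelled on the question's config (not a real project).
const sampleBuild = {
  mac: { hardenedRuntime: true, entitlements: "build/entitlements.mac.plist" },
};
const samplePlist = `<plist version="1.0"><dict>
  <key>com.apple.security.cs.allow-jit</key><true/>
  <!-- comment before the key the answer removes -->
  <key>${LIB_VALIDATION}</key><true/>
</dict></plist>`;

console.log(checkNotarizationConfig(sampleBuild, samplePlist));
```
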