Reputation: 378
I developed an Electron app using the following "features":

- open-url feature [Schemes: xx-note]
- node-keytar: get & set pwd

I have no problem running the application, or building it if I don't sign it, but to make the auto-update work, I absolutely need to sign it (and it's better for my customers).
Unfortunately, when I sign it and try to run it on Big Sur I get the following message:
From Finder:

```
You do not have permission to open the application “XX”
Contact your computer or network administrator for assistance.
```

From Terminal:

```
The application cannot be opened for an unexpected reason,
error=Error Domain=NSOSStatusErrorDomain Code=-10826 "kLSNoLaunchPermissionErr: User doesn't have permission to launch the app (managed networks)"
UserInfo={_LSFunction=_LSLaunchWithRunningboard, _LSLine=2539, NSUnderlyingError=0x7f98fe4166d0 {Error Domain=RBSRequestErrorDomain Code=5 "Launch failed."
UserInfo={NSLocalizedFailureReason=Launch failed., NSUnderlyingError=0x7f98fe418060 {Error Domain=NSPOSIXErrorDomain Code=153 "Unknown error: 153"
UserInfo={NSLocalizedDescription=Launchd job spawn failed with error: 153}}}}}
```
And in both cases I have this message in the Console (`/system.log`):

```
May 3 11:00:32 XX com.apple.xpc.launchd[1] (application.ai.XX.note-taking.39302547.39303101[25454]): removing service since it exited with consistent failure - OS_REASON_CODESIGNING | When validating /Users/XX/Documents/XX/mr/XX-desktop/out/XX-darwin-x64/XX.app/Contents/MacOS/XX_Taking-Note:
Code has restricted entitlements, but the validation of its code signature failed.
Unsatisfied Entitlements:
May 3 11:00:32 XX com.apple.xpc.launchd[1] (application.ai.XX.note-taking.39302547.39303101[25454]): Binary is improperly signed.
```
My colleague launched it from Catalina and got this error message:

```
System Integrity Protection: enabled
Crashed Thread: 0
Exception Type: EXC_CRASH (Code Signature Invalid)
Exception Codes: 0x0000000000000000, 0x0000000000000000
Exception Note: EXC_CORPSE_NOTIFY
Termination Reason: Namespace CODESIGNING, Code 0x1
```
Using electron-osx-sign & electron-notarize with forge config:

```js
packagerConfig: {
  appBundleId: 'ai.XX.note-taking',
  executableName: BUILD_NAME, //XX
  name: APP_NAME, //XX
  icon: iconPath,
  overwrite: true,
  asar: true,
  extendInfo: './info.extends.plist',
  protocols: {
    name: 'XX-note',
    schemes: ['XX-note'],
  },
  osxSign: {
    identity: OSX_CREDENTIALS.SIGN_ID, // Developer ID Application: TeamName (MYTEAMID)
    'hardened-runtime': true,
    entitlements: 'entitlements.plist',
    'entitlements-inherit': 'entitlements.plist',
    'entitlements-loginhelper': 'login.entitlements.plist',
    'signature-flags': 'library',
    // https://github.com/electron/electron-notarize/issues/54
    'gatekeeper-assess': false,
    verbose: true,
  },
  osxNotarize: {
    // appBundleId: 'ai.XX.note-taking', // (TESTED WITH & WITHOUT)
    appleId: OSX_CREDENTIALS.ID, // [email protected]"
    appleIdPassword: OSX_CREDENTIALS.PASSWORD, // app password
    // ascProvider: 'MYTEAMID', // (TESTED WITH & WITHOUT)
  },
},
```
```
out/XX-darwin-x64/XX.app: valid on disk
out/XX-darwin-x64/XX.app: satisfies its Designated Requirement
```
.plist
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
  </dict>
</plist>
```

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>CFBundleURLTypes</key>
    <array>
      <dict>
        <key>CFBundleURLSchemes</key>
        <array>
          <string>XX-note</string>
        </array>
      </dict>
    </array>
    <key>NSDocumentsFolderUsageDescription</key>
    <true />
    <key>ElectronTeamID</key>
    <string>MYTEAMID</string>
    <key>NSAppTransportSecurity</key>
    <dict>
      <key>NSAllowsArbitraryLoads</key>
      <false/>
      <key>NSAllowsLocalNetworking</key>
      <true/>
    </dict>
  </dict>
</plist>
```

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.cs.allow-jit</key>
    <true/>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
    <true/>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
  </dict>
</plist>
```
I really hope you can help me, I really tried to give you as much as possible, and it's already been more than three days that I'm looking everywhere without solving my problem.
Upvotes: 2
Views: 2460
Reputation: 378
I fixed this issue using this tutorial: https://kilianvalkhof.com/2019/electron/notarizing-your-electron-application/

And this issue: https://github.com/electron-userland/electron-builder/issues/3940

My final config is:

```js
osxSign: {
  identity: 'Developer ID Application: MyTeam (TEAMID)',
  'hardened-runtime': true,
  entitlements: 'mac/entitlements.plist',
  'entitlements-inherit': 'mac/entitlements.plist',
  'signature-flags': 'library',
  // https://github.com/electron/electron-notarize/issues/54
  'gatekeeper-assess': false,
  verbose: true,
},
osxNotarize: {
  appleId: 'myemail',
  appleIdPassword: 'mypassword',
},
```
And `mac/entitlements.plist` is:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
  </dict>
</plist>
```
Upvotes: 2
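
Added example, not part of either post: a small Node.js script that diffs the entitlements of the failing build (the question's plist carrying the `com.apple.security.cs.*` keys) against the answer's `mac/entitlements.plist`, listing what the working build dropped and which hardened-runtime exceptions it still ships with. The function names are illustrative, and the parser only handles the flat boolean `<key>`/`<true/>` layout shown on this page.

```javascript
// Parse the boolean keys of an entitlements plist into a Map(key -> true/false).
// Minimal parser for the flat <key>...</key><true/> layout used on this page;
// it is not a general plist parser.
function parseEntitlements(xml) {
  const entries = new Map();
  const pair = /<key>([^<]+)<\/key>\s*<(true|false)\s*\/>/g;
  let m;
  while ((m = pair.exec(xml)) !== null) {
    entries.set(m[1].trim(), m[2] === 'true');
  }
  return entries;
}

// Compare the entitlements that are switched on in two plists.
function diffEntitlements(beforeXml, afterXml) {
  const enabled = (xml) =>
    [...parseEntitlements(xml)].filter(([, on]) => on).map(([key]) => key);
  const before = enabled(beforeXml);
  const after = enabled(afterXml);
  return {
    removed: before.filter((k) => !after.includes(k)).sort(),
    added: after.filter((k) => !before.includes(k)).sort(),
    kept: after.filter((k) => before.includes(k)).sort(),
    // com.apple.security.cs.* keys relax the hardened runtime; review each one.
    hardenedRuntimeExceptions: after
      .filter((k) => k.startsWith('com.apple.security.cs.'))
      .sort(),
  };
}

// Helper that rebuilds a plist body from a key list (all values <true/>).
const plist = (keys) =>
  `<plist version="1.0"><dict>\n${keys
    .map((k) => `<key>${k}</key>\n<true/>`)
    .join('\n')}\n</dict></plist>`;

// Keys copied from the question (failing build) and the answer (working build).
const QUESTION = plist([
  'com.apple.security.cs.allow-jit',
  'com.apple.security.cs.allow-unsigned-executable-memory',
  'com.apple.security.cs.allow-dyld-environment-variables',
  'com.apple.security.app-sandbox',
  'com.apple.security.cs.disable-library-validation',
]);
const ANSWER = plist([
  'com.apple.security.cs.allow-unsigned-executable-memory',
  'com.apple.security.cs.disable-library-validation',
]);

console.log(JSON.stringify(diffEntitlements(QUESTION, ANSWER), null, 2));
```

The diff only shows what changed between the two posted files; the page does not say which of the three removed keys was responsible for the launch failure.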