Giter VIP home page Giter VIP logo

osx-sign's Introduction

@electron/osx-sign npm Build Status

Codesign Electron macOS apps

About

@electron/osx-sign minimizes the extra work needed to eventually prepare your apps for shipping, providing the most basic tools and assets. Note that the bare necessities here are sufficient for enabling app sandbox, yet other configurations for network access etc. require additional work.

NB: Since @electron/osx-sign injects the entry com.apple.security.application-groups into the entitlements file as part of the pre-signing process, this would reportedly limit app transfer on iTunes Connect (see #150). However, opting out entitlements automation opts['preAutoEntitlements'] === false may result in worse graphics performance.

The signing procedure implemented in this package is based on what described in Code Signing Guide.

Installation

# For use in npm scripts
npm install --save @electron/osx-sign
# yarn
yarn add @electron/osx-sign
# For use from CLI
npm install -g @electron/osx-sign
# Yarn
yarn global add @electron/osx-sign

Note: @electron/osx-sign is a dependency of @electron/packager as of 6.0.0 for signing apps on macOS. However, feel free to install this package globally for more customization beyond specifying identity and entitlements.

Usage

Code Signing

From the API

const { signAsync } = require('@electron/osx-sign')
signAsync({
  app: 'path/to/my.app'
})
  .then(function () {
    // Application signed
  })
  .catch(function (err) {
    // Handle the error
  })
opts - Options

Required

app - String

Path to the application package. Needs file extension .app.

Optional

binaries - Array

Path to additional binaries that will be signed along with built-ins of Electron. Default to undefined.

optionsForFile - Function

Function that receives the path to a file and can return the entitlements to use for that file to override the default behavior. The object this function returns can include any of the following optional keys.

Option Description Usage Example
entitlements String specifying the path to an entitlements.plist file. Will default to built-in entitlements files. Can also be an array of entitlement keys that osx-sign will write to an entitlements file for you. 'path/to/entitlements'
hardenedRuntime Boolean flag to enable the Hardened Runtime when signing the app. Enabled by default. false
requirements Either a string beginning with = which specifies in plain text the signing requirements that you recommend to be used to evaluate the code signature, or a string specifying a path to a text or properly encoded .rqset file which contains those requirements. '=designated => identifier com.github.Electron'
or
'path/to/requirements.rqset'
signatureFlags List of code signature flags. Accepts an array of strings or a comma-separated string. ['kSecCodeSignatureRestrict']
timestamp String specifying the URL of the timestamp authority server. Defaults to the server provided by Apple. Please note that this default server may not support signatures not furnished by Apple. Disable the timestamp service with none. 'https://different.timeserver'

Note: Only available via the JS API

identity - String

Name of certificate to use when signing. Default to be selected with respect to provisioning-profile and platform from keychain or keychain by system default.

Signing platform mas will look for 3rd Party Mac Developer Application: * (*), and platform darwin will look for Developer ID Application: * (*) by default.

identityValidation - Boolean

Flag to enable/disable validation for the signing identity. If enabled, the identity provided will be validated in the keychain specified. Default to true.

keychain - String

The keychain name. Default to system default keychain.

ignore - RegExp|Function|Array.<(RegExp|Function)>

Regex, function or an array of regex's and functions that signal skipping signing a file. Elements of other types are treated as RegExp. Default to undefined.

platform - String

Build platform of Electron. Allowed values: darwin, mas. Default to auto detect by presence of Squirrel.framework within the application bundle.

preAutoEntitlements - Boolean

Flag to enable/disable automation of com.apple.security.application-groups in entitlements file and update Info.plist with ElectronTeamID. Default to true.

preEmbedProvisioningProfile - Boolean

Flag to enable/disable embedding of provisioning profile in the current working directory. Default to true.

provisioningProfile - String

Path to provisioning profile.

strictVerify - Boolean|String|Array.

Flag to enable/disable --strict flag when verifying the signed application bundle. If provided as a string, each component should be separated with comma (,). If provided as an array, each item should be a string corresponding to a component. Default to true.

type - String

Specify whether to sign app for development or for distribution. Allowed values: development, distribution. Default to distribution.

version - String

Build version of Electron. Values may be like: 1.1.1, 1.2.0. Default to latest Electron version.

It is recommended to utilize this option for best support of specific Electron versions. This may trigger pre/post operations for signing: For example, automation of setting com.apple.security.application-groups in entitlements file and of updating Info.plist with ElectronTeamID is enabled for all versions starting from 1.1.1; set preAutoEntitlements option to false to disable this feature.

From the Command Line

electron-osx-sign app [embedded-binary ...] [options ...]
Examples

Since electron-osx-sign adds the entry com.apple.developer.team-identifier to a temporary copy of the specified entitlements file (with the default option --pre-auto-entitlements) distribution builds can no longer be run directly. To run the app codesigned for distribution locally after codesigning, you may manually add ElectronTeamID in your Info.plist and com.apple.security.application-groups in the entitlements file, and provide the flag --no-pre-auto-entitlements for electron-osx-sign to avoid this extra bit. Note that "certain features are only allowed across apps whose team-identifier value match" (Technical Note TN2415).

The examples below assume that --pre-auto-entitlements is enabled.

  • To sign a distribution version by default:

    electron-osx-sign path/to/my.app

    For distribution in the Mac App Store: Have the provisioning profile for distribution placed in the current working directory and the signing identity installed in the default keychain. The app is not expected to run after codesigning since there is no provisioned device, and it is intended only for submission to iTunes Connect. For distribution outside the Mac App Store: Have the signing identity for distribution installed in the default keychain and optionally place the provisioning profile in the current working directory. By default App Sandbox is not enabled. The app should run on all devices.

  • To sign development version:

    electron-osx-sign path/to/my.app --type=development

    For testing Mac App Store builds: Have the provisioning profile for development placed in the current working directory and the signing identity installed in the default keychain. The app will only run on provisioned devices. For testing apps for distribution outside the Mac App Store, have the signing identity for development installed in the default keychain and optionally the provisioning profile placed in the current working directory. The app will only run on provisioned devices. However, you may prefer to just go with signing a distribution version because the app is expected to launch properly after codesigned.

  • It is recommended to place the provisioning profile(s) under the working directory for electron-osx-sign to pick up automatically; however, to specify provisioning profile to be embedded explicitly:

    electron-osx-sign path/to/my.app --provisioning-profile=path/to/my.provisionprofile

  • To specify custom entitlements files you have to use the JS API.

  • It is recommended to make use of --version while signing legacy versions of Electron:

    electron-osx-sign path/to/my.app --version=0.34.0

Run electron-osx-sign --help or see electron-osx-sign-usage.txt for CLI-specific options.

electron-osx-flat

From the API

const { flatAsync } = require('@electron/osx-sign')
flatAsync({
  app: 'path/to/my.app'
})
  .then(function () {
    // Application flattened
  })
  .catch(function (err) {
    // Handle the error
  })
opts - Options

Required

app - String

Path to the application bundle. Needs file extension .app.

Optional

identity - String

Name of certificate to use when signing. Default to be selected with respect to platform from keychain or keychain by system default.

Flattening platform mas will look for 3rd Party Mac Developer Installer: * (*), and platform darwin will look for Developer ID Installer: * (*) by default.

identityValidation - Boolean

Flag to enable/disable validation for signing identity. If enabled, the identity provided will be validated in the keychain specified. Default to true.

install - String

Path to install the bundle. Default to /Applications.

keychain - String

The keychain name. Default to system default keychain.

platform - String

Build platform of Electron. Allowed values: darwin, mas. Default to auto detect by presence of Squirrel.framework within the application bundle.

pkg - String

Path to the output the flattened package. Needs file extension .pkg.

scripts - String Path to a directory containing pre and/or post install scripts.

From the Command Line

electron-osx-flat app [options ...]

Example:

electron-osx-flat path/to/my.app

Run electron-osx-flat --help or see electron-osx-flat-usage.txt for CLI-specific options.

Debug

As of release v0.3.1, external module debug is used to display logs and messages; remember to export DEBUG=electron-osx-sign* when necessary.

Test

The project's configured to run automated tests on CircleCI.

If you wish to manually test the module, first comment out opts.identity in test/basic.js to enable auto discovery. Then run the command npm test from the dev directory.

When this command is run for the first time: @electron/get will download macOS Electron releases defined in test/config.json, and save to ~/.electron/, which might take up less than 1GB of disk space.

A successful testing should look something like:

$ npm test

> [email protected] pretest electron-osx-sign
> rimraf test/work

> [email protected] test electron-osx-sign
> standard && tape test

Calling @electron/get before running tests...
Running tests...
TAP version 13
# setup
# defaults-test:v7.0.0-beta.3-darwin-x64
ok 1 app signed
# defaults-test:v7.0.0-beta.3-mas-x64
ok 2 app signed
# defaults-test:v6.0.3-darwin-x64
ok 3 app signed
# defaults-test:v6.0.3-mas-x64
ok 4 app signed
# defaults-test:v5.0.10-darwin-x64
ok 5 app signed
# defaults-test:v5.0.10-mas-x64
ok 6 app signed
# defaults-test:v4.2.9-darwin-x64
ok 7 app signed
# defaults-test:v4.2.9-mas-x64
ok 8 app signed
# defaults-test:v3.1.2-darwin-x64
ok 9 app signed
# defaults-test:v3.1.2-mas-x64
ok 10 app signed
# teardown

1..10
# tests 10
# pass  10

# ok

osx-sign's People

Contributors

agalwood avatar amilajack avatar cacheflow avatar chasestubblefield avatar ckerr avatar cliftonh avatar dependabot[bot] avatar develar avatar dsanders11 avatar electron-roller[bot] avatar erickzhao avatar felixrieseberg avatar ffflorian avatar jdp avatar malept avatar marshallofsound avatar okhoshi avatar onaips avatar outofambit avatar quanglam2807 avatar rajivshah3 avatar salomvary avatar savanain avatar seanchas116 avatar sethlu avatar shiqi avatar stefansundin avatar tatgean avatar

Stargazers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Watchers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Forkers

seanchas116 sethlu pombredanne develar mcfedr amilajack savanain skellock cucygh charliehess salomvary emorikawa fredguth joseph-hurtado dinneo javimosch resilientred maurice-schuppe cacheflow vischub relsqui ngartisanmd chinmoy-globalids rajivshah3 cacherapp freeyourmusic agalwood nasty007007 nicktikhonov hhy5277 malept ngnguyen1 shiqi harikvpy netop johntendik outofambit toshi-saito satorumpen kieuthang telefuel ccrocc chokeslam46 ccszwg msgpo lcheunglci isabella232 thibaut-adx axfelix tomdixon standardgalactic hackape xszh russ93 motrixapp samowolabi helojo acidburn0zzz mehdikazi whxleemdddd txbrown workduck-io classicvalues capesepias ajunlonglive abuhtoyarov thatkiddslash soundar-m tobspr-games zimkaru i-obraztsov jyd519 armbiant chasestubblefield skirsdeda wilf312 baro77 rvetere alex-paterson rickymohk amiller-gh mwakizaka magic-pod quanglam2807 new-carrot ethicalsecurity-agency madtechservices pbk-b a1985j09 cliftonh qz1543706741

osx-sign's Issues

the identity of the developer cannot be confirmed

hi, all

i need codesign app with 'Develop ID Application' certificate. first i set the the Certificate's Trust to 'Use System Defaults' codesign will fine pass, and i verifying it with 'spctl -a -vvvv' and it's also fine, but when i download the app from my local test webserver and the os's gatekeeper promote the error 'the identity of the developer cannot be confirmed'

later i set the Certificate's Trust of Item 'Code Signing' to 'Always Trust' and it's will in cli with ' nested code is modified or invalid'.

anyone can help me, thks.

whitescreen after signing the app

Hi, I am using the very last version of electron and electron-osx-sign. Everything works like expected when not signing the app with electron-osx-sign, but when signing I have a whitescreen (with loading cursor). How to debug?

Command Line Won't Accept Provisioning Profile Argument

Greetings,
I hope this isn't a duplicate, I searched the issues and nothing jumped out.

I'm trying to run electron-osx-sign via cli after building my electron app with electron-packager. I'm doing this because it doesn't seem like electron-packager is properly assigning the provisioning profile when signing the app (this may be a separate issue so just focusing on cli usage for now).

Issue:
However I try to pass the --provisioning-profile argument the CLI outputs: Path to provisioning profile should be a string or a ProvisioningProfile object. I tried wrapping the path in single quotes, double quotes, no quotes, escaping command characters that need escaping (/,.,-,(,),), and pretty much every variation of quoting, escaping, etc but still just get Path to provisioning profile should be a string or a ProvisioningProfile object.. The only way I was able to not get that output was to pass empty quotes but then the command runs without using the provisioning profile.

Background:
I'm trying to release an alpha version of my app to my company, I'd prefer to have it signed so that no one has to turn off their security preferences when installing applications. If I choose not to sign the app when running electron-packager everything works great and the app opens as expected. When I do sign the application, upon opening it nothing load (white screen) and you get a spinning beachball of death.

I've tried passing passing the identity and provisioning-profile option to electron-packager but I never see any output that the provisioning-profile is being used when signing the app by passing DEBUG=electron-osx-sign or DEBUG=electron-packager but do that the identity is being used.

Versions:
[email protected]
[email protected]
[email protected]
[email protected]

electron-package config

/**
 * Packages the application into executable .app and .exe files.
 * For more info, see https://github.com/electron-userland/electron-packager.
 */
var argv = require('minimist')(process.argv.slice(2))
var packager = require('electron-packager')
var appManifest = require('../app/package.json')
var devManifest = require('../package.json')
var config = require('../config')

function getElectronVersion () {
  var v = config.release.electronVersion ||
    (devManifest.devDependencies || {})['electron-prebuilt'] ||
    (devManifest.dependencies || {})['electron-prebuilt']

  if (v) {
    return v.replace(/^\D+/, '')
  } else {
    console.log(
      'No electron version was found in config.js or package.json.'
    )
  }
}

var packagerConfig = {
  dir: config.build.outputRoot,
  out: config.build.releasesRoot,
  name: appManifest.productName,
  'app-version': appManifest.version,
  version: getElectronVersion(),
  platform: argv.platform || config.release.platform,
  arch: argv.arch || 'all',
  prune: true,
  overwrite: true,
  ignore: Object.keys((appManifest.devDependencies || {})).map(function (name) {
    return '/node_modules/' + name + '($|/)'
  }),
  'osx-sign': {
    identity: 'Developer ID Application: New Media Solutions Inc (A456A838HF)',
    'provisioning-profile': '/Users/dbondy/Library/MobileDevice/Provisioning Profiles/472d4411-dc27-4f8e-bc2f-cd11d75d380b.provisionprofile'
  }
}

packager(packagerConfig, function (err, appPath) {
  if (err) {
    console.error(err)
    process.exit(1)
  }

  console.log('packaged to ' + appPath)
})

I also tried moving provisioning-profile out of the osx-sign object

/**
 * Packages the application into executable .app and .exe files.
 * For more info, see https://github.com/electron-userland/electron-packager.
 */
var argv = require('minimist')(process.argv.slice(2))
var packager = require('electron-packager')
var appManifest = require('../app/package.json')
var devManifest = require('../package.json')
var config = require('../config')

function getElectronVersion () {
  var v = config.release.electronVersion ||
    (devManifest.devDependencies || {})['electron-prebuilt'] ||
    (devManifest.dependencies || {})['electron-prebuilt']

  if (v) {
    return v.replace(/^\D+/, '')
  } else {
    console.log(
      'No electron version was found in config.js or package.json.'
    )
  }
}

var packagerConfig = {
  dir: config.build.outputRoot,
  out: config.build.releasesRoot,
  name: appManifest.productName,
  'app-version': appManifest.version,
  version: getElectronVersion(),
  platform: argv.platform || config.release.platform,
  arch: argv.arch || 'all',
  prune: true,
  overwrite: true,
  ignore: Object.keys((appManifest.devDependencies || {})).map(function (name) {
    return '/node_modules/' + name + '($|/)'
  }),
  'osx-sign': {
    identity: 'Developer ID Application: New Media Solutions Inc (A456A838HF)'
  }
  'provisioning-profile': '/Users/dbondy/Library/MobileDevice/Provisioning Profiles/472d4411-dc27-4f8e-bc2f-cd11d75d380b.provisionprofile'
}

packager(packagerConfig, function (err, appPath) {
  if (err) {
    console.error(err)
    process.exit(1)
  }

  console.log('packaged to ' + appPath)
})

neither create an app that will open, just produces a spinning beachball of death.

Various Console Outputs from Different Commands
with DEBUG=electron-osx-sign

node build/package.js

Packaging app for platform linux ia32 using electron v1.1.0
Packaging app for platform win32 ia32 using electron v1.1.0
Packaging app for platform darwin x64 using electron v1.1.0
  electron-osx-sign Signing application... +0ms
  electron-osx-sign > application         /var/folders/h0/v4jqhd0x713gyc3w91_y3g5r0000gn/T/electron-packager/darwin-x64/Drud Secrets-darwin-x64/Drud Secrets.app +1ms
  electron-osx-sign > platform            darwin +1ms
  electron-osx-sign > entitlements        undefined +0ms
  electron-osx-sign > child-entitlements  undefined +0ms
  electron-osx-sign > additional-binaries undefined +0ms
  electron-osx-sign > identity            Developer ID Application: New Media Solutions Inc (A456A838HF) +0ms
  electron-osx-sign Signing... /var/folders/h0/v4jqhd0x713gyc3w91_y3g5r0000gn/T/electron-packager/darwin-x64/Drud Secrets-darwin-x64/Drud Secrets.app/Contents/Frameworks/Drud Secrets Helper EH.app/Contents/MacOS/Drud Secrets Helper EH +66ms
  electron-osx-sign Signing... /var/folders/h0/v4jqhd0x713gyc3w91_y3g5r0000gn/T/electron-packager/darwin-x64/Drud Secrets-darwin-x64/Drud Secrets.app/Contents/Frameworks/Drud Secrets Helper EH.app +409ms
  electron-osx-sign Signing... /var/folders/h0/v4jqhd0x713gyc3w91_y3g5r0000gn/T/electron-packager/darwin-x64/Drud Secrets-darwin-x64/Drud Secrets.app/Contents/Frameworks/Drud Secrets Helper NP.app/Contents/MacOS/Drud Secrets Helper NP +291ms
  electron-osx-sign Signing... /var/folders/h0/v4jqhd0x713gyc3w91_y3g5r0000gn/T/electron-packager/darwin-x64/Drud Secrets-darwin-x64/Drud Secrets.app/Contents/Frameworks/Drud Secrets Helper NP.app +247ms
  electron-osx-sign Signing... /var/folders/h0/v4jqhd0x713gyc3w91_y3g5r0000gn/T/electron-packager/darwin-x64/Drud Secrets-darwin-x64/Drud Secrets.app/Contents/Frameworks/Drud Secrets Helper.app/Contents/MacOS/Drud Secrets Helper +295ms
  electron-osx-sign Signing... /var/folders/h0/v4jqhd0x713gyc3w91_y3g5r0000gn/T/electron-packager/darwin-x64/Drud Secrets-darwin-x64/Drud Secrets.app/Contents/Frameworks/Drud Secrets Helper.app +251ms
  electron-osx-sign Signing... /var/folders/h0/v4jqhd0x713gyc3w91_y3g5r0000gn/T/electron-packager/darwin-x64/Drud Secrets-darwin-x64/Drud Secrets.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Electron Framework +249ms
  electron-osx-sign Signing... /var/folders/h0/v4jqhd0x713gyc3w91_y3g5r0000gn/T/electron-packager/darwin-x64/Drud Secrets-darwin-x64/Drud Secrets.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libffmpeg.dylib +1s
  electron-osx-sign Signing... /var/folders/h0/v4jqhd0x713gyc3w91_y3g5r0000gn/T/electron-packager/darwin-x64/Drud Secrets-darwin-x64/Drud Secrets.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libnode.dylib +272ms
  electron-osx-sign Signing... /var/folders/h0/v4jqhd0x713gyc3w91_y3g5r0000gn/T/electron-packager/darwin-x64/Drud Secrets-darwin-x64/Drud Secrets.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Resources/crashpad_handler +448ms
  electron-osx-sign Signing... /var/folders/h0/v4jqhd0x713gyc3w91_y3g5r0000gn/T/electron-packager/darwin-x64/Drud Secrets-darwin-x64/Drud Secrets.app/Contents/Frameworks/Electron Framework.framework +262ms
  electron-osx-sign Signing... /var/folders/h0/v4jqhd0x713gyc3w91_y3g5r0000gn/T/electron-packager/darwin-x64/Drud Secrets-darwin-x64/Drud Secrets.app/Contents/Frameworks/Mantle.framework/Versions/A/Mantle +1s
  electron-osx-sign Signing... /var/folders/h0/v4jqhd0x713gyc3w91_y3g5r0000gn/T/electron-packager/darwin-x64/Drud Secrets-darwin-x64/Drud Secrets.app/Contents/Frameworks/Mantle.framework +248ms
  electron-osx-sign Signing... /var/folders/h0/v4jqhd0x713gyc3w91_y3g5r0000gn/T/electron-packager/darwin-x64/Drud Secrets-darwin-x64/Drud Secrets.app/Contents/Frameworks/ReactiveCocoa.framework/Versions/A/ReactiveCocoa +499ms
  electron-osx-sign Signing... /var/folders/h0/v4jqhd0x713gyc3w91_y3g5r0000gn/T/electron-packager/darwin-x64/Drud Secrets-darwin-x64/Drud Secrets.app/Contents/Frameworks/ReactiveCocoa.framework +301ms
  electron-osx-sign Signing... /var/folders/h0/v4jqhd0x713gyc3w91_y3g5r0000gn/T/electron-packager/darwin-x64/Drud Secrets-darwin-x64/Drud Secrets.app/Contents/Frameworks/Squirrel.framework/Versions/A/Resources/ShipIt +291ms
  electron-osx-sign Signing... /var/folders/h0/v4jqhd0x713gyc3w91_y3g5r0000gn/T/electron-packager/darwin-x64/Drud Secrets-darwin-x64/Drud Secrets.app/Contents/Frameworks/Squirrel.framework/Versions/A/Squirrel +254ms
  electron-osx-sign Signing... /var/folders/h0/v4jqhd0x713gyc3w91_y3g5r0000gn/T/electron-packager/darwin-x64/Drud Secrets-darwin-x64/Drud Secrets.app/Contents/Frameworks/Squirrel.framework +251ms
  electron-osx-sign Signing... /var/folders/h0/v4jqhd0x713gyc3w91_y3g5r0000gn/T/electron-packager/darwin-x64/Drud Secrets-darwin-x64/Drud Secrets.app/Contents/MacOS/Drud Secrets +258ms
  electron-osx-sign Signing... /var/folders/h0/v4jqhd0x713gyc3w91_y3g5r0000gn/T/electron-packager/darwin-x64/Drud Secrets-darwin-x64/Drud Secrets.app +283ms
  electron-osx-sign Verifying sign... +283ms
Packaging app for platform linux x64 using electron v1.1.0
Packaging app for platform mas x64 using electron v1.1.0
  electron-osx-sign Signing application... +4s
  electron-osx-sign > application         /var/folders/h0/v4jqhd0x713gyc3w91_y3g5r0000gn/T/electron-packager/mas-x64/Drud Secrets-mas-x64/Drud Secrets.app +0ms
  electron-osx-sign > platform            mas +0ms
  electron-osx-sign > entitlements        /Users/dbondy/sites/secrets-electron/node_modules/electron-osx-sign/default.mas.entitlements +0ms
  electron-osx-sign > child-entitlements  /Users/dbondy/sites/secrets-electron/node_modules/electron-osx-sign/default.mas.inherit.entitlements +0ms
  electron-osx-sign > additional-binaries undefined +0ms
  electron-osx-sign > identity            Developer ID Application: New Media Solutions Inc (A456A838HF) +0ms
  electron-osx-sign Signing... /var/folders/h0/v4jqhd0x713gyc3w91_y3g5r0000gn/T/electron-packager/mas-x64/Drud Secrets-mas-x64/Drud Secrets.app/Contents/Frameworks/Drud Secrets Helper EH.app/Contents/MacOS/Drud Secrets Helper EH +59ms
  electron-osx-sign Signing... /var/folders/h0/v4jqhd0x713gyc3w91_y3g5r0000gn/T/electron-packager/mas-x64/Drud Secrets-mas-x64/Drud Secrets.app/Contents/Frameworks/Drud Secrets Helper EH.app +265ms
  electron-osx-sign Signing... /var/folders/h0/v4jqhd0x713gyc3w91_y3g5r0000gn/T/electron-packager/mas-x64/Drud Secrets-mas-x64/Drud Secrets.app/Contents/Frameworks/Drud Secrets Helper NP.app/Contents/MacOS/Drud Secrets Helper NP +276ms
  electron-osx-sign Signing... /var/folders/h0/v4jqhd0x713gyc3w91_y3g5r0000gn/T/electron-packager/mas-x64/Drud Secrets-mas-x64/Drud Secrets.app/Contents/Frameworks/Drud Secrets Helper NP.app +249ms
  electron-osx-sign Signing... /var/folders/h0/v4jqhd0x713gyc3w91_y3g5r0000gn/T/electron-packager/mas-x64/Drud Secrets-mas-x64/Drud Secrets.app/Contents/Frameworks/Drud Secrets Helper.app/Contents/MacOS/Drud Secrets Helper +256ms
  electron-osx-sign Signing... /var/folders/h0/v4jqhd0x713gyc3w91_y3g5r0000gn/T/electron-packager/mas-x64/Drud Secrets-mas-x64/Drud Secrets.app/Contents/Frameworks/Drud Secrets Helper.app +290ms
  electron-osx-sign Signing... /var/folders/h0/v4jqhd0x713gyc3w91_y3g5r0000gn/T/electron-packager/mas-x64/Drud Secrets-mas-x64/Drud Secrets.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Electron Framework +261ms
  electron-osx-sign Signing... /var/folders/h0/v4jqhd0x713gyc3w91_y3g5r0000gn/T/electron-packager/mas-x64/Drud Secrets-mas-x64/Drud Secrets.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libffmpeg.dylib +1s
  electron-osx-sign Signing... /var/folders/h0/v4jqhd0x713gyc3w91_y3g5r0000gn/T/electron-packager/mas-x64/Drud Secrets-mas-x64/Drud Secrets.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libnode.dylib +276ms
  electron-osx-sign Signing... /var/folders/h0/v4jqhd0x713gyc3w91_y3g5r0000gn/T/electron-packager/mas-x64/Drud Secrets-mas-x64/Drud Secrets.app/Contents/Frameworks/Electron Framework.framework +475ms
  electron-osx-sign Signing... /var/folders/h0/v4jqhd0x713gyc3w91_y3g5r0000gn/T/electron-packager/mas-x64/Drud Secrets-mas-x64/Drud Secrets.app/Contents/MacOS/Drud Secrets +1s
  electron-osx-sign Signing... /var/folders/h0/v4jqhd0x713gyc3w91_y3g5r0000gn/T/electron-packager/mas-x64/Drud Secrets-mas-x64/Drud Secrets.app +260ms
  electron-osx-sign Verifying sign... +290ms
  electron-osx-sign Verifying entitlements... +89ms
Packaging app for platform win32 x64 using electron v1.1.0
packaged to /Users/dbondy/sites/secrets-electron/releases/Drud Secrets-linux-ia32,/Users/dbondy/sites/secrets-electron/releases/Drud Secrets-win32-ia32,/Users/dbondy/sites/secrets-electron/releases/Drud Secrets-darwin-x64,/Users/dbondy/sites/secrets-electron/releases/Drud Secrets-linux-x64,/Users/dbondy/sites/secrets-electron/releases/Drud Secrets-mas-x64,/Users/dbondy/sites/secrets-electron/releases/Drud Secrets-win32-x64

with DEBUG=electron-packager

> node build/package.js

  electron-packager Electron Packager 7.7.0 +0ms
  electron-packager Node v6.6.0 +3ms
  electron-packager Host Operating system: darwin (x64) +1ms
  electron-packager Target Platforms: darwin, linux, mas, win32 +0ms
  electron-packager Target Architectures: ia32, x64 +0ms
  electron-packager Application name: Drud Secrets +0ms
  electron-packager Target Electron version: 1.1.0 +0ms
  electron-packager Ignored path regular expressions:
* /node_modules/electron($|/)
* /node_modules/electron-prebuilt($|/)
* /node_modules/electron-packager($|/)
* /\.git($|/)
* /node_modules/\.bin($|/) +0ms
Packaging app for platform linux ia32 using electron v1.1.0
Packaging app for platform win32 ia32 using electron v1.1.0
  electron-packager Running rcedit with the options {"version-string":{},"product-version":"1.0.0"} +3s
Packaging app for platform darwin x64 using electron v1.1.0
  electron-packager Running electron-osx-sign with the options {"identity":"Developer ID Application: New Media Solutions Inc (A456A838HF)","provisioning-profile":"/Users/dbondy/Library/MobileDevice/Provisioning Profiles/472d4411-dc27-4f8e-bc2f-cd11d75d380b.provisionprofile","platform":"darwin","app":"/var/folders/h0/v4jqhd0x713gyc3w91_y3g5r0000gn/T/electron-packager/darwin-x64/Drud Secrets-darwin-x64/Drud Secrets.app"} +7s
Packaging app for platform linux x64 using electron v1.1.0
Packaging app for platform mas x64 using electron v1.1.0
  electron-packager Running electron-osx-sign with the options {"identity":"Developer ID Application: New Media Solutions Inc (A456A838HF)","provisioning-profile":"/Users/dbondy/Library/MobileDevice/Provisioning Profiles/472d4411-dc27-4f8e-bc2f-cd11d75d380b.provisionprofile","platform":"mas","app":"/var/folders/h0/v4jqhd0x713gyc3w91_y3g5r0000gn/T/electron-packager/mas-x64/Drud Secrets-mas-x64/Drud Secrets.app"} +11s
Packaging app for platform win32 x64 using electron v1.1.0
  electron-packager Running rcedit with the options {"version-string":{},"product-version":"1.0.0"} +7s
packaged to /Users/dbondy/sites/secrets-electron/releases/Drud Secrets-linux-ia32,/Users/dbondy/sites/secrets-electron/releases/Drud Secrets-win32-ia32,/Users/dbondy/sites/secrets-electron/releases/Drud Secrets-darwin-x64,/Users/dbondy/sites/secrets-electron/releases/Drud Secrets-linux-x64,/Users/dbondy/sites/secrets-electron/releases/Drud Secrets-mas-x64,/Users/dbondy/sites/secrets-electron/releases/Drud Secrets-win32-x64

I did also run a few of the codesign and security commands to verify the signing of the app and everything looks verified there but if you need me to provide some of those outputs as well let me know.

Any help would be greatly appreciated!

Use binaries option to sign compiled node addons

How can the binaries option be used to sign compiled node addons? Right now, I have the option specified like this:

{
  binaries: "My App.app/Contents/Resources/app/node_modules/screen-recorder/build/Release/addon.node"
}

The signing and packaging process completes without errors, and can be uploaded to iTunes Connect, but it is later rejected because the addon.node is not signed.

Postinstall scripts not working

I'm trying to include a postinstall script in my pkg but it doesn't seem to work.

electron-osx-flat MyApp.app --identity="3rd Party Mac Developer Installer: BLAHBLAH LTD (******)" --scripts="./scripts/" --install="/Applications"

./scripts/postinstall

mkdir ~/test

I run the install and the ~/test folder is not there. Hoping this is a pebkac; what am I doing wrong?

Wiki: Clarification on codesign acceptance

Only targets (signed) are accepted by signature check:

  • Developer ID Application/Installer: These targets are for distribution outside the Mac App Store only and are paired with Electron darwin builds.
  • Mac App Store: These targets are obtained from the Mac App Store; it's worth noting that these are not equivalent to apps signed with 3rd Party Mac Developer Application/Installer. The signature minded to an app changes somewhere at Apple. In other words, targets signed with 3rd Party Mac Developer Application/Installer will not be accepted by Gatekeeper, which case is different from those with Developer ID Application/Installer.

The check-signature tool from Apple (ref: https://developer.apple.com/downloads/?=SignatureCheck) works in a same way.

More: https://developer.apple.com/library/mac/technotes/tn2206/_index.html#//apple_ref/doc/uid/DTS40007919-CH1-TNTAG400

Feature request - additional binary files to sign

For one of my apps, there are additional binary files that the app uses (makes shell calls). These have to be signed in order for the app to be accepted to the MAS. I'm not able to fully use electron-osx-sign for this app because of these binaries. It would be great if there was a parameter to specify additional files that will be signed. Perhaps a comma-delimited list of files?

--additional-binaries=Resources/app/binary1,Resources/app/binary1

no application identifier provided error on boot up

I'm stumped. I package the app with electron-packager, sign with electron-osx-sign. There are no errors, debug is enabled and I can see everything is being signed properly, and all the verifications pass - in fact I can even upload it to iTunes Connect. The thing is, actually loading the app provides the following errors which appear to me to look like the entitlements haven't been applied:

2016-06-08 11:20:59.446 AM taskgated[112]: no application identifier provided, can't use provisioning profiles [pid=73634]

2016-06-08 11:21:04.370 AM sandboxd[122]: ([73634]) MyApp(73634) deny file-read-data /

2016-06-08 11:21:05.139 AM MyApp Helper[73635]: <<<< VTVideoEncoderSelection >>>> VTSelectAndCreateVideoEncoderInstanceInternal: no video encoder found for 'avc1'

(a few more video encoder type errors, which really make no sense)

2016-06-08 11:21:05.368 AM sandboxd[122]: ([73634]) MyApp(73634) deny mach-lookup com.apple.networkd

The entitlements are all there, including the com.apple.security.application-groups.

I've tried reinstalling everything, rerunning electron-rebuild, and I can't get anywhere with this. The one odd thing is is I've noticed a few odd unicode characters preceding the entitlements string dump when debug=electron-osx-sign is set.

The oddest thing - the app was working fine, but I couldn't upload it to iTunes as it was failing the codesign checks in the application loader. Now it passes those codesign checks, but I can't actually run the packaged app on my test system (with the darwin build, rather than the MAS build).

OSX flat packages dont install app to /Applications

When I create a package with electron-packager (or electron-osx-flat + signing), the installer pkg will run fine and contain all of the app's data—but it will not get installed to the /Applications folder. Why is this, and how can I make sure to produce working (Non-MAS) installer bundles?

Code sign failed; please retry manually. Error: No identity found for signing.

Hi,

Not sure if this is the correct place for this issue, however I'm getting the following error when attempting to build electron.

Is this a configuration issue, or perhaps a bug?

Installing production dependencies into Electron Build Package
[email protected] tmp/electron-build-tmp/node_modules/electron-debug
├── [email protected]
└── [email protected]
Installed and bundled electron-debug@^1.0.0
Installing Electron headers for version 1.1.2
Recompiling native dependencies
The cache parameter is deprecated, use download.cache instead
Packaging app for platform darwin x64 using electron v0.37.5
Code sign failed; please retry manually. Error: No identity found for signing.
    at /Users/mateodelnorte/development/cardstack-desktop/node_modules/electron-osx-sign/index.js:49:28
    at ChildProcess.exithandler (child_process.js:193:7)
    at emitTwo (events.js:106:13)
    at ChildProcess.emit (events.js:191:7)
    at maybeClose (internal/child_process.js:852:16)
    at Socket.<anonymous> (internal/child_process.js:323:11)
    at emitOne (events.js:96:13)
    at Socket.emit (events.js:188:7)
    at Pipe._handle.close [as _onclose] (net.js:492:12)

I'm on El Capitan version 10.11.5 (15F34)
node --version: v6.3.0
electron --version: v1.3.1

Usage of sync methods

electron-builder tests executed in parallel And build can be in parallel (e.g. build mas and osx builds).

Don't you mind if I will fix it and will use Bluebird?

Mac Os (MAS) sandbox build freezes after being code-signed - The <app> Helper.app

OS: 10.11.6

electron-builder: 7.11.4
npm: 3.10.9
electron: 1.4.2

Mac App store

As soon as the mac app-store built is signed, when the app is launched, it freezes, particularly, the BrowserWindow.

After doing a lot of digging, I've narrowed the issue to the Helper.app being signed. As soon as that's signed - problem.

Please help. I spent many hours yesterday of banging my head against the wall until 3 am until I gave up. Maybe something is wrong with my entitlements?

I made a very basic "hello world" app to do the testing.

Here is my child.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
    <key>com.apple.security.application-groups</key>
    <string>U3AQW9824Q.com.projector.screenmeet.testbuild</string>
  </dict>
</plist>

parent.plist:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
    <key>com.apple.security.application-groups</key>
    <string>U3AQW9824Q.com.projector.screenmeet.testbuild</string>
  </dict>
</plist>

build section from my package.json:

  "build": {
    "appId": "com.projector.screenmeet.testbuild",
    "asar" : false,
    "mac": {
      "target" : "mas",
      "category": "public.app-category.productivity",
      "identity" : "U3AQW9824Q"
    },
    "mas" : {
      "identity" : "U3AQW9824Q",
      "entitlements": "child.plist",
      "category": "public.app-category.productivity",
      "entitlementsInherit" : "parent.plist"

    }
  },

And finally, the build output:


Skip app dependencies rebuild because dev and app dependencies are not separated
Packaging for platform mas x64 using electron 1.4.3 to dist/mas

Warning: Application icon is not set, default Electron icon will be used
Signing app (identity: 3rd Party Mac Developer Application: Projector LLC (U3AQW9824Q))

  electron-osx-sign Pre-sign operation enabled for entitlements automation with versions >= `1.1.1`; disable by setting `pre-auto-entitlements` to `false`. +0ms
  electron-osx-sign Automating entitlement app group... +1ms
  electron-osx-sign:warn `ElectronTeamID` not found in `Info.plist`, use parsed from signing identity: U3AQW9824Q +4ms
  electron-osx-sign `com.apple.security.application-groups` found in entitlements file: U3AQW9824Q.com.projector.screenmeet.testbuild +3ms
  electron-osx-sign Signing application... +1ms
  electron-osx-sign > application         /Users/eugene/WebstormProjects/testbuild/dist/mas/AwesomeTestApp.app +0ms
  electron-osx-sign > platform            mas +0ms
  electron-osx-sign > entitlements        child.plist +0ms
  electron-osx-sign > child-entitlements  parent.plist +0ms
  electron-osx-sign > additional-binaries undefined +0ms
  electron-osx-sign > identity            3rd Party Mac Developer Application: Projector LLC (U3AQW9824Q) +0ms
  electron-osx-sign Signing... /Users/eugene/WebstormProjects/testbuild/dist/mas/AwesomeTestApp.app/Contents/Frameworks/AwesomeTestApp Helper EH.app/Contents/MacOS/AwesomeTestApp Helper EH +36ms
  electron-osx-sign Signing... /Users/eugene/WebstormProjects/testbuild/dist/mas/AwesomeTestApp.app/Contents/Frameworks/AwesomeTestApp Helper EH.app +213ms
  electron-osx-sign Signing... /Users/eugene/WebstormProjects/testbuild/dist/mas/AwesomeTestApp.app/Contents/Frameworks/AwesomeTestApp Helper NP.app/Contents/MacOS/AwesomeTestApp Helper NP +216ms
  electron-osx-sign Signing... /Users/eugene/WebstormProjects/testbuild/dist/mas/AwesomeTestApp.app/Contents/Frameworks/AwesomeTestApp Helper NP.app +214ms
  electron-osx-sign Signing... /Users/eugene/WebstormProjects/testbuild/dist/mas/AwesomeTestApp.app/Contents/Frameworks/AwesomeTestApp Helper.app/Contents/MacOS/AwesomeTestApp Helper +214ms
  electron-osx-sign Signing... /Users/eugene/WebstormProjects/testbuild/dist/mas/AwesomeTestApp.app/Contents/Frameworks/AwesomeTestApp Helper.app +210ms
  electron-osx-sign Signing... /Users/eugene/WebstormProjects/testbuild/dist/mas/AwesomeTestApp.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Electron Framework +215ms
  electron-osx-sign Signing... /Users/eugene/WebstormProjects/testbuild/dist/mas/AwesomeTestApp.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libffmpeg.dylib +1s
  electron-osx-sign Signing... /Users/eugene/WebstormProjects/testbuild/dist/mas/AwesomeTestApp.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libnode.dylib +260ms
  electron-osx-sign Signing... /Users/eugene/WebstormProjects/testbuild/dist/mas/AwesomeTestApp.app/Contents/Frameworks/Electron Framework.framework +501ms
  electron-osx-sign Signing... /Users/eugene/WebstormProjects/testbuild/dist/mas/AwesomeTestApp.app/Contents/MacOS/AwesomeTestApp +4s
  electron-osx-sign Signing... /Users/eugene/WebstormProjects/testbuild/dist/mas/AwesomeTestApp.app +235ms
  electron-osx-sign Verifying... +235ms
  electron-osx-sign Verifying application bundle with codesign... +0ms
  electron-osx-sign Result:
--prepared:/Users/eugene/WebstormProjects/testbuild/dist/mas/AwesomeTestApp.app/Contents/Frameworks/AwesomeTestApp Helper.app
--validated:/Users/eugene/WebstormProjects/testbuild/dist/mas/AwesomeTestApp.app/Contents/Frameworks/AwesomeTestApp Helper.app
--prepared:/Users/eugene/WebstormProjects/testbuild/dist/mas/AwesomeTestApp.app/Contents/Frameworks/AwesomeTestApp Helper NP.app--prepared:/Users/eugene/WebstormProjects/testbuild/dist/mas/AwesomeTestApp.app/Contents/Frameworks/AwesomeTestApp Helper EH.app

--validated:/Users/eugene/WebstormProjects/testbuild/dist/mas/AwesomeTestApp.app/Contents/Frameworks/AwesomeTestApp Helper NP.app
--validated:/Users/eugene/WebstormProjects/testbuild/dist/mas/AwesomeTestApp.app/Contents/Frameworks/AwesomeTestApp Helper EH.app
--prepared:/Users/eugene/WebstormProjects/testbuild/dist/mas/AwesomeTestApp.app/Contents/Frameworks/Electron Framework.framework/Versions/Current/.
--validated:/Users/eugene/WebstormProjects/testbuild/dist/mas/AwesomeTestApp.app/Contents/Frameworks/Electron Framework.framework/Versions/Current/.
/Users/eugene/WebstormProjects/testbuild/dist/mas/AwesomeTestApp.app: valid on disk
/Users/eugene/WebstormProjects/testbuild/dist/mas/AwesomeTestApp.app: satisfies its Designated Requirement
 +609ms
  electron-osx-sign Verified. +0ms
  electron-osx-sign Displaying entitlements... +0ms
  electron-osx-sign Entitlements (prefixed with blob header):
��qq�<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
    <key>com.apple.security.application-groups</key>
    <string>U3AQW9824Q.com.projector.screenmeet.testbuild</string>
  </dict>
</plist> +17ms
  electron-osx-sign Application signed. +0ms
Signing app (identity: 3rd Party Mac Developer Application: Projector LLC (U3AQW9824Q))

  electron-osx-sign Pre-sign operation enabled for entitlements automation with versions >= `1.1.1`; disable by setting `pre-auto-entitlements` to `false`. +432ms
  electron-osx-sign Automating entitlement app group... +0ms
  electron-osx-sign `ElectronTeamID` found in `Info.plist`: U3AQW9824Q +2ms
  electron-osx-sign `com.apple.security.application-groups` found in entitlements file: U3AQW9824Q.com.projector.screenmeet.testbuild +0ms
  electron-osx-sign Signing application... +0ms
  electron-osx-sign > application         /Users/eugene/WebstormProjects/testbuild/dist/mas/AwesomeTestApp.app +0ms
  electron-osx-sign > platform            mas +0ms
  electron-osx-sign > entitlements        child.plist +0ms
  electron-osx-sign > child-entitlements  parent.plist +0ms
  electron-osx-sign > additional-binaries undefined +0ms
  electron-osx-sign > identity            3rd Party Mac Developer Application: Projector LLC (U3AQW9824Q) +0ms
  electron-osx-sign Signing... /Users/eugene/WebstormProjects/testbuild/dist/mas/AwesomeTestApp.app/Contents/Frameworks/AwesomeTestApp Helper EH.app/Contents/MacOS/AwesomeTestApp Helper EH +41ms
  electron-osx-sign Signing... /Users/eugene/WebstormProjects/testbuild/dist/mas/AwesomeTestApp.app/Contents/Frameworks/AwesomeTestApp Helper EH.app +216ms
  electron-osx-sign Signing... /Users/eugene/WebstormProjects/testbuild/dist/mas/AwesomeTestApp.app/Contents/Frameworks/AwesomeTestApp Helper NP.app/Contents/MacOS/AwesomeTestApp Helper NP +214ms
  electron-osx-sign Signing... /Users/eugene/WebstormProjects/testbuild/dist/mas/AwesomeTestApp.app/Contents/Frameworks/AwesomeTestApp Helper NP.app +215ms
  electron-osx-sign Signing... /Users/eugene/WebstormProjects/testbuild/dist/mas/AwesomeTestApp.app/Contents/Frameworks/AwesomeTestApp Helper.app/Contents/MacOS/AwesomeTestApp Helper +214ms
  electron-osx-sign Signing... /Users/eugene/WebstormProjects/testbuild/dist/mas/AwesomeTestApp.app/Contents/Frameworks/AwesomeTestApp Helper.app +213ms
  electron-osx-sign Signing... /Users/eugene/WebstormProjects/testbuild/dist/mas/AwesomeTestApp.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Electron Framework +215ms
  electron-osx-sign Signing... /Users/eugene/WebstormProjects/testbuild/dist/mas/AwesomeTestApp.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libffmpeg.dylib +1s
  electron-osx-sign Signing... /Users/eugene/WebstormProjects/testbuild/dist/mas/AwesomeTestApp.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libnode.dylib +251ms
  electron-osx-sign Signing... /Users/eugene/WebstormProjects/testbuild/dist/mas/AwesomeTestApp.app/Contents/Frameworks/Electron Framework.framework +460ms
node_modules
  electron-osx-sign Signing... /Users/eugene/WebstormProjects/testbuild/dist/mas/AwesomeTestApp.app/Contents/MacOS/AwesomeTestApp +1s
  electron-osx-sign Signing... /Users/eugene/WebstormProjects/testbuild/dist/mas/AwesomeTestApp.app +233ms
  electron-osx-sign Verifying... +235ms
  electron-osx-sign Verifying application bundle with codesign... +0ms
  electron-osx-sign Result:
--prepared:/Users/eugene/WebstormProjects/testbuild/dist/mas/AwesomeTestApp.app/Contents/Frameworks/AwesomeTestApp Helper NP.app
--validated:/Users/eugene/WebstormProjects/testbuild/dist/mas/AwesomeTestApp.app/Contents/Frameworks/AwesomeTestApp Helper NP.app
--prepared:/Users/eugene/WebstormProjects/testbuild/dist/mas/AwesomeTestApp.app/Contents/Frameworks/AwesomeTestApp Helper EH.app
--prepared:/Users/eugene/WebstormProjects/testbuild/dist/mas/AwesomeTestApp.app/Contents/Frameworks/AwesomeTestApp Helper.app
--validated:/Users/eugene/WebstormProjects/testbuild/dist/mas/AwesomeTestApp.app/Contents/Frameworks/AwesomeTestApp Helper EH.app
--validated:/Users/eugene/WebstormProjects/testbuild/dist/mas/AwesomeTestApp.app/Contents/Frameworks/AwesomeTestApp Helper.app
--prepared:/Users/eugene/WebstormProjects/testbuild/dist/mas/AwesomeTestApp.app/Contents/Frameworks/Electron Framework.framework/Versions/Current/.
--validated:/Users/eugene/WebstormProjects/testbuild/dist/mas/AwesomeTestApp.app/Contents/Frameworks/Electron Framework.framework/Versions/Current/.
/Users/eugene/WebstormProjects/testbuild/dist/mas/AwesomeTestApp.app: valid on disk
/Users/eugene/WebstormProjects/testbuild/dist/mas/AwesomeTestApp.app: satisfies its Designated Requirement
 +608ms
  electron-osx-sign Verified. +1ms
  electron-osx-sign Displaying entitlements... +0ms
  electron-osx-sign Entitlements (prefixed with blob header):
��qq�<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
    <key>com.apple.security.application-groups</key>
    <string>U3AQW9824Q.com.projector.screenmeet.testbuild</string>
  </dict>
</plist> +17ms
  electron-osx-sign Application signed. +0ms
  electron-osx-sign:warn No `install` passed in arguments, will fallback to default `/Applications`. +2ms
  electron-osx-sign Flattening application... +431ms
  electron-osx-sign > application    /Users/eugene/WebstormProjects/testbuild/dist/mas/AwesomeTestApp.app +0ms
  electron-osx-sign > package-output /Users/eugene/WebstormProjects/testbuild/dist/mas/AwesomeTestApp-1.0.3.pkg +0ms
  electron-osx-sign > install-path   /Applications +1ms
node_modules
  electron-osx-sign > identity       3rd Party Mac Developer Installer: Projector LLC (U3AQW9824Q) +0ms
  electron-osx-sign Flattening... /Users/eugene/WebstormProjects/testbuild/dist/mas/AwesomeTestApp.app +0ms
  electron-osx-sign Application flattened. +7s
MacBook-Pro:testbuild eugene$ ./dist/mas/AwesomeTestApp.app/Contents/Resources/
am.lproj/     bg.lproj/     cs.lproj/     el.lproj/     es.lproj/     fa.lproj/     fr.lproj/     hi.lproj/     id.lproj/     kn.lproj/     lv.lproj/     ms.lproj/     pl.lproj/     ro.lproj/     sl.lproj/     sw.lproj/     th.lproj/     vi.lproj/
app/          bn.lproj/     da.lproj/     en.lproj/     es_419.lproj/ fi.lproj/     gu.lproj/     hr.lproj/     it.lproj/     ko.lproj/     ml.lproj/     nb.lproj/     pt_BR.lproj/  ru.lproj/     sr.lproj/     ta.lproj/     tr.lproj/     zh_CN.lproj/
ar.lproj/     ca.lproj/     de.lproj/     en_GB.lproj/  et.lproj/     fil.lproj/    he.lproj/     hu.lproj/     ja.lproj/     lt.lproj/     mr.lproj/     nl.lproj/     pt_PT.lproj/  sk.lproj/     sv.lproj/     te.lproj/     uk.lproj/     zh_TW.lproj/

Windows Signing

This is somewhat off-topic for OSX utility, but do you have any plans to work on a similar tool for Windows? I've written up a tutorial on how to do it here http://verysimple.com/2016/02/19/code-signing-applications-for-microsoft-windows/

I think the process could be automated similarly to how osx-sign and osx-flat have automated the process for OSX. (Although a flatten tool might not be necessary since that functionality is already available via windows-builder.)

iTunes: Files Only Readable By The Root User

After submitting my package to iTunes, I got this message back:

Files Only Readable By The Root User - The installer package includes files that are only readable by the root user. This will prevent verification of the application's code signature when your app is run. Ensure that non-root users can read the files in your app.

How to fix?

opt 'ignore', logic err?

index.js line:291

if (typeof opts.ignore !== 'function' || typeof opts.ignore !== 'string') return cb(new Error('Ignore filter should be either a function or a string.'))

Providing control over which files are signed

My OS X app includes an iOS .app inside of it (the OS X app is a developer tool that lets people install the iOS app on the iOS simulator for development). I sign the OS X app using electron-packager by passing in 'osx-sign': { identity: 'Developer ID Application: Organization (AAAAAAAAAA)' }, which seems to work fine until electron-osx-sign discovers the iOS .app in my app's resources and tries to sign it.

I looked through the code and didn't see a way to control if a file gets signed or not. What kind of API do you think would be good to provide this feature?

Invalid Signature and signed app isn't running correctly

Sorry in advance if I overlooked something obvious. I've tried to make this work for some hours now, and I'm out of ideas.

I developed a Mac app using electron and everything works as expected after packaging with electron-packager. Now I want to submit the app to the mac app store.

After packaging I'm signing the app using electron-osx-sign --identity="xyz" name.app and then I'm flattening it with electron-osx-flat --identity="xyz" name.app (it doesn't work without me specifying the identity, although this is the first app that I'm signing) and submit the created .pkg file to Application Loader.

The first problem is that the signed .app file doesn't work correctly anymore. If I try to execute it, the app starts with a window it usually doesn't have and doesn't respond at all:

bildschirmfoto 2016-06-19 um 18 23 28

I'm not sure if I'm still supposed to be able to execute apps that were signed for the MAS, so maybe this is just expected behaviour? Otherwise this may hint to something going wrong when signing.

The second problem: Application Loader accepts the .pkg file without any errors and uploads it to iTunes, but afterwards I get an email stating this error:

Invalid Signature - This error occurs when you have signed your app's installer incorrectly. There are two certs required for this process: the "3rd Party Mac Developer Application" cert and the "3rd Party Mac Developer Installer" cert. When signing your package, you need to ensure that you are using the Installer cert to sign your package. Ensure that you are specifying this cert when submitting your app via the Xcode Organizer or when running productbuild from the command line.

I do have those two certs and when signing/flattening several certs were requested, so I'm not sure what's going wrong. I'm not calling productbuild myself, electron-osx-flat is doing that right?

Do you guys have any idea what I might do wrong?

(The xyz in --identity="xyz" from above is the string in the parentheses of "3rd Party Mac Developer Installer: myname (xyz)".)

Packaging macOS applications with a self-signed certificate fails

Using [email protected] which I assume is something like a recent master of this repo (see #82).

Using a self-signed certificate passes codesign --verify but does not pass spctl --assess aka Gatekeeper.

Error: Failed to pass Gatekeeper: : Error: Command failed: spctl --assess --type execute --verbose --ignore-cache --no-cache dist/mac/MyApp.app
dist/mac/MyApp.app: rejected
    at node_modules/electron-osx-sign-tf/index.js:215:12
    at node_modules/electron-osx-sign-tf/index.js:302:64

In my understanding spctl failing is expected and can not be circumented with self-signed certificates and is the equivalent of seeing "This application is from an unidentified developer" when trying to execute the given application.

However I think letting self-signed applications through is still a valid use case, because:

  • Automatic updates require signed applications (self-signed are fine).
  • Self-signed applications will still be verified for integrity an not execute when currupted.

Maybe have an option to opt-out from the spctl check?

TypeError: undefined is not a function

Every time I try and sign my packaged app, I get this error. Does anyone know how I can fix it??
I'm using all of the latest updates and standard build settings and get this whether I try it with electron-packager or by itself with electron-sox-sign from CLI.

Error message:

/usr/local/lib/node_modules/electron-packager/node_modules/electron-osx-sign/index.js:111
if (path.extname(filePath).includes(' ')) {
^
TypeError: undefined is not a function
at /usr/local/lib/node_modules/electron-packager/node_modules/electron-osx-sign/index.js:111:40
at Array.forEach (native)
at walkSync (/usr/local/lib/node_modules/electron-packager/node_modules/electron-osx-sign/index.js:88:29)
at /usr/local/lib/node_modules/electron-packager/node_modules/electron-osx-sign/index.js:122:9
at Array.forEach (native)
at walkSync (/usr/local/lib/node_modules/electron-packager/node_modules/electron-osx-sign/index.js:88:29)
at /usr/local/lib/node_modules/electron-packager/node_modules/electron-osx-sign/index.js:122:9
at Array.forEach (native)
at walkSync (/usr/local/lib/node_modules/electron-packager/node_modules/electron-osx-sign/index.js:88:29)
at /usr/local/lib/node_modules/electron-packager/node_modules/electron-osx-sign/index.js:122:9
at Array.forEach (native)
at walkSync (/usr/local/lib/node_modules/electron-packager/node_modules/electron-osx-sign/index.js:88:29)
at /usr/local/lib/node_modules/electron-packager/node_modules/electron-osx-sign/index.js:122:9
at Array.forEach (native)
at walkSync (/usr/local/lib/node_modules/electron-packager/node_modules/electron-osx-sign/index.js:88:29)
at /usr/local/lib/node_modules/electron-packager/node_modules/electron-osx-sign/index.js:122:9
MacBook-Pro-3:buildthis3 Scott Barrington$

Building mas package file needs a different signing identity

Need to be able to pass two `identity'

  1. 3rd Party Mac Developer Application: Company (XXX) for signing the '.app'
  2. '3rd Party Mac Developer Installer: Company (XXX) for signing the '.pkg'

I cannot just let electron find the identity as there are multiple identities installed on my computer/ci machine.

Not Effect After Sign

I set config below and passed well.

const sign = require('electron-osx-sign');
sign({
      app: path.join(cwd, './release/xxx.app'),
      entitlements: path.join(__dirname, './parent.plist'),
      'entitlements-inherit': path.join(__dirname, './child.plist'),
      'identity': 'Mac Developer: Xiaofeng Mao (52D7B5F3L7)',
      'platform': 'darwin',
      'version': config.version,
    }, (error) => {
      if (!error) {
        console.log('signed success');
    }
});

print signed success until i checked my app by spctl -a -v xxx.app
result is xxx.app: rejected

tried many times and exhausted. please give me some tips~

Electron v0.36.8 compatibility: libffmpeg.dylib

In the change log of the most recent release of Electron v0.36.8 mentioned "Link with ffmpeg dynamically". Despite whether adding ffmpeg.dylib into mas builds will cause rejection from iTC, detection of ffmpeg.dylib will have to be added for code-signing.
@jasonhinkle did you request signing with additional binaries for adding ffmpeg.dylib earlier?

Enhancement idea: add optional codesign validation after codesigning is complete

I think it'd be helpful to have an option that verifies the code signature as part of the process and fails if it fails. This would have helped me in a recent issue I ran into.

Running something like:

codesign --verify --deep --strict MyApp.app/

I recently ran into an issue where a bundled dependency was being mysteriously modified after signing (which invalidates the signature). It looked like everything was working because I could run the app on my machine without any security issues but when I downloaded it from the internet, it wouldn't run. I've now incorporated this command into my build process to surface this issue much sooner, but I think having this here (and by extension in electron-builder) would be an improvement. I might have time to work on a PR if you'd like, just thought I'd float the idea first. Thanks!

ITMS-90135 - app may have been built or signed with non-compliant or pre-release tools

Signing the app with electron-osx-sign. Debug enabled, there are no errors, everything appears fine. When trying to load the app through Application Loader, however, I get this worse than useless error message:

ERROR ITMS-90135: "The executable could not be re-signed for submission to the App Store. The app may have been built or signed with non-compliant or pre-release tools."

My app contains a native module - node-spellcheck, and so I sign the binaries for that (hunspell.a and spellcheck.node) as well (I've tried without that, and it still gives me the same error).

I'm at a complete loss.

Helper IDs

This is fantastic. I've used this app to sign my application and I've nearly gotten through every issue to submit to the MAS with just two remaining.

The Frameworks have three Helper apps Helper, Helper.EH and Helper.NP. Using your pull request to electron-packager I've created the package file and it correctly changes the bundle id for the helper, however the EH and NP bundle ids still have the original github.electron id. I went in and manually changed those IDs to com.mydomain.myapp.helper.EH and com.mydomain.myapp.helper.NP. The application loader is now down to just two errors. Basically it's the same error for each of those files:

"Bad CFBundleExecutable. Cannot find executable file that matches the value of CFBundleExecutable in the nested bundle Electron Helper EH [com.mydomain.myapp.pkg/Payload/MyApp.app/Contents/Frameworks/MyApp Helper EH.app] property list file"

I'm not sure if I've named these improperly in the plist files? Or do I need to add those bundle IDS on iTunes Connect? I'm kinda stumped at this point.

Thanks for any help on this!

.o files being present in node_modules cause Application Loader to reject .pkg file

If there are any .o files generated from native modules in node_modules during packaging, they will be present in the .app. This will cause Application Loader to reject the package with this error:

ERROR ITMS-90135: "The executable could not be re-signed for submission to the App Store. The app may have been built or signed with non-compliant or pre-release tools."

The easy fix is to clear out the .o files from node_modules before packaging. Not sure if this should be fixed in electron-osx-sign or electron-packager, but the issue doesn't manifest until .pkg and Application Loader get involved.

Set DEBUG environment variable to automatically set verbose mode

In a few packages that are dependencies of electron-packager, you can set the DEBUG environment variable to a comma-separated list of module names that (if they have support for it) will print debug information as they're run. (A known list is in electron-packager's CONTRIBUTING document.)

Since this package has opts.verbose, it would be nice if DEBUG was found to contain electron-osx-sign, then verbose mode was automatically enabled.

Feature request - create and sign package file

In my build script, after signing the .app I create a .pkg file and sign that. Because Application Loader requires the app to be packaged up for submission. You must have this file in order to submit the app to the app store.

Even though it is more than technically signing - it seems like it would be appropriate to include in electron-osx-sign because it is the final step for MAS preparation (and there is more signing involved).

Here is the code in my script that does this:

APP_PATH="MyApp.app"
RESULT_PATH="MyApp.pkg"
APP_KEY="3rd Party Mac Developer Application: Company, Inc (C123K93QGT)"
INSTALLER_KEY="3rd Party Mac Developer Installer: Company, Inc (C123K93QGT)"

# build the pkg installer file which application loader expects
productbuild --component "$APP_PATH" /Applications --sign "$INSTALLER_KEY" "$RESULT_PATH"

# sign the package file (seems redundant, but otherwise binary is rejected by itunesconnect)
codesign -fs "$APP_KEY" "$RESULT_PATH"

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.