Tags: macos, electron, electron-forge

Electron-forge & osx sign app result in "Binary is improperly signed."


I developed an electron app using the following "features":

I have no problem running the application, or building it if I don't sign it, but to make the auto-update work I absolutely need to sign it (and it's better for my customers).

Unfortunately, when I sign it and try to run it on Big Sur I get the following message:

From Finder:

You do not have permission to open the application “XX”

Contact your computer or network administrator for assistance.

From Terminal:

The application cannot be opened for an unexpected reason,
error=Error Domain=NSOSStatusErrorDomain Code=-10826 "kLSNoLaunchPermissionErr: User doesn't have permission to launch the app (managed networks)" 
UserInfo={_LSFunction=_LSLaunchWithRunningboard, _LSLine=2539, NSUnderlyingError=0x7f98fe4166d0 {Error Domain=RBSRequestErrorDomain Code=5 "Launch failed." 
UserInfo={NSLocalizedFailureReason=Launch failed., NSUnderlyingError=0x7f98fe418060 {Error Domain=NSPOSIXErrorDomain Code=153 "Unknown error: 153" 
UserInfo={NSLocalizedDescription=Launchd job spawn failed with error: 153}}}}}

And in both cases I have this message in Console / system.log:

May  3 11:00:32 XX com.apple.xpc.launchd[1] (application.ai.XX.note-taking.39302547.39303101[25454]): removing service since it exited with consistent failure - OS_REASON_CODESIGNING | When validating /Users/XX/Documents/XX/mr/XX-desktop/out/XX-darwin-x64/XX.app/Contents/MacOS/XX_Taking-Note:
      Code has restricted entitlements, but the validation of its code signature failed.
    Unsatisfied Entitlements: 
May  3 11:00:32 XX com.apple.xpc.launchd[1] (application.ai.XX.note-taking.39302547.39303101[25454]): Binary is improperly signed.

Catalina:

My colleague launched it from Catalina and got this error message:

System Integrity Protection: enabled
Crashed Thread:        0
Exception Type:        EXC_CRASH (Code Signature Invalid)
Exception Codes:       0x0000000000000000, 0x0000000000000000
Exception Note:        EXC_CORPSE_NOTIFY
Termination Reason:    Namespace CODESIGNING, Code 0x1

How is my app signed?

Using electron-osx-sign & electron-notarize with this forge config:

packagerConfig:  {
    appBundleId: 'ai.XX.note-taking',
    executableName: BUILD_NAME, //XX
    name: APP_NAME, //XX
    icon: iconPath,
    overwrite: true,
    asar: true,

    extendInfo: './info.extends.plist',

    protocols: {
      name: 'XX-note',
      schemes: ['XX-note'],
    },

    osxSign: {
      identity: OSX_CREDENTIALS.SIGN_ID, // Developer ID Application: TeamName (MYTEAMID)
      'hardened-runtime': true,
      entitlements: 'entitlements.plist',
      'entitlements-inherit': 'entitlements.plist',
      'entitlements-loginhelper': 'login.entitlements.plist',
      'signature-flags': 'library',
      // https://github.com/electron/electron-notarize/issues/54
      'gatekeeper-assess': false,
      verbose: true,
    },
    osxNotarize: {
      // appBundleId: 'ai.XX.note-taking', // (TESTED WITH & WITHOUT)
      appleId: OSX_CREDENTIALS.ID, // Apple ID e-mail (redacted)
      appleIdPassword: OSX_CREDENTIALS.PASSWORD, // app password
      // ascProvider: 'MYTEAMID', // (TESTED WITH & WITHOUT)
    },
  },

codesign --verify --verbose XX.app gives:

out/XX-darwin-x64/XX.app: valid on disk
out/XX-darwin-x64/XX.app: satisfies its Designated Requirement

My .plist files

login.entitlements.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
  </dict>
</plist>

info.extends.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>CFBundleURLTypes</key>
    <array>
      <dict>
        <key>CFBundleURLSchemes</key>
        <array>
          <string>XX-note</string>
        </array>
      </dict>
    </array>
    <key>NSDocumentsFolderUsageDescription</key>
    <true />
    <key>ElectronTeamID</key>
    <string>MYTEAMID</string>
    <key>NSAppTransportSecurity</key>
    <dict>
      <key>NSAllowsArbitraryLoads</key>
      <false/>
      <key>NSAllowsLocalNetworking</key>
      <true/>
    </dict>
  </dict>
</plist>

entitlements.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.cs.allow-jit</key>
    <true/>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
    <true/>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
  </dict>
</plist>

I really hope you can help me. I have tried to give you as much information as possible, and I have been looking everywhere for more than three days without solving my problem.

Already tried

  • developer.apple.com/forums/thread/666611?page=5
  • github.com/ElmarJ/Waterlooplein3D/issues/86
  • bestofreactjs.com/repo/infinitered-reactotron-react-development-tools
  • stackoverflow.com/questions/64842819/cant-run-app-because-of-permission-in-big-sur
  • github.com/upx/upx/issues/424
  • github.com/Squirrel/Squirrel.Mac/issues/204
  • github.com/Hardocs/desktop-app/issues/56
  • discussions.apple.com/thread/526166
  • ... AND MORE

Solution

  • I fixed this issue using this tutorial: https://kilianvalkhof.com/2019/electron/notarizing-your-electron-application/

    And this issue https://github.com/electron-userland/electron-builder/issues/3940

    My final config is:

        osxSign: {
          identity: 'Developer ID Application: MyTeam (TEAMID)',
          'hardened-runtime': true,
          entitlements: 'mac/entitlements.plist',
          'entitlements-inherit': 'mac/entitlements.plist',
          'signature-flags': 'library',
          // https://github.com/electron/electron-notarize/issues/54
          'gatekeeper-assess': false,
          verbose: true,
        },
    
        osxNotarize: {
          appleId: 'myemail',
          appleIdPassword: 'mypassword',
        },
    

    And mac/entitlements.plist is:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
      <dict>
        <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
        <true/>
        <key>com.apple.security.cs.disable-library-validation</key>
        <true/>
      </dict>
    </plist>
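The working configuration differs from the failing one mainly in which entitlements the app (and, through `entitlements-inherit`, its helper processes) is signed with. The following Python script is an added example and is not code from the question, the answer, electron-osx-sign or Apple: it loads the two entitlement files shown on this page (copied inline as constructed byte strings), diffs them, and lists the Hardened Runtime exceptions each one enables so the remaining ones can be justified. The `com.apple.security.inherit` check is a general App Sandbox consistency check for files reused as child entitlements, not a diagnosis of this particular failure.

```python
"""Added example: diff two electron-osx-sign entitlement plists and flag the
Hardened Runtime exceptions each one turns on (stdlib only, runs offline)."""
import plistlib
from typing import Any

# Constructed copy of the question's entitlements.plist (used for both
# `entitlements` and `entitlements-inherit` in the failing config).
ORIGINAL_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.cs.allow-jit</key>
    <true/>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
    <true/>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
  </dict>
</plist>
"""

# Constructed copy of the answer's mac/entitlements.plist (the working build).
FINAL_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
  </dict>
</plist>
"""

SANDBOX = "com.apple.security.app-sandbox"
INHERIT = "com.apple.security.inherit"

# Hardened Runtime exceptions that relax a protection; each one kept in a
# shipping build should have a reason (Electron needs some of them for V8).
HARDENED_RUNTIME_EXCEPTIONS = {
    "com.apple.security.cs.allow-jit": "allows MAP_JIT executable memory",
    "com.apple.security.cs.allow-unsigned-executable-memory": "allows unsigned executable pages",
    "com.apple.security.cs.allow-dyld-environment-variables": "honours DYLD_* variables",
    "com.apple.security.cs.disable-library-validation": "loads libraries not signed by the same Team ID",
}


def load_entitlements(data: bytes) -> dict[str, Any]:
    """Parse an XML entitlements plist; the root element must be a <dict>."""
    entitlements = plistlib.loads(data)
    if not isinstance(entitlements, dict):
        raise ValueError("entitlements plist must have a <dict> at its root")
    return entitlements


def diff_entitlements(before: dict[str, Any], after: dict[str, Any]) -> dict[str, list[str]]:
    """Report entitlement keys removed, added, or changed between two builds."""
    return {
        "removed": sorted(k for k in before if k not in after),
        "added": sorted(k for k in after if k not in before),
        "changed": sorted(k for k in before.keys() & after.keys() if before[k] != after[k]),
    }


def lint_entitlements(entitlements: dict[str, Any]) -> list[str]:
    """Flag odd value types, enabled Hardened Runtime exceptions, and a sandbox
    file that lacks the inherit key needed when it is reused for helpers."""
    findings = []
    for key, value in entitlements.items():
        if not isinstance(value, (bool, str, list)):
            findings.append(f"{key}: unexpected value type {type(value).__name__}")
        if key in HARDENED_RUNTIME_EXCEPTIONS and value is True:
            findings.append(f"{key}: {HARDENED_RUNTIME_EXCEPTIONS[key]}")
    if entitlements.get(SANDBOX) is True and INHERIT not in entitlements:
        findings.append(f"{SANDBOX} without {INHERIT}: not suitable as entitlements-inherit for helpers")
    return findings


if __name__ == "__main__":
    before = load_entitlements(ORIGINAL_ENTITLEMENTS)
    after = load_entitlements(FINAL_ENTITLEMENTS)
    for kind, keys in diff_entitlements(before, after).items():
        for key in keys:
            print(f"{kind:>8}: {key}")
    for label, ent in (("question", before), ("solution", after)):
        print(f"\n{label} entitlements:")
        for finding in lint_entitlements(ent):
            print("  -", finding)
```

Run it against your own `entitlements.plist` and `entitlements-inherit` files (or against `codesign -d --entitlements :- Foo.app` output saved to a file) to see exactly what changes between a build that launches and one that launchd rejects with OS_REASON_CODESIGNING.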