Code signing fails with a simple rejected during packaging:
Packaging Application
WARNING: Code sign failed; please retry manually. Error: Command failed: spctl --assess --type execute --verbose --ignore-cache --no-cache /var/folders/kw/fp514mmd4djdrld7q8_ttp4r0000gr/T/electron-packager/darwin-x64/myapp-darwin-x64/myapp.app
/var/folders/kw/fp514mmd4djdrld7q8_ttp4r0000gr/T/electron-packager/darwin-x64/myapp-darwin-x64/myapp.app: rejected
After notarization, the app crashes with this error:
Crashed Thread: 0 Dispatch queue: com.apple.main-thread
Exception Type: EXC_BAD_ACCESS (SIGKILL (Code Signature Invalid))
Exception Codes: UNKNOWN_0x32 at 0x0000001e0000a5c0
Exception Codes: 0x0000000000000032, 0x0000001e0000a5c0
Exception Note: EXC_CORPSE_NOTIFY
Termination Reason: Namespace CODESIGNING, Code 2
These are my packaging options in electron.config.js:
osxSign: {
  identity: 'Developer ID Application: ### (###)',
},
osxNotarize: {
  appleId: '###',
  appleIdPassword: '###',
  teamId: '###',
  ascProvider: '###',
},
The certificate is listed in Xcode, Keychain Access and in security find-identity -p codesigning -v without warnings and with the related private key attached. I specified it in my config after experiencing the same behavior with the default configuration.
Any ideas what else to try, or what causes the rejection?
The problem was that new provisioning profiles / certificates require notarization to pass spctl checks. So gatekeeperAssess needs to be set to false for spctl. My version of @electron/osx-sign was outdated and did not take that into account. I had to update @electron-forge/* to >=6.0.4.
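An added example, not part of the original post or of the Electron tooling: a Node helper that runs the same spctl assessment shown in the question and reports whether a rejection is the signed-but-not-yet-notarized case the answer describes. The function names and sample outputs are constructed, and the `source=` strings are an assumption about spctl's verbose output.

```javascript
// Classify the text spctl prints for `--assess --type execute --verbose`.
// Returns { accepted, source, origin, diagnosis }.
function classifySpctl(output) {
  const verdict = /: (accepted|rejected)\s*$/m.exec(output);
  const source = /^source=(.+)$/m.exec(output);
  const origin = /^origin=(.+)$/m.exec(output);
  const result = {
    accepted: verdict !== null && verdict[1] === 'accepted',
    source: source ? source[1].trim() : null,
    origin: origin ? origin[1].trim() : null,
    diagnosis: 'unparsed',
  };
  if (result.accepted) {
    result.diagnosis = 'accepted';
  } else if (verdict && result.source === 'Unnotarized Developer ID') {
    // Signed with a Developer ID, but Gatekeeper has no notarization ticket yet.
    // Expected when assessing between the signing and notarization steps.
    result.diagnosis = 'rejected-unnotarized';
  } else if (verdict) {
    // Rejected for another reason, or spctl gave no source line.
    result.diagnosis = 'rejected';
  }
  return result;
}

// Run the assessment from the question's log against a packaged .app (macOS only).
function assessApp(appPath) {
  // Loaded lazily so classifySpctl can be used on saved output on any platform.
  const { spawnSync } = require('node:child_process');
  const run = spawnSync(
    'spctl',
    ['--assess', '--type', 'execute', '--verbose', '--ignore-cache', '--no-cache', appPath],
    { encoding: 'utf8' }
  );
  // spctl exits non-zero on rejection, so read both streams instead of throwing.
  return classifySpctl(`${run.stdout || ''}${run.stderr || ''}`);
}

// Constructed sample outputs (not captured from a real build).
const SAMPLE_BEFORE_NOTARIZE =
  '/tmp/myapp.app: rejected\nsource=Unnotarized Developer ID\n';
const SAMPLE_AFTER_NOTARIZE =
  '/tmp/myapp.app: accepted\nsource=Notarized Developer ID\n' +
  'origin=Developer ID Application: Example (TEAMID1234)\n';
```

Run `assessApp` on the final, notarized bundle rather than on the intermediate signed one; a `rejected-unnotarized` result at that stage means notarization did not complete for the artifact being shipped.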