Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Notarize app for macOS #3870

Closed
pashvin opened this issue May 2, 2019 · 83 comments
Closed

Notarize app for macOS #3870

pashvin opened this issue May 2, 2019 · 83 comments

Comments

@pashvin
Copy link

pashvin commented May 2, 2019

Is there any way to notarize app using electron builder?
Looks like Apple is going to force it soon. see link below
https://developer.apple.com/news/?id=04102019a

There is one npm module available but it will be nice this is supported by electron-builder.
https://github.com/electron-userland/electron-notarize

@martani
Copy link

martani commented May 14, 2019

I have users on OSX 10.14.5 reporting that the electron app can't be opened anymore.

Running spctl -a -t open --context context:primary-signature -v <pathToDMG> returns the following error:

Downloads/<pathToDMG>.dmg: rejected
source=Unnotarized Developer ID

It would be great if we have some option to notarize the app with electron-builder.

@Kilian
Copy link
Contributor

Kilian commented May 21, 2019

ticket #3908 mentions running electron-notarize yourself in the afterAllArtifactBuild step, but probably due to timing, this interferes with the publish step so is less than ideal. Having this integrated would be super helpful.

@Kilian
Copy link
Contributor

Kilian commented May 21, 2019

Also, this is blocked by #3504, otherwise you could roll your own with electron-notarize in the afterSign(not in the afterAllArtifactBuild step).

@wagslane
Copy link

Yeah this is a big issue :( all our Mac installs started breaking. Trying to figure out how we can do notarization using electron builder on a ci server (Travis) if anyone figures it out let me know!

@Kilian
Copy link
Contributor

Kilian commented May 23, 2019

I have a fix in #3912, once that lands you can call electron-notarize in the afterSign step and everthing works as expected. I'll write a blogpost about it once it's merged in/published :)

@wagslane
Copy link

I have a fix in #3912, once that lands you can call electron-notarize in the afterSign step and everthing works as expected. I'll write a blogpost about it once it's merged in/published :)

You're a a hero, I'm excited.

@Kilian
Copy link
Contributor

Kilian commented May 25, 2019

There's a few more things that need to happen, it seems. The DMG is also signed by electron-builder and anything that gets signed needs to be notarized or it won't be allowed to install. So we need one of two options:

  • A setting to turn off signing the DMG. This is less than ideal, but workable. This creates an unsigned, un-notarized DMG that installs a signed and notarized app. You'll likely get the unknown developer message.
  • An extra hook called after creating the dmg but before any of the electron-updater files (blockmap, latest-mac.yml) are created. The notarization process "staples" the dmg so the file changes, so it needs to run before any of the updater files are created. Instead of this, electron-notarize could add a setting where it doesn't staple the file after notarizing. This means a computer needs internet access to validate a notarization, but also means that the dmg does not change, and you can run notarize after all the update files have been created.

@Kilian
Copy link
Contributor

Kilian commented May 25, 2019

@develar is this something you could help coordinate?

@develar
Copy link
Member

develar commented May 25, 2019

electron-builder should use electron-notarize under the hood and user should not configure some hooks.

@develar
Copy link
Member

develar commented May 25, 2019

update files

For DMG currently updates files are not used by electron-updater.

@Kilian
Copy link
Contributor

Kilian commented May 25, 2019 via email

@Kilian
Copy link
Contributor

Kilian commented May 26, 2019

We're tracking an issue in #3828 that's preventing regular users from installing from an electron-builder generated dmg even though it is notarized.

@Kilian
Copy link
Contributor

Kilian commented May 26, 2019

The signing and notarizing of the app works with 20.42.0 using electron-notarize and (on macos 10.14.5) disabling electron-osx-sign's gatekeeper assessment. The signing and notarizing the dmg after its creation also works. If you check spctl -a -v for the app, and for the app inside the dmg, then the app is accepted and signed by a notarized developer id, so that all works as it should.

However, the dmg itself can only be opened by holding cmd, or right-clicking and selecting open. Additionally, users are greeted with an ominous message about malicious software.
Screenshot_26_05_2019__14_14

For Google-ability, this is the text in the image:

"Appname.dmg" can't be opened because Apple cannot check it for malicious software.

This software needs to be updated. Contact the developer for more information.

This is less than ideal. @martani found out that it's the "open" type assessment of the dmg is not being notarized, and we suspect that's the issue.

@Kilian
Copy link
Contributor

Kilian commented May 27, 2019

Solution found

When the DMG is not codesigned and not notarized, but the app inside it is, Gatekeeper accepts it.

So for the complete story regarding notarization with electron-builder we need two additional things:

  1. it needs to disable the gatekeeper assessment when calling electron-osx-sign
  2. the code that signs DMGs in dmg-builder should be removed (or there should be an option to disable it
  3. bonus: implement electron-notarize as a new step after sign.

@develar I'll make a PR for point 1 and 2.

@martani
Copy link

martani commented May 27, 2019

Awesome, thanks @Kilian! I can confirm your solution is working as expected.

@Kilian
Copy link
Contributor

Kilian commented Jun 4, 2019

And here's the guide on how to Notarize your app using electron-builder: https://kilianvalkhof.com/2019/electron/notarizing-your-electron-application/

@zaherg
Copy link

zaherg commented Jun 4, 2019

@Kilian thanks for the post, just a small note about dotenv you can have a file called electron-builder.env which will be read by electron-builder automatically and the values within it can be used automatically within your aftersign script

@puresick
Copy link

puresick commented Jun 5, 2019

@Kilian Thanks for the PR and the blogpost summarizing this.
There seems to be a bug with setting the { dmg: { sign: false } } option explicitly, because it gives me an error that this is an invalid configuration (with 20.43.0):

Error: Configuration is invalid.
 - configuration.dmg should be one of these:
   object { artifactName?, background?, backgroundColor?, contents?, format?, icon?, iconSize?, iconTextSize?, internetEnabled?, publish?, title?, window? } | {
     "type": "null"
   }
   macOS DMG options.
   
   Details:
    * configuration.dmg has an unknown property 'sign'. These properties are valid:
      object { artifactName?, background?, backgroundColor?, contents?, format?, icon?, iconSize?, iconTextSize?, internetEnabled?, publish?, title?, window? }
    * configuration.dmg should be null:
      {
        "type": "null"
      }

@Kilian
Copy link
Contributor

Kilian commented Jun 5, 2019

@will-stone
Copy link

will-stone commented Jun 5, 2019

@Kilian Thanks for the blog post. May I suggest that you change the recommendation of storing the appleIdPassword from an env var to keychain? It wouldn't take much for someone to write malicious code into a package that dumps all of your environment variables and uploads them to a malicious actor. Using keychain will prompt the user to unlock it when running the notarize script, and at least there's some protection there before it's exposed.

@Kilian
Copy link
Contributor

Kilian commented Jun 6, 2019

@will-stone Thanks, I've added a reference to https://github.com/electron-userland/electron-notarize#safety-when-using-appleidpassword

@BertholetDamien
Copy link

Thanks @Kilian for the guide ! It's really good.

Just a little thing, there is a little mistake into the notarize.js script (you declare electronPlatformName after using it).

@vkolova
Copy link

vkolova commented Jun 28, 2019

@Kilian , great guide! We tried it, but it didn't work for us.
We got as far as *** Error: To use this application, you must first sign in to iTunes Connect and sign the relevant contracts. and then we got stuck, because the developer is signed in in Application Launcher in Xcode, but we don't want to upload and release our application in the App Store (as the Launcher prompts us?).

We also tried disabling dmg signing and tried with no notarization, but then still get the unverified developer message. We used [email protected]. Any ideas on where to go from this?

@pliablepixels
Copy link

pliablepixels commented Mar 7, 2020

Does anyone know how to trigger afterSign just for mac? I have a multi platform build

Trying to put it inside the mac block results in an error

 "mac": {
      "category": "productivity",
      "target": "dmg",
      "icon": "icon.png",
      "entitlements": "build/entitlements.mac.plist",
      "entitlementsInherit": "build/entitlements.mac.plist",
      "hardenedRuntime": true,
      "gatekeeperAssess": false,
      "afterSign": "electron_js/notarize.js"
    },

Error:

  - configuration.mac has an unknown property 'afterSign'. These properties are valid: 
object { appId?, artifactName?, asar?, asarUnpack?, binaries?, bundleShortVersion?, bundleVersion?, category?, compression?, cscInstallerKeyPassword?, cscInstallerLink?, cscKeyPassword?, cscLink?, darkModeSupport?, detectUpdateChannel?, electronLanguages?, electronUpdaterCompatibility?, entitlements?, entitlementsInherit?, extendInfo?, extraDistFiles?, extraFiles?, extraResources?, fileAssociations?, files?, forceCodeSigning?, gatekeeperAssess?, generateUpdatesFilesForAllChannels?, hardenedRuntime?, helperBundleId?, helperEHBundleId?, helperGPUBundleId?, helperNPBundleId?, helperPluginBundleId?, helperRendererBundleId?, icon?, identity?, minimumSystemVersion?, protocols?, provisioningProfile?, publish?, releaseInfo?, requirements?, target?, type? }

I am running 22.4.0 of electron-builder and as per the docs, I can add common configuration items inside mac.

@jwheare
Copy link
Contributor

jwheare commented Mar 7, 2020

You can bail out of the script if it’s not being run for Mac (darwin) artifacts. See https://github.com/irccloud/irccloud-desktop/blob/master/scripts/afterSign.js#L7

@pliablepixels
Copy link

Thanks. That is how I’ve set it up for now. Would have preferred a cleaner way but good for now.

@XRenSiu
Copy link

XRenSiu commented Apr 8, 2020

Does anyone know how to trigger afterSign just for mac? I have a multi platform build

Trying to put it inside the mac block results in an error

 "mac": {
      "category": "productivity",
      "target": "dmg",
      "icon": "icon.png",
      "entitlements": "build/entitlements.mac.plist",
      "entitlementsInherit": "build/entitlements.mac.plist",
      "hardenedRuntime": true,
      "gatekeeperAssess": false,
      "afterSign": "electron_js/notarize.js"
    },

Error:

  - configuration.mac has an unknown property 'afterSign'. These properties are valid: 
object { appId?, artifactName?, asar?, asarUnpack?, binaries?, bundleShortVersion?, bundleVersion?, category?, compression?, cscInstallerKeyPassword?, cscInstallerLink?, cscKeyPassword?, cscLink?, darkModeSupport?, detectUpdateChannel?, electronLanguages?, electronUpdaterCompatibility?, entitlements?, entitlementsInherit?, extendInfo?, extraDistFiles?, extraFiles?, extraResources?, fileAssociations?, files?, forceCodeSigning?, gatekeeperAssess?, generateUpdatesFilesForAllChannels?, hardenedRuntime?, helperBundleId?, helperEHBundleId?, helperGPUBundleId?, helperNPBundleId?, helperPluginBundleId?, helperRendererBundleId?, icon?, identity?, minimumSystemVersion?, protocols?, provisioningProfile?, publish?, releaseInfo?, requirements?, target?, type? }

I am running 22.4.0 of electron-builder and as per the docs, I can add common configuration items inside mac.

{
"appId":"xxxx",
"afterSign":"electron_js/notarize.js",
"mac":{}
}

@b-zurg
Copy link
Contributor

b-zurg commented Apr 11, 2020

The recommended guide suggests not signing/notarizing the dmg but that's not what apple recommends ( sign/notarize the top container).
Looks like things can break if dmg is not notarized but from what I've read in the thread there's still not a quick way to do it with electron-builder. Am I wrong?

update:

I could successfully notarize the dmg (I'm also notarizing the app in a separate step) by adding a hook after all artifacts were built and calling a modified version of electron-notarize (one that does not zip the dmg file before sending it to apple servers).

The process changes the dmg file so blockmap and update files have to be updated, however it's possible to notarize and not stapling leaving the dmg file intact (this still works but users without connection will see apple warnings)

The modified electron-notarize in case someone else needs it.
https://github.com/hugozap/electron-notarize-dmg

Have you successfully updated the blockmap? I'm not sure how to do that part.

@hugozap
Copy link

hugozap commented Apr 11, 2020

The recommended guide suggests not signing/notarizing the dmg but that's not what apple recommends ( sign/notarize the top container).
Looks like things can break if dmg is not notarized but from what I've read in the thread there's still not a quick way to do it with electron-builder. Am I wrong?
update:
I could successfully notarize the dmg (I'm also notarizing the app in a separate step) by adding a hook after all artifacts were built and calling a modified version of electron-notarize (one that does not zip the dmg file before sending it to apple servers).
The process changes the dmg file so blockmap and update files have to be updated, however it's possible to notarize and not stapling leaving the dmg file intact (this still works but users without connection will see apple warnings)
The modified electron-notarize in case someone else needs it.
https://github.com/hugozap/electron-notarize-dmg

Have you successfully updated the blockmap? I'm not sure how to do that part.

I'm only notarizing the app and dmg, not the blockmap. Updates are working fine.

@psukhanov
Copy link

The recommended guide suggests not signing/notarizing the dmg but that's not what apple recommends ( sign/notarize the top container).
Looks like things can break if dmg is not notarized but from what I've read in the thread there's still not a quick way to do it with electron-builder. Am I wrong?

update:

I could successfully notarize the dmg (I'm also notarizing the app in a separate step) by adding a hook after all artifacts were built and calling a modified version of electron-notarize (one that does not zip the dmg file before sending it to apple servers).

The process changes the dmg file so blockmap and update files have to be updated, however it's possible to notarize and not stapling leaving the dmg file intact (this still works but users without connection will see apple warnings)

The modified electron-notarize in case someone else needs it.
https://github.com/hugozap/electron-notarize-dmg

Have you tested this on macOS 10.14.5? I'm still running into the "Apple cannot check it for malicious software" message when trying to open a signed, notarized .dmg on that os version.

and
spctl --assess --type open --context context:primary-signature --verbose myapp.dmg
rejects with source=Unnotarized Developer ID

I'm tempted to go with Kilian's suggestion of not signing/notarizing the .dmg, but also worried this will break in future os versions :'(

@hugozap
Copy link

hugozap commented May 16, 2020

The recommended guide suggests not signing/notarizing the dmg but that's not what apple recommends ( sign/notarize the top container).
Looks like things can break if dmg is not notarized but from what I've read in the thread there's still not a quick way to do it with electron-builder. Am I wrong?
update:
I could successfully notarize the dmg (I'm also notarizing the app in a separate step) by adding a hook after all artifacts were built and calling a modified version of electron-notarize (one that does not zip the dmg file before sending it to apple servers).
The process changes the dmg file so blockmap and update files have to be updated, however it's possible to notarize and not stapling leaving the dmg file intact (this still works but users without connection will see apple warnings)
The modified electron-notarize in case someone else needs it.
https://github.com/hugozap/electron-notarize-dmg

Have you tested this on macOS 10.14.5? I'm still running into the "Apple cannot check it for malicious software" message when trying to open a signed, notarized .dmg on that os version.

and
spctl --assess --type open --context context:primary-signature --verbose myapp.dmg
rejects with source=Unnotarized Developer ID

I'm tempted to go with Kilian's suggestion of not signing/notarizing the .dmg, but also worried this will break in future os versions :'(

It worked for me on Mojave and it's working on Catalina. I'm using this (Note that for the dmg I'm not stapling the file, and using https://github.com/hugozap/electron-notarize-dmg)

This runs in the afterAllArtifactBuildHook

   return await notarize({
    appBundleId: config.build.appId,
    dmgPath: dmgPath,
    appleId: process.env.APPLEID,
    appleIdPassword: process.env.APPLEIDPASS,
    staple: false
  });

( Note: The dmg was created with an already notarized .app bundle - The .app bundle was notarized with the default electron-notarize package )

@psukhanov
Copy link

@hugozap gotcha, thanks! It looks like the critical piece for me is to not .zip the .dmg, as electron-notarize does by default (and as you show in your fork). 👍🤩

I assume the reason for that is because Apple's notary service then assumes that the .zip is the top-level package you will distribute in (in which case you should still be able to distribute the .zip without issue?) IN any case, thanks for the help!

@michaelpeterlee
Copy link

@Kilian blog post works for our project. We are now missing the app icon, however.

@alex-paterson
Copy link

Since adding notarization, my MAS app is immediately exiting with no error message on MacOS versions older than Catalina. Detail here electron/electron#24423

@tudiantuan
Copy link

I confirm I've been able to notarize my Electron app by following this great article https://kilianvalkhof.com/2019/electron/notarizing-your-electron-application/ by @Kilian (thanks @Kilian !)

My setup:

  • electron: 4.2.x
  • electron-builder: 20.44.4
  • electron-notarize: 0.2.1

Can you show file package.json?

@stakauskas
Copy link

Anyone facing issues on 10.15.7? I have app signed / notarized which works on 10.13.6 and 10.15.6, but on 10.15.7 it gives the message of:

"app" can't be opened because Apple cannot check it for malicious software.

@johnnysparav
Copy link

I have managed to notarize, sign and build .dmg by using electron-builder by following this guide:
https://david.dev/how-to-notarize-your-electron-app/

@codemanki
Copy link

@stakauskas i experience the same problem now. Did you manage to resolve this issue?

@thomasdarde
Copy link

We have an electron app containing other binaries and working from 10.3 to 11.0 (big sur).
It was a true pain in .. but it now works fine.

An important step was to use https://gist.github.com/harshitsilly/a1bd5a405f93966aad20358ae6c4cec5
to create the zip , the one created by electron-notarize was not valid.

Also copying the zip via scp to another computer was maybe an issue (I'm not sure of this), but passing via an http hosting was fine.

Last: the binary contained in our app had to be signed via command line , not in xcode. We use electron-notarize v 1.0.0, good luck

@stakauskas
Copy link

@stakauskas i experience the same problem now. Did you manage to resolve this issue?

Unfortunately - no. Still looking for a solution. Will check what @thomasdarde suggested.

@maitham
Copy link

maitham commented Nov 19, 2020

Notarization seems to fail for me due to extra python .so files . Any ideas as to why, I assume they're not being picked up by electron builder. We've binarised our python files using Pyinstaller and included them in the Resources/main

  "build": {
    "asar": true,
    "afterSign": "scripts/notarize.js",
    "appId": "com.plato.app",
    "productName": "Plato",
    "directories": {  
      "buildResources": "resources"  
    },
    "mac": {
      "hardenedRuntime": true,
      "target": "dmg",
      "icon": "assets/app-icon.icns",
      "entitlements": "./build/entitlements.mac.plist",
      "entitlementsInherit": "build/entitlements.mac.plist"
    },
    "dmg": {
      "sign": false
    },
    "files": [
      "!models",
      "!main",
      "!bin",
      "!.env"
    ],
    "extraFiles": [
      {
        "from": "bin",
        "to": "Resources/bin"
      },
      {
        "from": "assets",
        "to": "Resources/assets"
      },
      {
        "from": "./main",
        "to": "Resources/main"
      },
      {
        "from": "./models",
        "to": "Resources/models"
      }
    ]
  }

@thomasdarde
Copy link

@maitham did you try to sign manually the .so files before notarizing the whole folder ?

codesign -s "Developer ID Application: XXXXX" --options=runtime --force --timestamp filepath

@nokvai
Copy link

nokvai commented Jan 19, 2021

I'm trying to build a .pkg for "mas".
I'm also facing the same issue on mac os 11.1.
I seems like electron-builder cannot sign the following binaries...
These are the logs given by apple:

"issues":[
   {
      "severity":"error",
      "code":null,
      "path":"MonsterVoIP_Desktop_Phone-1.18.55-mac.pkg",
      "message":"The binary is not signed with a valid Developer ID certificate.",
      "docUrl":null,
      "architecture":null
   },
   {
      "severity":"error",
      "code":null,
      "path":"MonsterVoIP_Desktop_Phone-1.18.55-mac.pkg/com.monstervoip.desktopphone.pkg Contents/Payload/Applications/MonsterVoIP Desktop Phone.app/Contents/MacOS/MonsterVoIP Desktop Phone",
      "message":"The binary is not signed with a valid Developer ID certificate.",
      "docUrl":null,
      "architecture":"x86_64"
   },
   {
      "severity":"error",
      "code":null,
      "path":"MonsterVoIP_Desktop_Phone-1.18.55-mac.pkg/com.monstervoip.desktopphone.pkg Contents/Payload/Applications/MonsterVoIP Desktop Phone.app/Contents/Resources/app.asar.unpacked/node_modules/7zip-bin/mac/7za",
      "message":"The binary is not signed with a valid Developer ID certificate.",
      "docUrl":null,
      "architecture":"x86_64"
   },
   {
      "severity":"error",
      "code":null,
      "path":"MonsterVoIP_Desktop_Phone-1.18.55-mac.pkg/com.monstervoip.desktopphone.pkg Contents/Payload/Applications/MonsterVoIP Desktop Phone.app/Contents/Resources/app.asar.unpacked/node_modules/electron-builder-squirrel-windows/node_modules/app-builder-bin/mac/app-builder",
      "message":"The binary is not signed with a valid Developer ID certificate.",
      "docUrl":null,
      "architecture":"x86_64"
   },
   {
      "severity":"error",
      "code":null,
      "path":"MonsterVoIP_Desktop_Phone-1.18.55-mac.pkg/com.monstervoip.desktopphone.pkg Contents/Payload/Applications/MonsterVoIP Desktop Phone.app/Contents/Resources/app.asar.unpacked/node_modules/app-builder-bin/mac/app-builder",
      "message":"The binary is not signed with a valid Developer ID certificate.",
      "docUrl":null,
      "architecture":"x86_64"
   },
   {
      "severity":"error",
      "code":null,
      "path":"MonsterVoIP_Desktop_Phone-1.18.55-mac.pkg/com.monstervoip.desktopphone.pkg Contents/Payload/Applications/MonsterVoIP Desktop Phone.app/Contents/Frameworks/MonsterVoIP Desktop Phone Helper (GPU).app/Contents/MacOS/MonsterVoIP Desktop Phone Helper (GPU)",
      "message":"The binary is not signed with a valid Developer ID certificate.",
      "docUrl":null,
      "architecture":"x86_64"
   },

@nokvai
Copy link

nokvai commented Jan 20, 2021

I hope this will work.
Code signing after mas file was built using electron-builder to upload on apple store via transporter:

#!/bin/bash

APP="Test Electron Desktop App"

APP_PATH="dist/mas/$APP.app"

RESULT_PATH="dist/mas/$APP-mac_store.pkg"

APP_KEY="3rd Party Mac Developer Application: My Company Name (*******)"
INSTALLER_KEY="3rd Party Mac Developer Installer: My Company Name (********)"

PARENT_PLIST="build/entitlements.mas.plist"
CHILD_PLIST="build/entitlements.mas.inherit.plist"
LOGINHELPER_PLIST="build/entitlements.mas.loginhelper.plist"
FRAMEWORKS_PATH="$APP_PATH/Contents/Frameworks"
RESOURCES_PATH="$APP_PATH/Contents/Resources"

codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/Electron Framework.framework/Versions/A/Libraries/libvk_swiftshader.dylib"
codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/Electron Framework.framework/Versions/A/Libraries/libEGL.dylib"
codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/Electron Framework.framework/Versions/A/Libraries/libswiftshader_libEGL.dylib"
codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/Electron Framework.framework/Versions/A/Libraries/libGLESv2.dylib"
codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/Electron Framework.framework/Versions/A/Libraries/libswiftshader_libGLESv2.dylib"
codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/Electron Framework.framework/Versions/A/Libraries/libffmpeg.dylib"

codesign -s "$APP_KEY" --options runtime -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/ReactiveCocoa.framework/Versions/A/ReactiveCocoa"
codesign -s "$APP_KEY" --options runtime -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/Mantle.framework/Versions/A/Mantle"

codesign -s "$APP_KEY" --options runtime -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/Test Electron Desktop App Helper (Renderer).app/Contents/MacOS/Test Electron Desktop App Helper (Renderer)"
codesign -s "$APP_KEY" --options runtime -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/Test Electron Desktop App Helper.app/Contents/MacOS/Test Electron Desktop App Helper"
codesign -s "$APP_KEY" --options runtime -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/Test Electron Desktop App Helper (GPU).app/Contents/MacOS/Test Electron Desktop App Helper (GPU)"
codesign -s "$APP_KEY" --options runtime -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/Test Electron Desktop App Helper (Plugin).app/Contents/MacOS/Test Electron Desktop App Helper (Plugin)"

codesign -s "$APP_KEY" --options runtime -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/Electron Framework.framework/Versions/A/Electron Framework"
codesign -s "$APP_KEY" --options runtime -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/Electron Framework.framework/Versions/A/Helpers/chrome_crashpad_handler"

codesign -s "$APP_KEY" --options runtime -f --entitlements "$CHILD_PLIST" "$RESOURCES_PATH/app.asar.unpacked/node_modules/electron-builder-squirrel-windows/node_modules/app-builder-bin/mac/app-builder"
codesign -s "$APP_KEY" --options runtime -f --entitlements "$CHILD_PLIST" "$RESOURCES_PATH/app.asar.unpacked/node_modules/7zip-bin/mac/7za"
codesign -s "$APP_KEY" --options runtime -f --entitlements "$CHILD_PLIST" "$RESOURCES_PATH/app.asar.unpacked/node_modules/app-builder-bin/mac/app-builder"

codesign -s "$APP_KEY" --options runtime -f --entitlements "$CHILD_PLIST" "$APP_PATH/Contents/MacOS/$APP"

codesign -s "$APP_KEY" -f --entitlements "$PARENT_PLIST" "$APP_PATH"

productbuild --component "$APP_PATH" /Applications --sign "$INSTALLER_KEY" "$RESULT_PATH"

@andrew-mclachlan
Copy link

I added a wee script to my build notarize.js

require("dotenv").config();
const { notarize } = require("electron-notarize");

exports.default = async function notarizing(context) {
  const { electronPlatformName, appOutDir } = context;
  if (
    electronPlatformName !== "darwin" ||
    !process.env.APPLEID ||
    !process.env.APPLEIDPASS
  ) {
    console.log(
      "Not running notarize. Platform is not macOS or environment not set up."
    );
    return;
  }

  const appName = context.packager.appInfo.productFilename;

  return await notarize({
    appBundleId: "com.myapp.greatapp",
    appPath: `${appOutDir}/${appName}.app`,
    appleId: process.env.APPLEID,
    appleIdPassword: process.env.APPLEIDPASS
  });
};

and an entry to my package.json

"build": {
 ...
 "afterSign": "scripts/notarize.js",
...
 },

I set APPLEID and APPLEIDPASS in my environment.

@mmaietta
Copy link
Collaborator

mmaietta commented Mar 5, 2021

Closing this issue. There are so many resources/articles available on how to notarize the app through a simple Google search for "electron-notarize" or for writing a custom script yourself, electron-notarize also being a 3rd-party module, and the afterSign hook functions as designed.

@mmaietta mmaietta closed this as completed Mar 5, 2021
@mmaietta mmaietta unpinned this issue Mar 5, 2021
@alexgurr
Copy link

@stakauskas i experience the same problem now. Did you manage to resolve this issue?

Unfortunately - no. Still looking for a solution. Will check what @thomasdarde suggested.

I too have this issue with two different electron apps. Successful building + notarization but still unable to open because the developer cannot be verified.

@Vishal1419
Copy link

@Kilian @develar
First of all, thanks for the hard work that you guys are doing for the community. I will always be thankful to the community for helping developers like me to find the correct solutions.

After following Kilian's blog, I am able to successfully sign and notarize my app.

Now, I want to distribute .pkg instead of .dmg
But it seems that there is no option to skip signing for .pkg
Can you please guide me on either how to sign and notarize .pkg or how can I skip it?

Currently, when my users tries to open .pkg, they get this error:
image

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests