OS X code signing error on Travis CI

[cheton]

I'm using a code signing certificate from Certum and trying to sign my code for both Windows and OS X platform. It works great for signing my Windows app on AppVeyor, and it can successfully sign the same app for OS X using my Mac Book Air. However, it failed only on Travis CI, the codesign tool reported an error of CSSMERR_TP_NOT_TRUSTED.

https://travis-ci.org/cheton/cnc/jobs/129935268#L7018
_Log of the terminal output:_

_.travis.yml_
https://github.com/cheton/cnc/blob/master/.travis.yml

Is there any clue that I can figure out what is causing this error? Thanks.

[develar]

Since you don't use StartSSL or Apple authority, you have to set CSA_LINK — link to your Certum code signing certificate.

I think, we can bundle Certum certs by default but for now you can use CSA_LINK workaround. See #216

[develar]

I guess we should bundle (http://www.certum.eu/certum/cert,expertise_root_certificates.xml, see "Public Key for Code Signing:"):

• https://repository.certum.pl/cscasha2.cer
• http://www.certum.eu/upload_module/downloads/certum/certyfikaty/nowe/csca.cer

Please check what certs do you have — Certum Code Signing CA SHA2, right?

[cheton]

The certificate is issued by Certum Code Signing CA SHA2.

I put my code-signing.pfx file on Google Drive and exported both CSC_LINK and CSC_KEY_PASSWORD variables on both Travis CI and my MBA. I can confirm that the certificate (incl. private key) was removed from Keychain Access of my MBA, so both environment should use the same variables (i.e. CSC_LINK and CSC_KEY_PASSWORD), but it only failed on Travis CI.

I will try using the CSA_LINK as you mentioned. Thanks.

[cheton]

I just removed Certum Code Signing CA SHA2 certificate from Keychain Access, now I can reproduce the same CSSMERR_TP_NOT_TRUSTED error from my MBA. The version of electron-builder that I'm using is 3.20.0, and I exported CSA_LINK environment variable as below:

export CSA_LINK='https://repository.certum.pl/cscasha2.cer'

Unfortunately the CSA_LINK doesn't work for me and I still got the same error, it will succeed only when I type the following command to import the Certum Code Signing CA SHA2 certificate to login.keychain:

$ security import "scripts/certs/Certum-Code-Signing-CA-SHA2.cer" \
    -k ~/Library/Keychains/login.keychain \
    -T /usr/bin/codesign
1 certificate imported.

I'm not sure what's going wrong with CSA_LINK, but the solution above fix my issue on Travis CI.

[cheton]

Just tried to dig into the code in node_modules/electron-builder, it works as expected if I replaced the generated keychainName with 'login.keychain' for CSA_LINK:

https://github.com/electron-userland/electron-builder/blob/master/src/codeSign.ts#L76

if (!importBundledCerts) {
    // Use 'login.keychain' for CSA_LINK
    keychainName = 'login.keychain';
}
for (let file of certFiles) {
    await exec("security", ["import", file, "-k", keychainName, "-T", "/usr/bin/codesign"])
}

[cheton]

Thanks for fixing this, however, the bundled cert still cannot solve the problem by my side, unless I manually imported the Code Signing certificate to login.keychain.

It looks like the problem is related to electron-osx-sign, so I wrote a simple program as shown below:

var sign = require('electron-osx-sign-tf').sign;
var opts = {
    identity: 'Open Source Developer, CHI-TAN WU',
    app: '/Users/cheton/github/cnc/output/cnc-darwin-x64/cnc.app',
    platform: 'darwin',
    keychain: 'csc-fd4a2cc3a28b7bed.keychain' // the file is generated by 'electron-builder'
};

sign(opts);

Then I got the following output:

$ DEBUG=electron-osx-sign* node test-sign.js
  electron-osx-sign:warn No `entitlements` passed in arguments, will not sign with entitlements. +0ms
  electron-osx-sign Signing application... +5ms
  electron-osx-sign > application         /Users/cheton/github/cnc/output/cnc-darwin-x64/cnc.app +2ms
  electron-osx-sign > platform            darwin +1ms
  electron-osx-sign > entitlements        undefined +0ms
  electron-osx-sign > child-entitlements  undefined +0ms
  electron-osx-sign > additional-binaries undefined +1ms
  electron-osx-sign > identity            Open Source Developer, CHI-TAN WU +0ms
  electron-osx-sign Signing... /Users/cheton/github/cnc/output/cnc-darwin-x64/cnc.app/Contents/Frameworks/Electron Framework.framework +616ms
  electron-osx-sign Signing... /Users/cheton/github/cnc/output/cnc-darwin-x64/cnc.app/Contents/Frameworks/Mantle.framework +5s
  electron-osx-sign Signing... /Users/cheton/github/cnc/output/cnc-darwin-x64/cnc.app/Contents/Frameworks/ReactiveCocoa.framework +165ms
  electron-osx-sign Signing... /Users/cheton/github/cnc/output/cnc-darwin-x64/cnc.app/Contents/Frameworks/Squirrel.framework +208ms
  electron-osx-sign Signing... /Users/cheton/github/cnc/output/cnc-darwin-x64/cnc.app/Contents/Frameworks/cnc Helper EH.app +194ms
  electron-osx-sign Signing... /Users/cheton/github/cnc/output/cnc-darwin-x64/cnc.app/Contents/Frameworks/cnc Helper NP.app +168ms
  electron-osx-sign Signing... /Users/cheton/github/cnc/output/cnc-darwin-x64/cnc.app/Contents/Frameworks/cnc Helper.app +157ms
  electron-osx-sign Signing... /Users/cheton/github/cnc/output/cnc-darwin-x64/cnc.app/Contents/MacOS/cnc +145ms
  electron-osx-sign Signing... /Users/cheton/github/cnc/output/cnc-darwin-x64/cnc.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libffmpeg.dylib +5s
  electron-osx-sign Signing... /Users/cheton/github/cnc/output/cnc-darwin-x64/cnc.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libnode.dylib +352ms
  electron-osx-sign Signing... /Users/cheton/github/cnc/output/cnc-darwin-x64/cnc.app/Contents/Frameworks/Mantle.framework/Versions/A/Mantle +815ms
  electron-osx-sign Signing... /Users/cheton/github/cnc/output/cnc-darwin-x64/cnc.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Electron Framework +208ms
  electron-osx-sign Signing... /Users/cheton/github/cnc/output/cnc-darwin-x64/cnc.app/Contents/Frameworks/cnc Helper EH.app/Contents/MacOS/cnc Helper EH +3s
  electron-osx-sign Signing... /Users/cheton/github/cnc/output/cnc-darwin-x64/cnc.app/Contents/Frameworks/cnc Helper NP.app/Contents/MacOS/cnc Helper NP +199ms
  electron-osx-sign Signing... /Users/cheton/github/cnc/output/cnc-darwin-x64/cnc.app/Contents/Frameworks/cnc Helper.app/Contents/MacOS/cnc Helper +197ms
  electron-osx-sign Signing... /Users/cheton/github/cnc/output/cnc-darwin-x64/cnc.app/Contents/Frameworks/Squirrel.framework/Versions/A/Squirrel +190ms
  electron-osx-sign Signing... /Users/cheton/github/cnc/output/cnc-darwin-x64/cnc.app/Contents/Frameworks/ReactiveCocoa.framework/Versions/A/ReactiveCocoa +356ms
  electron-osx-sign Signing... /Users/cheton/github/cnc/output/cnc-darwin-x64/cnc.app/Contents/Resources/app/node_modules/base64-url/LICENSE +229ms
  electron-osx-sign Signing... /Users/cheton/github/cnc/output/cnc-darwin-x64/cnc.app/Contents/Resources/app/node_modules/form-data/License +176ms
  electron-osx-sign Signing... /Users/cheton/github/cnc/output/cnc-darwin-x64/cnc.app/Contents/Resources/app/node_modules/multiparty/LICENSE +169ms
  electron-osx-sign Signing... /Users/cheton/github/cnc/output/cnc-darwin-x64/cnc.app/Contents/Resources/app/node_modules/retry/License +175ms
  electron-osx-sign Signing... /Users/cheton/github/cnc/output/cnc-darwin-x64/cnc.app/Contents/Resources/app/node_modules/serialport/build/Release/serialport.node +203ms
  electron-osx-sign Signing... /Users/cheton/github/cnc/output/cnc-darwin-x64/cnc.app/Contents/Resources/app/node_modules/stack-trace/License +195ms
  electron-osx-sign Signing... /Users/cheton/github/cnc/output/cnc-darwin-x64/cnc.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Resources/crashpad_handler +153ms
  electron-osx-sign Signing... /Users/cheton/github/cnc/output/cnc-darwin-x64/cnc.app/Contents/Frameworks/Squirrel.framework/Versions/A/Resources/ShipIt +190ms
  electron-osx-sign Signing... /Users/cheton/github/cnc/output/cnc-darwin-x64/cnc.app/Contents/Resources/app/node_modules/har-validator/bin/har-validator +192ms
  electron-osx-sign Signing... /Users/cheton/github/cnc/output/cnc-darwin-x64/cnc.app +178ms
  electron-osx-sign Verifying sign... +8s
  electron-osx-sign:error Sign failed. +59ms
  electron-osx-sign:error Command failed: codesign -v /Users/cheton/github/cnc/output/cnc-darwin-x64/cnc.app
/Users/cheton/github/cnc/output/cnc-darwin-x64/cnc.app: CSSMERR_TP_NOT_TRUSTED
In architecture: x86_64
 +0ms

I will post an issue on electron-osx-sign, maybe the author should know how to fix this.

[develar]

I will post an issue on electron-osx-sign, maybe the author should know how to fix this.

I am sure that issue on our side. I will check (I have StartSSL cert, so, it is easy for me to use real production certitifacte). Thanks for note about login.keychain. But we cannot import certs to default keychain to not pollute.

[develar]

I got the same error in case if StartSSL. Will be fixed soon.

[mbrainiac]

@develar

Any progress?
I got them same error with Travis OSX:

electron-builder 3.25.0, StartSSL

Packaging app for platform darwin x64 using electron v0.37.8
Signing app (identity: Nguyen Tien Dung)
Error: Command failed: codesign -v /Users/travis/build/mbrainiac/pencil/dist/Pencil-darwin-x64/Pencil.app
/Users/travis/build/mbrainiac/pencil/dist/Pencil-darwin-x64/Pencil.app: CSSMERR_TP_NOT_TRUSTED
In architecture: x86_64
    at ChildProcess.exithandler (child_process.js:202:12)
    at emitTwo (events.js:100:13)
    at ChildProcess.emit (events.js:185:7)
    at maybeClose (internal/child_process.js:850:16)
    at Process.ChildProcess._handle.onexit (internal/child_process.js:215:5)

From previous event:
    at OsXPackager.<anonymous> (/Users/travis/build/mbrainiac/pencil/node_modules/electron-builder/src/osxPackager.ts:148:43)
    at [object Generator].next (native)

From previous event:
    at tsAwaiter (/Users/travis/build/mbrainiac/pencil/node_modules/electron-builder/src/awaiter.ts:10:47)
    at OsXPackager.sign (/Users/travis/build/mbrainiac/pencil/node_modules/electron-builder/src/osxPackager.ts:74:75)
    at /Users/travis/build/mbrainiac/pencil/node_modules/electron-builder/src/osxPackager.ts:57:26

From previous event:
    at OsXPackager.<anonymous> (/Users/travis/build/mbrainiac/pencil/node_modules/electron-builder/src/osxPackager.ts:57:10)
    at [object Generator].next (native)

From previous event:
    at tsAwaiter (/Users/travis/build/mbrainiac/pencil/node_modules/electron-builder/src/awaiter.ts:10:47)
    at Object.build (/Users/travis/build/mbrainiac/pencil/node_modules/electron-builder/src/builder.ts:30:59)
    at Object.<anonymous> (/Users/travis/build/mbrainiac/pencil/node_modules/electron-builder/src/build-cli.ts:47:2)
    at Module._compile (module.js:413:34)
    at Object.Module._extensions..js (module.js:422:10)
    at Module.load (module.js:357:32)
    at Function.Module._load (module.js:314:12)
    at Function.Module.runMain (module.js:447:10)
    at startup (node.js:148:18)
    at node.js:405:3

[cheton]

Hi @mbrainiac,
It's fine to update login.keychain on CI server since everything will be clean for a new job, you can try this workaround as I did on Travis CI:

security import "scripts/certs/Certum-Code-Signing-CA-SHA2.cer" \
    -k ~/Library/Keychains/login.keychain \
    -T /usr/bin/codesign

https://github.com/cheton/cnc/blob/master/.travis.yml#L83

Note. You can find the download link here.

[develar]

@cheton Is your app blocked on OS X because it is signed by not Apple cert and, so, you are not identified developer?

[cheton]

Yes, you're right. It seems OS X will block the app if I downloaded it from Internet, unless I manually checked the option of "Allow apps downloaded from anywhere" from Security & Privacy.

[develar]

@cheton So, why do you use Certum cert? Or app for private use?

[cheton]

I'm using Certum cert to sign the app.

[cheton]

May I know if it will work when using StartSSL?

[develar]

@cheton My first checks showed that yes, and it was confirmed by StartSSL support. But now I realized that no — Apple blocks any app, regardless of code signing, not from identified developer (it is a default setting). Sad, but true :(

[cheton]

"Gatekeeper only recognises Apple digital certificates." 😞
http://stackoverflow.com/questions/11833481/non-apple-issued-code-signing-certificate-can-it-work-with-mac-os-10-8-gatekeep

[cheton]

If it's confirmed that only code signing certificate signed with Apple Developer ID can pass through Gatekeeper, I think we should add a statement in Code Sigining to let developers know if they want to use non-Apple certificate to sign Mac OS X App, it may be blocked by Gatekeeper with default Security & Privacy settings.

[develar]

@cheton PR is welcome (https://github.com/electron-userland/electron-builder/blob/master/CONTRIBUTING.md#documentation) ;)