EXC_BAD_ACCESS (Code Signature Invalid) MAS-DEV #4074

Closed
steffanhalv opened this issue Jul 21, 2019 · 20 comments · Fixed by #4548

@steffanhalv

steffanhalv commented Jul 21, 2019

  • Version: 21.1.1
  • Target: mas & mas-dev

Problem:
Building for mas-dev gives EXC_BAD_ACCESS (Code Signature Invalid) and I also get the same results when submitting it for review.

4 min video:
https://drive.google.com/file/d/1WbclNwMxcxgrohI9SS0SpmFVa2IHpCtN/view?usp=sharing

Details:
Using MacOS Mojave 10.14.5 with newly created certs, provisionprofiles and a clean installation of https://github.com/electron/electron-quick-start, gives signature error after sign. This happens with all of my electron projects, even if I go back in git where it worked before with earlier versions of electron-builder / electron / electron-osx-sign.

More details here, trying to sign app manually with electron-osx-sign with same error:
electron/osx-sign#200

Notice that the apple developer portal just changed their gui, I don't know if they also made some other changes.

I also tried with hardenedRuntime set to true & gatekeeperAssess set to false.

@steffanhalv
Author

steffanhalv commented Jul 21, 2019

If I use this guideline, I get the app signed with correct entitlements and can run it:

https://github.com/electron/electron/blob/master/docs/tutorial/mac-app-store-submission-guide.md

Now I am just waiting for yet another review, hopefully it passes this time :-)

@mayqiyue

+1

@mytran
Contributor

mytran commented Jul 22, 2019

This is happening for me on 21.1.2. No issues on 21.0.3 and older.

@semireg

semireg commented Jul 22, 2019

I've had sandboxed mas-dev builds running perfectly for months. Now I'm trying to get a mas-dev build with hardenedRuntime working for days ... all errors, no luck.

Here's an interesting output from this script:

"package-mas-hr": "npm run build && electron-builder --mac mas mas-dev",

Configured as:

"mac": {
  "category": "public.app-category.productivity",
  "target": [
    "mas",
    "mas-dev",
    "zip",
    "dmg"
  ],
  "hardenedRuntime": true,
  "entitlements": "build/entitlements-lll.plist",
  "gatekeeperAssess": false
},
"afterSign": "build/notarize.js",
"mas": {
  "provisioningProfile": "build/embeddedyesmas.provisionprofile",
  "entitlements": "build/entitlements-sandbox.plist"
},

notarize.js

require('dotenv').config();
const { notarize } = require('electron-notarize');

exports.default = async function notarizing(context) {
  const { electronPlatformName, appOutDir } = context;
  // console.log(`context: ${JSON.stringify(context.targets, null, 3)}`);
  if (electronPlatformName !== 'darwin') {
    return;
  }

  const appName = context.packager.appInfo.productFilename;
  const password = `@keychain:myapp`;

  const appPath = `${appOutDir}/${appName}.app`;
  console.log(`beginning notarization for ${appPath}`);

  return notarize({
    appBundleId: 'com.semireg.LabelLIVE',
    appPath,
    appleId: '[email protected]',
    appleIdPassword: password,
    ascProvider: 'TEAMID'
  }).then(finished => {
    console.log(`finished notarization for ${appPath}`);
    return finished;
  });
};

Output during build:

  • electron-builder  version=21.1.2 os=18.6.0
  • loaded configuration  file=package.json ("build" field)
  • writing effective config  file=release/builder-effective-config.yaml
  • skipped dependencies rebuild  reason=npmRebuild is set to false
  • packaging       platform=darwin arch=x64 electron=4.2.8 appOutDir=release/mac
  • packaging       platform=mas arch=x64 electron=4.2.8 appOutDir=release/mas
  • signing         file=release/mas/Label LIVE.app identityName=Developer ID Application: Semireg Industries, LLC (ABC123) identityHash=ZEF123 provisioningProfile=none
  • signing         file=release/mac/Label LIVE.app identityName=Developer ID Application: Semireg Industries, LLC (ABC123) identityHash=ZEF123 provisioningProfile=none
  • signing         file=release/mas/Label LIVE.app identityName=3rd Party Mac Developer Application: Semireg Industries, LLC (ABC123) identityHash=LMNO provisioningProfile=build/embeddedyesmas.provisionprofile
beginning notarization for /Users/..../release/mac/Label LIVE.app
  • packaging       platform=mas arch=x64 electron=4.2.8 appOutDir=release/mas-dev
  • signing         file=release/mas-dev/Label LIVE.app identityName=Developer ID Application: Semireg Industries, LLC (ABC123) identityHash=ZEF123 provisioningProfile=none
  • signing         file=release/mas-dev/Label LIVE.app identityName=Mac Developer: Caylan Larson (ZZZZZZ) identityHash=XXXXXX provisioningProfile=build/embeddedyesmas.provisionprofile
finished notarization for /Users/..../release/mac/Label LIVE.app
✨  Done in 484.31s.

@develar, Any idea why this is trying to notarize the mac/Label LIVE.app? Shouldn't it be notarizing the mas/ and mas-dev/ files?

@semireg

semireg commented Jul 23, 2019

And of course, if I read the documentation it clearly states, "You can only notarize apps that you sign with a Developer ID certificate. If you use any other certificate—like a Mac App Distribution certificate, or a self-signed certificate—notarization fails with the following message:" - https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution/resolving_common_notarization_issues

There's this, though, that says we should be able to run MAS apps with a hardened runtime. https://forums.developer.apple.com/thread/111145?q=Notarize%20MAS%20*

Now... I need to figure out why a user reports that my Electron app throws an error on Catalina that looks very much like it's running in quarantine with a hardened runtime. This is what led me down this rabbit hole...


@kspearrin

kspearrin commented Aug 2, 2019

@semireg According to the output, I noticed that it seems to be signing mas apps twice:

  • signing         file=release/mas-dev/Label LIVE.app identityName=Developer ID Application: Semireg Industries, LLC (ABC123) identityHash=ZEF123 provisioningProfile=none
  • signing         file=release/mas-dev/Label LIVE.app identityName=Mac Developer: Caylan Larson (ZZZZZZ) identityHash=XXXXXX provisioningProfile=build/embeddedyesmas.provisionprofile

Shouldn't it only sign it once? Seems like Mac Developer: Caylan Larson is probably not the right one to sign a production app with?

I am having the same issue and noticed the same problem with mine. Still trying to figure this out.

UPDATE: Nevermind, that seems like it might be correct since this is a mas-dev build, which is signing with your dev identity.

@quanglam2807
Contributor

I have the same issue with hardenRuntime: false. Downgrading to [email protected] fixes it.

@poiru

poiru commented Aug 24, 2019

Possibly related: #4179

@stale

stale bot commented Oct 23, 2019

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the backlog label Oct 23, 2019
@mayqiyue

mayqiyue commented Oct 23, 2019 via email

@stale stale bot removed the backlog label Oct 23, 2019
@johannesjo

The stale bot is a jerk...

@quanglam2807
Contributor

Well at least, the bot removed the label. We should be thankful.

@quanglam2807
Contributor

quanglam2807 commented Dec 20, 2019

After investigation, the bug is caused by this commit c8c37f2. hardenedRuntime is set to true by default. If you distribute your app on Mac App Store, setting hardenedRuntime to false fixes the problem for me.

Still, if you distribute hardenedRuntime both on MAS and outside MAS, then you'll need to wait for a PR since you cannot disable hardenedRuntime for MAS alone. I'll make a PR soon.

@johannesjo

johannesjo commented Jun 18, 2020

@quanglam2807 Setting hardenedRuntime to false does not fix the error for me (using 22.7.0). Could you maybe share your config and the versions used of electron and electron builder?

@quanglam2807
Contributor

@johannesjo This bug has been fixed in the latest version already so your change won’t help. It must be something else. Can you post the error?

@johannesjo

@quanglam2807 It's the same error as above (though I am not sure atm if it did come in the 0x0, 0x1 or 0x2 flavor). I will recheck and post some more details as soon as I get access to my mac, which might unfortunately take a couple of days...

There are also some suggestions made here, which I will try then too. The error happens both for mas and mas dev.

@johannesjo

So this is the exact error message:

Exception Type:        EXC_CRASH (Code Signature Invalid)
Exception Codes:       0x0000000000000000, 0x0000000000000000
Exception Note:        EXC_CORPSE_NOTIFY

Termination Reason:    Namespace CODESIGNING, Code 0x1

@johannesjo

johannesjo commented Jun 22, 2020

@quanglam2807 So this is a little bit embarrassing, but it turns out I was not running mas-dev, but rather the regular mas build and that's what seems to have caused the error. Very sorry for the inconvenience. In my defense: After switching config properties around for hours I tend to get a little dizzy

Thank you very much for your help!

@semireg

semireg commented Jun 22, 2020

@johannesjo, it's a terribly complicated system... Good luck!

@StephanHoyer

StephanHoyer commented Oct 11, 2021

Missing entitlements was the reason for me. I fixed this by adding those via cli args:

--entitlements=entitlements.plist --entitlements-inherit=entitlements.plist

The file looks like this:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.cs.allow-jit</key>
    <true/>
    <key>com.apple.security.cs.debugger</key>
    <true/>
  </dict>
</plist>
