MacOS App Notarized but cannot be opened #6025

Closed
kidsonfilms-python-rules opened this issue Jul 4, 2021 · 4 comments
@kidsonfilms-python-rules
  • Electron-Builder Version: 22.11.7
  • Node Version: 14.6.0
  • Electron Version: 13.1.4
  • Electron Type (current, beta, nightly): current
  • Target: darwin (macos)

I successfully notarized the app and it gives the following error

I checked the signing and notarizing and it gives me the following:

> pkgutil --check-signature ./path/to/app/XXXX.app
Package "XXX":
   Status: signed by a certificate trusted by macOS
   Certificate Chain:
    1. Developer ID Application: ...

and

> spctl -a -t exec -vvv ./path/to/app/XXXX.app
./path/to/app/XXXX.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: XXXXXX (XXXXXX)

electron-notarize version is ^1.0.0

This shows it is successfully notarized. Here are my config files (and the signing JS file, if that helps):

package.json

"build": {
    "asar": true,
    "appId": "redacted",
    "files": [
      ...
    ],
    "afterSign": "./build/afterSignHook.js",
    "directories": {
      "buildResources": "./build/resources"
    },
    "publish": [
      {
        "provider": "github",
        "owner": "redacted",
        "repo": "redacted"
      }
    ],
    "mac": {
      "category": "public.app-category.music",
      "icon": "assets/appIcons/DJFlame Logo.icns",
      "hardenedRuntime": true,
      "entitlements": "./build/resources/entitlements.mac.plist",
      "asarUnpack": "**/*.node"
    },
    "dmg": {
      "background": null,
      "icon": "assets/appIcons/DJFlame Logo.icns",
      "backgroundColor": "#202020",
      "window": {
        ...
      },
      "contents": [
        ...
      ]
    },
    "nsis": {
      "oneClick": false,
      "perMachine": false,
      "installerIcon": "assets/appIcons/DJFlame Logo.ico",
      "license": "license.txt"
    },
    "linux": {
      "target": "AppImage",
      "icon": "assets/DJFlame Logo.png"
    }
  }

entitlements.mac.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.application-groups</key>
    <array>
      <string>XXYYZZ112233.com.redacted.redacted</string>
    </array>

    <key>com.apple.security.network.client</key>
    <true/>
    <key>com.apple.security.network.server</key>
    <true/>
    <key>com.apple.security.files.user-selected.read-write</key>
    <true/>
  </dict>
</plist>

afterSignHook.js (notarizing file)

const fs = require('fs');
const path = require('path');
var electron_notarize = require('electron-notarize');
const config = require('../package.json')
require('dotenv').config();
module.exports = async function (params) {
  // Only notarize the app on macOS.
  if (process.platform !== 'darwin' || path.join(params.appOutDir, `${params.packager.appInfo.productFilename}.app`) == '/Users/siddharth/dev/DJTorsten/dist/win-unpacked/DJFlame.app') {
    return;
  }
  // Same appId in electron-builder.  
  let appId = config.build.appId
  let appPath = path.join(params.appOutDir, `${params.packager.appInfo.productFilename}.app`);
  if (!fs.existsSync(appPath)) {
    throw new Error(`Cannot find application at: ${appPath}`);
  }
  const startNoteTime = new Date()
  console.log(`Notarizing ${appId} found at ${appPath}. Started Notarizing at ${new Date().toLocaleTimeString()}, expected max finish time ${new Date(new Date().getTime() + 300000).toLocaleTimeString()}`);
  try {
    await electron_notarize.notarize({
      appBundleId: appId,
      appPath: appPath,
      // Your Apple ID; it should be stored in a .env file.
      appleId: process.env.APPLE_ID,
      // This is NOT your Apple ID password. Generate an app-specific password
      // at https://appleid.apple.com under "Security".
      appleIdPassword: process.env.APPLE_ID_PASSWORD,
      // Only needed if you have multiple developer profiles linked to your Apple ID:
      // ascProvider: process.env.appleIdProvider
    });
  } catch (error) {
    console.error(error);
    throw error;
  }
  console.log(`Done notarizing ${appId}! Time Finished: ${new Date().toLocaleTimeString()}, Time Elapsed: ${Math.floor(new Date() / 1000) - Math.floor(startNoteTime / 1000)}s`);
};
@mmaietta
Collaborator

mmaietta commented Jul 5, 2021

That error is unrelated to electron-builder, unfortunately; it seems to be more widespread on Big Sur:
https://developer.apple.com/forums/thread/666611
Best guess would be trying sudo xattr -d com.apple.quarantine <app path>

mmaietta added the mac label Jul 5, 2021
@kidsonfilms-python-rules
Author

Yeah, in my case, changing the config and plist fixed it.

#1 Add a value to package.json

When you add "entitlements": "./build/resources/entitlements.mac.plist", add an inherit that points to the same file. Also set gatekeeperAssess to false. The code would look like:

"mac": {
     ...
     "hardenedRuntime": true,
     "gatekeeperAssess": false,
     "entitlements": "./build/resources/entitlements.mac.plist",
     "entitlementsInherit": "./build/resources/entitlements.mac.plist",
     "asarUnpack": "**/*.node"
 }

#2 Strip entitlements.mac.plist to bare-minimum

Apparently having too many entitlements may cause this error, so strip it to the entitlements you need. Mine would look like this:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>com.apple.security.files.user-selected.read-write</key>
	<true/>
	<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
	<true/>
	<key>com.apple.security.device.audio-input</key>
	<true/>
	<key>com.apple.security.files.user-selected.read-only</key>
	<true/>
</dict>
</plist>
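An added example, not part of the comment above and not electron-builder code: a Node.js script that compares the entitlements plist from the issue with the reduced one from the follow-up and reports what the change removed, what it added, and which hardened-runtime exceptions remain. The function names are hypothetical, and the two plists are the thread's own with whitespace condensed.

```javascript
// Added example. Plists are copied from this thread with whitespace condensed.
const ORIGINAL = `<plist version="1.0"><dict>
  <key>com.apple.security.app-sandbox</key><true/>
  <key>com.apple.security.application-groups</key>
  <array><string>XXYYZZ112233.com.redacted.redacted</string></array>
  <key>com.apple.security.network.client</key><true/>
  <key>com.apple.security.network.server</key><true/>
  <key>com.apple.security.files.user-selected.read-write</key><true/>
</dict></plist>`;
const REDUCED = `<plist version="1.0"><dict>
  <key>com.apple.security.files.user-selected.read-write</key><true/>
  <key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/>
  <key>com.apple.security.device.audio-input</key><true/>
  <key>com.apple.security.files.user-selected.read-only</key><true/>
</dict></plist>`;

// Parse a flat entitlements dict into { key: true | false | [strings] }.
// Handles only the value types seen in this thread (booleans, string arrays).
function parseEntitlements(xml) {
  const out = {};
  const re = /<key>([^<]+)<\/key>\s*(?:<(true|false)\s*\/>|<array>([\s\S]*?)<\/array>)/g;
  for (const m of xml.matchAll(re)) {
    out[m[1]] = m[2] ? m[2] === 'true'
      : [...m[3].matchAll(/<string>([^<]*)<\/string>/g)].map((s) => s[1]);
  }
  return out;
}

// Summarise what a plist grants.
function audit(xml) {
  const ent = parseEntitlements(xml);
  const on = Object.keys(ent).filter((k) => ent[k] !== false).sort();
  const sandboxed = ent['com.apple.security.app-sandbox'] === true;
  return {
    sandboxed,
    // com.apple.security.cs.* keys are exceptions to the hardened runtime.
    runtimeExceptions: on.filter((k) => k.startsWith('com.apple.security.cs.')),
    // files.* and network.* are App Sandbox grants; unsandboxed they do nothing.
    inertWithoutSandbox: sandboxed ? []
      : on.filter((k) => /^com\.apple\.security\.(files|network)\./.test(k)),
  };
}

// Keys dropped and keys introduced between two plists.
function diffEntitlements(beforeXml, afterXml) {
  const [b, a] = [beforeXml, afterXml].map((x) => Object.keys(parseEntitlements(x)));
  return { removed: b.filter((k) => !a.includes(k)).sort(),
           added: a.filter((k) => !b.includes(k)).sort() };
}
console.log(diffEntitlements(ORIGINAL, REDUCED), audit(REDUCED));
```

Run in CI against the plist named in the `entitlements` build option, the `runtimeExceptions` list can be compared with an approved set so that a new hardened-runtime exception fails the build instead of shipping unnoticed.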

@ramonhoyo

I'm having this problem too, is there any workaround for this problem?

I did try @kidsonfilms-python-rules's proposal but I'm still having the issue.

@MikeJerred
Contributor

Removing com.apple.security.cs.disable-library-validation fixed this for me. My entitlements file:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <!-- https://github.com/electron/electron-notarize#prerequisites -->
    <key>com.apple.security.cs.allow-jit</key>
    <true/>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
    <key>com.apple.security.files.user-selected.read-write</key>
    <true/>
    <key>com.apple.security.files.user-selected.read-only</key>
    <true/>
  </dict>
</plist>
