Missing --deep flag prevents signing of packages that contain other binaries

[eriedl-kiban]

Adding --deep to the args array in function signApplicationAsync (opts) allows signing of MacOS apps that contain other executables. If this flag is not included the signing fails with the error message "code object is not signed at all".

[sethlu]

Hi @eriedl-kiban, thanks for filing the issue! We utilize walkAsync() to manually deep check all components that need signing, thus not providing the --deep flag. Also, the --deep flag is not recommended to be used. Are you having trouble signing your app currently with electron-osx-sign?

[eriedl-kiban]

I'm using electron-builder to package and sign my app. I also just realized there is another project electron-macos-sign. My apologies for posting to the wrong project.
But to give you some background, if I don't add the --deep flag then the signing fails with the error message code object is not signed at all.

[eriedl-kiban]

Looks like it is the same project. So the issue still persists :)

[develar]

@eriedl-kiban electron-builder uses another npm name because sometimes fork changes are required. Currently, latest version is used.

[sethlu]

@eriedl-kiban oh, would you mind providing your Electron version and a debug log of your signing process with export DEBUG=electron-osx-sign* so we may potentially track down the missing files to be signed?

[eriedl-kiban]

Your comment gave me a hint to try something else in my configuration. In my initial build configuration I put my additional files in the folder MyApplication.app/Contents using the extraFiles configuration property without a specific target directory.
If I use extraResources then the additional files get copied to MyApplication.app/Contents/Resources and then the signing succeeds. The signing also succeeds when specifying a target directory using extraFiles, so the files get copied to MyApplication.app/Contents/myFiles.
I suppose electron-osx-sign does everything as it is supposed to do and I will adjust on my end to comply with a proper package structure.

[develar]

Strange, as far I see, walk started from Contents (https://github.com/electron-userland/electron-osx-sign/blob/master/util.js#L97).

[eriedl-kiban]

I don't think the issue is that the files are not found, but that codesign does not expect any other files in the root of Contents. This might be something that is required of MacOS apps in general. If I put my binaries into a subfolder under Contents it signs just fine.

[sethlu]

Hi @eriedl-kiban, my understanding from the Apple doc (table 3-1 at https://developer.apple.com/library/content/documentation/Security/Conceptual/CodeSigningGuide/Procedures/Procedures.html, retrieved Jan 19, 2017) is that pretty much all components should be placed at their corresponding locations:

Location	Description
Contents	Top content directory of the bundle
Contents/MacOS	Helper apps and tools
Contents/Frameworks	Frameworks, dylibs
Contents/PlugIns	Plug-ins, both loadable and extensions
Contents/XPCServices	XPC services
Contents/Helpers	Helper apps and tools
Contents/Library/Automator	Automator actions
Contents/Library/Spotlight	Spotlight importers
Contents/Library/LoginItems	Installable login items
Contents/Library/LaunchServices	Privileged helper tools installed by the ServiceManagement framework

And I think placing your files outside the Contents dir's the reason of causing this issue?

---

Amend: electron-osx-sign currently starts walking from Contents, but may feature file misplacement detection if that may help?

[eriedl-kiban]

Yes, that was indeed the problem. Thank you so much for providing this. It might be helpful to add this link to the general documentation of electron-builder for when build MacOS apps. I moved now my executables to Contents/MacOS as they are indeed helper apps and tools.