Trouble running and verifying MAS-signed app on MacOS X 10.12.6 #148

Closed
recommnded opened this issue Aug 11, 2017 · 3 comments
@recommnded

Main Issue

I'm having trouble signing my app on MacOS X 10.12.6 (16G29) for Mac App Store distribution. After signing the app, it crashes. And further investigation shows there is something wrong with assigning the provisioning profile.

Specifically, I run into these three issues:

  1. Apple rejects the app because "Your app crashed on Mac running macOS 10.12.6 when we launched the app."
  2. Based on the crash log Apple sent me, this crash looks to be because of an issue with code signing the "Helper" app (crash log is appended below)
  3. I cannot seem to sign my app correctly for Mac App Store distribution using electron-builder, electron-osx-sign, or manually with codesign

Supporting Notes

  1. I believe trying to sign a real MAS version is expected to crash when you run it: https://developer.apple.com/library/content/qa/qa1884/_index.html
  2. However, I see that same error when signing a development version of the app. Is that expected?
  3. Please point me to the donation area as I am happy to support the continuation of this great project and some extra attention to this issue (I've sunk about 15 hours into this so far and I just think I am missing something).

My Setup

Hints about the error

When I run spctl on my signed app, I don't get a very promising or informative message:

$ spctl --assess --type execute --verbose --ignore-cache --no-cache ../releases/Recommnded-mas-x64/Recommnded.app

../releases/Recommnded-mas-x64/Recommnded.app: rejected

Output from RB App Checker Lite

In an attempt to learn a bit more about what was happening, I ran my app through RB App Checker and got the following:

Evaluating the application “Recommnded.app”.

The application was signed by “Apple Root CA”, “Mac Developer: Matthew Kaliara (AQQY...5QS)”.
	The (unverified) signing-time is: Aug 10, 2017, 9:24:00 PM.
	The object code format is “app bundle with Mach-O thin (x86_64)”.
	The signature contains the Team ID “52U...TLM8”.
	Both bundle and signing identifiers are “com.electron.recommnded”.
	The signature specifies implicit requirements. 
	The signature specifies resource rules (v1). 
	The signature specifies resource rules (v2). 
	Requirements and resources validate correctly.

The code signature has the UUID “12017E2...42A73B5E3BD”.
	Executable code for x86_64 has the UUID “107BF4A...D190A60FE”.

A signing-time snapshot of the application’s Info.plist was found. 
	Version 1.0.2 (1.0.2) 

The signature contains 3 certificates. 
	Certificate “Apple Root CA”: 
		Your keychain contains this trusted root certificate.
		Will expire on Feb 9, 2035.
	Certificate “Apple Worldwide Developer Relations Certification Authority”: 
		Will expire on Feb 7, 2023.
	Certificate “Mac Developer: Matthew Kaliara (AQQY...5QS)”: 
		Will expire on Aug 9, 2018.
		SHA1 fingerprint: “B3036F2....5F5C42AD6FF”.
		Team ID or Organizational Unit: “52U...TLM8”.
			This matches the Team ID contained in the signature.

The application is sandboxed.

The code signature contains entitlements. 
	Sandbox entitlements:
		Allow outgoing network connections: YES.
		Team identifier: “52U...TLM8”.
		Allow incoming network connections: YES.
		Application groups: “52U...TLM8.com.electron.recommnded”.
		Application identifier: “52U...TLM8.com.electron.recommnded”.

An embedded provisioning profile is present: “52U...TLM8 Electron Dev”. 
	UUID: “5d408...d590ba54d”.
	Created on Aug 10, 2017.
	Will expire on Aug 10, 2018.
	The profile specifies the application “recommnded electron” (52U...TLM8).
	The profile specifies the team “Matthew Kaliara” (52U...TLM8).
	➤ The profile does NOT match the application's Team ID (52U...TLM8)!
	There is one provisioned device. 
	The profile was signed by 3 certificates. 
	The profile may be used by one developer:
		Developer Certificate “Mac Developer: Matthew Kaliara (AQQY...5QS)”. 
			This certificate was used to sign the bundle.
			This certificate and corresponding key are in your keychain.

There is one embedded framework. 

48 auxiliary executables have been found. 
	58 data files have executable permissions, but should not.  
	178 files are invisible in the Finder.  
	36 executables are unsigned.  
	12 executables are signed by  “Apple Root CA”, “Mac Developer: Matthew Kaliara (AQQY...5QS)”. 
	42 executables are in the Resources folder. 
	8 executable files have no executable permissions, but should.  

The decoded provisioning profile looks like this (exposed when you click the arrow next to the row):

Decoded profile dictionary: {
    AppIDName = "recommnded electron";
    ApplicationIdentifierPrefix =     (
        52U...TLM8
    );
    CreationDate = "2017-08-11 03:06:21 +0000";
    Entitlements =     {
        "com.apple.application-identifier" = "52U...TLM8.com.electron.recommnded";
        "com.apple.developer.team-identifier" = 52U...TLM8;
        "keychain-access-groups" =         (
            "52U...TLM8.*"
        );
    };
    ExpirationDate = "2018-08-11 03:06:21 +0000";
    Name = "52U...TLM8 Electron Dev";
    Platform =     (
        OSX
    );
    ProvisionedDevices =     (
        "1FC03...0C072908D"
    );
    TeamIdentifier =     (
        52U...TLM8
    );
    TeamName = "Matthew Kaliara";
    TimeToLive = 365;
    UUID = "5d408...d590ba54d";
    Version = 1;
}

So far everything seems to match up correctly, but the important line there is ➤ The profile does NOT match the application's Team ID (52U...TLM8)!. I am having trouble figuring out exactly what that means, but it initially led me to this page (https://developer.apple.com/library/content/qa/qa1879/_index.html) which hasn't really helped me make progress.

Packaging and Signing the App

I'll take you through what I did to package and sign the app to make sure I didn't do anything silly.

Package it up

electron-packager . --overwrite --platform=mas --arch=x64 --icon=assets/icons/icon.icns --no-prune --out=../releases
(output)

electron-packager Electron Packager 8.7.2 +0ms
  electron-packager Node v8.0.0 +5ms
  electron-packager Host Operating system: darwin (x64) +1ms
  electron-packager Packager Options: {"_":["."],"all":false,"deref-symlinks":true,"download":{"strictSSL":true},"overwrite":true,"prune":false,"quiet":false,"platform":"mas","arch":"x64","icon":"assets/icons/icon.icns","out":"../releases","dir":".","protocols":[]} +1ms
  electron-packager Target Platforms: mas +0ms
  electron-packager Target Architectures: x64 +0ms
  electron-packager Inferring application name from name in /Users/matthew/Sites/recommnded.com/desktop-app/app/package.json +27ms
  electron-packager Inferring appVersion from version in /Users/matthew/Sites/recommnded.com/desktop-app/app/package.json +0ms
  electron-packager Inferring target Electron version from electron in /Users/matthew/Sites/recommnded.com/desktop-app/app/package.json +15ms
  electron-packager Application name: Recommnded +1ms
  electron-packager Target Electron version: 1.6.10 +0ms
  electron-packager Ignored path regular expressions: [ '/node_modules/electron($|/)',
  '/node_modules/electron-prebuilt(-compile)?($|/)',
  '/node_modules/electron-packager($|/)',
  '/\\.git($|/)',
  '/node_modules/\\.bin($|/)',
  '\\.o(bj)?$' ] +0ms
  electron-packager Downloading Electron with options {"strictSSL":true,"platform":"mas","arch":"x64","version":"1.6.10"} +18ms
  electron-download info { cache: '/Users/matthew/Library/Caches/electron',
  filename: 'electron-v1.6.10-mas-x64.zip',
  url: 'https://github.com/electron/electron/releases/download/v1.6.10/electron-v1.6.10-mas-x64.zip' } +10ms
  electron-download zip exists /Users/matthew/Library/Caches/electron/electron-v1.6.10-mas-x64.zip +3ms
  electron-download Verifying zip with checksum +1ms
Packaging app for platform mas x64 using electron v1.6.10
  electron-packager Creating /var/folders/98/dzv600rj0hq5c_c6fm2p2ynm0000gn/T/electron-packager/mas-x64-template +603ms
  electron-packager Extracting /Users/matthew/Library/Caches/electron/electron-v1.6.10-mas-x64.zip to /var/folders/98/dzv600rj0hq5c_c6fm2p2ynm0000gn/T/electron-packager/mas-x64-template +1ms
  electron-packager Initializing app in /var/folders/98/dzv600rj0hq5c_c6fm2p2ynm0000gn/T/electron-packager/mas-x64/Recommnded-mas-x64 from /var/folders/98/dzv600rj0hq5c_c6fm2p2ynm0000gn/T/electron-packager/mas-x64-template template +2s
  electron-packager Ignored paths based on the out param: [ '/Users/matthew/Sites/recommnded.com/desktop-app/releases' ] +2ms
WARNING: signing is required for mas builds. Provide the osx-sign option, or manually sign the app later.
  electron-packager Copying icon "assets/icons/icon.icns" to app's Resources as "electron.icns" +2s
  electron-packager Renaming Electron to Recommnded in /var/folders/98/dzv600rj0hq5c_c6fm2p2ynm0000gn/T/electron-packager/mas-x64/Recommnded-mas-x64/Electron.app/Contents/MacOS +5ms
  electron-packager Renaming Electron Helper to Recommnded Helper in /var/folders/98/dzv600rj0hq5c_c6fm2p2ynm0000gn/T/electron-packager/mas-x64/Recommnded-mas-x64/Electron.app/Contents/Frameworks/Electron Helper.app/Contents/MacOS +1ms
  electron-packager Renaming Electron Helper.app to Recommnded Helper.app in /var/folders/98/dzv600rj0hq5c_c6fm2p2ynm0000gn/T/electron-packager/mas-x64/Recommnded-mas-x64/Electron.app/Contents/Frameworks +1ms
  electron-packager Renaming Electron Helper EH to Recommnded Helper EH in /var/folders/98/dzv600rj0hq5c_c6fm2p2ynm0000gn/T/electron-packager/mas-x64/Recommnded-mas-x64/Electron.app/Contents/Frameworks/Electron Helper EH.app/Contents/MacOS +0ms
  electron-packager Renaming Electron Helper EH.app to Recommnded Helper EH.app in /var/folders/98/dzv600rj0hq5c_c6fm2p2ynm0000gn/T/electron-packager/mas-x64/Recommnded-mas-x64/Electron.app/Contents/Frameworks +0ms
  electron-packager Renaming Electron Helper NP to Recommnded Helper NP in /var/folders/98/dzv600rj0hq5c_c6fm2p2ynm0000gn/T/electron-packager/mas-x64/Recommnded-mas-x64/Electron.app/Contents/Frameworks/Electron Helper NP.app/Contents/MacOS +1ms
  electron-packager Renaming Electron Helper NP.app to Recommnded Helper NP.app in /var/folders/98/dzv600rj0hq5c_c6fm2p2ynm0000gn/T/electron-packager/mas-x64/Recommnded-mas-x64/Electron.app/Contents/Frameworks +0ms
  electron-packager Moving /var/folders/98/dzv600rj0hq5c_c6fm2p2ynm0000gn/T/electron-packager/mas-x64/Recommnded-mas-x64 to ../releases/Recommnded-mas-x64 +1ms
Wrote new app to ../releases/Recommnded-mas-x64

After packaging, the app seems to run fine before signing. Doesn't crash and works properly.

Signing

Here is my mas.entitlements file:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
    <key>com.apple.security.network.server</key>
    <true/>
  </dict>
</plist>

My electron.provisionprofile is a developer provisioning profile with my machine's UUID as a device.

When trying to sign a development version, I run this:
electron-osx-sign "../releases/Recommnded-mas-x64/Recommnded.app" --platform=mas --type=development --entitlements="./build/mas.entitlements" --provisioning-profile="electron.provisionprofile"
(output)

electron-osx-sign:warn No `identity` passed in arguments... +0ms
  electron-osx-sign Finding `Mac Developer` certificate for signing app in development for the Mac App Store signing... +5ms
  electron-osx-sign Executing... security find-identity -v +3ms
  electron-osx-sign Identity:
 > Name: Mac Developer: Matthew Kaliara (AQQ...5QS)
 > Hash: B3036F2....5F5C42AD6FF +387ms
  electron-osx-sign Found 1 identity. +1ms
  electron-osx-sign:warn No `entitlements-inherit` passed in arguments:
 * Sandbox entitlements file for enclosing app files is default to: /Users/matthew/.config/yarn/global/node_modules/electron-osx-sign/default.entitlements.mas.inherit.plist +0ms
  electron-osx-sign Pre-sign operation enabled for provisioning profile:
 * Disable by setting `pre-embed-previsioning-profile` to `false`. +1ms
  electron-osx-sign Pre-sign operation enabled for entitlements automation with versions >= `1.1.1`:
 * Disable by setting `pre-auto-entitlements` to `false`. +0ms
  electron-osx-sign `provisioning-profile` passed in arguments. +2ms
  electron-osx-sign Executing... security cms -D -i electron.provisionprofile +0ms
  electron-osx-sign Provisioning profile:
 > Name: 52U...TLM8 Electron Dev
 > Platforms: [ 'darwin', 'mas' ]
 > Type: development
 > Path: electron.provisionprofile
 > Message: { AppIDName: 'recommnded electron',
  ApplicationIdentifierPrefix: [ '52U...TLM8' ],
  CreationDate: 2017-08-11T03:06:21.000Z,
  Platform: [ 'OSX' ],
  DeveloperCertificates: [ <Buffer 30 82 05 8b 30 82 04 73 a0 03 02 01 02 02 08 22 bb b3 21 1d b9 0e d4 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 30 81 96 31 0b 30 09 06 03 55 04 06 ... > ],
  Entitlements:
   { 'keychain-access-groups': [ '52U...TLM8.*' ],
     'com.apple.application-identifier': '52U...TLM8.com.electron.recommnded',
     'com.apple.developer.team-identifier': '52U...TLM8' },
  ExpirationDate: 2018-08-11T03:06:21.000Z,
  Name: '52U...TLM8 Electron Dev',
  ProvisionedDevices: [ '1FC030...C072908D' ],
  TeamIdentifier: [ '52U...TLM8' ],
  TeamName: 'Matthew Kaliara',
  TimeToLive: 365,
  UUID: '5d408...590ba54d',
  Version: 1 } +101ms
  electron-osx-sign Looking for existing provisioning profile... +11ms
  electron-osx-sign Embedding provisioning profile... +2ms
  electron-osx-sign Copying file...
 > Source: electron.provisionprofile
 > Target: ../releases/Recommnded-mas-x64/Recommnded.app/Contents/embedded.provisionprofile +1ms
  electron-osx-sign Automating entitlement app group...
 > Info.plist: ../releases/Recommnded-mas-x64/Recommnded.app/Contents/Info.plist
 > Entitlements: ./build/mas.entitlements +7ms
  electron-osx-sign `ElectronTeamID` not found in `Info.plist`, use parsed from provisioning profile: 52U...TLM8 +14ms
  electron-osx-sign Entitlements file updated:
 > Info.plist: ../releases/Recommnded-mas-x64/Recommnded.app/Contents/Info.plist +14ms
  electron-osx-sign `com.apple.application-identifier` not found in entitlements file, new inserted: 52U...TLM8.com.electron.recommnded +1ms
  electron-osx-sign `com.apple.developer.team-identifier` not found in entitlements file, new inserted: 52U...TLM8 +0ms
  electron-osx-sign `com.apple.security.application-groups` not found in entitlements file, new inserted: 52U...TLM8.com.electron.recommnded +0ms
  electron-osx-sign Entitlements file updated:
 > Entitlements: /var/folders/98/dzv600rj0hq5c_c6fm2p2ynm0000gn/T/6504b627-73ad-4da7-9b4f-7b377dde6bb7.plist +4ms
  electron-osx-sign Signing application...
 > Application: ../releases/Recommnded-mas-x64/Recommnded.app
 > Platform: mas
 > Entitlements: /var/folders/98/dzv600rj0hq5c_c6fm2p2ynm0000gn/T/6504b627-73ad-4da7-9b4f-7b377dde6bb7.plist
 > Child entitlements: /Users/matthew/.config/yarn/global/node_modules/electron-osx-sign/default.entitlements.mas.inherit.plist
 > Additional binaries: []
 > Identity: { name: 'Mac Developer: Matthew Kaliara (AQQ...5QS)',
  hash: 'B3036F2....5F5C42AD6FF' } +2ms
  electron-osx-sign Walking... ../releases/Recommnded-mas-x64/Recommnded.app/Contents +2ms
  electron-osx-sign Signing... ../releases/Recommnded-mas-x64/Recommnded.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Electron Framework +350ms
  electron-osx-sign Executing... codesign --sign B3036F2....5F5C42AD6FF --force --entitlements /Users/matthew/.config/yarn/global/node_modules/electron-osx-sign/default.entitlements.mas.inherit.plist ../releases/Recommnded-mas-x64/Recommnded.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Electron Framework +0ms
  electron-osx-sign Signing... ../releases/Recommnded-mas-x64/Recommnded.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libffmpeg.dylib +2s
  electron-osx-sign Executing... codesign --sign B3036F2....5F5C42AD6FF --force --entitlements /Users/matthew/.config/yarn/global/node_modules/electron-osx-sign/default.entitlements.mas.inherit.plist ../releases/Recommnded-mas-x64/Recommnded.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libffmpeg.dylib +0ms
  electron-osx-sign Signing... ../releases/Recommnded-mas-x64/Recommnded.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libnode.dylib +270ms
  electron-osx-sign Executing... codesign --sign B3036F2....5F5C42AD6FF --force --entitlements /Users/matthew/.config/yarn/global/node_modules/electron-osx-sign/default.entitlements.mas.inherit.plist ../releases/Recommnded-mas-x64/Recommnded.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libnode.dylib +0ms
  electron-osx-sign Signing... ../releases/Recommnded-mas-x64/Recommnded.app/Contents/Frameworks/Electron Framework.framework +555ms
  electron-osx-sign Executing... codesign --sign B3036F2....5F5C42AD6FF --force --entitlements /Users/matthew/.config/yarn/global/node_modules/electron-osx-sign/default.entitlements.mas.inherit.plist ../releases/Recommnded-mas-x64/Recommnded.app/Contents/Frameworks/Electron Framework.framework +1ms
  electron-osx-sign Signing... ../releases/Recommnded-mas-x64/Recommnded.app/Contents/Frameworks/Recommnded Helper EH.app/Contents/MacOS/Recommnded Helper EH +2s
  electron-osx-sign Executing... codesign --sign B3036F2....5F5C42AD6FF --force --entitlements /Users/matthew/.config/yarn/global/node_modules/electron-osx-sign/default.entitlements.mas.inherit.plist ../releases/Recommnded-mas-x64/Recommnded.app/Contents/Frameworks/Recommnded Helper EH.app/Contents/MacOS/Recommnded Helper EH +1ms
  electron-osx-sign Signing... ../releases/Recommnded-mas-x64/Recommnded.app/Contents/Frameworks/Recommnded Helper EH.app +219ms
  electron-osx-sign Executing... codesign --sign B3036F2....5F5C42AD6FF --force --entitlements /Users/matthew/.config/yarn/global/node_modules/electron-osx-sign/default.entitlements.mas.inherit.plist ../releases/Recommnded-mas-x64/Recommnded.app/Contents/Frameworks/Recommnded Helper EH.app +0ms
  electron-osx-sign Signing... ../releases/Recommnded-mas-x64/Recommnded.app/Contents/Frameworks/Recommnded Helper NP.app/Contents/MacOS/Recommnded Helper NP +223ms
  electron-osx-sign Executing... codesign --sign B3036F2....5F5C42AD6FF --force --entitlements /Users/matthew/.config/yarn/global/node_modules/electron-osx-sign/default.entitlements.mas.inherit.plist ../releases/Recommnded-mas-x64/Recommnded.app/Contents/Frameworks/Recommnded Helper NP.app/Contents/MacOS/Recommnded Helper NP +0ms
  electron-osx-sign Signing... ../releases/Recommnded-mas-x64/Recommnded.app/Contents/Frameworks/Recommnded Helper NP.app +237ms
  electron-osx-sign Executing... codesign --sign B3036F2....5F5C42AD6FF --force --entitlements /Users/matthew/.config/yarn/global/node_modules/electron-osx-sign/default.entitlements.mas.inherit.plist ../releases/Recommnded-mas-x64/Recommnded.app/Contents/Frameworks/Recommnded Helper NP.app +0ms
  electron-osx-sign Signing... ../releases/Recommnded-mas-x64/Recommnded.app/Contents/Frameworks/Recommnded Helper.app/Contents/MacOS/Recommnded Helper +281ms
  electron-osx-sign Executing... codesign --sign B3036F2....5F5C42AD6FF --force --entitlements /Users/matthew/.config/yarn/global/node_modules/electron-osx-sign/default.entitlements.mas.inherit.plist ../releases/Recommnded-mas-x64/Recommnded.app/Contents/Frameworks/Recommnded Helper.app/Contents/MacOS/Recommnded Helper +0ms
  electron-osx-sign Signing... ../releases/Recommnded-mas-x64/Recommnded.app/Contents/Frameworks/Recommnded Helper.app +233ms
  electron-osx-sign Executing... codesign --sign B3036F2....5F5C42AD6FF --force --entitlements /Users/matthew/.config/yarn/global/node_modules/electron-osx-sign/default.entitlements.mas.inherit.plist ../releases/Recommnded-mas-x64/Recommnded.app/Contents/Frameworks/Recommnded Helper.app +0ms
  electron-osx-sign Signing... ../releases/Recommnded-mas-x64/Recommnded.app/Contents/MacOS/Recommnded +268ms
  electron-osx-sign Executing... codesign --sign B3036F2....5F5C42AD6FF --force --entitlements /Users/matthew/.config/yarn/global/node_modules/electron-osx-sign/default.entitlements.mas.inherit.plist ../releases/Recommnded-mas-x64/Recommnded.app/Contents/MacOS/Recommnded +0ms
  electron-osx-sign Signing... ../releases/Recommnded-mas-x64/Recommnded.app/Contents/Resources/app/node_modules/7zip-bin-mac/7za +1s
  electron-osx-sign Executing... codesign --sign B3036F2....5F5C42AD6FF --force --entitlements /Users/matthew/.config/yarn/global/node_modules/electron-osx-sign/default.entitlements.mas.inherit.plist ../releases/Recommnded-mas-x64/Recommnded.app/Contents/Resources/app/node_modules/7zip-bin-mac/7za +0ms
  electron-osx-sign Signing... ../releases/Recommnded-mas-x64/Recommnded.app/Contents/Resources/app/node_modules/fcopy-pre-bundled/lib/fcopy_binding/1-48-darwin-x64.node +247ms
  electron-osx-sign Executing... codesign --sign B3036F2....5F5C42AD6FF --force --entitlements /Users/matthew/.config/yarn/global/node_modules/electron-osx-sign/default.entitlements.mas.inherit.plist ../releases/Recommnded-mas-x64/Recommnded.app/Contents/Resources/app/node_modules/fcopy-pre-bundled/lib/fcopy_binding/1-48-darwin-x64.node +1ms
  electron-osx-sign Signing... ../releases/Recommnded-mas-x64/Recommnded.app/Contents/Resources/app/node_modules/fcopy-pre-bundled/lib/fcopy_binding/1-48-linux-x64.node +220ms
  electron-osx-sign Executing... codesign --sign B3036F2....5F5C42AD6FF --force --entitlements /Users/matthew/.config/yarn/global/node_modules/electron-osx-sign/default.entitlements.mas.inherit.plist ../releases/Recommnded-mas-x64/Recommnded.app/Contents/Resources/app/node_modules/fcopy-pre-bundled/lib/fcopy_binding/1-48-linux-x64.node +0ms
  electron-osx-sign Signing... ../releases/Recommnded-mas-x64/Recommnded.app/Contents/Resources/app/node_modules/fcopy-pre-bundled/lib/fcopy_binding/1-48-win32-x64.node +206ms
  electron-osx-sign Executing... codesign --sign B3036F2....5F5C42AD6FF --force --entitlements /Users/matthew/.config/yarn/global/node_modules/electron-osx-sign/default.entitlements.mas.inherit.plist ../releases/Recommnded-mas-x64/Recommnded.app/Contents/Resources/app/node_modules/fcopy-pre-bundled/lib/fcopy_binding/1-48-win32-x64.node +0ms
  electron-osx-sign Signing... ../releases/Recommnded-mas-x64/Recommnded.app/Contents/Resources/app/node_modules/fcopy-pre-bundled/lib/fcopy_binding/1-51-darwin-x64.node +189ms
  electron-osx-sign Executing... codesign --sign B3036F2....5F5C42AD6FF --force --entitlements /Users/matthew/.config/yarn/global/node_modules/electron-osx-sign/default.entitlements.mas.inherit.plist ../releases/Recommnded-mas-x64/Recommnded.app/Contents/Resources/app/node_modules/fcopy-pre-bundled/lib/fcopy_binding/1-51-darwin-x64.node +0ms
  electron-osx-sign Signing... ../releases/Recommnded-mas-x64/Recommnded.app/Contents/Resources/app/node_modules/fcopy-pre-bundled/lib/fcopy_binding/1-51-linux-x64.node +233ms
  electron-osx-sign Executing... codesign --sign B3036F2....5F5C42AD6FF --force --entitlements /Users/matthew/.config/yarn/global/node_modules/electron-osx-sign/default.entitlements.mas.inherit.plist ../releases/Recommnded-mas-x64/Recommnded.app/Contents/Resources/app/node_modules/fcopy-pre-bundled/lib/fcopy_binding/1-51-linux-x64.node +0ms
  electron-osx-sign Signing... ../releases/Recommnded-mas-x64/Recommnded.app/Contents/Resources/app/node_modules/fcopy-pre-bundled/lib/fcopy_binding/1-51-win32-x64.node +249ms
  electron-osx-sign Executing... codesign --sign B3036F2....5F5C42AD6FF --force --entitlements /Users/matthew/.config/yarn/global/node_modules/electron-osx-sign/default.entitlements.mas.inherit.plist ../releases/Recommnded-mas-x64/Recommnded.app/Contents/Resources/app/node_modules/fcopy-pre-bundled/lib/fcopy_binding/1-51-win32-x64.node +1ms
  electron-osx-sign Signing... ../releases/Recommnded-mas-x64/Recommnded.app/Contents/Resources/app/node_modules/fcopy-pre-bundled/lib/fcopy_binding/1-57-darwin-x64.node +231ms
  electron-osx-sign Executing... codesign --sign B3036F2....5F5C42AD6FF --force --entitlements /Users/matthew/.config/yarn/global/node_modules/electron-osx-sign/default.entitlements.mas.inherit.plist ../releases/Recommnded-mas-x64/Recommnded.app/Contents/Resources/app/node_modules/fcopy-pre-bundled/lib/fcopy_binding/1-57-darwin-x64.node +0ms
  electron-osx-sign Signing... ../releases/Recommnded-mas-x64/Recommnded.app/Contents/Resources/app/node_modules/fcopy-pre-bundled/lib/fcopy_binding/1-57-linux-x64.node +246ms
  electron-osx-sign Executing... codesign --sign B3036F2....5F5C42AD6FF --force --entitlements /Users/matthew/.config/yarn/global/node_modules/electron-osx-sign/default.entitlements.mas.inherit.plist ../releases/Recommnded-mas-x64/Recommnded.app/Contents/Resources/app/node_modules/fcopy-pre-bundled/lib/fcopy_binding/1-57-linux-x64.node +0ms
  electron-osx-sign Signing... ../releases/Recommnded-mas-x64/Recommnded.app/Contents/Resources/app/node_modules/fcopy-pre-bundled/lib/fcopy_binding/1-57-win32-x64.node +216ms
  electron-osx-sign Executing... codesign --sign B3036F2....5F5C42AD6FF --force --entitlements /Users/matthew/.config/yarn/global/node_modules/electron-osx-sign/default.entitlements.mas.inherit.plist ../releases/Recommnded-mas-x64/Recommnded.app/Contents/Resources/app/node_modules/fcopy-pre-bundled/lib/fcopy_binding/1-57-win32-x64.node +1ms
  electron-osx-sign Signing... ../releases/Recommnded-mas-x64/Recommnded.app/Contents/Resources/app/node_modules/node-notifier/vendor/terminal-notifier.app/Contents/MacOS/terminal-notifier +227ms
  electron-osx-sign Executing... codesign --sign B3036F2....5F5C42AD6FF --force --entitlements /Users/matthew/.config/yarn/global/node_modules/electron-osx-sign/default.entitlements.mas.inherit.plist ../releases/Recommnded-mas-x64/Recommnded.app/Contents/Resources/app/node_modules/node-notifier/vendor/terminal-notifier.app/Contents/MacOS/terminal-notifier +0ms
  electron-osx-sign Signing... ../releases/Recommnded-mas-x64/Recommnded.app/Contents/Resources/app/node_modules/node-notifier/vendor/terminal-notifier.app +236ms
  electron-osx-sign Executing... codesign --sign B3036F2....5F5C42AD6FF --force --entitlements /Users/matthew/.config/yarn/global/node_modules/electron-osx-sign/default.entitlements.mas.inherit.plist ../releases/Recommnded-mas-x64/Recommnded.app/Contents/Resources/app/node_modules/node-notifier/vendor/terminal-notifier.app +0ms
  electron-osx-sign Signing... ../releases/Recommnded-mas-x64/Recommnded.app/Contents/Resources/app/node_modules/term-size/vendor/macos/term-size +245ms
  electron-osx-sign Executing... codesign --sign B3036F2....5F5C42AD6FF --force --entitlements /Users/matthew/.config/yarn/global/node_modules/electron-osx-sign/default.entitlements.mas.inherit.plist ../releases/Recommnded-mas-x64/Recommnded.app/Contents/Resources/app/node_modules/term-size/vendor/macos/term-size +0ms
  electron-osx-sign Signing... ../releases/Recommnded-mas-x64/Recommnded.app +226ms


  electron-osx-sign Executing... codesign --sign B3036F2....5F5C42AD6FF --force --entitlements /var/folders/98/dzv600rj0hq5c_c6fm2p2ynm0000gn/T/6504b627-73ad-4da7-9b4f-7b377dde6bb7.plist ../releases/Recommnded-mas-x64/Recommnded.app +3ms


  electron-osx-sign Verifying... +1s
  electron-osx-sign Verifying application bundle with codesign... +1ms
  electron-osx-sign Executing... codesign --verify --deep --verbose=2 --strict ../releases/Recommnded-mas-x64/Recommnded.app +1ms
  electron-osx-sign Verified. +1s
  electron-osx-sign Displaying entitlements... +1ms
  electron-osx-sign Executing... codesign --display --entitlements :- ../releases/Recommnded-mas-x64/Recommnded.app +0ms
  electron-osx-sign Entitlements:
 <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
    <key>com.apple.security.network.server</key>
    <true/>
    <key>com.apple.application-identifier</key>
    <string>52U...TLM8.com.electron.recommnded</string>
    <key>com.apple.developer.team-identifier</key>
    <string>52U...TLM8</string>
    <key>com.apple.security.application-groups</key>
    <array>
      <string>52U...TLM8.com.electron.recommnded</string>
    </array>
  </dict>
</plist> +140ms
  electron-osx-sign Application signed. +0ms
  electron-osx-sign Application signed: ../releases/Recommnded-mas-x64/Recommnded.app +0ms
Application signed: ../releases/Recommnded-mas-x64/Recommnded.app

Reviewing the final entitlements embedded into the app

First the main app
codesign -d --entitlements :- ../releases/Recommnded-mas-x64/Recommnded.app

Executable=/Users/matthew/Sites/recommnded.com/desktop-app/releases/Recommnded-mas-x64/Recommnded.app/Contents/MacOS/Recommnded

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
    <key>com.apple.security.network.server</key>
    <true/>
    <key>com.apple.application-identifier</key>
    <string>52U...TLM8.com.electron.recommnded</string>
    <key>com.apple.developer.team-identifier</key>
    <string>52U...TLM8</string>
    <key>com.apple.security.application-groups</key>
    <array>
      <string>52U...TLM8.com.electron.recommnded</string>
    </array>
  </dict>
</plist>

And the Helper app
codesign -d --entitlements :- ../releases/Recommnded-mas-x64/Recommnded.app/Contents/Frameworks/Recommnded\ Helper.app

Executable=/Users/matthew/Sites/recommnded.com/desktop-app/releases/Recommnded-mas-x64/Recommnded.app/Contents/Frameworks/Recommnded Helper.app/Contents/MacOS/Recommnded Helper
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.inherit</key>
    <true/>
  </dict>
</plist>

And some other script to investigate the provisioning profile

$ security cms -D -i ../releases/Recommnded-mas-x64/Recommnded.app/Contents/embedded.provisionprofile

security: SecPolicySetValue: One or more parameters passed to a function were not valid.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>AppIDName</key>
	<string>recommnded electron</string>
	<key>ApplicationIdentifierPrefix</key>
	<array>
	<string>52U...TLM8</string>
	</array>
	<key>CreationDate</key>
	<date>2017-08-11T03:06:21Z</date>
	<key>Platform</key>
	<array>
		<string>OSX</string>
	</array>
	<key>DeveloperCertificates</key>
	<array>
		<data>MIIFizCC...WHyMCHgQ==</data>
	</array>
	<key>Entitlements</key>
	<dict>
		<key>keychain-access-groups</key>
		<array>
			<string>52U...TLM8.*</string>		
		</array>
		<key>com.apple.application-identifier</key>
		<string>52U...TLM8.com.electron.recommnded</string>
		<key>com.apple.developer.team-identifier</key>
		<string>52U...TLM8</string>
	</dict>
	<key>ExpirationDate</key>
	<date>2018-08-11T03:06:21Z</date>
	<key>Name</key>
	<string>52U...TLM8 Electron Dev</string>
	<key>ProvisionedDevices</key>
	<array>
		<string>1FC030E...C072908D</string>
	</array>
	<key>TeamIdentifier</key>
	<array>
		<string>52U...TLM8</string>
	</array>
	<key>TeamName</key>
	<string>Matthew Kaliara</string>
	<key>TimeToLive</key>
	<integer>365</integer>
	<key>UUID</key>
	<string>5d408f...590ba54d</string>
	<key>Version</key>
	<integer>1</integer>
</dict>
</plist>

Again, that all looks ok to me. All of the Team IDs and App IDs match up. Also, that error on the first line didn't seem to really matter after investigating a few reports like this one (DanTheMan827/ios-app-signer#19)

Stuff I have tried

Originally was using electron-builder and this guide (but I believe I have been able to rule out electron-builder as the issue):

Looked at this but my IDs do seem to match.

A previous issue helped me narrow down a few things, but never get it completely working:

Looked at this but manually signing the app with --timestamp=none only seemed to bring up an error finding an Electron framework

Also tried manually signing using scripts from, but still got same issue from RB Checker:

Looked at this but didn't seem to have any rogue symlinks lying around

Other notes that might be helpful

package.json

{
  "name": "Recommnded",
  "version": "1.0.2",
  "main": "main.js",
  "scripts": {
    "start": "electron .",
    "pack": "build --dir",
    "dist": "build"
  },
  "build": {
    "appId": "com.recommnded.hr",
    "mac": {
      "target": [
        "mas"
      ],
      "icon": "build/icon.icns",
      "category": "public.app-category.business",
      "entitlements": "build/child.plist",
      "type": "distribution"
    },
    "dmg": {
      "backgroundColor": "#eeeeee",
      "icon": "assets/icons/icon.icns",
      "title": "Install ${productName}"
    },
    "mas": {
      "entitlements": "build/parent.plist",
      "entitlementsInherit": "build/child.plist",
      "asar": true,
      "type": "distribution",
      "category": "public.app-category.business"
    },
    "win": {
      "icon": "assets/icons/icon_large.ico",
      "certificateSubjectName": "Recommnded, LLC",
      "target": [
        "nsis"
      ]
    },
    "files": [
      "main.js",
      "node_modules/**/*",
      "app/**/*",
      "package.json"
    ],
    "protocols": {
      "name": "Recommnded",
      "role": "None",
      "schemes": [
        "recommnded"
      ]
    }
  },
  "author": "Recommnded Inc.",
  "license": "CC0-1.0",
  "dependencies": {
    "node-notifier": "5.1.2",
    "semver": "^5.4.1"
  },
  "devDependencies": {
    "electron": "1.6.10",
    "electron-builder": "^19.19.1",
    "semver": "^5.4.1"
  }
}

Production Node Modules

$ npm ls --production
├─┬ [email protected]
│ ├── [email protected]
│ ├── [email protected] deduped
│ ├── [email protected]
│ └─┬ [email protected]
│   └── [email protected]
└── [email protected]

Crash Log from Apple when submitted to App Store (using the old App ID)

Process:               Recommnded Helper [68315]
Path:                  /Applications/Recommnded.app/Contents/Frameworks/Recommnded Helper.app/Contents/MacOS/Recommnded Helper
Identifier:            com.recommnded.hr.helper
Version:               0
Code Type:             X86-64 (Native)
Parent Process:        ??? [1]
Responsible:           Recommnded Helper [68315]
User ID:               504

Date/Time:             2017-08-04 16:18:30.564 -0700
OS Version:            Mac OS X 10.12.6 (16G29)
Report Version:        12
Anonymous UUID:        1730E2C1-3D54-2A94-4DA5-03180217F005

Sleep/Wake UUID:       6913A39D-3B43-4145-AA71-D0DF7EE0E805

Time Awake Since Boot: 540000 seconds

System Integrity Protection: enabled

Crashed Thread:        0  CrRendererMain  Dispatch queue: com.apple.main-thread

Exception Type:        EXC_CRASH (SIGABRT)
Exception Codes:       0x0000000000000000, 0x0000000000000000
Exception Note:        EXC_CORPSE_NOTIFY

Application Specific Information:
abort() called

Thread 0 Crashed:: CrRendererMain  Dispatch queue: com.apple.main-thread
0   libsystem_kernel.dylib        	0x00007fffe4667d42 __pthread_kill + 10
1   libsystem_pthread.dylib       	0x00007fffe4755457 pthread_kill + 90
2   libsystem_c.dylib             	0x00007fffe45cd420 abort + 129
3   libnode.dylib                 	0x000000010e499146 uv_sem_post + 22
4   com.github.electron.framework 	0x000000010a19d1e7 atom::NodeBindings::~NodeBindings() + 39
5   com.github.electron.framework 	0x000000010a19e579 atom::NodeBindingsMac::~NodeBindingsMac() + 9
6   com.github.electron.framework 	0x000000010a19e589 atom::NodeBindingsMac::~NodeBindingsMac() + 9
7   com.github.electron.framework 	0x000000010a19e59e atom::NodeBindingsMac::~NodeBindingsMac() + 14
8   com.github.electron.framework 	0x000000010a1a7e26 atom::AtomRendererClient::~AtomRendererClient() + 70
9   com.github.electron.framework 	0x000000010a1a7e49 atom::AtomRendererClient::~AtomRendererClient() + 9
10  com.github.electron.framework 	0x000000010a1a7e5e atom::AtomRendererClient::~AtomRendererClient() + 14
11  com.github.electron.framework 	0x000000010a08f8a1 atom::AtomMainDelegate::~AtomMainDelegate() + 65
12  com.github.electron.framework 	0x000000010a08f8d9 atom::AtomMainDelegate::~AtomMainDelegate() + 9
13  com.github.electron.framework 	0x000000010a08c955 AtomMain + 85
14  com.recommnded.hr.helper      	0x000000010931af26 main + 38
15  libdyld.dylib                 	0x00007fffe4539235 start + 1

Thread 1:
0   libsystem_pthread.dylib       	0x00007fffe4752070 start_wqthread + 0
1   ???                           	0x0000000000005703 0 + 22275

Thread 2:
0   libsystem_pthread.dylib       	0x00007fffe4752070 start_wqthread + 0

Thread 3:
0   libsystem_pthread.dylib       	0x00007fffe4752070 start_wqthread + 0

Thread 4:: WorkerPool/19207
0   libsystem_kernel.dylib        	0x00007fffe4667bf2 __psynch_cvwait + 10
1   libsystem_pthread.dylib       	0x00007fffe4753833 _pthread_cond_wait + 769
2   com.github.electron.framework 	0x000000010a27316b 0x10a08a000 + 2003307
3   com.github.electron.framework 	0x000000010a305469 0x10a08a000 + 2602089
4   com.github.electron.framework 	0x000000010a3058c7 0x10a08a000 + 2603207
5   com.github.electron.framework 	0x000000010a2b90e7 0x10a08a000 + 2289895
6   libsystem_pthread.dylib       	0x00007fffe475293b _pthread_body + 180
7   libsystem_pthread.dylib       	0x00007fffe4752887 _pthread_start + 286
8   libsystem_pthread.dylib       	0x00007fffe475208d thread_start + 13

Thread 0 crashed with X86 Thread State (64-bit):
  rax: 0x0000000000000000  rbx: 0x0000000000000006  rcx: 0x00007fff568e5438  rdx: 0x0000000000000000
  rdi: 0x0000000000000307  rsi: 0x0000000000000006  rbp: 0x00007fff568e5460  rsp: 0x00007fff568e5438
   r8: 0x0000000000000002   r9: 0x00007fb8ca613900  r10: 0x0000000008000000  r11: 0x0000000000000206
  r12: 0x0000000000000000  r13: 0x0000000000000000  r14: 0x00007fffed4bb3c0  r15: 0x00007fff568e5590
  rip: 0x00007fffe4667d42  rfl: 0x0000000000000206  cr2: 0x00007fffed49d128

Logical CPU:     0
Error Code:      0x02000148
Trap Number:     133
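
An added example (not part of the original issue and not electron-osx-sign code): the by-eye comparison of the `codesign -d --entitlements :-` and `security cms -D` dumps in the post above, done programmatically. The plists are constructed samples with a placeholder team ID `TEAMID1234` and bundle ID `com.example.app`; the function names and the rule that `com.apple.security.*` keys need no profile authorisation are assumptions of this example.

```python
import plistlib
from datetime import datetime, timezone

HDR = b'<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>'
# Constructed samples shaped like the two dumps; TEAMID1234 is a placeholder.
APP_ENT = HDR + b"""
<key>com.apple.security.app-sandbox</key><true/>
<key>com.apple.application-identifier</key><string>TEAMID1234.com.example.app</string>
<key>com.apple.developer.team-identifier</key><string>TEAMID1234</string>
</dict></plist>"""
PROFILE = HDR + b"""
<key>TeamIdentifier</key><array><string>TEAMID1234</string></array>
<key>ExpirationDate</key><date>2018-08-11T03:06:21Z</date>
<key>Entitlements</key><dict>
  <key>keychain-access-groups</key><array><string>TEAMID1234.*</string></array>
  <key>com.apple.application-identifier</key><string>TEAMID1234.com.example.app</string>
  <key>com.apple.developer.team-identifier</key><string>TEAMID1234</string>
</dict></dict></plist>"""

def granted(allowed, value):
    """True if a profile value authorises the signed value (lists, trailing '*')."""
    if isinstance(value, list):
        return all(granted(allowed, v) for v in value)
    if isinstance(allowed, list):
        return any(granted(a, value) for a in allowed)
    if isinstance(allowed, str) and allowed.endswith("*"):
        return isinstance(value, str) and value.startswith(allowed[:-1])
    return allowed == value

def check(app_xml, profile_xml, bundle_id, now=None):
    """Return the mismatches between signed entitlements and the profile."""
    app, prof = plistlib.loads(app_xml), plistlib.loads(profile_xml)
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)  # plist dates are naive UTC
    findings = []
    if prof["ExpirationDate"] < now:
        findings.append("profile expired")
    team = app.get("com.apple.developer.team-identifier")
    if team not in prof.get("TeamIdentifier", []):
        findings.append("team id not in profile")
    if app.get("com.apple.application-identifier") != f"{team}.{bundle_id}":
        findings.append("application-identifier does not match bundle id")
    for key, value in app.items():
        if key.startswith("com.apple.security."):
            continue  # assumption: sandbox keys need no profile authorisation
        allowed = prof["Entitlements"].get(key)
        if allowed is None or not granted(allowed, value):
            findings.append(f"{key} not authorised by profile")
    return findings
```

To run it on a real build, pass the XML portion of the two command outputs as bytes, together with the bundle identifier from the app's Info.plist.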
@sethlu
Contributor

sethlu commented Aug 11, 2017

Hi @recommnded, thanks for filing this rarely encountered issue! I really appreciate your effort looking into all these resources 😺 From the information you provided, there are a few concerns I find...

  • The electron-osx-sign debug log printed is not from [email protected] but a previous version. To see if it's the latest version, the debug log should start with electron-osx-sign [email protected] +0ms. There may be unexpected issues with older versions.

  • I'm not very sure what The profile does NOT match the app's Team ID means... Probably it's due to the different app identifiers used for signing?

A few suggestions:

  • The app ID doesn't need to strictly follow the com.electron.* format as it only needs to be a reversed domain name. So having com.recommend.hr should be totally fine.

  • spctl will not work with apps signed with the dev certificate Mac Developer:* nor with the 3rd party app dev 3rd Party Mac Developer:*, since Gatekeeper checks if the app is signed by Apple or by a Developer ID certificate (for distribution outside the Mac App Store).

And where to go next (first):

A good way to make sure if the codesigning works would be launching a development-signed build of your app for distribution in the Mac App Store. And I believe you've already tested this yourself:

electron-osx-sign "../releases/Recommnded-mas-x64/Recommnded.app" --platform=mas --type=development --entitlements="./build/mas.entitlements" --provisioning-profile="electron.provisionprofile"

Did signing with this setup work? If the app crashes at launch, it would be great to fix the issue before trying to submit it again for review.

@recommnded
Author

@sethlu: thank you for responding so quickly.

Every time I sit back down to try to figure this out another door to more information seems to open. This evening, I saw this post on SO which states:

According to Apple's developer forums, you can't do this anymore in the sandbox--the behavior you are seeing is expected. It's really aggravating, because no alternative API exists to implement this functionality, short of stepping outside of the sandbox.

It turns out this is a bit of a deal-breaker for us. Thus, I have moved on to signing my app for outside distribution. This seems to work, especially when turning off sandboxing. Oddly, I do still see this error in RB App Checker:

➤ The profile does NOT match the application's Team ID (52U...TLM8)!

So until we know more, you may close this issue. And please tell me where to donate!

@sethlu
Contributor

sethlu commented Aug 12, 2017

@recommnded I believe you are referring to this #88 (comment) if working with URL schemes. As of the current macOS I believe it's a little difficult to set this up for MAS distribution. 😿 Publishing your app outside the Mac App Store should be a more viable option I believe.

By the way, currently we don't have a portal for donation yet. But we are grateful for your appreciation of this utility project. 🎉

Closing this issue for now... We can always come back to discuss solutions to this after macOS releases URL schemes for apps in the MAS. 😸 All the best with publishing your app!
