Signed app should allow JIT on correct helpers to not crash #188
Comments
|
I couldn't release my application, because of this problem. My application signed with electron-osx-sign. The application window become blank when it run on macOS 10.14(Mojave). I signed the electron(ver.4.0.1) sample code but the same problem happened. By the way, these programs can be notarized successfully. |
|
@androidW Thanks for posting this issue! I just managed to reproduce this and it seems to be something with the hardened runtime option 🤔... without hardened runtime, thus also without notarization, everything seems working just fine. I may have some time next week to take a closer look at this. Since it may be a while before anyone find out a good solution to the hardened runtime issue, we may expect to get app notarization working at a little later time. I was playing with the following entitlements but the window is still blank after codesigned with hardened runtime (not notarized): <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.cs.allow-jit</key>
<true/>
<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
<true/>
<key>com.apple.security.cs.disable-library-validation</key>
<true/>
<key>com.apple.security.cs.disable-executable-page-protection</key>
<true/>
</dict>
</plist>As an extra note, last year the hardened runtime option worked pretty well out of the box; however, recent macOS updates may have strengthened the security protocols so the old solution presented is no longer working. |
|
@sethlu Thanks for the reply! Hope to you can find a good solution. And sorry to take up your time. |
|
Well I'll bump this at a higher priority 🚨 Ref: Recent announcements from Apple Developer Relations
|
|
I have been able to reproduce this issue, getting a blank electron window after signing with the hardened runtime flag enabled. I have found setting the "enetitlements-inherit" option along with the "entitlements" option as below allow my application to be signed successfully. The application is working correctly and can be notarized successfully. app.entitlements(set these as required) And call the API using the following: |
|
@d-j-t Oh awesome! Thanks for posting your solution! I will give that a try too 😺 |
|
@d-j-t Just tested this out and it worked perfectly! I think I made a mistake with Also credits to @MarshallOfSound for bringing up that <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
<true/>
</dict>
</plist>@androidW Perhaps give this a try? Let us know if it works for you 😺 Afterwards we can update the docs on readme. Excerpt from Apple documentation:
https://developer.apple.com/documentation/bundleresources/entitlements?language=objc |
|
@sethlu I have been tried it. My application is signed successfully. And it is working correctly, but the notarization is failed. Then I try to sign electron sample application(electron version: V1.7.9 and v4.0.1). The result is the same as my application. The blank window is not shown, but these two sample app failed to notarized. I have set the "entitlements-inherit" option. And modified the entitlements. <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.cs.allow-jit</key>
<true/>
<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
<true/>
<key>com.apple.security.cs.disable-library-validation</key>
<true/>
<key>com.apple.security.cs.disable-executable-page-protection</key>
<true/>
</dict>
</plist>I used two ways to sign these apps. (2) And call the API using the following: var sign = require('electron-osx-sign');
sign({
app: 'xxx.app',
platform: "darwin",
type: "distribution",
identity: "Developer ID Application: xxx (xxxxx)",
keychain: "xxx.keychain",
entitlements: "entitlements.plist",
"entitlements-inherit": "entitlements.plist",
"hardened-runtime": true
}, function done (err) {
if (err) {
console.log(err);
return;
} else{
console.log("Application signed");
}
});The notarization log file is as below: |
|
@androidW I haven't personally tried notarizing an app 🤔 However, it may be helpful to have some codesigning logs for reference... Would you mind re-running the codesigning steps with @d-j-t Have you met this issue before? |
|
@sethlu The result as below: |
|
@androidW I'm not very sure 🤔 Can you run the following command with the correct path to the codesign -vvv --deep --strict path/to.app/Contents/Frameworks/Mantle.framework/Versions/A/Mantle |
|
@sethlu Sorry for the late reply. I'm ran the command. Then I get the output result as below. It seem like the signature result is correct. Why the notarization is failed ? |
|
I use
Package info: Hope this helps! |
Using the exact same setup, my app crashes directly after launch, putting following error into Console.app from process
Adding the required entitlement to cfprefsd:
contextstored:
All of these errors tell me |
|
@chawei Thanks for your answer. Because of some reasons, I couldn't sign my application directly. So I try to use electron-builder pack electron sample code. Then other colleague help me sign the application. The app launch is normally, but notarization still failed. I got the same result as using electron-packager to pack and use electron-osx-sign to sign. I want to know if there is a problem with this sign method. Could you help me test this case? package.json: notarization log: |
|
@androidW i think your issue has nothing to do with notarization and it's more of code signing issue. make sure you or your colleague has the valid certificate. search "The signature of the binary is invalid" in this article: https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution/resolving_common_notarization_issues. hope it helps. |
|
@chawei The certificate is valid. |
|
@androidW unfortunately i've never experienced this before so it's hard to know why this might be with the quick glance. |
@puresick I ran into the same issue as well when trying to enable hardened runtime for my app. Even after adding Adding the |
|
This tutorial resolved all my problems (and yours I guess) : https://kilianvalkhof.com/2019/electron/notarizing-your-electron-application/ If you sign it manually or if you try to enable hardened runtime on OSX >= 10.14 after the build it will make your app crash. |
|
I followed the tutorial and the main app process runs fine. However, the browser windows never open because they are crashing. Not seeing a lot of search results for this error. My app is heavy with native node modules. I've experimented with many different entitlements... now trying to add in the kitchen sink: |
|
My issue was stemming from both sandbox and hardening being active in the build. I am working on offering my app outside the App Store, which is why I'm exploring notarization. Because of this, I assumed that because my app is already sandboxed, I should try to add hardening... but it seems that they are mutually exclusive at the moment. Further, reading about both of these (sandbox & hardening) at https://lapcatsoftware.com/articles/hardened-runtime-sandboxing.html makes me feel like I can continue to offer a sandboxed-only version in the App Store, and a hardened-only version outside the App Store. Electron-builder doesn't make this easy, and perhaps I need to open another ticket there, but I'll quickly describe the setup that allows me to build MAS (sandboxed-only) and MAC builds (hardened-only) side by side. package.json scripts: It's not ideal to set afterSign to "do-nothing.js" but... =null ("null"), =undefined ("undefined") and just plain = ('') results in strings. package.json build: entitlements-lll.plist (these 3, plus my normal entitlements for app-specific behavior) entitlements-sandbox.plist (this 1 for sandboxing, plus my normal entitlements for app-specific behavior) entitlements-inherit.plist (just the default, only two, that's it) I hope this helps someone get both sandboxing and hardening setup with their builds. I'm eager to simplify this setup because overriding like this is a pain. |
Hi Semirej, I also landed in same situation where I need both sandbox and hardening. And yes they both are working well in their respective space but not together. Hope, we can get some support for the same soon. Kindly update if find any progress for it at [email protected] Happy Coding!! |
|
@semireg Do you mean that the Mac App Store App no need to hardened and notarization? |
|
This was made much harder to debug for me by running into this bug: I wrongly assumed that the error log sometimes just doesn't get saved for whatever reason, but actually everything was working fine. |
|
I experienced this issue on macOS 10.15.1, too. The solution outlined above in #188 (comment) fixed it! Thanks! |
|
Experiencing this issue today. Current workaround is to double-down on entitlements as described in #188 (comment). With that, I was able to sign with a hardened runtime and notarize successfully. macOS: 10.15.3 Catalina |
|
This is still an issue, since Apple requires you to have both hardened runtime and app-sandbox activated to distribute an app through the Mac App Store. See also electron/electron#22656 |
MarshallOfSound
changed the title
|
@MarshallOfSound JFYI because it could potentially be another known issue:
Looks like guys from RocketChat faced a similar issue but for a production App Store build: RocketChat/Rocket.Chat.Electron#2373 and solved it by exactly adding the |
and others
After I signed my application, the blank screen is displayed when I launch it. Could you give me some advice to fix this problem?
This problem only occurs on the macOS 10.14(Mojave). This app run on other version of macOS are normal.
By the way, I'm using electron-packager to package my app. Using electron-osx-sign to sign the app.
I sign my app with the following command:
I'm attempt to distribute my app outside the Mac App Store. And I don't want to enable App Sandbox.
entitlements.plist
The final result:
① sign -> success
② launch -> blank screen
③ notarization -> success
Then I sign different version(v1.7.9 & v4.0.1) of electron sample application(electron-quick-start). When I launch these two applications, the problem with the blank screen still occurs.
P.S. This problem still only occurs on the macOS 10.14(Mojave).
I package these two apps with the following command:
release.js
p.s.
① v1.7.9:
app_name -> 'sample(current_v1.7.9)'
electronVersion -> '1.7.9'
② v4.0.1:
app_name -> 'sample(latest_v4.0.1)'
electronVersion -> '4.0.1'
I sign these two apps with the following commands:
entitlements.plist
sample1_7_9.log
sample4_0_1.log
The text was updated successfully, but these errors were encountered: