
Hardened signed app not working: container requires user-preference-write or file-write-data sandbox access #195

Closed
puresick opened this issue May 20, 2019 · 8 comments
@puresick
puresick commented May 20, 2019

Problem:

Starting with macOS 10.14.5, Apple requires applications to be signed with the hardened runtime, uploaded to their notary service and stapled in order to be verified by Gatekeeper and allowed to run.
Signing an Electron application the "hardened" way (tested with electron-osx-sign version 0.4.11) results in the application being signed successfully, but it cannot be run either on macOS 10.14.5 (most recent) or on older versions (tested with 10.14.4).

Reproducing the problem:

1. Using electron-quick-start as reference project by cloning it and installing its dependencies to get it up and running:

git clone https://github.com/electron/electron-quick-start.git && cd electron-quick-start && npm i

2. Installing electron-builder

The current release of electron-builder (version 20.41.0) enables passing down the --hardened-runtime flag - but for this example, we are going to disable signing from electron-builder and running electron-osx-sign manually after building the app!

npm i -D electron-builder

3. Preparing needed files for signing

Creating entitlements.mac.plist in project directory and adding entitlements to it needed for hardened signing:

  • Creating directory: mkdir build
  • Creating plist file: touch build/entitlements.mac.plist
  • Adding the following content to build/entitlements.mac.plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
    <key>com.apple.security.automation.apple-events</key>
    <true/>
    <key>com.apple.security.cs.allow-jit</key>
    <true/>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.application-groups</key>
    <array>
        <string>TEAMID_MATCHING_CERTIFICATE.com.electronQuickStart.app</string>
    </array>
  </dict>
</plist>
  • Creating inherit plist file: touch build/entitlements.inherit.mac.plist
  • Adding the following content to build/entitlements.inherit.mac.plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.inherit</key>
    <true/>
  </dict>
</plist>

Also adding the appId to package.json:

...
"build": {
  "mac": {
    "appId": "com.electronQuickStart.app"
  }
}

4. Building application without signing:

npx electron-builder build -m -c.mac.identity=null

5. Extracting .app and signing it with electron-osx-sign

  • Extract .app: unzip dist/electron-quick-start-1.0.0-mac.zip
  • Sign .app:
npx electron-osx-sign "./electron-quick-start.app" --platform=darwin --type=distribution --identity="Developer ID Application: CERTIFICATE IDENTITY" --entitlements="./build/entitlements.mac.plist" --entitlements-inherit="./build/entitlements.inherit.mac.plist" --provisioning-profile="/PATH_TO/PROVISIONPROFILE.provisionprofile" --hardened-runtime --version="5.0.0"

6. Starting the application:

First, start Console.app and clear the current output to be able to monitor the error output the signed app will create.
Then start the signed application via Finder, or run open electron-quick-start.app from the project dir.

Error Output:

The app will start and then silently crash, showing the following errors in Console.app:

process cfprefsd:

rejecting read of { kCFPreferencesAnyApplication, kCFPreferencesAnyUser, kCFPreferencesCurrentHost, no container, managed: 0 } from process 83356 because accessing preferences outside an application's container requires user-preference-read or file-read-data sandbox access

process taskgated-helper:

Couldn't read values in CFPrefsPlistSource<0x7fbff7f2c0a0> (Domain: kCFPreferencesAnyApplication, User: kCFPreferencesAnyUser, ByHost: Yes, Container: (null), Contents Need Refresh: Yes): accessing preferences outside an application's container requires user-preference-read or file-read-data sandbox access

process taskgated-helper:

com.electronQuickStart.app: Unsatisfied entitlements: com.apple.security.application-groups, com.apple.application-identifier

process taskgated-helper:

Disallowing: com.electronQuickStart.app

The following two outputs from the kernel appear multiple times (around 10 times each):

process kernel:

Sandbox: electron-quick-s(83355) deny(1) mach-lookup com.apple.GameController.gamecontrollerd

process kernel:

Sandbox: electron-quick-s(83358) deny(1) mach-lookup com.apple.powerlog.plxpclogger.xpc

Does anyone experience similar issues?

EDIT:

Adding the following to build/entitlements.mac.plist removes the errors regarding GameController and powerlog:

<key>com.apple.security.temporary-exception.mach-lookup.global-name</key>
<array>
  <string>com.apple.GameController.gamecontrollerd</string>
  <string>com.apple.powerlog.plxpclogger.xpc</string>
</array>
@puresick
Author

It seems that putting the following content into the entitlements.mac.plist file and referencing this same file with both the --entitlements and --entitlements-inherit flags results in the application being signed correctly.
I also left out the --version and --provisioning-profile flags.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
  </dict>
</plist>

npx electron-osx-sign "./dist/electron-quick-start.app" --platform=darwin --type=distribution --identity="Developer ID Application: CERTIFICATE IDENTITY" --entitlements="./build/entitlements.mac.plist" --entitlements-inherit="./build/entitlements.mac.plist" --hardened-runtime

I am not sure if this is the best way to handle this, but for now it is the only way I found that works.
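As an added example (not code from this issue, from puresick, or from electron-osx-sign), the following Python script lints an app entitlements plist together with its inherit plist for the pitfalls this thread surfaces in the original post's steps and in the follow-up fix: the com.apple.security.cs.allow-unsigned-executable-memory key that the follow-up shows Electron needs under the hardened runtime, an application group whose name does not start with a Team ID (the original post's TEAMID_MATCHING_CERTIFICATE placeholder is the case taskgated-helper reported as unsatisfied), inherit entitlements that do not match Apple's rule for sandboxed child processes (app-sandbox plus inherit and nothing else), and temporary-exception keys that widen the sandbox. The three plists are constructed inline from the thread's contents; the 10-character Team ID prefix rule is an assumption noted in the code.

```python
"""Added example (not part of this issue or of electron-osx-sign): lint an
Electron app's entitlements plists for the hardened-runtime and sandbox
pitfalls that surface in this thread. Runs offline with the standard library."""
import plistlib
import re
from typing import Any, Dict, List

# Entitlement keys named in the thread (all real Apple keys).
SANDBOX = "com.apple.security.app-sandbox"
INHERIT = "com.apple.security.inherit"
APP_GROUPS = "com.apple.security.application-groups"
UNSIGNED_EXEC_MEM = "com.apple.security.cs.allow-unsigned-executable-memory"
TEMP_EXCEPTION_PREFIX = "com.apple.security.temporary-exception."
# Assumption: an Apple Team ID is 10 alphanumeric characters and app groups
# carry it as a prefix (the original post uses TEAMID_MATCHING_CERTIFICATE).
TEAM_ID_PREFIX = re.compile(r"^[A-Z0-9]{10}\.")


def load_entitlements(xml: bytes) -> Dict[str, Any]:
    """Parse an entitlements plist; the top level must be a dict."""
    data = plistlib.loads(xml)
    if not isinstance(data, dict):
        raise ValueError("entitlements plist must contain a dict at the top level")
    return data


def lint_entitlements(app: Dict[str, Any], inherit: Dict[str, Any],
                      hardened_runtime: bool = True) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings: List[str] = []

    # Electron under the hardened runtime needs this key; the follow-up's
    # working plist contains only it.
    if hardened_runtime and app.get(UNSIGNED_EXEC_MEM) is not True:
        findings.append(f"missing {UNSIGNED_EXEC_MEM}: required for Electron "
                        "under the hardened runtime")

    # taskgated-helper reported application-groups as unsatisfied in the
    # thread; every group name must carry the signing certificate's Team ID.
    groups = app.get(APP_GROUPS, [])
    if not isinstance(groups, list):
        findings.append(f"{APP_GROUPS} must be an array of strings")
        groups = []
    for group in groups:
        if not TEAM_ID_PREFIX.match(str(group)):
            findings.append(f"application group {group!r} lacks a 10-character "
                            "Team ID prefix (placeholder left in?)")

    # Apple's sandbox rule for child processes: the inherit entitlements must
    # contain app-sandbox and inherit, and nothing else.
    if app.get(SANDBOX) is True:
        if inherit.get(SANDBOX) is not True or inherit.get(INHERIT) is not True:
            findings.append("sandboxed app: inherit entitlements must set "
                            f"{SANDBOX} and {INHERIT} to true")
        extra = sorted(k for k in inherit if k not in (SANDBOX, INHERIT))
        if extra:
            findings.append("inherit entitlements carry extra keys that helper "
                            "processes must not have: " + ", ".join(extra))

    # Temporary exceptions punch holes in the sandbox; list them for review.
    for key in sorted(app):
        if key.startswith(TEMP_EXCEPTION_PREFIX):
            findings.append(f"{key} widens the sandbox: {app[key]!r}")
    return findings


def lint_files(app_xml: bytes, inherit_xml: bytes,
               hardened_runtime: bool = True) -> List[str]:
    """Parse both plists and lint them as a pair."""
    return lint_entitlements(load_entitlements(app_xml),
                             load_entitlements(inherit_xml), hardened_runtime)


# Constructed inputs reproducing the three files shown in this thread.
PLIST_HEAD = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>"""
PLIST_TAIL = b"</dict></plist>"

ORIGINAL_APP = PLIST_HEAD + b"""
<key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/>
<key>com.apple.security.automation.apple-events</key><true/>
<key>com.apple.security.cs.allow-jit</key><true/>
<key>com.apple.security.app-sandbox</key><true/>
<key>com.apple.security.application-groups</key>
<array><string>TEAMID_MATCHING_CERTIFICATE.com.electronQuickStart.app</string></array>
<key>com.apple.security.temporary-exception.mach-lookup.global-name</key>
<array><string>com.apple.GameController.gamecontrollerd</string>
<string>com.apple.powerlog.plxpclogger.xpc</string></array>
""" + PLIST_TAIL

ORIGINAL_INHERIT = PLIST_HEAD + b"""
<key>com.apple.security.app-sandbox</key><true/>
<key>com.apple.security.inherit</key><true/>
""" + PLIST_TAIL

MINIMAL = PLIST_HEAD + b"""
<key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/>
""" + PLIST_TAIL

if __name__ == "__main__":
    for name, pair in (("original post", (ORIGINAL_APP, ORIGINAL_INHERIT)),
                       ("follow-up fix", (MINIMAL, MINIMAL))):
        print(name + ":")
        for finding in lint_files(*pair) or ["no findings"]:
            print("  - " + finding)
```

Run against the original post's pair it flags the placeholder group name and the mach-lookup exception; run against the follow-up's single file used for both flags it reports nothing, which matches what the thread found. Note that the follow-up's file drops app-sandbox entirely, so passing it as the inherit plist is only acceptable because no sandbox is in force; the sandbox check fires as soon as app-sandbox is set and the inherit file carries anything beyond the two permitted keys.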

@sethlu
Contributor

sethlu commented May 28, 2019

@puresick Ah this may be a duplicate of this open issue: #188 (comment)

Did including com.apple.security.cs.allow-unsigned-executable-memory allow your app to run after code signed with hardened runtime?

@puresick
Author

puresick commented Jun 3, 2019

@sethlu Yes, after adding this, it allowed me to run the app with the hardened runtime on macOS 10.14.5.

@sethlu
Contributor

sethlu commented Jun 3, 2019

Ah awesome! Thanks for the follow up 🙇

@dadiorchen

@puresick but you removed the sandbox entitlement, right? Is it okay? Does it mean I didn't run the app in the sandbox, so I cannot find the problems that would emerge in the real App Store environment?

@puresick
Author

@dadiorchen Unfortunately, I am no longer working at the company where I worked on the project in which this error occurred. Also, I cannot recall for sure what I did back then, sorry. :(

@dadiorchen

dadiorchen commented Jun 11, 2021

@puresick it's fine, I'm working on this problem, I'll let you know the progress if any.

@pushkin-

pushkin- commented Sep 5, 2023

@dadiorchen curious if you had made any progress. Seeing these errors myself when sandboxed with hardenedRuntime: true
