App does not launch after sign - macOS 10.14.5 (Code Signature Invalid) #200
Comments
|
This worked for me, which I used now temorarily instead of electron-osx-sign, all of these files should be placed in root of project. Replace AppName, CompanyName (xxx) and /dist_electron/mas/$APP.app with your own. sign-mas.sh #!/bin/bash
CURRENT_PATH="$( cd "$(dirname "$0")" ; pwd -P )"
# Name of your app.
APP="AppName"
COMPANY_DEVELOPER_ID="CompanyName (xxx)"
# The path of your app to sign.
APP_PATH="$CURRENT_PATH/dist_electron/mas/$APP.app"
# The path to the location you want to put the signed package.
RESULT_PATH="$CURRENT_PATH/dist_electron/mas/$APP-Publish-Ready.pkg"
# The name of certificates you requested.
APP_KEY="3rd Party Mac Developer Application: $COMPANY_DEVELOPER_ID"
INSTALLER_KEY="3rd Party Mac Developer Installer: $COMPANY_DEVELOPER_ID"
# The path of your plist files.
CHILD_PLIST="$CURRENT_PATH/entitlements.mas.inherit.plist"
PARENT_PLIST="$CURRENT_PATH/entitlements.mas.plist"
LOGINHELPER_PLIST="$CURRENT_PATH/entitlements.mas.loginhelper.plist"
FRAMEWORKS_PATH="$APP_PATH/Contents/Frameworks"
codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/Electron Framework.framework/Versions/A/Electron Framework"
codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/Electron Framework.framework/Versions/A/Libraries/libffmpeg.dylib"
codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/Electron Framework.framework/Versions/A/Libraries/libnode.dylib"
codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/Electron Framework.framework"
codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/$APP Helper.app/Contents/MacOS/$APP Helper"
codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/$APP Helper.app/"
codesign -s "$APP_KEY" -f --entitlements "$LOGINHELPER_PLIST" "$APP_PATH/Contents/Library/LoginItems/$APP Login Helper.app/Contents/MacOS/$APP Login Helper"
codesign -s "$APP_KEY" -f --entitlements "$LOGINHELPER_PLIST" "$APP_PATH/Contents/Library/LoginItems/$APP Login Helper.app/"
codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$APP_PATH/Contents/MacOS/$APP"
codesign -s "$APP_KEY" -f --entitlements "$PARENT_PLIST" "$APP_PATH"
productbuild --component "$APP_PATH" /Applications --sign "$INSTALLER_KEY" "$RESULT_PATH"entitlements.mas.loginhelper.plist <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.app-sandbox</key>
<true/>
</dict>
</plist>entitlements.mas.inherit.plist <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.app-sandbox</key>
<true/>
<key>com.apple.security.inherit</key>
<true/>
</dict>
</plist>entitlements.mas.plist <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.app-sandbox</key>
<true/>
<key>com.apple.security.application-groups</key>
<array>
<string>XXX.com.appname.AppName</string>
</array>
<key>com.apple.security.network.client</key>
<true/>
</dict>
</plist>Then run |
|
Same problem on my end, tried manually and with electron-osx-sign: In my case: "sign-mac": "electron-osx-sign release-builds/TrayCoinMXLite-darwin-x64/TrayCoinMXLite.app --entitlements=release-builds/parent-entitlement.plist --entitlements-inherit=release-builds/child-entitlement.plist --identity="3rd Party Mac Developer Application: Wilson Munoz (DXXXXX)" --pre-auto-entitlements=true --no-gatekeeper-assess", Manually gives me also errors.
|
|
I also have the exact same issue. My packaging script uses electron-packager, which in turns uses electron-osx-sign (version 0.4.11). Link to packaging script: |
|
I resolved this issue by adding an <dict>
<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
<true/>
</dict> |
|
@javan That did not work for me |
|
The steps described in #188 helped me to get this resolved. |
|
@tobias-klein were you able to distribute your pkg on App Loader / Apple? I can confirm no crash using this entitlements but i get a rejection because of missing "App sandbox entitlements not enabled" |
|
@Wilsonilo |
|
@tobias-klein yeah it's seems like, i will give it another round of checks this week, thanks. |
|
@Wilsonilo I have the same issue - would be rejected by apple with default entitlements |
|
I'm going to join this club. electron-osx-sign says that the app was signed, and codesign verifies it, but when I try to run the application it crashes and the log message is: The crash reporter message has the following: If I run My entitlements: package.json: Debug signing logging: I literally have no idea where to go from here. |
|
@ndtreviv Which version of Electron are you using? I think the end of the output contains some broken entitlements content that's written into the executable? And I wonder what |
|
The relevant dependencies in my package.json are: From I'm using electron-builder which appears to use app-builder-lib. As for the entitlements - are you thinking it's corrupt because of the bad printout? I'm not sure why it's printing out like that. There are no dodgy characters in my actual file. The file that electron-osx-sign writes to |
|
@ndtreviv Yea I don't think the plist should look this dodgy 🤔 Can you try directly using
The debug output should have the entitlements at the end (hopefully without the dodgy format?) @develar Do you by chance know what the |
It's ok. I've resolved my issue, so this can be ignored. To resolve it, I did two things:
After that it all worked. Next up: Signing for Windows 😰 |
|
@ndtreviv 🤔 Would you ming sharing with us what you have in the |
|
Sure. entitlements.mac.plistentitlements.mas.plist |
|
@sethlu to answer your question about |
|
@james-criscuolo Currently |
|
My comment was in regards to your question about A lot of solutions have been posted above, but it appears they are all for DMG builds, and nobody has had a MAS build work yet (please let us know if you've got it working). |
|
Same issue here! Applying the |
|
@patrickmichalina stupid question, I know, but I am a little desperate: Does it work without |
|
Unless something has changed (I don't believe it has), the app store requires you to have the sandbox entitlement. Without that entitlement, i can get the DMG (non-app store) version running. |
|
@johannesjo yeah I can sign and notarize the build without This issue is specifically for MAS. It won't be allowed to be uploaded to the AppStore without that entitlement. I am using |
|
@james-criscuolo @patrickmichalina thank you to very much for the information. I guessed so, but I hang on to every straw I can grab. Don't know how many late nights I put into this :) |
|
Just to clear some confusions:
Also, according to a technical note from Apple:
Ref: https://developer.apple.com/library/archive/qa/qa1884/_index.html Therefore, the app bundle is expected to crash with the default iirc if the app bundle is signed with a development certificate & provided with a development provisioning profile (including the whitelisted device UUID's), the app bundle should launch successfully. For distributions outside the Mac App Store however, no crash is expected, because that'll eventually be the signed app bundle for notarization & shipped. |
|
Anyone have any luck getting MAS and MAS-DEV builds working? As mentioned, the standalone DMG build works as expected however the MAS and MAS-DEV builds crash immediately on launch with codesign errors. I understand the MAS build would crash(expected) since thats the version used to upload to the app store, however MAS-DEV should not be crashing since that's for testing. We have the correct team ID in our entitlements along with the 6 macs' UID in our dev provision profile. Everything signs and validates fine however it still crashed on launch :( |
|
@JohnTendik Same issue here - with |
|
The answer for many ended up being over here: electron-userland/electron-builder#4040 (comment) There are a lot of useful comments scattered throughout that thread, but the big "change" to the app store ended up involving having to exclude native dependencies from the ASAR packaging. On top of that , hardenedRuntime does not play nicely with sandbox, so leave it off. Notarization is also unnecessary for the app store, but I've successfully released my app with it (although I may look to remove that). |
|
Awesome guys thank you I'm going to try these suggestions. Also I should note, although the app crashes, we don't get a crash log- none in user logs or system logs. We used to see "binary signed improperly" type error before but now that doesn't even come up. It just crashes regardless. Ill try turning hardened mode off. --update-- |
|
I had issues with immediate crashes when I had hardened runtime entitlements, with hardened runtime false. I believe the only necessary change (for the app store) is the asar unpack stuff, so I recommend going back to your last work build, and just adding asarUnpack option with your native modules. |
|
While you are trying with the asar unpack things... I think it may be nice to summarize the discussion above:
|
|
I am having the same error with electron-os-x sign and electron-packager With electron-builder I did work out how to solve all issue to get a valid package to upload in the app store (via transporter) but unfortunately by fixing the issue I made the app not running. If someone is interested in the electron-builder issues I published them here |
|
Im happy to report we have solved our build problems. All three builds are working as expected now. Our issue was a little bit different than some of you in this thread so I'm including our fix. It was thanks to the investigation of another user that we were able to move past this problem :) I've included my build configs there if anyone is interested in seeing how we were able to fix our problem. electron-userland/electron-builder#4040 (comment) Thanks everyone for all your help! |
|
🎉 Glad to hear that you've solved this specific problem! I'll close this issue for now since there are quite a few different issues discussed here and it's a little hard navigate with scrolling up and down the page... |
|
As we still can't get this to work, here is an update for Electron 7.0.1 tweaked version (Which is required for MAS builds at the moment - ref. electron/electron#20027 (comment)) for the current workaround we are using. Replace AppName, CompanyName (xxx) and /dist_electron/mas/$APP.app with your own. sign-mas.sh #!/bin/bash
CURRENT_PATH="$( cd "$(dirname "$0")" ; pwd -P )"
# Name of your app.
APP="AppName"
COMPANY_DEVELOPER_ID="CompanyName (xxx)"
# The path of your app to sign.
APP_PATH="$CURRENT_PATH/dist_electron/mas/$APP.app"
# The path to the location you want to put the signed package.
RESULT_PATH="$CURRENT_PATH/dist_electron/mas/$APP-Publish-Ready.pkg"
# The name of certificates you requested.
APP_KEY="3rd Party Mac Developer Application: $COMPANY_DEVELOPER_ID"
INSTALLER_KEY="3rd Party Mac Developer Installer: $COMPANY_DEVELOPER_ID"
# The path of your plist files.
CHILD_PLIST="$CURRENT_PATH/entitlements.mas.inherit.plist"
PARENT_PLIST="$CURRENT_PATH/entitlements.mas.plist"
LOGINHELPER_PLIST="$CURRENT_PATH/entitlements.mas.loginhelper.plist"
FRAMEWORKS_PATH="$APP_PATH/Contents/Frameworks"
codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/Electron Framework.framework/Versions/A/Electron Framework"
codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/Electron Framework.framework/Versions/A/Libraries/libffmpeg.dylib"
codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/Electron Framework.framework/Versions/A/Libraries/libEGL.dylib"
codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/Electron Framework.framework/Versions/A/Libraries/libGLESv2.dylib"
codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/Electron Framework.framework/Versions/A/Libraries/libswiftshader_libEGL.dylib"
codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/Electron Framework.framework/Versions/A/Libraries/libswiftshader_libGLESv2.dylib"
codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/Electron Framework.framework"
codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/$APP Helper.app/Contents/MacOS/$APP Helper"
codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/$APP Helper.app/"
codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/$APP Helper (GPU).app/Contents/MacOS/$APP Helper (GPU)"
codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/$APP Helper (GPU).app/"
codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/$APP Helper (Plugin).app/Contents/MacOS/$APP Helper (Plugin)"
codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/$APP Helper (Plugin).app/"
codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/$APP Helper (Renderer).app/Contents/MacOS/$APP Helper (Renderer)"
codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/$APP Helper (Renderer).app/"
codesign -s "$APP_KEY" -f --entitlements "$LOGINHELPER_PLIST" "$APP_PATH/Contents/Library/LoginItems/$APP Login Helper.app/Contents/MacOS/$APP Login Helper"
codesign -s "$APP_KEY" -f --entitlements "$LOGINHELPER_PLIST" "$APP_PATH/Contents/Library/LoginItems/$APP Login Helper.app/"
codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$APP_PATH/Contents/MacOS/$APP"
codesign -s "$APP_KEY" -f --entitlements "$PARENT_PLIST" "$APP_PATH"
productbuild --component "$APP_PATH" /Applications --sign "$INSTALLER_KEY" "$RESULT_PATH"entitlements.mas.loginhelper.plist <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.app-sandbox</key>
<true/>
</dict>
</plist>entitlements.mas.inherit.plist <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.app-sandbox</key>
<true/>
<key>com.apple.security.inherit</key>
<true/>
</dict>
</plist>entitlements.mas.plist <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.app-sandbox</key>
<true/>
<key>com.apple.security.application-groups</key>
<array>
<string>XXX.com.appname.AppName</string>
</array>
<key>com.apple.security.network.client</key>
<true/>
<key>com.apple.application-identifier</key>
<string>XXX.com.appname.AppName</string>
</dict>
</plist>Then run |
|
@steffanhalv I've used the linked tweaked electron version (7.0.1) and tried to build with electron-builder (20.44.0) a MAS version to sign it lateron with the script file you've provided. But I can't really build with target MAS. The App (before signing) always crashes on startup with exception type |
|
@michaelmika Check that all executable binaries inside your mas build is included to be signed and is correct relative to the script file. If the script is in root of your project, the mas build should be exactly CD into We did just got our app approved for the app store two days ago following this steps. Ex. We had the same problem until we added this lines in the script: Also check that entitlements are correct |
|
@steffanhalv thanks a lot! Spent several days to figure it out and finally found your solution |
|
@steffanhalv Unfortunately it did not work for me. I now figured out how to sign and publish with this guide from 2020. The crucial information is that it only seems to work with Electron 5.0.13 and 6.1.7 . |
|
Can you please elaborate how to add asarUnpack option exactly? I am encountering the same issue. I code sign with parameters
|
Development app does not launch after sign - macOS 10.14.5
It runs fine before signing.
Signing:
entitlements.mas.plist
entitlements.mas.inherit.plist
Crash log:
Process: AppName [7616] Path: /Users/USER/Documents/*/AppName.app/Contents/MacOS/AppName Identifier: com.appname.AppName Version: ??? Code Type: X86-64 (Native) Parent Process: ??? [1] Responsible: AppName [7616] User ID: 501 Date/Time: 2019-07-19 20:40:41.462 +0200 OS Version: Mac OS X 10.14.5 (18F132) Report Version: 12 Anonymous UUID: xxx-xxx-xxx-xxx-xxx Time Awake Since Boot: 100000 seconds System Integrity Protection: enabled Crashed Thread: 0 Exception Type: EXC_CRASH (Code Signature Invalid) Exception Codes: 0x0000000000000000, 0x0000000000000000 Exception Note: EXC_CORPSE_NOTIFY Termination Reason: Namespace CODESIGNING, Code 0x1 kernel messages: VM Regions Near 0 (cr2): --> __TEXT 00000001052d8000-0000000105301000 [ 164K] r-x/rwx SM=COW Thread 0 Crashed: 0 0x0000000112688000 _dyld_start + 0 Thread 0 crashed with X86 Thread State (64-bit): rax: 0x0000000000000000 rbx: 0x0000000000000000 rcx: 0x0000000000000000 rdx: 0x0000000000000000 rdi: 0x0000000000000000 rsi: 0x0000000000000000 rbp: 0x0000000000000000 rsp: 0x00007ffeea927b08 r8: 0x0000000000000000 r9: 0x0000000000000000 r10: 0x0000000000000000 r11: 0x0000000000000000 r12: 0x0000000000000000 r13: 0x0000000000000000 r14: 0x0000000000000000 r15: 0x0000000000000000 rip: 0x0000000112688000 rfl: 0x0000000000000200 cr2: 0x0000000000000000 Logical CPU: 0 Error Code: 0x00000000 Trap Number: 0 Binary Images: 0x1052d8000 - 0x105300ff7 + (0) <3788637B-0A53-3737-B3B6-C827ABF3E314> 0x112687000 - 0x1126f16ef + (655.1.1) <CE635DB2-D47E-3C05-A0A3-6BD982E7E750> External Modification Summary: Calls made by other processes targeting this process: task_for_pid: 0 thread_create: 0 thread_set_state: 0 Calls made by this process: task_for_pid: 0 thread_create: 0 thread_set_state: 0 Calls made by all processes on this machine: task_for_pid: 3857626 thread_create: 0 thread_set_state: 0 VM Region Summary: ReadOnly portion of Libraries: Total=776K resident=0K(0%) swapped_out_or_unallocated=776K(100%) Writable regions: Total=8404K written=0K(0%) resident=0K(0%) swapped_out=0K(0%) unallocated=8404K(100%) VIRTUAL REGION REGION TYPE SIZE COUNT (non-coalesced) =========== ======= ======= STACK GUARD 56.0M 1 Stack 8192K 1 __DATA 244K 4 __LINKEDIT 184K 2 __TEXT 592K 2 shared memory 8K 2 =========== ======= ======= TOTAL 65.0M 12 Model: Macmini6,2, BootROM 278.0.0.0.0, 4 processors, Intel Core i7, 2,6 GHz, 12 GB, SMC 2.8f1 Graphics: kHW_IntelHD4000Item, Intel HD Graphics 4000, spdisplays_builtin Memory Module: BANK 0/DIMM0, 8 GB, DDR3, 1600 MHz, 0x859B, 0x43543130323436344246313630422E433136 Memory Module: BANK 1/DIMM0, 4 GB, DDR3, 1600 MHz, 0x80CE, 0x4D34373142353137334442302D594B302020 AirPort: spairport_wireless_card_type_airport_extreme (0x14E4, 0x10E), Broadcom BCM43xx 1.0 (7.21.190.33 AirPortDriverBrcm4360-1325.2) Bluetooth: Version 6.0.12f1, 3 services, 27 devices, 1 incoming serial ports Network Service: Wi-Fi, AirPort, en1 Serial ATA Device: APPLE SSD SM256E, 251 GB USB Device: USB 2.0 Bus USB Device: Hub USB Device: Keyboard Hub USB Device: USB Receiver USB Device: Apple Keyboard USB Device: USB 2.0 Bus USB Device: Hub USB Device: Hub USB Device: IR Receiver USB Device: BRCM20702 Hub USB Device: Bluetooth USB Host Controller USB Device: USB 3.0 Bus USB Device: Hub USB Device: Hub USB Device: SHANG CHEN HID USB Device: Hub USB Device: Hub Thunderbolt Bus: Mac mini, Apple Inc., 23.4All certs and provisioning profile is just created:
When trying to do the same with a plain project, I got another error:
#199
But the plain project (electron-quick-start) without manual sign gives the same crash log as this one.
The text was updated successfully, but these errors were encountered: