Invalid Signature and signed app isn't running correctly

[florian]

Sorry in advance if I overlooked something obvious. I've tried to make this work for some hours now, and I'm out of ideas.

I developed a Mac app using electron and everything works as expected after packaging with electron-packager. Now I want to submit the app to the mac app store.

After packaging I'm signing the app using electron-osx-sign --identity="xyz" name.app and then I'm flattening it with electron-osx-flat --identity="xyz" name.app (it doesn't work without me specifying the identity, although this is the first app that I'm signing) and submit the created .pkg file to Application Loader.

The first problem is that the signed .app file doesn't work correctly anymore. If I try to execute it, the app starts with a window it usually doesn't have and doesn't respond at all:

I'm not sure if I'm still supposed to be able to execute apps that were signed for the MAS, so maybe this is just expected behaviour? Otherwise this may hint to something going wrong when signing.

The second problem: Application Loader accepts the .pkg file without any errors and uploads it to iTunes, but afterwards I get an email stating this error:

Invalid Signature - This error occurs when you have signed your app's installer incorrectly. There are two certs required for this process: the "3rd Party Mac Developer Application" cert and the "3rd Party Mac Developer Installer" cert. When signing your package, you need to ensure that you are using the Installer cert to sign your package. Ensure that you are specifying this cert when submitting your app via the Xcode Organizer or when running productbuild from the command line.

I do have those two certs and when signing/flattening several certs were requested, so I'm not sure what's going wrong. I'm not calling productbuild myself, electron-osx-flat is doing that right?

Do you guys have any idea what I might do wrong?

(The xyz in --identity="xyz" from above is the string in the parentheses of "3rd Party Mac Developer Installer: myname (xyz)".)

[sethlu]

Hi @florian, thanks for filing this issue! From my first observation, the signing identities may be improperly used. Would you run the following script in your Terminal, snd post the output (with sensitive info like team id crossed out) here? Usually electron-osx-sign/flat could discover certs by itself.

$ security find-identity

[florian]

Thanks for the quick answer! :) You were right about the identities. I had this problem before, and I did import the new certificate. This stopped Application Loader from showing errors, that's why I thought it was fixed. But I also had to remove the old certificate. I just did this, and now security find-identity shows my installer/application certs as valid.

I still have the other problem. After signing, executing the .app file doesn't work properly anymore.

I tried signing it directly when packaging:

electron-packager . {appname} --platform=mas --arch=x64 --version="1.0.0" --app-version="1.0.2" --asar --overwrite --app-bundle-id="com.{myname}.{appname}" app-category-type="public.app-category.productivity" --icon="assets/img/logo.icns" --ignore="…" --build-version="1.0.2" --osx-sign

Now executing it works fine but after flattening and submitting it to Application Loader, I get this error:

"App sandbox not enabled. The following executables must include the "com.apple.security.app-sandbox" entitlement with a Boolean value of true in the entitlements property list: [( "com.{myname}.{appname}.pkg/Payload/{appname}.app/Contents/Frameworks/{appname} Helper EH.app/Contents/MacOS/{appname} Helper EH", "com.{myname}.{appname}.pkg/Payload/{appname}.app/Contents/Frameworks/{appname} Helper NP.app/Contents/MacOS/{appname} Helper NP", "com.{myname}.{appname}.pkg/Payload/{appname}.app/Contents/Frameworks/{appname} Helper.app/Contents/MacOS/{appname} Helper", "com.{myname}.{appname}.pkg/Payload/{appname}.app/Contents/MacOS/Electron" )] Refer to App Sandbox page at https://developer.apple.com/devcenter/mac/app-sandbox/ for more information on sandboxing your app."

I don't get any errors about identities though, so --osx-sign must've done something. According to the electron-packager docs it uses the default electron-osx-sign values, so I don't why it behaves differently (working executable but no entitlements).

Do you have any suggestions on what I should try next?

[sethlu]

@florian usually an app after sandboxed, though may be made for mas, should still be able to run locally. Would you try electron-osx-sign separately from electron-packager so we could see a full log of signing procedures?

npm install -g electron-osx-sign # Please try the latest 0.4.0-beta4
export DEBUG=electron-osx-sign*
electron-osx-sign <app> # This should now display what is being signed and the entitlements embedded within the app

[florian]

Sure. I've replaced the cert identity and similar stuff with {identity}, {appname} or {myname}.

$ electron-osx-sign {appname}-mas-x64/{appname}.app
  electron-osx-sign:warn No `platform` passed in arguments, checking Electron platform... +0ms
  electron-osx-sign:warn No `entitlements` passed in arguments, will fallback to default settings. +6ms
  electron-osx-sign:warn No `entitlements-inherit` passed in arguments, will fallback to default settings. +2ms
  electron-osx-sign:warn No `identity` passed in arguments, discovering identities... +1ms
  electron-osx-sign Pre-sign operation enabled for entitlements automation with versions >= `1.1.1`; disable by setting `pre-auto-entitlements` to `false`. +321ms
  electron-osx-sign Automating entitlement app group... +0ms
  electron-osx-sign:warn `ElectronTeamID` not found in `Info.plist`, use parsed from signing identity: {identity} +14ms
  electron-osx-sign:warn `com.apple.security.application-groups` not found in entitlements file, new inserted: {identity}.com.{myname}.{appname} +16ms
  electron-osx-sign Signing application... +2ms
  electron-osx-sign > application         {appname}-mas-x64/{appname}.app +1ms
  electron-osx-sign > platform            mas +0ms
  electron-osx-sign > entitlements        /var/folders/63/{longhash}.plist +0ms
  electron-osx-sign > child-entitlements  /usr/local/lib/node_modules/electron-osx-sign/default.entitlements.mas.inherit.plist +0ms
  electron-osx-sign > additional-binaries  +0ms
  electron-osx-sign > identity            3rd Party Mac Developer Application: {myname} ({identity}) +0ms
  electron-osx-sign Signing... {appname}-mas-x64/{appname}.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Electron Framework +73ms
  electron-osx-sign Signing... {appname}-mas-x64/{appname}.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libffmpeg.dylib +3s
  electron-osx-sign Signing... {appname}-mas-x64/{appname}.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libnode.dylib +262ms
  electron-osx-sign Signing... {appname}-mas-x64/{appname}.app/Contents/Frameworks/Electron Framework.framework +480ms
  electron-osx-sign Signing... {appname}-mas-x64/{appname}.app/Contents/Frameworks/{appname} Helper EH.app/Contents/MacOS/{appname} Helper EH +1s
  electron-osx-sign Signing... {appname}-mas-x64/{appname}.app/Contents/Frameworks/{appname} Helper EH.app +229ms
  electron-osx-sign Signing... {appname}-mas-x64/{appname}.app/Contents/Frameworks/{appname} Helper NP.app/Contents/MacOS/{appname} Helper NP +237ms
  electron-osx-sign Signing... {appname}-mas-x64/{appname}.app/Contents/Frameworks/{appname} Helper NP.app +232ms
  electron-osx-sign Signing... {appname}-mas-x64/{appname}.app/Contents/Frameworks/{appname} Helper.app/Contents/MacOS/{appname} Helper +238ms
  electron-osx-sign Signing... {appname}-mas-x64/{appname}.app/Contents/Frameworks/{appname} Helper.app +230ms
  electron-osx-sign Signing... {appname}-mas-x64/{appname}.app/Contents/MacOS/Electron +265ms
  electron-osx-sign Signing... {appname}-mas-x64/{appname}.app +1s
  electron-osx-sign Verifying code sign... +1s
  electron-osx-sign Verification displayed below:
--prepared:/Users/florian/code/{appname}/{appname}-mas-x64/{appname}.app/Contents/Frameworks/{appname} Helper EH.app
--validated:/Users/florian/code/{appname}/{appname}-mas-x64/{appname}.app/Contents/Frameworks/{appname} Helper EH.app
--prepared:/Users/florian/code/{appname}/{appname}-mas-x64/{appname}.app/Contents/Frameworks/{appname} Helper NP.app
--validated:/Users/florian/code/{appname}/{appname}-mas-x64/{appname}.app/Contents/Frameworks/{appname} Helper NP.app
--prepared:/Users/florian/code/{appname}/{appname}-mas-x64/{appname}.app/Contents/Frameworks/{appname} Helper.app
--validated:/Users/florian/code/{appname}/{appname}-mas-x64/{appname}.app/Contents/Frameworks/{appname} Helper.app
--prepared:/Users/florian/code/{appname}/{appname}-mas-x64/{appname}.app/Contents/Frameworks/Electron Framework.framework/Versions/Current/.
--validated:/Users/florian/code/{appname}/{appname}-mas-x64/{appname}.app/Contents/Frameworks/Electron Framework.framework/Versions/Current/.
{appname}-mas-x64/{appname}.app: valid on disk
{appname}-mas-x64/{appname}.app: satisfies its Designated Requirement
 +366ms
  electron-osx-sign Displaying entitlements... +0ms
  electron-osx-sign Entitlements:
��qq�<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.application-groups</key>
    <array>
      <string>{identity}.com.{myname}.{appname}</string>
    </array>
  </dict>
</plist> +25ms
  electron-osx-sign Application signed. +0ms
Application signed: {appname}-mas-x64/{appname}.app

So <key>com.apple.security.app-sandbox</key> is actually in there…

[sethlu]

Hi @florian, sorry for my late reply... Personally I don't see any issues with your code signing. Following the err message, we probably should then check whether the entitlements signed on the helper apps are correct; would you run the following script on {appname} Helper EH.app in the app framework folder?

$ codesign --display --entitlements - <helperapp>

It should output with com.apple.security.app-sandbox if properly signed. From the debug log I think it should; but just to confirm. 😉

[florian]

Sorry, I can't execute it right now, I had a hardware problem with my Mac, I'll update this when it's fixed. :)

But I don't think the log in combination with codesign is that useful. Just to recap, there are two ways to package/sign with different problems:

1. Only using electron-packager

I'm running ˋelectron-packager ... --osx-signˋ. In this case I can run the .app file without problems but the signing doesn't work correctly (according to the mail I get from iTunes).
Is there a way I can log electron-osx-signs behaviour when using electron-packager?

2. Using electron-packager and electron-osx-sign

First I run ˋelectron-packager ...ˋ followed by ˋelectron-osx-sign ...ˋ. This is what I logged in my previous post. Signing works fine here (no complains from iTunes) but running the .app file doesn't work correctly anymore.

---

I'll try ˋcodesignˋ with both approaches when I'm able to in a few days, but the log was only from the packaging way where signing worked anyway (but executing the .app file didn't).

[develar]

@florian Or you can try use electron-builder – no need to manually flat after package, no need to explicitly specify identity (corresponding will be automatically found). Just build --osx mas.

Is there a way I can log electron-osx-signs behaviour when using electron-packager?

The same way, export DEBUG=electron-osx-sign*

[sethlu]

@florian Actually, the logging with export DEBUG=electron-osx-sign* could work when doing everything in one go with electron-packager. However, I wanted to know earlier if anything went wrong only during electron-osx-sign. (like what @develar just said)
It's quite strange to see the differences with some steps combined or separated. After resolving the hardware problem, would you mind laughing Terminal before running your app (before and after sandbox)? And let us know if there be any messages/errors thrown from the app? Thanks.

[florian]

Yes, I'll do that! Sorry for the delay.

[sethlu]

@florian no worries 😉 keep us updated.

[florian]

The hardware problem is now fixed and I tried your suggestions.

~/code/{appname} $ export DEBUG=electron-osx-sign*
~/code/{appname} $ electron-packager . {appname} --platform=mas --arch=x64 --version="1.0.0" --app-version="1.0.2" --asar --overwrite --app-bundle-id="…" app-category-type="public.app-category.productivity" --icon="assets/img/logo.icns" --ignore "…" --build-version="1.0.2" --osx-sign

Packaging app for platform mas x64 using electron v1.0.0
Wrote new app to /Users/florian/code/{appname}/{appname}-mas-x64

Nothing was logged. So either logging doesn't work like that when signing via electron-packager; or electron-osx-sign is just never called by electron-packager.

~/code/{appname} $ codesign --display --entitlements - {appname}-mas-x64/{appname}.app/Contents/Frameworks/{appname}\ Helper.app
{appname}-mas-x64/{appname}.app/Contents/Frameworks/{appname} Helper.app: code object is not signed at all

If I run electron-osx-sign {appname}.app then stuff gets logged and codesign shows me plist data regarding the sandbox.

[azer]

@florian you can enable the logs inline;

DEBUG=* codesign ...

I'm also having the same problem; same e-mail from Apple after submitting the app, and also, same blank screen after signing.

I used the script in the instructions for signing. electron-osx-sign is not able to find any sign, and if I run security find-identity, I get following;

3) 123ABC "3rd Party Mac Developer Application: Azer Koculu (XYZ)" (CSSMERR_TP_CERT_EXPIRED) 4) ABC123 "3rd Party Mac Developer Installer: Azer Koculu (XYZ)" (CSSMERR_TP_CERT_EXPIRED)

Not sure what CSSMERR_TP_CERT_EXPIRED means. Certifications are new, they shouldn't be expired yet.

[sethlu]

Hi @azer, I'll have you issue resolved first as it should be done fairly straightforward. I'm not sure if @florian has a same case for not knowing a list of his certificates available.
Would you mind following #9 and check if your certs have an invalid issuer?

[sethlu]

@florian We should probably code-sign your app by calling electron-osx-sign separately if it's not performing properly at the moment. However, I am thinking if updating your electron-packager along with its dependencies (including a latest electron-osx-sign) may resolve it as using debug to display logs was not introduced before the deprecation of the --verbose flag.

---

If an app fails to launch after code-signed, I should say the result may be normal because some tweaks may be necessary for your app to work as expected. Was your previous test (with codesign --display --entitlements - <...>) done when app code-signed separately? If not, great, then we may move onto checking if any error messages get logged in the macOS console. 😸 Thanks for checking.

[florian]

@azer I used to have the exact same problem. Just follow the instructions here. You just need to import Apple's new certificate and remove the old one.

---

@sethlu Updating electron-packager was a good idea. Now both ways to sign/package result in the same problem, and not into two seperate problems. :)

I tried signing with electron-packager … --osx-sign and with electron-packager … && electron-osx-sign {appname}.app. After signing the app doesn't work anymore. It's the same problem that I described in my initial post. After starting, the app shows an empty Electron window (picture in initial post) and then the app doesn't react anymore, and if I right click on it in the Dock, OS X only offers me to kill it directly.

My app is similar to apps like Spotlight or Alfred. It only consists of a floating window, and the visibility of that window can be toggled using a hotkey. By default it's not shown. So the window that appears when starting the signed app is definitely unexpected behaviour.

Was your previous test (with codesign --display --entitlements - <...>) done when app code-signed separately?

I tested it for both ways (seperate worked, all with electron-packager didn't). I just tried again, after updating electron-packager, and now both ways show that the signing worked for that file.
Sorry for not updating electron-packager earlier.

[florian]

I thought trying it with a different app would be a good idea, since the app that I want to submit to the MAS has this special window behaviour.

However I get the same problem with the other app I tried (which is open source by the way). The only difference is that the size of the unresponsive window is larger (as big as it usually is when the app is started and is working).

So I guess that means that it's probably not app specific but has something to do with my dev environment.

[sethlu]

Hi @florian, glad to hear that the issues now resolve into one. I'll try packing your open-sourced project tomorrow myself and see if encountering any issues. However, I should now recommend checking in your macOS Console (/Applications/Utilities/Console.app) if there are any logs while launching your app. For the blank screen appears, it should say something related to it.

[florian]

However, I should now recommend checking in your macOS Console (/Applications/Utilities/Console.app) if there are any logs while launching your app. For the blank screen appears, it should say something related to it.

That was a good suggestion. It's logging 26.06.16 20:48:58,810 sandboxd[151]: ([13399]) HackerNews Helpe(13399) deny mach-lookup org.chromium.Chromium.rohitfork.13398 for my HN app.

I found this electron issue from you regarding this exact error message. :)

I tried building with the newest Electron version, assuming that should fix everything since the issue is closed. However I now get these errors in the log:

26.06.16 21:40:35,000 kernel[0]: Sandbox: HackerNews Helpe(14575) deny(1) mach-lookup com.electron.hackernews.rohitfork.14574
…
26.06.16 21:40:45,000 kernel[0]: Sandbox: HackerNews(14574) deny(1) file-read-data /Users/florian/Library/Preferences/com.apple.symbolichotkeys.plist

What do you suggest to try next?

My other app also has some other sandbox issues, probably because it's running some AppleScripts (e.g. to get the currently selected text). I guess it's better to focus on the simple HN app first and I'll try to take care of the other missing entitlements for the more complex app myself later. :)

[sethlu]

@florian From your mentioning deny mach-lookup org.chromium.Chromium.rohitfork.13398 I am wondering which Electron version are you utilizing currently. (Though electron/electron#3871 already closed, there are still some parts with which I disagree slightly. 😺) However, would you try the following on your signed app so we could know the entitlements embedded?

$ codesign --display --entitlements - <app>

com.apple.security.application-groups should be somewhere in the output. If not, we may need to investigate a bit more.

[florian]

I am wondering which Electron version are you utilizing currently.

After I found your issue regarding the error message, I upgraded to the newest Electron version (v1.2.5). All of the error message beginning from my last post are from that Electron version.

I just triple checked that I'm definitely using that electron version. The packaging process outputs "Packaging app for platform mas x64 using electron v1.2.5 mas-x64 finished!".

I also tried logging the electron version when running the packaged and signed app.

dialog.showMessageBox(mainWindow, { message: process.versions.electron, buttons: [] });
mainWindow.loadURL(`file://${__dirname}/app/app.html`)

This works and shows an alert like window with the content "1.2.5". So I'm definitely using the newest Electron version.

Interesting side note: dialog.showMessageBox blocks until the user clicked on the "OK" button. Until I press that button, the app doesn't freeze. This caught my attention and if I found that mainWindow.loadURL is what causes the freezing.

However, would you try the following on your signed app so we could know the entitlements embedded?

~/code/hnclient $ codesign --display --entitlements - /Users/florian/code/hnclient/release/mas-x64/HackerNews-mas-x64/HackerNews.app
Executable=/Users/florian/code/hnclient/release/mas-x64/HackerNews-mas-x64/HackerNews.app/Contents/MacOS/HackerNews
��qq<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
  </dict>
</plist>

I wasn't sure if you wanted me to run that on the parent .app file, so I also ran this on the nested .app file that I previously ran codesign on.

~/code/hnclient $ codesign --display --entitlements - /Users/florian/code/hnclient/release/mas-x64/HackerNews-mas-x64/HackerNews.app/Contents/Frameworks/HackerNews\ Helper.app
Executable=/Users/florian/code/hnclient/release/mas-x64/HackerNews-mas-x64/HackerNews.app/Contents/Frameworks/HackerNews Helper.app/Contents/MacOS/HackerNews Helper
��qq8<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.inherit</key>
    <true/>
  </dict>
</plist>

[sethlu]

@florian 😄 I think I see where the issue is now; in the entitlements signed with your app we should have the com.apple.security.application-groups somewhere, which now is missing. Would you mind signing your app again with electron-osx-sign and enable the logs?

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.application-groups</key>
    <array>
      <string>{identity}.com.{myname}.{appname}</string>
    </array>
  </dict>
</plist>

We would like to see what similar to above, as you posted earlier #61 (comment). The latest electron-osx-sign should have no issue with doing so I think.

[florian]

~/code/hnclient $ export DEBUG=electron-osx-sign*
~/code/hnclient $ electron-osx-sign /Users/florian/code/hnclient/release/mas-x64/HackerNews-mas-x64/HackerNews.app
  electron-osx-sign:warn No `platform` passed in arguments, checking Electron platform... +0ms
  electron-osx-sign:warn No `entitlements` passed in arguments, will fallback to default settings. +7ms
  electron-osx-sign:warn No `entitlements-inherit` passed in arguments, will fallback to default settings. +2ms
  electron-osx-sign:warn No `identity` passed in arguments, discovering identities... +0ms
  electron-osx-sign Pre-sign operation enabled for entitlements automation with versions >= `1.1.1`; disable by setting `pre-auto-entitlements` to `false`. +255ms
  electron-osx-sign Automating entitlement app group... +0ms
  electron-osx-sign:warn `ElectronTeamID` not found in `Info.plist`, use parsed from signing identity: {identity} +12ms
  electron-osx-sign:warn `com.apple.security.application-groups` not found in entitlements file, new inserted: {identity}.com.electron.hackernews +10ms
  electron-osx-sign Signing application... +2ms
  electron-osx-sign > application         /Users/florian/code/hnclient/release/mas-x64/HackerNews-mas-x64/HackerNews.app +0ms
  electron-osx-sign > platform            mas +0ms
  electron-osx-sign > entitlements        /var/folders/63/65tpqxsd1y19g6q_15r57knw0000gn/T/7e4240af-2661-4907-b867-be08bdabf79b.plist +0ms
  electron-osx-sign > child-entitlements  /usr/local/lib/node_modules/electron-osx-sign/default.entitlements.mas.inherit.plist +0ms
  electron-osx-sign > additional-binaries  +0ms
  electron-osx-sign > identity            3rd Party Mac Developer Application: Florian Hartmann ({identity}) +0ms
  electron-osx-sign Signing... /Users/florian/code/hnclient/release/mas-x64/HackerNews-mas-x64/HackerNews.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Electron Framework +54ms
  electron-osx-sign Signing... /Users/florian/code/hnclient/release/mas-x64/HackerNews-mas-x64/HackerNews.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libffmpeg.dylib +783ms
  electron-osx-sign Signing... /Users/florian/code/hnclient/release/mas-x64/HackerNews-mas-x64/HackerNews.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libnode.dylib +212ms
  electron-osx-sign Signing... /Users/florian/code/hnclient/release/mas-x64/HackerNews-mas-x64/HackerNews.app/Contents/Frameworks/Electron Framework.framework +335ms
  electron-osx-sign Signing... /Users/florian/code/hnclient/release/mas-x64/HackerNews-mas-x64/HackerNews.app/Contents/Frameworks/HackerNews Helper EH.app/Contents/MacOS/HackerNews Helper EH +816ms
  electron-osx-sign Signing... /Users/florian/code/hnclient/release/mas-x64/HackerNews-mas-x64/HackerNews.app/Contents/Frameworks/HackerNews Helper EH.app +192ms
  electron-osx-sign Signing... /Users/florian/code/hnclient/release/mas-x64/HackerNews-mas-x64/HackerNews.app/Contents/Frameworks/HackerNews Helper NP.app/Contents/MacOS/HackerNews Helper NP +201ms
  electron-osx-sign Signing... /Users/florian/code/hnclient/release/mas-x64/HackerNews-mas-x64/HackerNews.app/Contents/Frameworks/HackerNews Helper NP.app +187ms
  electron-osx-sign Signing... /Users/florian/code/hnclient/release/mas-x64/HackerNews-mas-x64/HackerNews.app/Contents/Frameworks/HackerNews Helper.app/Contents/MacOS/HackerNews Helper +198ms
  electron-osx-sign Signing... /Users/florian/code/hnclient/release/mas-x64/HackerNews-mas-x64/HackerNews.app/Contents/Frameworks/HackerNews Helper.app +190ms
  electron-osx-sign Signing... /Users/florian/code/hnclient/release/mas-x64/HackerNews-mas-x64/HackerNews.app/Contents/MacOS/HackerNews +200ms
  electron-osx-sign Signing... /Users/florian/code/hnclient/release/mas-x64/HackerNews-mas-x64/HackerNews.app +236ms
  electron-osx-sign Verifying code sign... +244ms
  electron-osx-sign Verification displayed below:
--prepared:/Users/florian/code/hnclient/release/mas-x64/HackerNews-mas-x64/HackerNews.app/Contents/Frameworks/HackerNews Helper EH.app
--validated:/Users/florian/code/hnclient/release/mas-x64/HackerNews-mas-x64/HackerNews.app/Contents/Frameworks/HackerNews Helper EH.app
--prepared:/Users/florian/code/hnclient/release/mas-x64/HackerNews-mas-x64/HackerNews.app/Contents/Frameworks/HackerNews Helper.app
--validated:/Users/florian/code/hnclient/release/mas-x64/HackerNews-mas-x64/HackerNews.app/Contents/Frameworks/HackerNews Helper.app
--prepared:/Users/florian/code/hnclient/release/mas-x64/HackerNews-mas-x64/HackerNews.app/Contents/Frameworks/HackerNews Helper NP.app
--validated:/Users/florian/code/hnclient/release/mas-x64/HackerNews-mas-x64/HackerNews.app/Contents/Frameworks/HackerNews Helper NP.app
--prepared:/Users/florian/code/hnclient/release/mas-x64/HackerNews-mas-x64/HackerNews.app/Contents/Frameworks/Electron Framework.framework/Versions/Current/.
--validated:/Users/florian/code/hnclient/release/mas-x64/HackerNews-mas-x64/HackerNews.app/Contents/Frameworks/Electron Framework.framework/Versions/Current/.
/Users/florian/code/hnclient/release/mas-x64/HackerNews-mas-x64/HackerNews.app: valid on disk
/Users/florian/code/hnclient/release/mas-x64/HackerNews-mas-x64/HackerNews.app: satisfies its Designated Requirement
 +265ms
  electron-osx-sign Displaying entitlements... +1ms
  electron-osx-sign Entitlements:
��qq�<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.application-groups</key>
    <array>
      <string>{identity}.com.electron.hackernews</string>
    </array>
  </dict>
</plist> +21ms
  electron-osx-sign Application signed. +0ms
Application signed: /Users/florian/code/hnclient/release/mas-x64/HackerNews-mas-x64/HackerNews.app

Now, the app opens without freezing. However nothing network dependent is being loaded. The data that's coming from an HN API is missing, and the webview doesn't show anything either.
Looks like I need special entitlements for making network requests right?

I also checked the console:

27.06.16 13:14:08,633 taskgated[336]: no application identifier provided, can't use provisioning profiles [pid=1925]
27.06.16 13:14:09,900 HackerNews[1925]: __net_helper_get_connection_block_invoke_3 could not connect to networkd
27.06.16 13:14:09,900 HackerNews[1925]: __nw_path_evaluator_start_helper_connection_block_invoke net_helper_path_evaluation_start callback failed, dumping backtrace:
        [x86_64] libnetcore-582.1.4
    0   libsystem_network.dylib             0x00007fff93e31a05 __nw_create_backtrace_string + 123
    1   libsystem_network.dylib             0x00007fff93e4ac61 __nw_path_evaluator_start_helper_connection_block_invoke + 22
    2   libxpc.dylib                        0x00007fff9396974b _xpc_connection_reply_callout + 26
    3   libxpc.dylib                        0x00007fff939696ec _xpc_connection_call_reply + 36
    4   libdispatch.dylib                   0x00007fff929ff453 _dispatch_client_callout + 8
    5   libdispatch.dylib                   0x00007fff92a04083 _dispatch_queue_drain + 754
    6   libdispatch.dylib                   0x00007fff92a0a6c9 _dispatch_queue_invoke + 549
    7   libdispatch.dylib                   0x00007fff92a02d9b _dispatch_root_queue_drain + 538
    8   libdispatch.dylib                   0x00007fff92a02b48 _dispatch_worker_thread3 + 91
    9   libsystem_pthread.dylib             0x00007fff9a8284f2 _pthread_wqthread + 1129
    10  libsystem_pthread.dylib             0x00007fff9a826375 start_wqthread + 13
27.06.16 13:14:09,901 HackerNews[1925]: nw_path_evaluator_start_helper_connection net_helper_path_evaluation_start failed, dumping backtrace:
        [x86_64] libnetcore-582.1.4
    0   libsystem_network.dylib             0x00007fff93e31a05 __nw_create_backtrace_string + 123
    1   libsystem_network.dylib             0x00007fff93e47088 nw_path_evaluator_start_helper_connection + 196
    2   libdispatch.dylib                   0x00007fff92a0a8ff _dispatch_call_block_and_release + 12
    3   libdispatch.dylib                   0x00007fff929ff453 _dispatch_client_callout + 8
    4   libdispatch.dylib                   0x00007fff92a04083 _dispatch_queue_drain + 754
    5   libdispatch.dylib                   0x00007fff92a0a6c9 _dispatch_queue_invoke + 549
    6   libdispatch.dylib                   0x00007fff92a02d9b _dispatch_root_queue_drain + 538
    7   libdispatch.dylib                   0x00007fff92a02b48 _dispatch_worker_thread3 + 91
    8   libsystem_pthread.dylib             0x00007fff9a8284f2 _pthread_wqthread + 1129
    9   libsystem_pthread.dylib             0x00007fff9a826375 start_wqthread + 13
27.06.16 13:14:09,979 sandboxd[147]: ([1925]) HackerNews(1925) deny network-outbound 159.203.152.155:80
27.06.16 13:14:09,982 sandboxd[147]: ([1925]) HackerNews(1925) deny network-outbound 159.203.152.155:80
27.06.16 13:14:10,033 sandboxd[147]: ([1925]) HackerNews(1925) deny mach-lookup com.apple.networkd
27.06.16 13:14:19,092 sandboxd[147]: ([1925]) HackerNews(1925) deny file-read-data /Users/florian/Library/Preferences/com.apple.symbolichotkeys.plist

[sethlu]

@florian great it's working! Honestly I don't know why Electron's requesting network access; same happens to me. Anyway, would you create a custom entitlements file with the following? The file extension may be .plist or .entitlements (the latter preferred by Apple).

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
  </dict>
</plist>

And then, code-sign your app again 😄 with the following script:

$ electron-osx-sign <app> --entitlements <entitlements>

After that the networking issue should be resolved. Let me know how it goes.

[florian]

Yeah, I just did that and it worked. :) Finally!
However I wasn't sure what default entitlements from this repo I should extend, default.entitlements.mas.inherit.plist or default.entitlements.mas.plist?

---

And after all, there also seems to be a bug in electron-packager, right? The signing is only working when using electron-osx-sign on its own.

[sethlu]

@florian I should say extending default.entitlements.mas.plist probably as we use it for signing the app bundle; default.entitlements.mas.inherit.plist is only for creating inheritance of sandbox settings in helper apps for example.
I'm not sure though if electron-packager has a bug... It's an open PR here haha: https://github.com/electron-userland/electron-packager/pull/384/files. [email protected] is still in beta so we should probably wait until it gets stable. 😸 It's quite functional so far.

[develar]

[email protected] is still in beta so we should probably wait until it gets stable

electron-builder uses 0.4.0 and no issues from users, only successful reports that mas target works ;)

[florian]

Honestly I don't know why Electron's requesting network access; same happens to me.

Well in my case it's makes sense, as the app itself does network requests (query HackerNews API, display websites).

I should say extending default.entitlements.mas.plist

Alright, then I'll use that one :) Both work, so I guess it's better to use the more minimal config anyways.

Thanks a lot for the great help throughout the last 8 days. I'm super grateful for the support and the project. :)

Is it alright if I keep the issue open until I successfully signed (using the correct entitlements) the more complex app?

[sethlu]

@florian It's fine to keep this open. 😸 We'll see how much we may help.

[florian]

I submitted the HN app to the MAS today and everything seemed to work fine. So it looks like the original issue is solved :)

---

@sethlu This isn't regarding electron-osx-sign not working, but I thought I'd ask you since you seem to be very knowledgeable with signing/entitlements. I'll try on StackOverflow if you don't have any advice or no time for this. So feel free to ignore this if you don't want to spend time on it. :)

My app executes AppleScript, e.g. to copy the currently selected text to the clipboard. Executing AppleScript in node is only possible by using /usr/bin/osascript.
I've spent quite some time trying different entitlements, but I found none that stop this console errors:

03.07.16 21:06:06,358 appleeventsd[61]: rdar://problem/11489077 A sandboxed application with pid 30507, "osascript" checked in with appleeventsd, but its code signature could not be read and validated by appleeventsd, and so it cannot receive AppleEvents targeted by name, bundle id, or signature. Install the application in /Applications/ or some other world readable location to resolve this issue. Error=ERROR: #100001 { "NSDescription"="SecCodeCopyGuestWithAttributes() returned 100001, -." } (handleMessage()/appleEventsD.cp #2098) com.apple.root.default-qos
03.07.16 21:06:06,403 sandboxd[146]: ([61]) appleeventsd(61) deny file-read-data /usr/bin
03.07.16 21:06:06,434 sandboxd[146]: ([61]) appleeventsd(61) deny file-read-metadata /usr/bin
03.07.16 21:06:06,465 sandboxd[146]: ([61]) appleeventsd(61) deny file-read-data /usr/bin/osascript

I guess the problem is also that running /usr/bin/osascript spawns a new process that doesn't have the same entitlements.

My entitlements:

    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
    <key>com.apple.security.scripting-targets</key>
    <dict>
        <key>com.apple.systemevents</key>
        <true/>
    </dict>

The AppleScripts tell "System Events" to do stuff, thus the scripting target.

[sethlu]

Hi @florian glad to know the code-signing worked! 🎊 From my understanding of the entitlements only as I haven't had much experience with AppleScript, I would recommend trying adding the following to your entitlements and then code-signing again.

<key>com.apple.security.temporary-exception.files.absolute-path.read-only</key>
<array>
  <string>/usr/bin</string>
</array>

03.07.16 21:06:06,358 appleeventsd[61]: rdar://problem/11489077 A sandboxed application with pid 30507, "osascript" checked in with appleeventsd, but its code signature could not be read and validated by appleeventsd, and so it cannot receive AppleEvents targeted by name, bundle id, or signature. Install the application in /Applications/ or some other world readable location to resolve this issue. Error=ERROR: #100001 { "NSDescription"="SecCodeCopyGuestWithAttributes() returned 100001, -." } (handleMessage()/appleEventsD.cp #2098) com.apple.root.default-qos

On the message given by appleeventsd, probably moving the app bundle to /Applications may resolve it. However, I have not tested a solution myself. 😢

Ref: https://developer.apple.com/library/ios/documentation/Miscellaneous/Reference/EntitlementKeyReference/Chapters/AppSandboxTemporaryExceptionEntitlements.html#//apple_ref/doc/uid/TP40011195-CH5-SW1

[florian]

Thanks a lot for your reply. :) I tried both suggestions and they didn't work, I still get the same errors. Does a temporary exception mean it's only permitted for a short time after the app starts? Because I'm executing AppleScripts from time to time.

A read right (com.apple.security.temporary-exception.files.absolute-path.read-only) also sounds different from a right to execute the script. But I couldn't find a right for that and the error is complaining about reading anyway, so maybe this has nothing to do with it.

On the message given by appleeventsd, probably moving the app bundle to /Applications may resolve it

I think the problem regarding that message is that /usr/bin/osascript is not in /Applications. But I can hardly move it there and sign it too :D

[sethlu]

@florian "A temporary exception entitlement permits your OS X app to perform certain operations otherwise disallowed by App Sandbox." (ref: https://developer.apple.com/library/mac/documentation/Miscellaneous/Reference/EntitlementKeyReference/Chapters/AppSandboxTemporaryExceptionEntitlements.html#//apple_ref/doc/uid/TP40011195-CH5-SW1) It should allow actions throughout your code execution, not limited to how much you access it I think.

I was thinking about com.apple.security.temporary-exception.files.absolute-path.read-only because the following was emitted:

03.07.16 21:06:06,403 sandboxd[146]: ([61]) appleeventsd(61) deny file-read-data /usr/bin
03.07.16 21:06:06,434 sandboxd[146]: ([61]) appleeventsd(61) deny file-read-metadata /usr/bin
03.07.16 21:06:06,465 sandboxd[146]: ([61]) appleeventsd(61) deny file-read-data /usr/bin/osascript

I'm not sure why it is complaining this way... If we are executing something from node, we may probably go with spawn or exec? I've only tested with executing php to run .php scripts from within an Electron app, which passed the MAS review.

I've found this online, and not sure if it may become an alternative to using AppleScript when copying selected text to clipboard: http://www.javascriptkit.com/javatutors/copytoclipboard.shtml

[florian]

I've found this online, and not sure if it may become an alternative to using AppleScript when copying selected text to clipboard: http://www.javascriptkit.com/javatutors/copytoclipboard.shtml

No, I need it to use system wide, not just in my app. And there's also some other AppleScript stuff, that I definitely can't replace, so I'm stuck with AS.

If we are executing something from node, we may probably go with spawn or exec?

Yeah, I'm using a helper library for executing AppleScript and parsing the return values, and it's calling spawn.
exec is calling spawn under the hood (I looked it up in the node code :P), so switching to that wouldn't help. And I don't see any other way to call AppleScript from node other than spawn / exec.

I've only tested with executing php to run .php scripts from within an Electron app, which passed the MAS review.

I'd say the difference is that your PHP scripts are not interacting with the UI like AppleScript does, but the deny file-read error messages look like they don't care about that. What entitlement did you use to be able to execute using /usr/bin/php?

[sethlu]

@florian Sorry for my late reply. I thought the JavaScript trick may work around. 😢

I'd say the difference is that your PHP scripts are not interacting with the UI like AppleScript does, but the deny file-read error messages look like they don't care about that. What entitlement did you use to be able to execute using /usr/bin/php?

I did the following to have my php script running last year without additional entitlements:

require("child_process").exec("php -r ...")

Not sure if it may be helpful in your app. 😕 Also:

03.07.16 21:06:06,358 appleeventsd[61]: rdar://problem/11489077 A sandboxed application with pid 30507, "osascript" checked in with appleeventsd, but its code signature could not be read and validated by appleeventsd, and so it cannot receive AppleEvents targeted by name, bundle id, or signature. Install the application in /Applications/ or some other world readable location to resolve this issue. Error=ERROR: #100001 { "NSDescription"="SecCodeCopyGuestWithAttributes() returned 100001, -." } (handleMessage()/appleEventsD.cp #2098) com.apple.root.default-qos

I'm not sure but from some online forums... Moving the app (MyApp.app for example) into /Applications/ may work around this issue. Hope it helps! 😸

[thomastuts]

@florian I am currently running into the same exact issue:

<rdar://problem/11489077> A sandboxed application with pid 16820, "osascript" checked in with 
appleeventsd, but its code signature could not be read and validated by appleeventsd, and so it cannot 
receive AppleEvents targeted by name, bundle id, or signature. Install the application in /Applications/ or 
some other world readable location to resolve this issue. Error=ERROR: #100001  { 
"NSDescription"="SecCodeCopyGuestWithAttributes() returned 100001, -." }  
(handleMessage()/appleEventsD.cp #2098) com.apple.root.default-qos

Did you happen to fix this, and if so, how? Kind of stumped here!

[sethlu]

@florian @thomastuts a quick thought from me: Are your AppleScript put in actual files that are called as arguments for osascript? I'm imagining if code signing the individual AppleScript files may resolve the issue, if there being any.

[florian]

Did you happen to fix this, and if so, how? Kind of stumped here!

Nope. I kept trying for another day but then I stopped because university exams were coming up. And it was also really frustrating and not a lot of fun to work on this :P
But I had the intention to work on it on a weekend soon.

@florian @thomastuts a quick thought from me: Are your AppleScript put in actual files that are called as arguments for osascript? I'm imagining if code signing the individual AppleScript files may resolve the issue, if there being any.

I only tried directly passing strings to osascript. According to man osascript it's also possible to pass files, so that might be a good idea indeed.

[thomastuts]

@sethlu @florian I've been using files instead of inlining the AppleScript code.

By the looks of the error, it seems like it's an entitlement issue rather than a code signing one (especially if inlining the code doesn't work either). I'll give it a shot this week and see if that changes anything. Just to be sure, @sethlu, how would I go about signing the file? Would it be the same process that is outlined in the Electron docs? More specifically, something like this:

codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "<PATH_TO_APPLESCRIPT_FILE>"

[sethlu]

@thomastuts I'm not sure about the AppleScript files... However, as codesign works upon file integrity, it is fine I think to apply the same code on them. 😕

Sorry I haven't tried AppleScript myself; not sure what to do upon cases like this.

[florian]

@sethlu Did you make any progress this week?

[sethlu]

@florian I was quite busy during the week... However, I've found some related hints about code signing on AppleScript: https://developer.apple.com/library/mac/releasenotes/AppleScript/RN-AppleScript/RN-10_8/RN-10_8.html

I'm trying to get myself familiar to the language so that I could create a test case to test its workability in the coming week. Would you try if the methods in the Apple doc work?

[florian]

@sethlu Sounds good, I'll take a closer look at your link on the weekend.

I'm trying to get myself familiar to the language so that I could create a test case to test its workability in the coming week.

You don't really need to learn AppleScript for that :) I've just created a minimal example Electron app that uses AppleScript: https://github.com/florian/electron-sign-applescript To be exact it uses osascript -e.
I guess we can use that as a test case to try to find a signing solution.

Do you think I should open a new issue for AppleScript signing? It seems that we're cluttering this issue a little bit.

[sethlu]

@florian Nice, thanks for pushing a test case! I'll have a look into that tonight.

---

I'm in the middle of trying to include provisioning profiles for MAS signing, eventually after some time of tweaking for a better workflow.

[florian]

@sethlu Are you sure that I shouldn't open a new issue for this?

@sethlu Did you make any progress this week?

Sorry, I meant to at-mention @thomastuts because he said that he'd give it another try that week :)

Are your AppleScript put in actual files that are called as arguments for osascript? I'm imagining if code signing the individual AppleScript files may resolve the issue, if there being any.

I tried that today, without much success. However I didn't manage to put the signed AS files into Electron's asar archive and pass them to osascript. I only tried with signed AS code outside, and the Mac sandbox didn't like that. I added a temporary exception for being allowed to read files there and then got the usual osascript error messages.

I'm not sure if it's even possible to get a file path that leads into an asar archive and then give that path to a command line script. But it might be something to try in the future.

---

Other than that I spend most of the day trying to find other ways to solve the AppleScript signing.
I updated my example repo to have a better test case and included packaging commands.

The previous random number example wasn't that useful. While the console does complain about the random number AppleScript, it allows executing it. Probably because the script couldn't do much harm.
However, if I try an AppleScript that executes a keyboard shortcut (like Cmd+C, Cmd+Z), the sandbox will block it. I now included Cmd+Space in the example, because it's easy to test if Spotlight is being opened. :)
To run that shortcut, an apple event is send to "System Events". I tried getting permissions to send events to that application, but didn't find a way that worked. The sandbox complains that this permissions is missing, so I think finding a way to declare it is the way to go.

In an Apple documentation I read that it's possible to get permission to send events to specific apps, so sending messages to System Events should be possible. The only thing that wouldn't work is getting permission to send events to all possible apps (which isn't really necessary, because System Events handles a lot of stuff).

---

I'm in the middle of trying to include provisioning profiles for MAS signing, eventually after some time of tweaking for a better workflow.

Does provisioning profiles mean entitlement files?

[sethlu]

@florian

@sethlu Are you sure that I shouldn't open a new issue for this?

Actually I'm also thinking about opening another thread for this issue 😹 The AppleScript may be addressed under a better title. (A closed issue like this is quite hard to search for in GitHub directly.)

---

On packaging with asar I'm thinking that it may be more doable to unpack these AS.

---

Does provisioning profiles mean entitlement files?

Provisioning profiles are quite different from entitlement files in the way that they bear signing identities and mark machines UDID for development/testing. It describes a development team in short.

They were discussed slightly in #59 and were proved useful avoiding some Sandbox issues with application group (recommended starting Electron v1.1.1) to allow better threading of system and graphics. Performance/graphic glitches were observed prior to the introduction of application group.

I have drafted a workflow for manually embedding provisioning profiles in https://github.com/sethlu/electron-distribution-guide, following which a branch of electron-osx-sign will be implemented. Hopefully, it would be useful to address this issue with AppleScript.

[thomastuts]

@florian @sethlu Sorry for the late reply!

I've been doing some testing and concluded that running the AppleScript itself is not the problem. In a signed app, I can run a debug .applescript file (using osascript and pointing it to an external file) just fine. The only thing this file does is spawn a dialog (which is apparently always allowed). The same thing worked by inlining the script when running osascript (using the statement -e option).

The privilege error only occurs when you start scripting other applications (in our case, that's Keynote). Apple has some documentation on the entitlements you need. You can find out the access groups by using sdef, for example sdef /Applications/Mail.app. The XML output of that command exposes the access-group attributes (search the XML for it). In our case, it seems like the only access group is *, but adding that to the entitlements as shown in the link above doesn't work. We've sent in a support request to check if the entitlements we're using are correct for Keynote, and if there are any others we should use.