Notarize app for macOS #3870

Closed
pashvin opened this issue May 2, 2019 · 83 comments

Comments

@pashvin

pashvin commented May 2, 2019

Is there any way to notarize app using electron builder?
Looks like Apple is going to force it soon. See link below
https://developer.apple.com/news/?id=04102019a

There is one npm module available but it will be nice if this is supported by electron-builder.
https://github.com/electron-userland/electron-notarize

@martani

martani commented May 14, 2019

I have users on OSX 10.14.5 reporting that the electron app can't be opened anymore.

Running spctl -a -t open --context context:primary-signature -v <pathToDMG> returns the following error:

Downloads/<pathToDMG>.dmg: rejected
source=Unnotarized Developer ID

It would be great if we have some option to notarize the app with electron-builder.

@Kilian
Contributor

Kilian commented May 21, 2019

ticket #3908 mentions running electron-notarize yourself in the afterAllArtifactBuild step, but probably due to timing, this interferes with the publish step so is less than ideal. Having this integrated would be super helpful.

@Kilian
Contributor

Kilian commented May 21, 2019

Also, this is blocked by #3504, otherwise you could roll your own with electron-notarize in the afterSign(not in the afterAllArtifactBuild step).

@wagslane

Yeah this is a big issue :( all our Mac installs started breaking. Trying to figure out how we can do notarization using electron builder on a ci server (Travis) if anyone figures it out let me know!

@Kilian
Contributor

Kilian commented May 23, 2019

I have a fix in #3912, once that lands you can call electron-notarize in the afterSign step and everything works as expected. I'll write a blogpost about it once it's merged in/published :)

@wagslane

> I have a fix in #3912, once that lands you can call electron-notarize in the afterSign step and everything works as expected. I'll write a blogpost about it once it's merged in/published :)

You're a hero, I'm excited.

@Kilian
Contributor

Kilian commented May 25, 2019

There's a few more things that need to happen, it seems. The DMG is also signed by electron-builder and anything that gets signed needs to be notarized or it won't be allowed to install. So we need one of two options:

  • A setting to turn off signing the DMG. This is less than ideal, but workable. This creates an unsigned, un-notarized DMG that installs a signed and notarized app. You'll likely get the unknown developer message.
  • An extra hook called after creating the dmg but before any of the electron-updater files (blockmap, latest-mac.yml) are created. The notarization process "staples" the dmg so the file changes, so it needs to run before any of the updater files are created. Instead of this, electron-notarize could add a setting where it doesn't staple the file after notarizing. This means a computer needs internet access to validate a notarization, but also means that the dmg does not change, and you can run notarize after all the update files have been created.
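
An added example (not from this thread or from electron-builder) of checking whether update metadata still matches an artifact after a later step such as stapling has modified the file. It assumes the manifest lists each file with a base64 SHA-512 `sha512` and a byte `size`; the file name and bytes are constructed and the function names are hypothetical.

```javascript
const crypto = require("crypto");

// Base64-encoded SHA-512, the digest form assumed for the "sha512" fields.
function sha512Base64(data) {
  return crypto.createHash("sha512").update(data).digest("base64");
}

function unquote(value) {
  return value.trim().replace(/^(['"])(.*)\1$/, "$2");
}

// Minimal reader for the "files:" list of an update manifest.
// It is not a general YAML parser; it only understands url/sha512/size.
function parseManifestFiles(text) {
  const files = [];
  let current = null;
  let inFiles = false;
  for (const line of text.split(/\r?\n/)) {
    if (/^files:\s*$/.test(line)) { inFiles = true; continue; }
    if (inFiles && /^\S/.test(line)) inFiles = false; // next top-level key ends the list
    if (!inFiles) continue;
    const item = line.match(/^\s*-\s+url:\s*(.+)$/);
    if (item) {
      current = { url: unquote(item[1]) };
      files.push(current);
      continue;
    }
    const kv = line.match(/^\s+(sha512|size):\s*(.+)$/);
    if (kv && current) {
      current[kv[1]] = kv[1] === "size" ? Number(kv[2]) : unquote(kv[2]);
    }
  }
  return files;
}

// Compare every listed file with the bytes that will actually be published.
// readArtifact(url) returns a Buffer, or null when the file does not exist.
function findStaleEntries(manifestText, readArtifact) {
  const stale = [];
  for (const entry of parseManifestFiles(manifestText)) {
    const data = readArtifact(entry.url);
    if (!data) {
      stale.push({ url: entry.url, reason: "missing" });
    } else if (entry.size !== undefined && entry.size !== data.length) {
      stale.push({ url: entry.url, reason: "size" });
    } else if (entry.sha512 !== sha512Base64(data)) {
      stale.push({ url: entry.url, reason: "sha512" });
    }
  }
  return stale;
}

// --- Constructed demonstration data -------------------------------------
const DMG_NAME = "App-1.0.0.dmg";
const builtDmg = Buffer.from("constructed stand-in for the DMG bytes");
const manifest = [
  "version: 1.0.0",
  "files:",
  `  - url: ${DMG_NAME}`,
  `    sha512: ${sha512Base64(builtDmg)}`,
  `    size: ${builtDmg.length}`,
  `path: ${DMG_NAME}`,
  `sha512: ${sha512Base64(builtDmg)}`,
].join("\n");

// Stapling attaches a ticket to the file. Appending bytes models the only
// property that matters here: the file differs from what was hashed.
const stapledDmg = Buffer.concat([builtDmg, Buffer.from("constructed ticket")]);

const before = findStaleEntries(manifest, () => builtDmg);
const after = findStaleEntries(manifest, () => stapledDmg);
console.log({ before, after });
```

Run as the last step before publishing, a non-empty result means the metadata has to be regenerated or the modifying step moved earlier.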

@Kilian
Contributor

Kilian commented May 25, 2019

@develar is this something you could help coordinate?

@develar
Member

develar commented May 25, 2019

electron-builder should use electron-notarize under the hood and user should not configure some hooks.

@develar
Member

develar commented May 25, 2019

> update files

For DMG currently updates files are not used by electron-updater.

@Kilian
Contributor

Kilian commented May 25, 2019 via email

@Kilian
Contributor

Kilian commented May 26, 2019

We're tracking an issue in #3828 that's preventing regular users from installing from an electron-builder generated dmg even though it is notarized.

@Kilian
Contributor

Kilian commented May 26, 2019

The signing and notarizing of the app works with 20.42.0 using electron-notarize and (on macos 10.14.5) disabling electron-osx-sign's gatekeeper assessment. The signing and notarizing the dmg after its creation also works. If you check spctl -a -v for the app, and for the app inside the dmg, then the app is accepted and signed by a notarized developer id, so that all works as it should.

However, the dmg itself can only be opened by holding cmd, or right-clicking and selecting open. Additionally, users are greeted with an ominous message about malicious software.
[Image: Screenshot_26_05_2019__14_14]

For Google-ability, this is the text in the image:

"Appname.dmg" can't be opened because Apple cannot check it for malicious software.

This software needs to be updated. Contact the developer for more information.

This is less than ideal. @martani found out that the "open" type assessment of the dmg is not being notarized, and we suspect that's the issue.

@Kilian
Contributor

Kilian commented May 27, 2019

Solution found

When the DMG is not codesigned and not notarized, but the app inside it is, Gatekeeper accepts it.

So for the complete story regarding notarization with electron-builder we need two additional things:

  1. it needs to disable the gatekeeper assessment when calling electron-osx-sign
  2. the code that signs DMGs in dmg-builder should be removed (or there should be an option to disable it)
  3. bonus: implement electron-notarize as a new step after sign.

@develar I'll make a PR for point 1 and 2.

@martani

martani commented May 27, 2019

Awesome, thanks @Kilian! I can confirm your solution is working as expected.

@Kilian
Contributor

Kilian commented Jun 4, 2019

And here's the guide on how to Notarize your app using electron-builder: https://kilianvalkhof.com/2019/electron/notarizing-your-electron-application/

@zaherg

zaherg commented Jun 4, 2019

@Kilian thanks for the post, just a small note about dotenv you can have a file called electron-builder.env which will be read by electron-builder automatically and the values within it can be used automatically within your aftersign script

@puresick

puresick commented Jun 5, 2019

@Kilian Thanks for the PR and the blogpost summarizing this.
There seems to be a bug with setting the { dmg: { sign: false } } option explicitly, because it gives me an error that this is an invalid configuration (with 20.43.0):

Error: Configuration is invalid.
 - configuration.dmg should be one of these:
   object { artifactName?, background?, backgroundColor?, contents?, format?, icon?, iconSize?, iconTextSize?, internetEnabled?, publish?, title?, window? } | {
     "type": "null"
   }
   macOS DMG options.
   
   Details:
    * configuration.dmg has an unknown property 'sign'. These properties are valid:
      object { artifactName?, background?, backgroundColor?, contents?, format?, icon?, iconSize?, iconTextSize?, internetEnabled?, publish?, title?, window? }
    * configuration.dmg should be null:
      {
        "type": "null"
      }

@Kilian
Contributor

Kilian commented Jun 5, 2019

@will-stone

will-stone commented Jun 5, 2019

@Kilian Thanks for the blog post. May I suggest that you change the recommendation of storing the appleIdPassword from an env var to keychain? It wouldn't take much for someone to write malicious code into a package that dumps all of your environment variables and uploads them to a malicious actor. Using keychain will prompt the user to unlock it when running the notarize script, and at least there's some protection there before it's exposed.

@Kilian
Contributor

Kilian commented Jun 6, 2019

@will-stone Thanks, I've added a reference to https://github.com/electron-userland/electron-notarize#safety-when-using-appleidpassword

@BertholetDamien

Thanks @Kilian for the guide ! It's really good.

Just a little thing, there is a little mistake into the notarize.js script (you declare electronPlatformName after using it).

@vkolova

vkolova commented Jun 28, 2019

@Kilian , great guide! We tried it, but it didn't work for us.
We got as far as *** Error: To use this application, you must first sign in to iTunes Connect and sign the relevant contracts. and then we got stuck, because the developer is signed in in Application Launcher in Xcode, but we don't want to upload and release our application in the App Store (as the Launcher prompts us?).

We also tried disabling dmg signing and tried with no notarization, but then still get the unverified developer message. We used electron-builder@20.44.4. Any ideas on where to go from this?

@pliablepixels

pliablepixels commented Mar 7, 2020

Does anyone know how to trigger afterSign just for mac? I have a multi platform build

Trying to put it inside the mac block results in an error

 "mac": {
      "category": "productivity",
      "target": "dmg",
      "icon": "icon.png",
      "entitlements": "build/entitlements.mac.plist",
      "entitlementsInherit": "build/entitlements.mac.plist",
      "hardenedRuntime": true,
      "gatekeeperAssess": false,
      "afterSign": "electron_js/notarize.js"
    },

Error:

  - configuration.mac has an unknown property 'afterSign'. These properties are valid: 
object { appId?, artifactName?, asar?, asarUnpack?, binaries?, bundleShortVersion?, bundleVersion?, category?, compression?, cscInstallerKeyPassword?, cscInstallerLink?, cscKeyPassword?, cscLink?, darkModeSupport?, detectUpdateChannel?, electronLanguages?, electronUpdaterCompatibility?, entitlements?, entitlementsInherit?, extendInfo?, extraDistFiles?, extraFiles?, extraResources?, fileAssociations?, files?, forceCodeSigning?, gatekeeperAssess?, generateUpdatesFilesForAllChannels?, hardenedRuntime?, helperBundleId?, helperEHBundleId?, helperGPUBundleId?, helperNPBundleId?, helperPluginBundleId?, helperRendererBundleId?, icon?, identity?, minimumSystemVersion?, protocols?, provisioningProfile?, publish?, releaseInfo?, requirements?, target?, type? }

I am running 22.4.0 of electron-builder and as per the docs, I can add common configuration items inside mac.

@jwheare
Contributor

jwheare commented Mar 7, 2020

You can bail out of the script if it’s not being run for Mac (darwin) artifacts. See https://github.com/irccloud/irccloud-desktop/blob/master/scripts/afterSign.js#L7

@pliablepixels

Thanks. That is how I’ve set it up for now. Would have preferred a cleaner way but good for now.

@XRenSiu

XRenSiu commented Apr 8, 2020

> Does anyone know how to trigger afterSign just for mac? I have a multi platform build
>
> Trying to put it inside the mac block results in an error
>
>  "mac": {
>       "category": "productivity",
>       "target": "dmg",
>       "icon": "icon.png",
>       "entitlements": "build/entitlements.mac.plist",
>       "entitlementsInherit": "build/entitlements.mac.plist",
>       "hardenedRuntime": true,
>       "gatekeeperAssess": false,
>       "afterSign": "electron_js/notarize.js"
>     },
>
> Error:
>
>   - configuration.mac has an unknown property 'afterSign'. These properties are valid: 
> object { appId?, artifactName?, asar?, asarUnpack?, binaries?, bundleShortVersion?, bundleVersion?, category?, compression?, cscInstallerKeyPassword?, cscInstallerLink?, cscKeyPassword?, cscLink?, darkModeSupport?, detectUpdateChannel?, electronLanguages?, electronUpdaterCompatibility?, entitlements?, entitlementsInherit?, extendInfo?, extraDistFiles?, extraFiles?, extraResources?, fileAssociations?, files?, forceCodeSigning?, gatekeeperAssess?, generateUpdatesFilesForAllChannels?, hardenedRuntime?, helperBundleId?, helperEHBundleId?, helperGPUBundleId?, helperNPBundleId?, helperPluginBundleId?, helperRendererBundleId?, icon?, identity?, minimumSystemVersion?, protocols?, provisioningProfile?, publish?, releaseInfo?, requirements?, target?, type? }
>
> I am running 22.4.0 of electron-builder and as per the docs, I can add common configuration items inside mac.

{
"appId":"xxxx",
"afterSign":"electron_js/notarize.js",
"mac":{}
}

@b-zurg
Contributor

b-zurg commented Apr 11, 2020

> The recommended guide suggests not signing/notarizing the dmg but that's not what apple recommends ( sign/notarize the top container).
> Looks like things can break if dmg is not notarized but from what I've read in the thread there's still not a quick way to do it with electron-builder. Am I wrong?
>
> update:
>
> I could successfully notarize the dmg (I'm also notarizing the app in a separate step) by adding a hook after all artifacts were built and calling a modified version of electron-notarize (one that does not zip the dmg file before sending it to apple servers).
>
> The process changes the dmg file so blockmap and update files have to be updated, however it's possible to notarize and not stapling leaving the dmg file intact (this still works but users without connection will see apple warnings)
>
> The modified electron-notarize in case someone else needs it.
> https://github.com/hugozap/electron-notarize-dmg

Have you successfully updated the blockmap? I'm not sure how to do that part.

@hugozap

hugozap commented Apr 11, 2020

>> The recommended guide suggests not signing/notarizing the dmg but that's not what apple recommends ( sign/notarize the top container).
>> Looks like things can break if dmg is not notarized but from what I've read in the thread there's still not a quick way to do it with electron-builder. Am I wrong?
>> update:
>> I could successfully notarize the dmg (I'm also notarizing the app in a separate step) by adding a hook after all artifacts were built and calling a modified version of electron-notarize (one that does not zip the dmg file before sending it to apple servers).
>> The process changes the dmg file so blockmap and update files have to be updated, however it's possible to notarize and not stapling leaving the dmg file intact (this still works but users without connection will see apple warnings)
>> The modified electron-notarize in case someone else needs it.
>> https://github.com/hugozap/electron-notarize-dmg
>
> Have you successfully updated the blockmap? I'm not sure how to do that part.

I'm only notarizing the app and dmg, not the blockmap. Updates are working fine.

@psukhanov

> The recommended guide suggests not signing/notarizing the dmg but that's not what apple recommends ( sign/notarize the top container).
> Looks like things can break if dmg is not notarized but from what I've read in the thread there's still not a quick way to do it with electron-builder. Am I wrong?
>
> update:
>
> I could successfully notarize the dmg (I'm also notarizing the app in a separate step) by adding a hook after all artifacts were built and calling a modified version of electron-notarize (one that does not zip the dmg file before sending it to apple servers).
>
> The process changes the dmg file so blockmap and update files have to be updated, however it's possible to notarize and not stapling leaving the dmg file intact (this still works but users without connection will see apple warnings)
>
> The modified electron-notarize in case someone else needs it.
> https://github.com/hugozap/electron-notarize-dmg

Have you tested this on macOS 10.14.5? I'm still running into the "Apple cannot check it for malicious software" message when trying to open a signed, notarized .dmg on that os version.

and
spctl --assess --type open --context context:primary-signature --verbose myapp.dmg
rejects with source=Unnotarized Developer ID

I'm tempted to go with Kilian's suggestion of not signing/notarizing the .dmg, but also worried this will break in future os versions :'(

@hugozap

hugozap commented May 16, 2020

>> The recommended guide suggests not signing/notarizing the dmg but that's not what apple recommends ( sign/notarize the top container).
>> Looks like things can break if dmg is not notarized but from what I've read in the thread there's still not a quick way to do it with electron-builder. Am I wrong?
>> update:
>> I could successfully notarize the dmg (I'm also notarizing the app in a separate step) by adding a hook after all artifacts were built and calling a modified version of electron-notarize (one that does not zip the dmg file before sending it to apple servers).
>> The process changes the dmg file so blockmap and update files have to be updated, however it's possible to notarize and not stapling leaving the dmg file intact (this still works but users without connection will see apple warnings)
>> The modified electron-notarize in case someone else needs it.
>> https://github.com/hugozap/electron-notarize-dmg
>
> Have you tested this on macOS 10.14.5? I'm still running into the "Apple cannot check it for malicious software" message when trying to open a signed, notarized .dmg on that os version.
>
> and
> spctl --assess --type open --context context:primary-signature --verbose myapp.dmg
> rejects with source=Unnotarized Developer ID
>
> I'm tempted to go with Kilian's suggestion of not signing/notarizing the .dmg, but also worried this will break in future os versions :'(

It worked for me on Mojave and it's working on Catalina. I'm using this (Note that for the dmg I'm not stapling the file, and using https://github.com/hugozap/electron-notarize-dmg)

This runs in the afterAllArtifactBuildHook

  return await notarize({
    appBundleId: config.build.appId,
    dmgPath: dmgPath,
    appleId: process.env.APPLEID,
    appleIdPassword: process.env.APPLEIDPASS,
    staple: false
  });

( Note: The dmg was created with an already notarized .app bundle - The .app bundle was notarized with the default electron-notarize package )

@psukhanov

@hugozap gotcha, thanks! It looks like the critical piece for me is to not .zip the .dmg, as electron-notarize does by default (and as you show in your fork). 👍🤩

I assume the reason for that is because Apple's notary service then assumes that the .zip is the top-level package you will distribute in (in which case you should still be able to distribute the .zip without issue?) In any case, thanks for the help!

@michaelpeterlee

@Kilian blog post works for our project. We are now missing the app icon, however.

@alex-paterson

Since adding notarization, my MAS app is immediately exiting with no error message on MacOS versions older than Catalina. Detail here electron/electron#24423

@tudiantuan

I confirm I've been able to notarize my Electron app by following this great article https://kilianvalkhof.com/2019/electron/notarizing-your-electron-application/ by @Kilian (thanks @Kilian !)

My setup:

  • electron: 4.2.x
  • electron-builder: 20.44.4
  • electron-notarize: 0.2.1

Can you show file package.json?

@stakauskas

Anyone facing issues on 10.15.7? I have app signed / notarized which works on 10.13.6 and 10.15.6, but on 10.15.7 it gives the message of:

"app" can't be opened because Apple cannot check it for malicious software.

@johnnysparav

I have managed to notarize, sign and build .dmg by using electron-builder by following this guide:
https://david.dev/how-to-notarize-your-electron-app/

@codemanki

@stakauskas i experience the same problem now. Did you manage to resolve this issue?

@thomasdarde

We have an electron app containing other binaries and working from 10.3 to 11.0 (big sur).
It was a true pain in .. but it now works fine.

An important step was to use https://gist.github.com/harshitsilly/a1bd5a405f93966aad20358ae6c4cec5
to create the zip , the one created by electron-notarize was not valid.

Also copying the zip via scp to another computer was maybe an issue (I'm not sure of this), but passing via an http hosting was fine.

Last: the binary contained in our app had to be signed via command line , not in xcode. We use electron-notarize v 1.0.0, good luck

@stakauskas

> @stakauskas i experience the same problem now. Did you manage to resolve this issue?

Unfortunately - no. Still looking for a solution. Will check what @thomasdarde suggested.

@maitham

maitham commented Nov 19, 2020

Notarization seems to fail for me due to extra python .so files . Any ideas as to why, I assume they're not being picked up by electron builder. We've binarised our python files using Pyinstaller and included them in the Resources/main

  "build": {
    "asar": true,
    "afterSign": "scripts/notarize.js",
    "appId": "com.plato.app",
    "productName": "Plato",
    "directories": {  
      "buildResources": "resources"  
    },
    "mac": {
      "hardenedRuntime": true,
      "target": "dmg",
      "icon": "assets/app-icon.icns",
      "entitlements": "./build/entitlements.mac.plist",
      "entitlementsInherit": "build/entitlements.mac.plist"
    },
    "dmg": {
      "sign": false
    },
    "files": [
      "!models",
      "!main",
      "!bin",
      "!.env"
    ],
    "extraFiles": [
      {
        "from": "bin",
        "to": "Resources/bin"
      },
      {
        "from": "assets",
        "to": "Resources/assets"
      },
      {
        "from": "./main",
        "to": "Resources/main"
      },
      {
        "from": "./models",
        "to": "Resources/models"
      }
    ]
  }

@thomasdarde

@maitham did you try to sign manually the .so files before notarizing the whole folder ?

codesign -s "Developer ID Application: XXXXX" --options=runtime --force --timestamp filepath
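
An added example (not part of this thread) for finding every Mach-O file in a bundle, including ones copied in through extraFiles, so that each can be signed with the codesign command above before the app itself is signed and notarized. The directory tree is constructed for the demonstration, and `listMachOFiles` and `buildConstructedBundle` are hypothetical helpers.

```javascript
const fs = require("fs");
const os = require("os");
const path = require("path");

// First four bytes of Mach-O files: thin 32/64-bit binaries in both byte
// orders, then fat (universal) binaries. Java .class files share "cafebabe",
// so review hits that are not native code.
const MACHO_MAGICS = new Set([
  "feedface", "feedfacf", "cefaedfe", "cffaedfe", "cafebabe", "bebafeca",
]);

// Identify by content, not extension: .so, .dylib, .node and extensionless
// executables all need a signature.
function isMachO(file) {
  const fd = fs.openSync(file, "r");
  try {
    const head = Buffer.alloc(4);
    const read = fs.readSync(fd, head, 0, 4, 0);
    return read === 4 && MACHO_MAGICS.has(head.toString("hex"));
  } finally {
    fs.closeSync(fd);
  }
}

// Walk a bundle and return its Mach-O files, deepest paths first, so nested
// code is signed before the code that encloses it.
function listMachOFiles(root) {
  const found = [];
  (function walk(dir) {
    for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
      const full = path.join(dir, entry.name);
      // Framework bundles contain symlinks (Versions/Current); following
      // them would list the same binary twice.
      if (entry.isSymbolicLink()) continue;
      if (entry.isDirectory()) walk(full);
      else if (entry.isFile() && isMachO(full)) found.push(full);
    }
  })(root);
  const depth = (p) => p.split(path.sep).length;
  return found.sort((a, b) => depth(b) - depth(a) || a.localeCompare(b));
}

// Constructed sample tree standing in for an .app with extra resources.
function buildConstructedBundle() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), "bundle-"));
  const write = (rel, bytes) => {
    const full = path.join(root, rel);
    fs.mkdirSync(path.dirname(full), { recursive: true });
    fs.writeFileSync(full, bytes);
  };
  write("Contents/MacOS/App", Buffer.from("cafebabe00000002", "hex"));
  write("Contents/Resources/main/_ssl.so", Buffer.from("cffaedfe07000001", "hex"));
  write("Contents/Resources/main/config.json", Buffer.from("{}"));
  write("Contents/Resources/models/weights.bin", Buffer.from("0001", "hex"));
  return root;
}

const demoRoot = buildConstructedBundle();
console.log(listMachOFiles(demoRoot).map((f) => path.relative(demoRoot, f)));
```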

@nokvai

nokvai commented Jan 19, 2021

I'm trying to build a .pkg for "mas".
I'm also facing the same issue on mac os 11.1.
It seems like electron-builder cannot sign the following binaries...
These are the logs given by apple:

"issues":[
   {
      "severity":"error",
      "code":null,
      "path":"MonsterVoIP_Desktop_Phone-1.18.55-mac.pkg",
      "message":"The binary is not signed with a valid Developer ID certificate.",
      "docUrl":null,
      "architecture":null
   },
   {
      "severity":"error",
      "code":null,
      "path":"MonsterVoIP_Desktop_Phone-1.18.55-mac.pkg/com.monstervoip.desktopphone.pkg Contents/Payload/Applications/MonsterVoIP Desktop Phone.app/Contents/MacOS/MonsterVoIP Desktop Phone",
      "message":"The binary is not signed with a valid Developer ID certificate.",
      "docUrl":null,
      "architecture":"x86_64"
   },
   {
      "severity":"error",
      "code":null,
      "path":"MonsterVoIP_Desktop_Phone-1.18.55-mac.pkg/com.monstervoip.desktopphone.pkg Contents/Payload/Applications/MonsterVoIP Desktop Phone.app/Contents/Resources/app.asar.unpacked/node_modules/7zip-bin/mac/7za",
      "message":"The binary is not signed with a valid Developer ID certificate.",
      "docUrl":null,
      "architecture":"x86_64"
   },
   {
      "severity":"error",
      "code":null,
      "path":"MonsterVoIP_Desktop_Phone-1.18.55-mac.pkg/com.monstervoip.desktopphone.pkg Contents/Payload/Applications/MonsterVoIP Desktop Phone.app/Contents/Resources/app.asar.unpacked/node_modules/electron-builder-squirrel-windows/node_modules/app-builder-bin/mac/app-builder",
      "message":"The binary is not signed with a valid Developer ID certificate.",
      "docUrl":null,
      "architecture":"x86_64"
   },
   {
      "severity":"error",
      "code":null,
      "path":"MonsterVoIP_Desktop_Phone-1.18.55-mac.pkg/com.monstervoip.desktopphone.pkg Contents/Payload/Applications/MonsterVoIP Desktop Phone.app/Contents/Resources/app.asar.unpacked/node_modules/app-builder-bin/mac/app-builder",
      "message":"The binary is not signed with a valid Developer ID certificate.",
      "docUrl":null,
      "architecture":"x86_64"
   },
   {
      "severity":"error",
      "code":null,
      "path":"MonsterVoIP_Desktop_Phone-1.18.55-mac.pkg/com.monstervoip.desktopphone.pkg Contents/Payload/Applications/MonsterVoIP Desktop Phone.app/Contents/Frameworks/MonsterVoIP Desktop Phone Helper (GPU).app/Contents/MacOS/MonsterVoIP Desktop Phone Helper (GPU)",
      "message":"The binary is not signed with a valid Developer ID certificate.",
      "docUrl":null,
      "architecture":"x86_64"
   },

@nokvai

nokvai commented Jan 20, 2021

I hope this will work.
Code signing after mas file was built using electron-builder to upload on apple store via transporter:

#!/bin/bash

APP="Test Electron Desktop App"

APP_PATH="dist/mas/$APP.app"

RESULT_PATH="dist/mas/$APP-mac_store.pkg"

APP_KEY="3rd Party Mac Developer Application: My Company Name (*******)"
INSTALLER_KEY="3rd Party Mac Developer Installer: My Company Name (********)"

PARENT_PLIST="build/entitlements.mas.plist"
CHILD_PLIST="build/entitlements.mas.inherit.plist"
LOGINHELPER_PLIST="build/entitlements.mas.loginhelper.plist"
FRAMEWORKS_PATH="$APP_PATH/Contents/Frameworks"
RESOURCES_PATH="$APP_PATH/Contents/Resources"

codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/Electron Framework.framework/Versions/A/Libraries/libvk_swiftshader.dylib"
codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/Electron Framework.framework/Versions/A/Libraries/libEGL.dylib"
codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/Electron Framework.framework/Versions/A/Libraries/libswiftshader_libEGL.dylib"
codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/Electron Framework.framework/Versions/A/Libraries/libGLESv2.dylib"
codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/Electron Framework.framework/Versions/A/Libraries/libswiftshader_libGLESv2.dylib"
codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/Electron Framework.framework/Versions/A/Libraries/libffmpeg.dylib"

codesign -s "$APP_KEY" --options runtime -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/ReactiveCocoa.framework/Versions/A/ReactiveCocoa"
codesign -s "$APP_KEY" --options runtime -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/Mantle.framework/Versions/A/Mantle"

codesign -s "$APP_KEY" --options runtime -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/Test Electron Desktop App Helper (Renderer).app/Contents/MacOS/Test Electron Desktop App Helper (Renderer)"
codesign -s "$APP_KEY" --options runtime -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/Test Electron Desktop App Helper.app/Contents/MacOS/Test Electron Desktop App Helper"
codesign -s "$APP_KEY" --options runtime -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/Test Electron Desktop App Helper (GPU).app/Contents/MacOS/Test Electron Desktop App Helper (GPU)"
codesign -s "$APP_KEY" --options runtime -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/Test Electron Desktop App Helper (Plugin).app/Contents/MacOS/Test Electron Desktop App Helper (Plugin)"

codesign -s "$APP_KEY" --options runtime -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/Electron Framework.framework/Versions/A/Electron Framework"
codesign -s "$APP_KEY" --options runtime -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/Electron Framework.framework/Versions/A/Helpers/chrome_crashpad_handler"

codesign -s "$APP_KEY" --options runtime -f --entitlements "$CHILD_PLIST" "$RESOURCES_PATH/app.asar.unpacked/node_modules/electron-builder-squirrel-windows/node_modules/app-builder-bin/mac/app-builder"
codesign -s "$APP_KEY" --options runtime -f --entitlements "$CHILD_PLIST" "$RESOURCES_PATH/app.asar.unpacked/node_modules/7zip-bin/mac/7za"
codesign -s "$APP_KEY" --options runtime -f --entitlements "$CHILD_PLIST" "$RESOURCES_PATH/app.asar.unpacked/node_modules/app-builder-bin/mac/app-builder"

codesign -s "$APP_KEY" --options runtime -f --entitlements "$CHILD_PLIST" "$APP_PATH/Contents/MacOS/$APP"

codesign -s "$APP_KEY" -f --entitlements "$PARENT_PLIST" "$APP_PATH"

productbuild --component "$APP_PATH" /Applications --sign "$INSTALLER_KEY" "$RESULT_PATH"

@andrew-mclachlan

I added a wee script to my build notarize.js

require("dotenv").config();
const { notarize } = require("electron-notarize");

exports.default = async function notarizing(context) {
  const { electronPlatformName, appOutDir } = context;
  if (
    electronPlatformName !== "darwin" ||
    !process.env.APPLEID ||
    !process.env.APPLEIDPASS
  ) {
    console.log(
      "Not running notarize. Platform is not macOS or environment not set up."
    );
    return;
  }

  const appName = context.packager.appInfo.productFilename;

  return await notarize({
    appBundleId: "com.myapp.greatapp",
    appPath: `${appOutDir}/${appName}.app`,
    appleId: process.env.APPLEID,
    appleIdPassword: process.env.APPLEIDPASS
  });
};

and an entry to my package.json

"build": {
 ...
 "afterSign": "scripts/notarize.js",
...
 },

I set APPLEID and APPLEIDPASS in my environment.

@mmaietta
Collaborator

mmaietta commented Mar 5, 2021

Closing this issue. There are so many resources/articles available on how to notarize the app through a simple Google search for "electron-notarize" or for writing a custom script yourself, electron-notarize also being a 3rd-party module, and the afterSign hook functions as designed.

@mmaietta mmaietta closed this as completed Mar 5, 2021
@mmaietta mmaietta unpinned this issue Mar 5, 2021
@alexgurr

>> @stakauskas i experience the same problem now. Did you manage to resolve this issue?
>
> Unfortunately - no. Still looking for a solution. Will check what @thomasdarde suggested.

I too have this issue with two different electron apps. Successful building + notarization but still unable to open because the developer cannot be verified.

@Vishal1419

@Kilian @develar
First of all, thanks for the hard work that you guys are doing for the community. I will always be thankful to the community for helping developers like me to find the correct solutions.

After following Kilian's blog, I am able to successfully sign and notarize my app.

Now, I want to distribute .pkg instead of .dmg
But it seems that there is no option to skip signing for .pkg
Can you please guide me on either how to sign and notarize .pkg or how can I skip it?

Currently, when my users try to open .pkg, they get this error:
[image]
