Executables within app.asar.unpacked are not being signed correctly in OSX 10.14.5

[dboakes]

• Version: 20.43.0

• Electron Updater Version: 4.0.6

• Target: Mac OSX 10.14.5

I have implemented the fix mentioned in issue #3828, also outlined here.

However, this isn't working for other binaries found within app.asar.unpacked. Before OSX 10.14.15, I had included a python binary which I had packed via pyinstaller, and this was then automatically signed by Electron Builder.

The error output states "Code signature found in [FILE_PATH]_ not valid for use in process using Library Validation: mapped file has no cdhash, completely unsigned? Code has to be at least ad-hoc signed."

I can see in the Contents folder of the app, that the CodeResources file contains keys for all the python binaries, but they don't seem to be recognised.

I have tried signing the files manually with codesign, which allowed the app to work on my mac, but when trying to open the app on another mac, it would get an error, as the package had been amended after being signed.

[yoannsark]

I had the same problem, that was fixed by adding com.apple.security.cs.disable-library-validation to plist file.

My electron builder configuration :

    "mac": {
      "hardenedRuntime": true,
      "gatekeeperAssess": false,
      "entitlements": "./mac_build_files/entitlements.mac.inherit.plist",
      "entitlementsInherit": "./mac_build_files/entitlements.mac.inherit.plist",
      "target": ["dmg"]
    },

My entitlements.mac.inherit.plist :

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.cs.allow-jit</key>
    <true/>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
    <true/>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
  </dict>
</plist>

2025 EDIT: can lead to security issues please check @balazserdeszlogmein comment

[dboakes]

Only just seen your comment. Updating the plist with your suggestions worked perfectly! Amazing cheers mate.

[julienma]

I had the same issue (with native node extension Keytar).
I don't know what are the pros/cons of adding too much, so I tried to add the minimum required to get it working, and this is what I ended up with:

  <dict>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
  </dict>

[jwheare]

I can confirm the same as @julienma, I didn't need the com.apple.security.cs.allow-dyld-environment-variables entitlement to fix this. Not sure if there are cases where it is needed, @yoannsark does your case work if you remove it? If so, might be worth removing it from the defaults added in 519bb47

[yoannsark]

Yes, com.apple.security.cs.allow-dyld-environment-variables is not necessary
The fix is just com.apple.security.cs.disable-library-validation

[dannypaz]

@Kilian you might need to update your article to include this, I was having an issue with entitlements following the guide (this is not to say that your guide is unappreciated)