Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

App Crash after electron-builder 22.2.0 MAS build #4553

Closed
danieldoddjr opened this issue Dec 23, 2019 · 39 comments
Closed

App Crash after electron-builder 22.2.0 MAS build #4553

danieldoddjr opened this issue Dec 23, 2019 · 39 comments
Labels

Comments

@danieldoddjr
Copy link

electron-builder 22.2.0

  • Version:

MAS

  • Target:

I am trying to build for Mac App Store. All other builds work except MAS. It looks like all went well with signing but when I open the app I get a immediate crash. Here is the report...

Exception Type: EXC_BAD_ACCESS (Code Signature Invalid)
Exception Codes: 0x0000000000000032, 0x00000e4470682040
Exception Note: EXC_CORPSE_NOTIFY

Termination Reason: Namespace CODESIGNING, Code 0x2

What can be done to resolve this issue?

@danieldoddjr
Copy link
Author

danieldoddjr commented Dec 23, 2019

After adding "hardenedRuntime": false it opens without error. When I try to upload it to the app store I get this error...

ERROR ITMS-90296: "App sandbox not enabled. The following executables must include the "com.apple.security.app-sandbox" ...

@danieldoddjr
Copy link
Author

danieldoddjr commented Dec 23, 2019

Got it!

package.json

"mac": {
      "target": "mas",
      "hardenedRuntime": false,
      "gatekeeperAssess": false,
      "identity": null,
      "category": "public.app-category.lifestyle",
      "icon": "assets/mac/icon.icns"
    },
    "mas": {
      "entitlements": "build/entitlements.mac.plist",
      "entitlementsInherit": "build/entitlements.mac.inherit.plist",
      "provisioningProfile": "**profile_name**.provisionprofile"
    }

entitlements.mac.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.application-groups</key>
    <array>
      <string>**devId.appId**</string>
    </array>
    
    <key>com.apple.security.network.client</key>
    <true/>
  </dict>
</plist>

entitlements.mac.inherit.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.inherit</key>
    <true/>
  </dict>
</plist>

Hope this helps someone out there!

@steve981cr
Copy link

Was about to post the same question before I saw this. But sadly this didn't work for me either. It builds the app and I can launch it from the build/mac folder. But when I try to submit it to App Store connect using their Transporter app it fails saying Code Signing Invalid and Missing Required Icon even though the icon is there in the right place in the right format.

@danieldoddjr
Copy link
Author

danieldoddjr commented Dec 31, 2019

I bet your really close. The icon is actually a collection of different sizes in one file. I had the same issue and got it worked out...

electron/osx-sign#217

@steve981cr
Copy link

steve981cr commented Dec 31, 2019

Thanks for the tip on the icon. Per your link I fixed the icon issue. And I got the other errors fixed. Honestly I don't know what was the cause of the others. I just started the whole process over from scratch with new certificates and provisioning profiles and it worked after that. I am going to post an issue that the MAS submission process be documented. I scoured the web and couldn't find any up-to-date instructions on the whole process. Wasted lots of time on it.

@abhish3kk
Copy link

My electron app works fine before singing by the script provided here.

However, after signing the app, the app can no longer access the network. Also, if I try to submit the app through Transporter I get this issue

ERROR ITMS-90296: "App sandbox not enabled. The following executables must include the "com.apple.security.app-sandbox" entitlement with a Boolean value of true in the entitlements property list:

Upon checking few comments and troubleshooting for last two days I can confirm that my plists are fine and all of them include

<key>com.apple.security.app-sandbox</key>
<true/>

Also I tried, electron/osx-sign#192 (comment).

My assumption is, after singing in the app, the pkg is losing its entitlements.

Is there something I might be doing wrong?

build script in package.json

"build": {
    "appId": "xxx.xxx.xxxx",
    "productName": "XXX XXX XXX,
    "win": {
      "target": "nsis"
    },
    "mac": {
      "icon": "resources/icon.icns",
      "target": "mas",
      "hardenedRuntime": true,
      "gatekeeperAssess": false,
      "identity": null,
      "category": "public.app-category.business",
      "entitlementsInherit": "build/entitlements.mac.inherit.plist",
      "type": "distribution"
    },
    "mas": {
      "entitlements": "build/entitlements.mac.plist",
      "entitlementsInherit": "build/entitlements.mac.inherit.plist",
      "provisioningProfile": "xxxxxxxxxxxxx.provisionprofile"
    },
    "asar": false
  },

entitlements

CHILD_PLIST="build/entitlements.mac.inherit.plist"

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.inherit</key>
    <true/>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
  </dict>
</plist>

PARENT_PLIST="build/entitlements.mac.plist"

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.application-groups</key>
    <array>
      <string>xxxxxx.xxx.xxxxxxx.xxxxxxx.xxxxxx</string>
    </array>
    <key>com.apple.security.files.user-selected.read-only</key>
    <true/>
    <key>com.apple.security.files.user-selected.read-write</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
    <key>com.apple.security.personal-information.location</key>
    <true/>
    <key>com.apple.security.cs.allow-jit</key>
    <true/>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
    <true/>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
  </dict>
</plist>

LOGINHELPER_PLIST="entitlements.mas.loginhelper.plist"

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
  </dict>
</plist>

Packages used:

"electron": "^7.1.7",
 "electron-builder": "^22.2.0",
"electron-packager": "^14.1.1",

@kellerchch
Copy link

thanks for posting your fixes @danieldoddjr and @steve981cr. Similar but different, we are struggling to find a fix to our electron build issue #4602 Do you have any ideas? And, we'd be willing to hire the right dev to help us get a fix if you know of one. Thanks.

@steve981cr
Copy link

@kellerchch
I put together a step by step process for Electron apps submitted to the Mac App Store. It's not completely done but it may help you. This is the starting point and looking at the error you mentioned I would follow these steps and it may fix it.
ELECTRON-MAS-SUBMISSION-GUIDE.txt

@kellerchch
Copy link

Thank you @steve981cr for replying with that link. I'll work with Wali who is my developer doing the work and we'll step through your instructions. :-)

@steve981cr
Copy link

Great, let me know if that solves it for you. One thing I didn't include but is critical is you have to use Electron version 5.0.13 or 6.1.7 or your app will be rejected for use of private APIs. These two versions are patched to not use private APIs when building for the MAS. Electron version 7 does not have these patches. These are considered a temporary fix and the Electron team is working on a permanent solution.

@jitinl
Copy link

jitinl commented Mar 23, 2020

Release notes for Electron 8.0.2 include "Fixed Electron apps getting rejected to Mac App Store." electron/electron#22298

@ghost
Copy link

ghost commented Apr 25, 2020

I followed the steps provided by @abhish3kk , no matter what I do... the app file after code sign crash.
I get:
"Exception Type: EXC_CRASH (Code Signature Invalid)"
I tried the RB App CHecker
It says "The profile does NOT match the application's Team ID (XXXXXXXX)!"

My package.json has these

"mac": {
  "category": "public.app-category.developer-tools",
  "target": [ "mas" ],
  "icon": "build/app.icns",
  "provisioningProfile": "embedded.provisionprofile",
  "entitlements": "build/entitlements.mas.plist",
  "entitlementsInherit": "build/entitlements.mas.inherit.plist",
  "hardenedRuntime": false
},

I am using...
"electron": "8.2.3",
"electron-builder": "^22.5.1",

Any one can help please ?

@Faksprod
Copy link

Faksprod commented Apr 30, 2020

Same problem here. I had my fingers crossed when trying the step by step signing solution for the mas/ folder from @danieldoddjr and @abhish3kk but I still get the error Exception Type: EXC_CRASH (Code Signature Invalid). No error message thrown from the Terminal during signing process.

  • electron-builder  version=22.6.0 os=19.4.0
  • loaded configuration  file=package.json ("build" field)
  • description is missed in the package.json  appPackageFile=/Applications/MAMP/htdocs/webapp/app-electron/package.json
  • packaging       platform=mas arch=x64 electron=8.2.4 appOutDir=build/mas
  • signing         file=build/mas/superApp.app identityName=Developer ID Application: COMPANY_NAME (TEAM_ID) identityHash=XXXXXXXXXXXX04555B8B0FXXXXXXXXXX provisioningProfile=none
  • signing         file=build/mas/superApp.app identityName=3rd Party Mac Developer Application: COMPANY_NAME (TEAM_ID) identityHash=XXXXXXXXXXXX677A48XXXXXXXXXXXX provisioningProfile=xxxxxxxxxxxx.provisionprofile

If I try to sign my app for local testing to the mac/ folder (with "target":"dmg"), I get a different error type which is Exception Type: EXC_BAD_ACCESS (Code Signature Invalid). Any ideas about the difference between EXC_CRASH and EXC_BAD_ACCESS?

I'm using:
"electron": "^8.2.4"
"electron-builder": "^22.6.0"

My Certificates, Identifiers & Profiles are well installed and up to date (I revoked and redone the all process to be sure). Entitlements files are there too.
My package.json is:

"build": {
       "appId": "xxx.xxxxxxxxxxxx.xxx",
        "productName": "SuperApp",
        "mac":{
            "target":"mas",
            "hardenedRuntime": false,
            "gatekeeperAssess": false,
            "type":"distribution",
            "identity": "COMPANY_NAME (TEAM_ID)",
            "category": "public.app-category.music-games",
            "icon": "icons.icns",
            "minimumSystemVersion":"10.9.0",
            "electronLanguages":["en","fr","it","pt_BR","es","zh_TW","ja","de","tr","pl","ar","hi","ta","te","vi","id","ms","th","bn","nb","ko","ru","zh_CN"],
            "extendInfo": {
                "ITSAppUsesNonExemptEncryption": false,
                "CFBundleVersion": "0.1.7"
            }
        },
        "mas":{
            "provisioningProfile": "xxxxxxxxxxxx.provisionprofile",
            "entitlements": "build/entitlements.mac.plist",
            "entitlementsInherit": "build/entitlements.mac.inherit.plist"
        }
}

(of course XXXXXX and COMPANY_NAME (TEAM_ID) are replaced in my code with correct values).

Any ideas would be very very welcome! Thanks.

@Faksprod
Copy link

Faksprod commented Apr 30, 2020

I just tried to sign my app with the method explained on the Electron Github using a bash script. No error thrown during signing process (so I guess it is signed?)

/Applications/test/build/mas/mySuperApp.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Electron Framework: replacing existing signature
/Applications/test/build/mas/mySuperApp.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libffmpeg.dylib: replacing existing signature
/Applications/test/build/mas/mySuperApp.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libnode.dylib: No such file or directory
/Applications/test/build/mas/mySuperApp.app/Contents/Frameworks/Electron Framework.framework: replacing existing signature
/Applications/test/build/mas/mySuperApp.app/Contents/Frameworks/mySuperApp Helper.app/Contents/MacOS/mySuperApp Helper: replacing existing signature
/Applications/test/build/mas/mySuperApp.app/Contents/Frameworks/mySuperApp Helper.app/: replacing existing signature
/Applications/test/build/mas/mySuperApp.app/Contents/Library/LoginItems/mySuperApp Login Helper.app/Contents/MacOS/mySuperApp Login Helper: replacing existing signature
/Applications/test/build/mas/mySuperApp.app/Contents/Library/LoginItems/mySuperApp Login Helper.app/: replacing existing signature
/Applications/test/build/mas/mySuperApp.app/Contents/MacOS/mySuperApp: replacing existing signature
/Applications/test/build/mas/mySuperApp.app: replacing existing signature
productbuild: Adding component at /Applications/test/build/mas/mySuperApp.app
productbuild: Signing product with identity "3rd Party Mac Developer Installer: COMPANY_NAME (TEAM_ID)" from keychain /Users/myName/Library/Keychains/login.keychain-db
productbuild: Adding certificate "Apple Worldwide Developer Relations Certification Authority"
productbuild: Adding certificate "Apple Root CA"
productbuild: Wrote product to /Users/myName/Desktop/mySuperApp.pkg
productbuild: Supported OS versions: [10.9.0, )

I get my app.pkg and apparently it is signed. If I try to install this PKG on my Mac, installation succeed, but impossible to find the app (no ideas in what folder it goes)...

So I tried on a second Mac -> open the PKG -> installation succeed -> I can find the app in the Applications folder -> open it -> app crashes -> crashlog: Exception type: EXC_BAD_INSTRUCTION (SIGILL)

Any help/advises would be (hugely) appreciate. Thanks!

@Faksprod
Copy link

Faksprod commented May 4, 2020

I spent 4 days trying to sign my Electron app (without Notarization process) for the MAS (Mac App Store) distribution with electron-builder...
By cross-checking helpful documentation found here (Electron Mac App Store Submission) and here I finally found a way for building and signing MAS .app+.pkg files without crashes at launch and getting validation from the App Store Connect without any problems (hurray!).

Very important: my test succeed ONLY using these versions:

    "electron": "^5.0.13",
    "electron-builder": "^21.2.0"

If you don't use these versions, I can't promise anything... Here you can find Electron version history list and Electron-builder version history list (if you still want to try different versions combination).

Here is the step by step solution who worked for me, I really hope it could help some of you to not tear your hair off like I did.


Restart process from a clean base

To be sure that app's crashes I got after signing process wasn't due to my app code or because of my Certificats and Provisioning profiles, I restart all the process from scratch.

Certificats, identifiers and Provisioning profile

This step has always been complicated and blurry for me. Never sure about what I am doing clearly during this process... So I removed every Certificats, Identifiers and Provisioning profiles from my App Store Connect interface, removed local certificats from my Keychain Access, and re-did it again. I followed the below steps using the App Store Connect interface:

• Generate and install new Certificates
• Generate a new Identifier (com.myCompany.superApp).
• Register my Device (my Mac 10.15.4).
• Generate a Provisioning profile for Distribution to the Mac App Store connected to my Identifier.

Electron quick start

To be sure my own app code wasn't the source of my problems, I restarted from a clean project.

I clone the official electron-quick-start app. I install it in my MAMP root folder from the Terminal:

# Go to the folder you want
cd /Applications/MAMP/
# Clone this repository
git clone https://github.com/electron/electron-quick-start
# Go into the repository
cd electron-quick-start
# Install dependencies
npm install

The electron-quick-start app use by default the latest version of Electron (which is 8.2.5 today). So I have to downgrade it:

npm i electron@5.0.13 --save-dev

Then I install the right version of electron-builder

npm i electron-builder@21.2.0 --save-dev

Now my package.json and root folder looks like below:

{
  "name": "electron-quick-start",
  "version": "1.0.0",
  "description": "A minimal Electron application",
  "main": "main.js",
  "scripts": {
    "start": "electron ."
  },
  "devDependencies": {
    "electron": "^5.0.13",
    "electron-builder": "^21.2.0"
  }
}

Capture d’écran 2020-05-04 à 12 56 52
Just to be sure, I test a npm run start to see if the app runs correctly. The app runs, let's continue.


Adding files in the build folder

Now I create a build/ folder to my root directory in which I add the following files:
Capture d’écran 2020-05-04 à 13 00 19

embedded.provisionprofile is the Provisioning profile generated and downloaded from the App Store Connect which makes reference to my Identifier com.myCompany.superApp.
-> Rename your Provisioning profile by embedded.provisionprofile.

entitlements.mas.plist contains:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>com.apple.security.app-sandbox</key>
        <true/>
        <key>com.apple.security.application-groups</key>
        <array>
            <string>TEAM_ID.com.myCompany.superApp</string>
        </array>    
    </dict>
</plist>

-> You have to replace TEAM_ID and com.myCompany.superApp with your own informations.

entitlements.mas.inherit.plist contains:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>com.apple.security.app-sandbox</key>
        <true/>
        <key>com.apple.security.inherit</key>
	<true/>
    </dict>
</plist>

entitlements.mas.loginhelper.plist contains:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>com.apple.security.app-sandbox</key>
        <true/>
    </dict>
</plist>

resignAndPackage.sh is a bash script needed to re-sign the SuperApp.app and for generating a valid PKG file. First, electron-builder will do its job (building+signing) like usually, which will create a .app and .pkg in the dist/mas/ folder. Then, the resignAndPackage.sh bash script will be called. It will target the SuperApp.app, re-signed it then create a valid PKG from it. This new PKG will be use for the MAS submission.

#!/bin/bash

printf "......................\nresignAndPackage start\n\n"

# Name of your app.
APP="SuperApp"
# Your Certificate name.
CERT="COMPANY_NAME (TEAM_ID)"
# The path of your app to sign.
APP_PATH="/Applications/MAMP/electron-quick-start/dist/mas/$APP.app"
# The path to the location you want to put the signed package.
RESULT_PATH="/Applications/MAMP/electron-quick-start/dist/mas/$APP-mac_store.pkg"
# The name of certificates you requested.
APP_KEY="3rd Party Mac Developer Application: $CERT"
INSTALLER_KEY="3rd Party Mac Developer Installer: $CERT"
# The path of your plist files.
PARENT_PLIST="build/entitlements.mas.plist"
CHILD_PLIST="build/entitlements.mas.inherit.plist"
LOGINHELPER_PLIST="build/entitlements.mas.loginhelper.plist"
FRAMEWORKS_PATH="$APP_PATH/Contents/Frameworks"
codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/Electron Framework.framework/Versions/A/Electron Framework"
codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/Electron Framework.framework/Versions/A/Libraries/libffmpeg.dylib"
codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/Electron Framework.framework/Libraries/libffmpeg.dylib"
codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/Electron Framework.framework"
codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/$APP Helper.app/Contents/MacOS/$APP Helper"
codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/$APP Helper.app/"
codesign -s "$APP_KEY" -f --entitlements "$LOGINHELPER_PLIST" "$APP_PATH/Contents/Library/LoginItems/$APP Login Helper.app/Contents/MacOS/$APP Login Helper"
codesign -s "$APP_KEY" -f --entitlements "$LOGINHELPER_PLIST" "$APP_PATH/Contents/Library/LoginItems/$APP Login Helper.app/"
codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$APP_PATH/Contents/MacOS/$APP"
codesign -s "$APP_KEY" -f --entitlements "$PARENT_PLIST" "$APP_PATH"
productbuild --component "$APP_PATH" /Applications --sign "$INSTALLER_KEY" "$RESULT_PATH"

printf "\nresignAndPackage end\n......................\n"

-> Replace CERT var with your own information.
-> Replace /Applications/MAMP/electron-quick-start/ with your own path.


Edit the package.json

Now I have to edit my package.json file with the right key/value for script and build so electron-builder can do the job. My package.json looks like:

{
  "name": "electron-quick-start",
  "version": "1.0.0",
  "description": "A minimal Electron application",
  "main": "main.js",
  "scripts": {
    "start": "electron .",
    "build-mas": "electron-builder && bash build/resignAndPackage.sh"
  },
  "devDependencies": {
    "electron": "^5.0.13",
    "electron-builder": "^21.2.0"
  },
  "build": {

        "productName": "SuperApp",
        "appId": "com.myCompany.superApp",

        "mac":{
            "target":["mas"]
        },

        "mas":{
            "provisioningProfile": "build/embedded.provisionprofile",
            "entitlements": "build/entitlements.mas.plist",
            "entitlementsInherit": "build/entitlements.mas.inherit.plist"
        }
    }
}

Build + Sign + Re-Sign

From the Terminal you can now run (and cross your fingers :)

npm run build-mas

Your Terminal should return this:

> electron-quick-start@1.0.0 build-mas /Applications/MAMP/electron-quick-start
> electron-builder && bash build/resignAndPackage.sh

  • electron-builder  version=21.2.0 os=19.4.0
  • loaded configuration  file=package.json ("build" field)
  • author is missed in the package.json  appPackageFile=/Applications/MAMP/electron-quick-start/package.json
  • writing effective config  file=dist/builder-effective-config.yaml
  • packaging       platform=mas arch=x64 electron=5.0.13 appOutDir=dist/mas
  • default Electron icon is used  reason=application icon is not set
  • signing         file=dist/mas/SuperApp.app identityName=Developer ID Application: COMPANY_NAME (TEAM_ID) identityHash=XXXXXXXXXXXXXXXXXXXX provisioningProfile=none
  • signing         file=dist/mas/SuperApp.app identityName=3rd Party Mac Developer Application: COMPANY_NAME (TEAM_ID) identityHash=XXXXXXXXXXXXXXXXXXXX provisioningProfile=build/embedded.provisionprofile
......................
resignAndPackage start

/Applications/MAMP/electron-quick-start/dist/mas/SuperApp.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Electron Framework: replacing existing signature
/Applications/MAMP/electron-quick-start/dist/mas/SuperApp.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libffmpeg.dylib: replacing existing signature
/Applications/MAMP/electron-quick-start/dist/mas/SuperApp.app/Contents/Frameworks/Electron Framework.framework/Libraries/libffmpeg.dylib: replacing existing signature
/Applications/MAMP/electron-quick-start/dist/mas/SuperApp.app/Contents/Frameworks/Electron Framework.framework: replacing existing signature
/Applications/MAMP/electron-quick-start/dist/mas/SuperApp.app/Contents/Frameworks/SuperApp Helper.app/Contents/MacOS/SuperApp Helper: replacing existing signature
/Applications/MAMP/electron-quick-start/dist/mas/SuperApp.app/Contents/Frameworks/SuperApp Helper.app/: replacing existing signature
/Applications/MAMP/electron-quick-start/dist/mas/SuperApp.app/Contents/Library/LoginItems/SuperApp Login Helper.app/Contents/MacOS/SuperApp Login Helper: replacing existing signature
/Applications/MAMP/electron-quick-start/dist/mas/SuperApp.app/Contents/Library/LoginItems/SuperApp Login Helper.app/: replacing existing signature
/Applications/MAMP/electron-quick-start/dist/mas/SuperApp.app/Contents/MacOS/SuperApp: replacing existing signature
/Applications/MAMP/electron-quick-start/dist/mas/SuperApp.app: replacing existing signature
productbuild: Adding component at /Applications/MAMP/electron-quick-start/dist/mas/SuperApp.app
productbuild: Signing product with identity "3rd Party Mac Developer Installer: COMPANY_NAME (TEAM_ID)" from keychain /Users/YOU/Library/Keychains/login.keychain-db
productbuild: Adding certificate "Apple Worldwide Developer Relations Certification Authority"
productbuild: Adding certificate "Apple Root CA"
productbuild: Wrote product to /Applications/MAMP/electron-quick-start/dist/mas/SuperApp-mac_store.pkg
productbuild: Supported OS versions: [10.10.0, )

resignAndPackage end
......................

Asking electron-builder to build and sign your app without specifying an output folder for builds will create a new dist/ folder to your root directory.
This folder will now contains dist/mas/ folder containing your SuperApp.app (which can be open without crashing) and a SuperApp-mac_store.pkg (which can be used for MAS submission).
-> You can remove/delete the SuperApp-1.0.0.pkg.
Capture d’écran 2020-05-04 à 14 27 27
Capture d’écran 2020-05-04 à 14 27 42

Hope this can helps!

@ghost
Copy link

ghost commented May 8, 2020

Nope, same issue, it says invalid signature.

@Faksprod
Copy link

Faksprod commented May 8, 2020

Sorry for you. Are you sure about the Certificats, identifiers and Provisioning profile process? Did you double check in your Keychain Access that your Certificats are valid and up to date? From which macOS version are you trying?

@chenjuneking
Copy link

This work for me, with the latest electron-builder version(22.6.1), my os x version is 10.15.4

@lanistor
Copy link

@chenjuneking Could you show us your electron-builder's configuration and entitlements file? I tested in development using dev-provisioning-profile and failed again, with electron-builder version 22.6.1.

@chenjuneking
Copy link

@vifird

package.json

{
  "name": "myapp",
  // ...
  "build": {
    "productName": "myapp",
    "copyright": "xxx",
    "directories": {
      "buildResources": "./"
    },
    "files": [
      "!**/bin",
      "!**/build",
      "!**/*.sh"
    ],
    "mac": {
      "icon": "build/icon.icns",
      "target": [
        "mas"
      ],
      "provisioningProfile": "build/myapp.provisionprofile"
    },
    "appId": "my.app",
    "mas": {
      "entitlements": "build/entitlements.mas.plist",
      "entitlementsInherit": "build/entitlements.mas.inherit.plist"
    }
  }
}

entitlements.mas.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.application-groups</key>
    <array>
      <string>xxx.com.myapp</string>
    </array>
    <key>com.apple.security.network.client</key>
    <true/>
  </dict>
</plist>

entitlements.mas.inherit.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.inherit</key>
    <true/>
  </dict>
</plist>

entitlements.mas.loginhelper.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
  </dict>
</plist>

@lanistor
Copy link

@chenjuneking Thanks a lot. Have you used entitlements.mas.loginhelper.plist? I didn't see how to use it in electron-builder.
And the target you runned succded is mas target? How did you test the package? Have you tried mas-dev target?

I haven't test mas target with electron-builder 22.6.1, i tested mas-dev and it crashed.

@chenjuneking
Copy link

@vifird I didnot add entitlements.mas.loginhelper.plist into my configuration, so I dont think this file is necessary.
I test on a mac target before, when I decide to distribute my app to the OS X app store, I add a mas target. The mac target configuration as bellow:

{
  "name": "myapp",
  // ...
  "build": {
    "mac": {
      "icon": "build/icon.icns",
      "target": [
        "dmg",
        "zip"
      ],
      "publish": [
        {
          "provider": "generic",
          "url": "https://my/hot/update/url"
        }
      ],
      "provisioningProfile": "build/myapp.provisionprofile"
    },
    "dmg": {
      "icon": "build/icon.icns",
      "iconSize": 80
    }
  }
}

As you see, I didnot add any .plist on target mac, but it works.
So I think setting a entitlements.mas.plist and entitlements.mas.inherit.plist was only mas target needed.
Let me know if my understanding was wrong.

@lanistor
Copy link

@chenjuneking Yeah, it' right. So you build your mas target and push to AppStore directly? Has it approved?

@chenjuneking
Copy link

@vifird It's under review, not yet approved.

@lanistor
Copy link

@vifird It's under review, not yet approved.

Hard to say, let's waiting for Apple's reply.

@stale
Copy link

stale bot commented Jul 22, 2020

Is this still relevant? If so, what is blocking it? Is there anything you can do to help move it forward?

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

@stale stale bot added the backlog label Jul 22, 2020
@stale stale bot closed this as completed Jul 29, 2020
@bojanbizjak
Copy link

The app quits on launch (no crash logs produced) on MAS build (development or distribution).

"electron": "13.2.1",
"electron-builder": "22.11.7",

electron-builder.json

    "mac": {
        ...,
        "type": "development",
        "provisioningProfile": "build/GisMatrixApp_Development.provisionprofile",
        ...
    },
    "mas": {
        ...,
        "type": "development",
        "provisioningProfile": "build/GisMatrixApp_Development.provisionprofile",
        "hardenedRuntime": false,
        "gatekeeperAssess": false,
        ...
    }

@hisnameisjimmy
Copy link

@bojanbizjak same, I've been digging through so many github issues to try and understand the underlying cause. Did you ever resolve the issue?

@bojanbizjak
Copy link

@hisnameisjimmy Works with electron-builder v22.11.5.
It doesn't work with electron-builder >22.11.5 because I can't find a solution on how to sign sqlite3 libraries that electron-builder 22.11.5 signs correctly. Do you have any clues about this?

// MAS-DEV

{
    "appId": "com.gismatrix.app",
    "productName": "Gismatrix",
    "directories": {
        "output": "out",
        "buildResources": "build"
    },
    "files": [
        "dist"
    ],
    "mac": {
        "type": "development",
        "icon": "build/GM_1024x1024px.png",
        "category": "public.app-category.productivity",
        "extendInfo": {
            "ITSAppUsesNonExemptEncryption": "NO"   
        },
        "asarUnpack": [
            "**/*.node"
        ]
    },
    "masDev": {
        "type": "development",
        "provisioningProfile": "build/GisMatrixApp_Development.provisionprofile",
        "hardenedRuntime": false,
        "gatekeeperAssess": false,
        "category": "public.app-category.utilities",
        "entitlements": "build/entitlements.mas.plist",
        "entitlementsInherit": "build/entitlements.mas.inherit.plist"
    }
}

// MAS

{
    "appId": "com.gismatrix.app",
    "productName": "Gismatrix",
    "directories": {
        "output": "out",
        "buildResources": "build"
    },
    "files": [
        "dist"
    ],
    "mac": {
        "type": "distribution",
        "icon": "build/GM_1024x1024px.png",
        "artifactName": "${productName}-${version}-${os}.${ext}",
        "category": "public.app-category.productivity",
        "extendInfo": {
            "ITSAppUsesNonExemptEncryption": "NO"
        },
        "asarUnpack": [
            "**/*.node"
        ]
    },
    "mas": {
        "type": "distribution",
        "provisioningProfile": "build/GisMatrixApp_AppStore.provisionprofile",
        "hardenedRuntime": false,
        "gatekeeperAssess": false,
        "category": "public.app-category.utilities",
        "entitlements": "build/entitlements.mas.plist",
        "entitlementsInherit": "build/entitlements.mas.inherit.plist"
    }
}

@hisnameisjimmy
Copy link

I'm using electron-builder 23.0.8, and haven't been able to build something for Testflight (mas) or for local (mas-dev) that hasn't produced the same result (quit on launch).

When I look at the console, I see messages around unsatisfied entitlements and invalid signatures, but I'm not sure how to resolve them, as it looks like they're correct at the moment.

Some messages from console:
com.artdiario.artdiarioapp: Unsatisfied entitlements: com.apple.developer.team-identifier

mac_vnode_check_signature: /Users/xxxxxxx/Desktop/art-diario-electron/dist/mas-dev-arm64/ArtDiario.app/Contents/MacOS/ArtDiario: code signature validation failed fatally: When validating /Users/jimmyhooker/Desktop/art-diario-electron/dist/mas-dev-arm64/ArtDiario.app/Contents/MacOS/ArtDiario:
  Code has restricted entitlements, but the validation of its code signature failed.
Unsatisfied Entitlements:

proc 15974: load code signature error 4 for file "ArtDiario"

ASP: Security policy would not allow process: 15974, /Users/xxxxxxx/Desktop/art-diario-electron/dist/mas-dev-arm64/ArtDiario.app/Contents/MacOS/ArtDiario

I think next I'm going to regenerate all of my certificates and provisioning profiles and see if that does anything.

@garrettvercoe
Copy link

@hisnameisjimmy Also having similar issues. Will update if I can find a workaround. Please post any additional findings here if you're able!

@hisnameisjimmy
Copy link

I took a mental break as it's a side project and it was driving me crazy. Will report back in a couple weeks when I build the motivation to try again.

@spartygw
Copy link

spartygw commented Aug 1, 2022

@kellerchch
I put together a step by step process for Electron apps submitted to the Mac App Store. It's not completely done but it may help you. This is the starting point and looking at the error you mentioned I would follow these steps and it may fix it.
ELECTRON-MAS-SUBMISSION-GUIDE.txt

@steve981cr Thanks for putting together this guide. It has helped, but are you able to deploy to TestFlight? I can get builds up to the App Store but they are flagged "Not available for testing" with no other information available. I reached out to Apple support for more info and so far (3 days) no response as to why it's not letting me deploy via TestFlight.

@hisnameisjimmy
Copy link

@spartygw This might help you: #6856 (comment)

@ShongSu
Copy link

ShongSu commented Dec 15, 2022

@spartygw Have you figured it out how to enable it for TestFlight testing? My app was able to uploaded to app store connect via Transporter without errors. but the build is saying "Not available for testing" as yours. I got rejected by reviewer twice due to app crash when open.

@spartygw
Copy link

@ShongSu Sorry to say it but I never resolved the issue and spent way too much time on it. My solution is to drop electron.

@technotip
Copy link

technotip commented May 17, 2023

@ShongSu Sorry to say it but I never resolved the issue and spent way too much time on it. My solution is to drop electron.

Dropping electron sounds like the only solution, really.
The support has been pathetic so far. And nobody seems to have any clue about building the app for MAS. Just pathetic.

I finished building the app in 1 month, and it's been more than a month now trying to figure out how to build it for MAS. Nothing seems to work.

@xieerduos
Copy link

@ShongSu Sorry to say it but I never resolved the issue and spent way too much time on it. My solution is to drop electron.

Dropping electron sounds like the only solution, really. The support has been pathetic so far. And nobody seems to have any clue about building the app for MAS. Just pathetic.

I finished building the app in 1 month, and it's been more than a month now trying to figure out how to build it for MAS. Nothing seems to work.

哈哈哈

@pauljonescodes
Copy link

pauljonescodes commented Feb 27, 2024

@Faksprod thank you for the script, even though this whole process and debugging experience has been awful. For me to get a successful upload (whether it runs right remains to be seen), some additional codesigning was necessary as I suspect they've been added subsequently. I will paste the whole script for whatever other poor souls are out there trying to get this to work:

#!/bin/bash

printf "......................\nresignAndPackage start\n\n"

# Name of your app.
APP="Your Apps Name"
# Your Certificate name.
CERT="Your Name (Y0UR_T3AM_1D)"
# The path of your app to sign.
APP_PATH="./release/build/mas/$APP.app"
# The path to the location you want to put the signed package.
RESULT_PATH="./release/build/mas/$APP-mac_store.pkg"
# The name of certificates you requested.
APP_KEY="3rd Party Mac Developer Application: $CERT"
INSTALLER_KEY="3rd Party Mac Developer Installer: $CERT"
# The path of your plist files.
PARENT_PLIST="assets/entitlements.mas.plist"
CHILD_PLIST="assets/entitlements.mas.inherit.plist"
LOGINHELPER_PLIST="assets/entitlements.mas.loginhelper.plist"
FRAMEWORKS_PATH="$APP_PATH/Contents/Frameworks"
ELECTRON_FRAMEWORK_RESOURCES_PATH="$FRAMEWORKS_PATH/Electron Framework.framework/Versions/A/Resources"
RESOURCES_PATH="$APP_PATH/Contents/Resources"
PROVISIONING_PROFILE_PATH="$APP_PATH/Contents/embedded.provisionprofile"

# added begin
codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/$APP Helper (GPU).app/Contents/MacOS/$APP Helper (GPU)"
codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/$APP Helper (Renderer).app/Contents/MacOS/$APP Helper (Renderer)"
codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/$APP Helper (Plugin).app/Contents/MacOS/$APP Helper (Plugin)"
codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/Electron Framework.framework/Versions/A/Libraries/libEGL.dylib"
codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/Electron Framework.framework/Versions/A/Libraries/libvk_swiftshader.dylib"
codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/Electron Framework.framework/Versions/A/Libraries/libGLESv2.dylib"
find "$ELECTRON_FRAMEWORK_RESOURCES_PATH" -type f -exec codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" {} \;
find "$RESOURCES_PATH" -type f -exec codesign -s "$APP_KEY" -f --entitlements "$PARENT_PLIST" {} \;
codesign -s "$APP_KEY" -f --entitlements "$PARENT_PLIST" "$PROVISIONING_PROFILE_PATH"
# added end

codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/Electron Framework.framework/Versions/A/Libraries/libffmpeg.dylib"
codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/Electron Framework.framework/Libraries/libffmpeg.dylib"
codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/Electron Framework.framework"
codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/$APP Helper.app/Contents/MacOS/$APP Helper"
codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/$APP Helper.app/"
codesign -s "$APP_KEY" -f --entitlements "$LOGINHELPER_PLIST" "$APP_PATH/Contents/Library/LoginItems/$APP Login Helper.app/Contents/MacOS/$APP Login Helper"
codesign -s "$APP_KEY" -f --entitlements "$LOGINHELPER_PLIST" "$APP_PATH/Contents/Library/LoginItems/$APP Login Helper.app/"
codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$APP_PATH/Contents/MacOS/$APP"
codesign -s "$APP_KEY" -f --entitlements "$PARENT_PLIST" "$APP_PATH"
productbuild --component "$APP_PATH" /Applications --sign "$INSTALLER_KEY" "$RESULT_PATH"

printf "\nresignAndPackage end\n......................\n"

Edit: resources must be signed AND --deep is depracated, the following script resulted in a successful submission for me

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests