
Code signing on MacOS should skip text files #6085

Closed
rpatrick00 opened this issue Jul 23, 2021 · 6 comments
Comments

@rpatrick00

  • Electron-Builder Version: 22.11.7
  • Node Version: 14.17.3
  • Electron Version: 12.0.14
  • Electron Type (current, beta, nightly): current
  • Target: MacOS

Our electron-based application is embedding installations of two other open source projects (not set up for Electron) that include a mixture of binary and text files (e.g., json files that the application expects to be at a fixed location and cannot be moved because it is the knowledge-base that drives the application behavior and is internal to the application). In trying to use electron-builder's MacOS code signing support (following https://www.electron.build/code-signing), we get an error when trying to sign the application due to the first non-binary file it finds (e.g., a JSON file, a LICENSE file, etc.).

While electron-osx-sign appears to have a -ignore option, it doesn't seem to be exposed by electron-builder. It would be a HUGE usability improvement to be able to tell electron-builder to exclude any non-binary file it finds in the application being signed. At an absolute minimum, the -ignore=path option of electron-osx-sign should be surfaced, but this option seems pretty limiting, so it would be better to support something where the user could either enumerate the files to skip (or, even better, electron-builder just figured it out).

@mmaietta
Collaborator

It seems to be exposed already but as signIgnore, and it appears it also is undocumented. (Our documentation is seriously out of date, but I've yet to understand how it's generated nor how to make it more easily maintainable during PR changes)

Anyways, signIgnore accepts an array of regexp
https://github.com/electron-userland/electron-builder/blob/master/packages/app-builder-lib/src/macPackager.ts#L230

Additionally, we upgraded electron-osx-sign in #6021. Please try 'next' @ 22.11.10 (hopefully soon to be latest)

@rpatrick00
Author

rpatrick00 commented Jul 25, 2021

Thanks, I upgraded to 22.11.10. For whatever reason, the ignore() function does not appear to be called on every file. For example, my signIgnore snippet is:

```yaml
mac:
  signIgnore:
    - '\.txt$'
    - '\.json$'
  category: Utility
  target: dmg
  darkModeSupport: false
  type: development
  hardenedRuntime: true
  gatekeeperAssess: false
  entitlements: build/entitlements.mac.plist
dmg:
  sign: false
```

Through instrumentation of the ignore() function, I can see the ignore() function is being called for many different files (and the regex testing is being invoked properly). Unfortunately, signing is still failing on a file that matches one of the signIgnore regular expressions but the ignore() function was never called for the file /Users/rpatrick/Projects/wktui/dist/mac/WebLogic Kubernetes Toolkit UI.app/Contents/THIRD_PARTY_LICENSES.txt.

```text
  ⨯ Command failed: codesign --sign 68307094FC5A34F9222D288F9ECAA8303C6B037E --force --timestamp --options runtime --entitlements build/entitlements.mac.plist /Users/rpatrick/Projects/wktui/dist/mac/WebLogic Kubernetes Toolkit UI.app/Contents/MacOS/WebLogic Kubernetes Toolkit UI
/Users/rpatrick/Projects/wktui/dist/mac/WebLogic Kubernetes Toolkit UI.app/Contents/MacOS/WebLogic Kubernetes Toolkit UI: code object is not signed at all
In subcomponent: /Users/rpatrick/Projects/wktui/dist/mac/WebLogic Kubernetes Toolkit UI.app/Contents/THIRD_PARTY_LICENSES.txt
```

In doing some experimentation, here is what I have found:

  1. Files in the root MyApp.app/Contents directory cannot be filtered (i.e., the ignore() function is never called for them).
  2. Files in the subdirectories of MyApp.app/Contents are already being filtered (e.g., the ignore() function is never called for MyApp.app/Contents/tools/weblogic-deploy/LICENSE.txt but code signing is skipping the file automatically).

Assuming I am not missing something, I am not sure I understand the rationale for this seemingly inconsistent behavior.
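As an added example (not code from this thread, electron-builder or @electron/osx-sign), a small pre-flight check that applies signIgnore-style regexp strings to a bundle listing and flags matches that sit directly in Contents/, where the observations above say the ignore() callback is never consulted; the bundle paths and app name are constructed:

```javascript
// Added example; not code from electron-builder, @electron/osx-sign or this thread.
// Pre-flight check: apply electron-builder-style signIgnore patterns to a bundle
// listing and flag matches that sit directly in Contents/, where the thread's
// observations say the ignore() callback is never consulted.

// Turn the signIgnore array (regexp strings, as written in electron-builder.yml)
// into one predicate: any match means "skip this file".
function makeIgnore(signIgnore) {
  const regexps = signIgnore.map((p) => (p instanceof RegExp ? p : new RegExp(p)));
  return (file) => regexps.some((re) => re.test(file));
}

// True when `file` sits directly under <Bundle>.app/Contents/ (no further subdirectory).
function isDirectlyInContents(file) {
  const parts = file.split("/");
  const idx = parts.indexOf("Contents");
  return idx >= 0 && parts.length === idx + 2;
}

// Classify bundle paths into:
//   ignored            matched a pattern and is in a subdirectory of Contents/
//   unfilterableMatch  matched a pattern but is directly in Contents/, so the
//                      match has no effect and codesign will still see the file
//   toSign             matched nothing
function classifyBundleFiles(files, signIgnore) {
  const ignore = makeIgnore(signIgnore);
  const out = { ignored: [], unfilterableMatch: [], toSign: [] };
  for (const file of files) {
    if (!ignore(file)) out.toSign.push(file);
    else if (isDirectlyInContents(file)) out.unfilterableMatch.push(file);
    else out.ignored.push(file);
  }
  return out;
}

// Constructed sample listing (hypothetical app name) and the patterns from the YAML above.
const SAMPLE_FILES = [
  "MyApp.app/Contents/MacOS/MyApp",
  "MyApp.app/Contents/THIRD_PARTY_LICENSES.txt",
  "MyApp.app/Contents/tools/weblogic-deploy/LICENSE.txt",
  "MyApp.app/Contents/Resources/tools/knowledge-base/model.json",
  "MyApp.app/Contents/Frameworks/Electron Framework.framework/Electron Framework",
];
const SIGN_IGNORE = ["\\.txt$", "\\.json$"];

const REPORT = classifyBundleFiles(SAMPLE_FILES, SIGN_IGNORE);
for (const f of REPORT.unfilterableMatch) {
  console.warn(`warning: ${f} matches signIgnore but is directly in Contents/; expect codesign to stop on it`);
}
console.log(JSON.stringify(REPORT, null, 2));
```

Run it against the real output of `find MyApp.app -type f` to see which matches will be honoured before invoking the signing step.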

@mmaietta
Collaborator

mmaietta commented Jul 26, 2021

Unfortunately, the rationale was defined by the electron team themselves. They own the upstream dependency that electron-builder is using:
https://github.com/electron/electron-osx-sign

As a hack for you, you could try adding the --deep flag to the signing flow; it's kind of a shotgun approach for signing files without worrying about order/hierarchy. I think that could work.
Here's the patch file you can apply: electron-osx-sign+0.5.0.patch. (You can use patch-package to persist the changes in your repo for every npm install)

diff --git a/node_modules/electron-osx-sign/sign.js b/node_modules/electron-osx-sign/sign.js
index e227c0e..bf159b2 100644
--- a/node_modules/electron-osx-sign/sign.js
+++ b/node_modules/electron-osx-sign/sign.js
@@ -145,6 +145,7 @@ function signApplicationAsync (opts) {
 
       var args = [
         '--sign', opts.identity.hash || opts.identity.name,
+        '--deep',
         '--force'
       ]
       if (opts.keychain) {
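Review bot: `'--deep'` is hardcoded into the base `args` array, so every codesign invocation issued by `signApplicationAsync` gets it, with no way for a caller to opt out; gate it behind an option (e.g. `opts.deep`, a hypothetical name) instead of unconditionally inserting it, since Apple's notarization guidance advises against `--deep` and recommends signing nested code inside-out explicitly. It is also unclear from this hunk alone whether `--deep` changes how the unfiltered `Contents/*.txt` files are treated, so the fix should be verified against the exact `code object is not signed at all` failure quoted above rather than assumed.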

@stale

stale bot commented Oct 2, 2021

Is this still relevant? If so, what is blocking it? Is there anything you can do to help move it forward?

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

@ferenc-a

Can the new additionalArguments option in v25.0.0-alpha.8 spare the patching for --deep now?

@mmaietta
Collaborator

mmaietta commented Jun 2, 2024

Yes, it should be able to handle that directly now with additionalArguments: ['--deep']. Haven't used it myself yet, though, but that's the example in the @electron/osx-sign package IIRC.
