electron: Electron broken on OS X in Apple Sandboxed apps (App Store)

🍎 Not sure if this is related to the Chromium itself. I’ve been trying and successfully packed and signed my app, but still there are logs in console like:

12/19/15 9:45:14.000 PM kernel[0]: Sandbox: Electron Helper(15181) deny(1) mach-lookup org.chromium.Chromium.rohitfork.15175
12/19/15 9:45:14.000 PM kernel[0]: Sandbox: Electron Helper(15181) deny(1) mach-lookup org.chromium.Chromium.iosurfacemgr.15175
12/19/15 9:45:15.520 PM sandboxd[326]: ([15176]) Electron Helper(15176) deny mach-lookup org.chromium.Chromium.rohitfork.15175
12/19/15 9:45:15.574 PM sandboxd[326]: ([15176]) Electron Helper(15176) deny mach-lookup org.chromium.Chromium.iosurfacemgr.15175
12/19/15 9:45:15.926 PM sandboxd[326]: ([15177]) Electron Helper(15177) deny mach-lookup org.chromium.Chromium.rohitfork.15175
12/19/15 9:45:15.958 PM sandboxd[326]: ([15177]) Electron Helper(15177) deny mach-lookup org.chromium.Chromium.iosurfacemgr.15175
12/19/15 9:45:16.742 PM sandboxd[326]: ([15178]) Electron Helper(15178) deny mach-lookup org.chromium.Chromium.rohitfork.15175
12/19/15 9:45:16.773 PM sandboxd[326]: ([15178]) Electron Helper(15178) deny mach-lookup org.chromium.Chromium.iosurfacemgr.15175
12/19/15 9:45:16.946 PM sandboxd[326]: ([15180]) Electron Helper(15180) deny mach-lookup org.chromium.Chromium.rohitfork.15175
12/19/15 9:45:16.977 PM sandboxd[326]: ([15180]) Electron Helper(15180) deny mach-lookup org.chromium.Chromium.iosurfacemgr.15175

The following extract from my entitlements doesn’t seem to work. I guess that wildcards may not be accepted; however, the * bits keep changing every time I execute the application.

<key>com.apple.security.temporary-exception.mach-lookup.global-name</key>
<array>
  <string>org.chromium.Chromium.rohitfork.*</string>
  <string>org.chromium.Chromium.iosurfacemgr.*</string>
</array>

May there be any fixes on this in future releases? P.S.: I’ve found that the sandboxed app runs much slower and has some issues (like jittering graphics, the best way I could describe it). Again, I guess it is related to the denials from sandboxing. Thanks!

About this issue

  • State: closed
  • Created 9 years ago
  • Comments: 109 (58 by maintainers)

Most upvoted comments

For people watching this issue, you can just follow the latest guide to get Electron sandboxed for Mac App Store, there is no need to wait for next release.

The key change is adding an entry to entitlements:

    <key>com.apple.security.temporary-exception.sbpl</key>
    <string>(allow mach-lookup (global-name-regex #"^org.chromium.Chromium.rohitfork.[0-9]+$"))</string>
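
One way to check Console denials like those in the original post against the entitlement entries discussed in this thread, as an added example (not code from Electron or from any commenter): it parses the denial lines, splits off the per-launch numeric suffix, and reports which denied names an entry leaves uncovered. The log lines are constructed in the issue's format; comparing `global-name` entries as exact strings and evaluating the `global-name-regex` body with JavaScript's `RegExp` are assumptions.

```javascript
// Constructed sample in the format of the Console lines quoted in the issue.
const SAMPLE_LOG = [
  '12/19/15 9:45:14.000 PM kernel[0]: Sandbox: Electron Helper(15181) deny(1) mach-lookup org.chromium.Chromium.rohitfork.15175',
  '12/19/15 9:45:15.574 PM sandboxd[326]: ([15176]) Electron Helper(15176) deny mach-lookup org.chromium.Chromium.iosurfacemgr.15175',
  '12/19/15 9:45:15.926 PM sandboxd[326]: ([15177]) Electron Helper(15177) deny mach-lookup org.chromium.Chromium.rohitfork.15175',
  '12/19/15 9:45:16.000 PM sandboxd[326]: unrelated line without a denial',
].join('\n');

// Covers both shapes: kernel "deny(1) mach-lookup" and sandboxd "deny mach-lookup".
const DENY_RE = /\((\d+)\) deny(?:\(\d+\))? mach-lookup (\S+)/;

// Extract { helperPid, name, stem, suffix } for every mach-lookup denial.
function parseDenials(logText) {
  const out = [];
  for (const line of logText.split('\n')) {
    const m = DENY_RE.exec(line);
    if (!m) continue;
    // Split off the trailing numeric label that changes on every launch.
    const parts = /^(.*)\.(\d+)$/.exec(m[2]);
    const [stem, suffix] = parts ? [parts[1], parts[2]] : [m[2], null];
    out.push({ helperPid: Number(m[1]), name: m[2], stem, suffix });
  }
  return out;
}

// Return the distinct denied names that no entitlement entry covers.
// literals: mach-lookup.global-name entries, compared as exact strings (assumption).
// patterns: global-name-regex bodies, evaluated with JS RegExp (approximation).
function uncoveredNames(denials, literals, patterns) {
  const regexes = patterns.map((p) => new RegExp(p));
  const names = [...new Set(denials.map((d) => d.name))];
  return names.filter((n) => !literals.includes(n) && !regexes.some((r) => r.test(n)));
}

// Distinct service stems, i.e. the names an anchored pattern has to be written for.
function deniedStems(denials) {
  return [...new Set(denials.map((d) => d.stem))].sort();
}

const denials = parseDenials(SAMPLE_LOG);
console.log(deniedStems(denials));
console.log(uncoveredNames(denials, ['org.chromium.Chromium.rohitfork.*'], []));
console.log(uncoveredNames(denials, [], ['^org.chromium.Chromium.rohitfork.[0-9]+$']));
```

Feeding it a real Console export shows at a glance whether every denied service stem has a matching entry before the app is re-signed.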

@zcbenz Lemme try to get set up with building custom libchromiumcontent and I’ll have a go tomorrow

@sethlu My app also started freezing when sandboxed after updating Electron from v1.1.0 to 1.2.0. The problem went away after I upgraded electron-packager to the latest version and I added com.apple.security.application-groups and ElectronTeamID keys as described in the updated MAS submission guide.

FYI: I submitted an app (electron 0.37.3) with these changes and it got approved.

This is a super important bug for us at Slack, we’ll probably have a look at this soon

@sethlu Remember, many node.js / web devs have no idea about PLists so, being Opinionated and just filling out everything for them from the package.json info might be A Better Thing (as long as people can opt-out and choose their own way of course) - I would assume the input Info.plist is junk / incorrectly configured and prioritize info in package.json as much as possible

It would be real neat if electron-osx-sign handled fixing up entitlements automatically /cc @sethlu

sad thing I need API introduced at 0.36.11 and can’t just use old mas build. any workaround ideas?

Just tested some of the recent releases of Electron:

  • Electron v0.36.x darwin builds all work very well.
  • Electron v0.36.x mas builds work with some glitch in graphics after sandboxed (I assume with CSS transitions and animations, or for things related to GPU)?
  • Electron v0.37.0 darwin/mas fails to start (fixed in v0.37.1).
  • Electron v0.37.1 darwin build has some glitch like that in Electron v0.36.x mas builds (before and after code signed for distribution).
  • Electron v0.37.1 mas build has some glitch like that in Electron v0.36.x mas builds; however, it fails to load after sandboxed?

okay, I found what kills app when it is signed http://electron.atom.io/docs/all/#appmakesingleinstancecallback shouldQuit === true in this example from old official doc:

const shouldQuit = app.makeSingleInstance(() => {
  const {mainWindow} = state
  // Someone tried to run a second instance, we should focus our window
  if (mainWindow) showMainWindow()
  return true
})

if (shouldQuit) quit()

@sethlu it looks like it is same as here: electron-userland/electron-osx-sign/issues/59 any update on that problem?

@sethlu as I said, my app after being signed can’t run and exits after launch; the same thing happens in App Store reviews. And sandboxing still raises questions from the App Store; here is the answer:

Performance - 2.1

We noticed that with a valid receipt installed, your app quits on launch. The Console reports the app “Exited with exit code: 173” and the OS states the app “is damaged and can’t be opened”. This generally indicates that the app is not verifying its receipt correctly.

Next Steps

Please revise your app and test it to ensure that it runs as expected.

Performance - 2.4.5

We’ve determined that one or more temporary entitlement exceptions requested for this app are not appropriate and will not be granted:

com.apple.security.temporary-exception.sbpl - (allow mach-lookup (global-name-regex #"^org.chromium.Chromium.rohitfork.[0-9]+$"))

We understand this may prevent the app from being approved for the Mac App Store. We encourage you to investigate other ways of implementing the desired functionality.

@tyv I suspect a lot of people are getting caught up here: https://github.com/electron-userland/electron-osx-sign/blob/master/index.js#L155, which seems to require them to half fill-out their PList file. electron-osx-sign should just have a --mas option that does everything

@sethlu - looks like one of the node modules that’s a required dependency is being ignored by electron-packager, the regex that used to work --ignore=.+\.o$ is now including anything that ends with o, rather than .o, which caused an uncaught javascript error (really need to look into how to handle those properly 😃 ) . changing it up to --ignore=.+\\.o$ fixed that, and it now works! 🎉

So now I guess the question is, from here, what do I need to change up to be able to submit it to the app store? I’m guessing I don’t include the provisionprofile?

Thanks for all your help!

@jpittner The app should be launched correctly I think… May you try adding the following into your main.js, or equivalent, script someplace after the window’s created, just to confirm some web page is shown?

mainWindow.webContents.openDevTools()

If the dev tools show, the loaded page should be found somewhere in the panels. Otherwise we may have to think about some other resolutions to this issue.

@sethlu just a white screen, no spinning cursor. In fact can access the App menu (which just has Quit) and can quit.