osx-sign: App does not launch after sign - macOS 10.14.5 (Code Signature Invalid)

Development app does not launch after signing (macOS 10.14.5). It runs fine before signing.

Signing:

DEBUG=electron-osx-sign* electron-osx-sign "dist_electron/mas-dev/AppName.app" --platform=mas --type=development --identity="***@gmail.com (***)" --entitlements="entitlements.mas.plist" --entitlements-inherit="entitlements.mas.inherit.plist" --provisioning-profile="development.provisionprofile" --hardened-runtime
  electron-osx-sign electron-osx-sign@0.4.11 +0ms
  electron-osx-sign `identity` passed in arguments. +12ms
  electron-osx-sign Executing... security find-identity -v +0ms
  electron-osx-sign Identity: 
 > Name: Mac Developer: ***@gmail.com (***) 
 > Hash: F9E676C025F153B486DECA3F69881B389C905FAC +157ms
  electron-osx-sign Found 1 identity. +0ms
  electron-osx-sign Pre-sign operation enabled for provisioning profile: 
 * Disable by setting `pre-embed-previsioning-profile` to `false`. +1ms
  electron-osx-sign Pre-sign operation enabled for entitlements automation with versions >= `1.1.1`: 
 * Disable by setting `pre-auto-entitlements` to `false`. +0ms
  electron-osx-sign `provisioning-profile` passed in arguments. +0ms
  electron-osx-sign Executing... security cms -D -i development.provisionprofile +1ms
  electron-osx-sign Provisioning profile: 
 > Name: development 
 > Platforms: [ 'darwin', 'mas' ] 
 > Type: development 
 > Path: development.provisionprofile 
 > Message: { AppIDName: 'AppName Desktop Application',
  ApplicationIdentifierPrefix: [ 'xxx' ],
  CreationDate: 2019-07-19T16:37:31.000Z,
  Platform: [ 'OSX' ],
  IsXcodeManaged: false,
  DeveloperCertificates:
   [ <Buffer 30 82 05 8b 30 82 04 73 a0 03 02 01 02 02 08 61 3d dd 51 06 9a 11 6b 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 30 81 96 31 0b 30 09 06 03 55 04 06 ... 1373 more bytes> ],
  Entitlements:
   { 'com.apple.application-identifier': 'xxx.com.appname.AppName',
     'keychain-access-groups': [ 'xxx.*' ],
     'com.apple.developer.team-identifier': 'xxx' },
  ExpirationDate: 2020-07-18T16:37:31.000Z,
  Name: 'development',
  ProvisionedDevices: [ 'xxx' ],
  TeamIdentifier: [ 'xxx' ],
  TeamName: 'AppName AS',
  TimeToLive: 365,
  UUID: 'xxx',
  Version: 1 } +54ms
  electron-osx-sign Looking for existing provisioning profile... +5ms
  electron-osx-sign Found embedded provisioning profile: 
 * Please manually remove the existing file if not wanted. 
 * Current file at: dist_electron/mas-dev/AppName.app/Contents/embedded.provisionprofile +0ms
  electron-osx-sign Automating entitlement app group... 
 > Info.plist: dist_electron/mas-dev/AppName.app/Contents/Info.plist 
 > Entitlements: entitlements.mas.plist +0ms
  electron-osx-sign `ElectronTeamID` found in `Info.plist`: xxx +5ms
  electron-osx-sign `com.apple.application-identifier` found in entitlements file: xxx.com.appname.AppName +0ms
  electron-osx-sign `com.apple.developer.team-identifier` found in entitlements file: xxx +0ms
  electron-osx-sign `com.apple.security.application-groups` found in entitlements file: xxx.com.appname.AppName +0ms
  electron-osx-sign Entitlements file updated: 
 > Entitlements: /var/folders/zh/7d9c784d5mb2wd4tmmw6jj0m0000gn/T/tmp-entitlements-1c70-0.plist +7ms
  electron-osx-sign Signing application... 
 > Application: dist_electron/mas-dev/AppName.app 
 > Platform: mas 
 > Entitlements: /var/folders/zh/7d9c784d5mb2wd4tmmw6jj0m0000gn/T/tmp-entitlements-1c70-0.plist 
 > Child entitlements: entitlements.mas.inherit.plist 
 > Additional binaries: [] 
 > Identity: { name: 'Mac Developer: ***@gmail.com (***)',
  hash: 'F9E676C025F153B486DECA3F69881B389C905FAC' } +0ms
  electron-osx-sign Walking... dist_electron/mas-dev/AppName.app/Contents +12ms
  electron-osx-sign Signing... dist_electron/mas-dev/AppName.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Electron Framework +20ms
  electron-osx-sign Executing... codesign --sign F9E676C025F153B486DECA3F69881B389C905FAC --force --options runtime --entitlements entitlements.mas.inherit.plist dist_electron/mas-dev/AppName.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Electron Framework +0ms
  electron-osx-sign Signing... dist_electron/mas-dev/AppName.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libffmpeg.dylib +3s
  electron-osx-sign Executing... codesign --sign F9E676C025F153B486DECA3F69881B389C905FAC --force --options runtime --entitlements entitlements.mas.inherit.plist dist_electron/mas-dev/AppName.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libffmpeg.dylib +1ms
  electron-osx-sign Signing... dist_electron/mas-dev/AppName.app/Contents/Frameworks/Electron Framework.framework +170ms
  electron-osx-sign Executing... codesign --sign F9E676C025F153B486DECA3F69881B389C905FAC --force --options runtime --entitlements entitlements.mas.inherit.plist dist_electron/mas-dev/AppName.app/Contents/Frameworks/Electron Framework.framework +0ms
  electron-osx-sign Signing... dist_electron/mas-dev/AppName.app/Contents/Frameworks/AppName Helper.app/Contents/MacOS/AppName Helper +2s
  electron-osx-sign Executing... codesign --sign F9E676C025F153B486DECA3F69881B389C905FAC --force --options runtime --entitlements entitlements.mas.inherit.plist dist_electron/mas-dev/AppName.app/Contents/Frameworks/AppName Helper.app/Contents/MacOS/AppName Helper +0ms
  electron-osx-sign Signing... dist_electron/mas-dev/AppName.app/Contents/Frameworks/AppName Helper.app +121ms
  electron-osx-sign Executing... codesign --sign F9E676C025F153B486DECA3F69881B389C905FAC --force --options runtime --entitlements entitlements.mas.inherit.plist dist_electron/mas-dev/AppName.app/Contents/Frameworks/AppName Helper.app +0ms
  electron-osx-sign Signing... dist_electron/mas-dev/AppName.app/Contents/Library/LoginItems/AppName Login Helper.app/Contents/MacOS/AppName Login Helper +118ms
  electron-osx-sign Executing... codesign --sign F9E676C025F153B486DECA3F69881B389C905FAC --force --options runtime --entitlements entitlements.mas.inherit.plist dist_electron/mas-dev/AppName.app/Contents/Library/LoginItems/AppName Login Helper.app/Contents/MacOS/AppName Login Helper +1ms
  electron-osx-sign Signing... dist_electron/mas-dev/AppName.app/Contents/Library/LoginItems/AppName Login Helper.app +111ms
  electron-osx-sign Executing... codesign --sign F9E676C025F153B486DECA3F69881B389C905FAC --force --options runtime --entitlements entitlements.mas.inherit.plist dist_electron/mas-dev/AppName.app/Contents/Library/LoginItems/AppName Login Helper.app +0ms
  electron-osx-sign Signing... dist_electron/mas-dev/AppName.app/Contents/MacOS/AppName +114ms
  electron-osx-sign Executing... codesign --sign F9E676C025F153B486DECA3F69881B389C905FAC --force --options runtime --entitlements entitlements.mas.inherit.plist dist_electron/mas-dev/AppName.app/Contents/MacOS/AppName +1ms
  electron-osx-sign Signing... dist_electron/mas-dev/AppName.app +317ms
  electron-osx-sign Executing... codesign --sign F9E676C025F153B486DECA3F69881B389C905FAC --force --options runtime --entitlements /var/folders/zh/7d9c784d5mb2wd4tmmw6jj0m0000gn/T/tmp-entitlements-1c70-0.plist dist_electron/mas-dev/AppName.app +0ms
  electron-osx-sign Verifying... +295ms
  electron-osx-sign Verifying application bundle with codesign... +1ms
  electron-osx-sign Executing... codesign --verify --deep --strict --verbose=2 dist_electron/mas-dev/AppName.app +0ms
  electron-osx-sign Verified. +896ms
  electron-osx-sign Displaying entitlements... +0ms
  electron-osx-sign Executing... codesign --display --entitlements :- dist_electron/mas-dev/AppName.app +0ms
  electron-osx-sign Entitlements: 
 <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.application-identifier</key>
    <string>xxx.com.appname.AppName</string>
    <key>com.apple.developer.team-identifier</key>
    <string>xxx</string>
    <key>com.apple.security.application-groups</key>
    <array>
      <string>xxx.com.appname.AppName</string>
    </array>
    <key>com.apple.security.network.client</key>
    <true/>
  </dict>
</plist> +34ms
  electron-osx-sign Application signed. +1ms
  electron-osx-sign Application signed: dist_electron/mas-dev/AppName.app +0ms
Application signed: dist_electron/mas-dev/AppName.app

entitlements.mas.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.application-identifier</key>
    <string>XXX.com.appname.AppName</string>
    <key>com.apple.developer.team-identifier</key>
    <string>XXX</string>
    <key>com.apple.security.application-groups</key>
    <array>
      <string>XXX.com.appname.AppName</string>
    </array>
    <key>com.apple.security.network.client</key>
    <true/>
  </dict>
</plist>

entitlements.mas.inherit.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.inherit</key>
    <true/>
  </dict>
</plist>

Crash log:

Process:               AppName [7616]
Path:                  /Users/USER/Documents/*/AppName.app/Contents/MacOS/AppName
Identifier:            com.appname.AppName
Version:               ???
Code Type:             X86-64 (Native)
Parent Process:        ??? [1]
Responsible:           AppName [7616]
User ID:               501

Date/Time:             2019-07-19 20:40:41.462 +0200
OS Version:            Mac OS X 10.14.5 (18F132)
Report Version:        12
Anonymous UUID:        xxx-xxx-xxx-xxx-xxx


Time Awake Since Boot: 100000 seconds

System Integrity Protection: enabled

Crashed Thread:        0

Exception Type:        EXC_CRASH (Code Signature Invalid)
Exception Codes:       0x0000000000000000, 0x0000000000000000
Exception Note:        EXC_CORPSE_NOTIFY

Termination Reason:    Namespace CODESIGNING, Code 0x1

kernel messages:

VM Regions Near 0 (cr2):
--> 
    __TEXT                 00000001052d8000-0000000105301000 [  164K] r-x/rwx SM=COW  

Thread 0 Crashed:
0                                 	0x0000000112688000 _dyld_start + 0

Thread 0 crashed with X86 Thread State (64-bit):
  rax: 0x0000000000000000  rbx: 0x0000000000000000  rcx: 0x0000000000000000  rdx: 0x0000000000000000
  rdi: 0x0000000000000000  rsi: 0x0000000000000000  rbp: 0x0000000000000000  rsp: 0x00007ffeea927b08
   r8: 0x0000000000000000   r9: 0x0000000000000000  r10: 0x0000000000000000  r11: 0x0000000000000000
  r12: 0x0000000000000000  r13: 0x0000000000000000  r14: 0x0000000000000000  r15: 0x0000000000000000
  rip: 0x0000000112688000  rfl: 0x0000000000000200  cr2: 0x0000000000000000
  
Logical CPU:     0
Error Code:      0x00000000
Trap Number:     0


Binary Images:
       0x1052d8000 -        0x105300ff7 + (0) <3788637B-0A53-3737-B3B6-C827ABF3E314> 
       0x112687000 -        0x1126f16ef + (655.1.1) <CE635DB2-D47E-3C05-A0A3-6BD982E7E750> 

External Modification Summary:
  Calls made by other processes targeting this process:
    task_for_pid: 0
    thread_create: 0
    thread_set_state: 0
  Calls made by this process:
    task_for_pid: 0
    thread_create: 0
    thread_set_state: 0
  Calls made by all processes on this machine:
    task_for_pid: 3857626
    thread_create: 0
    thread_set_state: 0

VM Region Summary:
ReadOnly portion of Libraries: Total=776K resident=0K(0%) swapped_out_or_unallocated=776K(100%)
Writable regions: Total=8404K written=0K(0%) resident=0K(0%) swapped_out=0K(0%) unallocated=8404K(100%)
 
                                VIRTUAL   REGION 
REGION TYPE                        SIZE    COUNT (non-coalesced) 
===========                     =======  ======= 
STACK GUARD                       56.0M        1 
Stack                             8192K        1 
__DATA                             244K        4 
__LINKEDIT                         184K        2 
__TEXT                             592K        2 
shared memory                        8K        2 
===========                     =======  ======= 
TOTAL                             65.0M       12 


All certs and the provisioning profile were just created:

[Screenshot, 2019-07-19 20:19:08]

When trying to do the same with a plain project, I got another error: https://github.com/electron/electron-osx-sign/issues/199

But the plain project (electron-quick-start) without manual sign gives the same crash log as this one.

About this issue

  • State: closed
  • Created 5 years ago
  • Reactions: 11
  • Comments: 41 (7 by maintainers)

Most upvoted comments

While you are trying with the asar unpack things… I think it may be nice to summarize the discussion above:

  • For distribution inside the Mac App Store
    • App sandbox required
    • No need for notarization (probably just don’t bother doing this) – the app review process will check for the suspicious code, so there’s no need to check that manually again
  • For distribution outside the Mac App Store
    • App sandbox not required (probably just don’t bother doing this)
    • Notarization required (therefore hardened runtime as a requirement) – this checks for suspicious code (link to Apple documentation)
      • Since we’re in hardened runtime, there are exception entitlements we need to add for Electron, otherwise the app will break upon launch (note: no need to include the app sandbox entitlement entries if you’re not making the app sandboxed)
      • I haven’t confirmed this yet… but since we’re doing a custom codesigning workflow, we will need to include --timestamp when using codesign (electron-osx-sign --timestamp in the latest release should do this too)

This worked for me, which I used now temporarily instead of electron-osx-sign. All of these files should be placed in the root of the project.

Replace AppName, CompanyName (xxx) and /dist_electron/mas/$APP.app with your own.

sign-mas.sh

#!/bin/bash

CURRENT_PATH="$( cd "$(dirname "$0")" ; pwd -P )"

# Name of your app.
APP="AppName"
COMPANY_DEVELOPER_ID="CompanyName (xxx)"
# The path of your app to sign.
APP_PATH="$CURRENT_PATH/dist_electron/mas/$APP.app"
# The path to the location you want to put the signed package.
RESULT_PATH="$CURRENT_PATH/dist_electron/mas/$APP-Publish-Ready.pkg"

# The name of certificates you requested.
APP_KEY="3rd Party Mac Developer Application: $COMPANY_DEVELOPER_ID"
INSTALLER_KEY="3rd Party Mac Developer Installer: $COMPANY_DEVELOPER_ID"
# The path of your plist files.
CHILD_PLIST="$CURRENT_PATH/entitlements.mas.inherit.plist"
PARENT_PLIST="$CURRENT_PATH/entitlements.mas.plist"
LOGINHELPER_PLIST="$CURRENT_PATH/entitlements.mas.loginhelper.plist"

FRAMEWORKS_PATH="$APP_PATH/Contents/Frameworks"

codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/Electron Framework.framework/Versions/A/Electron Framework"
codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/Electron Framework.framework/Versions/A/Libraries/libffmpeg.dylib"
codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/Electron Framework.framework/Versions/A/Libraries/libnode.dylib"
codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/Electron Framework.framework"
codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/$APP Helper.app/Contents/MacOS/$APP Helper"
codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/$APP Helper.app/"
codesign -s "$APP_KEY" -f --entitlements "$LOGINHELPER_PLIST" "$APP_PATH/Contents/Library/LoginItems/$APP Login Helper.app/Contents/MacOS/$APP Login Helper"
codesign -s "$APP_KEY" -f --entitlements "$LOGINHELPER_PLIST" "$APP_PATH/Contents/Library/LoginItems/$APP Login Helper.app/"
codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$APP_PATH/Contents/MacOS/$APP"
codesign -s "$APP_KEY" -f --entitlements "$PARENT_PLIST" "$APP_PATH"

productbuild --component "$APP_PATH" /Applications --sign "$INSTALLER_KEY" "$RESULT_PATH"

entitlements.mas.loginhelper.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
  </dict>
</plist>

entitlements.mas.inherit.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.inherit</key>
    <true/>
  </dict>
</plist>

entitlements.mas.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.application-groups</key>
    <array>
      <string>XXX.com.appname.AppName</string>
    </array>
    <key>com.apple.security.network.client</key>
    <true/>
  </dict>
</plist>

Then run sh sign-mas.sh to create a valid file for publishing.

@johannesjo yeah I can sign and notarize the build without com.apple.security.app-sandbox. Works fine for distribution outside MAS.

This issue is specifically for MAS. It won’t be allowed to be uploaded to the AppStore without that entitlement. I am using electron-builder

I resolved this issue by adding an allow-unsigned-executable-memory entitlement, as described in: https://kilianvalkhof.com/2019/electron/notarizing-your-electron-application/

<dict>
  <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
  <true/>
</dict>

As we still can’t get this to work, here is an update for Electron 7.0.1 tweaked version (Which is required for MAS builds at the moment - ref. https://github.com/electron/electron/issues/20027#issuecomment-551913031) for the current workaround we are using.

Replace AppName, CompanyName (xxx) and /dist_electron/mas/$APP.app with your own.

sign-mas.sh

#!/bin/bash

CURRENT_PATH="$( cd "$(dirname "$0")" ; pwd -P )"

# Name of your app.
APP="AppName"
COMPANY_DEVELOPER_ID="CompanyName (xxx)"
# The path of your app to sign.
APP_PATH="$CURRENT_PATH/dist_electron/mas/$APP.app"
# The path to the location you want to put the signed package.
RESULT_PATH="$CURRENT_PATH/dist_electron/mas/$APP-Publish-Ready.pkg"

# The name of certificates you requested.
APP_KEY="3rd Party Mac Developer Application: $COMPANY_DEVELOPER_ID"
INSTALLER_KEY="3rd Party Mac Developer Installer: $COMPANY_DEVELOPER_ID"
# The path of your plist files.
CHILD_PLIST="$CURRENT_PATH/entitlements.mas.inherit.plist"
PARENT_PLIST="$CURRENT_PATH/entitlements.mas.plist"
LOGINHELPER_PLIST="$CURRENT_PATH/entitlements.mas.loginhelper.plist"

FRAMEWORKS_PATH="$APP_PATH/Contents/Frameworks"

codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/Electron Framework.framework/Versions/A/Electron Framework"
codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/Electron Framework.framework/Versions/A/Libraries/libffmpeg.dylib"
codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/Electron Framework.framework/Versions/A/Libraries/libEGL.dylib"
codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/Electron Framework.framework/Versions/A/Libraries/libGLESv2.dylib"
codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/Electron Framework.framework/Versions/A/Libraries/libswiftshader_libEGL.dylib"
codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/Electron Framework.framework/Versions/A/Libraries/libswiftshader_libGLESv2.dylib"
codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/Electron Framework.framework"
codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/$APP Helper.app/Contents/MacOS/$APP Helper"
codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/$APP Helper.app/"

codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/$APP Helper (GPU).app/Contents/MacOS/$APP Helper (GPU)"
codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/$APP Helper (GPU).app/"

codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/$APP Helper (Plugin).app/Contents/MacOS/$APP Helper (Plugin)"
codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/$APP Helper (Plugin).app/"

codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/$APP Helper (Renderer).app/Contents/MacOS/$APP Helper (Renderer)"
codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/$APP Helper (Renderer).app/"
codesign -s "$APP_KEY" -f --entitlements "$LOGINHELPER_PLIST" "$APP_PATH/Contents/Library/LoginItems/$APP Login Helper.app/Contents/MacOS/$APP Login Helper"
codesign -s "$APP_KEY" -f --entitlements "$LOGINHELPER_PLIST" "$APP_PATH/Contents/Library/LoginItems/$APP Login Helper.app/"
codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$APP_PATH/Contents/MacOS/$APP"
codesign -s "$APP_KEY" -f --entitlements "$PARENT_PLIST" "$APP_PATH"

productbuild --component "$APP_PATH" /Applications --sign "$INSTALLER_KEY" "$RESULT_PATH"

entitlements.mas.loginhelper.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
  </dict>
</plist>

entitlements.mas.inherit.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.inherit</key>
    <true/>
  </dict>
</plist>

entitlements.mas.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.application-groups</key>
    <array>
      <string>XXX.com.appname.AppName</string>
    </array>
    <key>com.apple.security.network.client</key>
    <true/>
    <key>com.apple.application-identifier</key>
    <string>XXX.com.appname.AppName</string>
  </dict>
</plist>

Then run sh sign-mas.sh to create a valid file for publishing.

@JohnTendik Same issue here - with hardenedRuntime: true, mas-dev is still crashing. It is being signed with the correct certificate as well, which is different than the mas certificate. Without hardenedRuntime, it opens fine.

@james-criscuolo Currently electron-osx-sign uses the plist package to parse & build plist files. If the user specified entitlement files are binary encoded, I guess then it won’t be parsed properly for electron-osx-sign & some of the automations for entitlements files could be affected?

@steffanhalv Unfortunately it did not work for me. I now figured out how to sign and publish with this guide from 2020. The crucial information is that it only seems to work with Electron 5.0.13 and 6.1.7.

@michaelmika Check that all executable binaries inside your mas build are included to be signed and are correct relative to the script file. If the script is in the root of your project, the mas build should be exactly ./dist_electron/mas/APPNAME.app

CD into ./dist_electron/mas/APPNAME.app/... and look for extra binaries. When all binaries are added and signed, no errors should occur in the terminal and the app should run.

We just got our app approved for the app store two days ago following these steps.

Ex. We had the same problem until we added these lines in the script:

codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/$APP Helper (GPU).app/Contents/MacOS/$APP Helper (GPU)"
codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/$APP Helper (GPU).app/"

codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/$APP Helper (Plugin).app/Contents/MacOS/$APP Helper (Plugin)"
codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/$APP Helper (Plugin).app/"

codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/$APP Helper (Renderer).app/Contents/MacOS/$APP Helper (Renderer)"
codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/$APP Helper (Renderer).app/"

Also check that entitlements are correct
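
The check described in the comment above (look inside the bundle for extra binaries and make sure each one is signed) can be automated. The following is an added example, not code from this thread or from electron-osx-sign: it walks a bundle, lists every Mach-O file and nested bundle in inside-out order, and reports what a signing list leaves out. The function names, the sample bundle layout and the signing list are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list every item in an .app bundle that
# needs its own signature, deepest first, and show what a signing list misses.

# True if the file starts with a Mach-O or universal-binary magic number.
is_macho() {
  magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
  case "$magic" in
    feedface|feedfacf|cefaedfe|cffaedfe|cafebabe) return 0 ;;
    *) return 1 ;;
  esac
}

# Print signable items relative to the bundle root, inside-out: deeper paths
# first, so every binary precedes the bundle that contains it; root (.) last.
list_signable() {
  (
    cd "$1" || exit 1
    {
      # Mach-O files anywhere in the bundle (executables, dylibs, .node addons).
      find . -type f | while IFS= read -r f; do
        if is_macho "$f"; then printf '%s\n' "${f#./}"; fi
      done
      # Nested bundles, which carry a signature of their own.
      find . -mindepth 1 -type d \( -name '*.app' -o -name '*.framework' \) |
        sed 's|^\./||'
    } | awk -F/ '{ print NF "\t" $0 }' |
      LC_ALL=C sort -t "$(printf '\t')" -k1,1nr -k2,2 | cut -f2-
    echo "."
  )
}

# Print signable items absent from a signing list (a file with one
# bundle-relative path per line, "." for the bundle itself).
missing_from_list() {
  list_signable "$1" | while IFS= read -r item; do
    grep -Fxq -- "$item" "$2" || printf '%s\n' "$item"
  done
}

# Constructed sample: Electron 7 style layout; a 4-byte Mach-O magic
# (64-bit little-endian) stands in for each real binary.
fake_macho() { printf '\317\372\355\376' > "$1"; }
make_sample_bundle() {
  fw="$1/Contents/Frameworks"
  lib="$fw/Electron Framework.framework/Versions/A"
  mkdir -p "$1/Contents/MacOS" "$1/Contents/Resources" "$lib/Libraries"
  printf '<?xml version="1.0"?>\n' > "$1/Contents/Info.plist"
  printf 'not code\n' > "$1/Contents/Resources/app.asar"
  fake_macho "$1/Contents/MacOS/AppName"
  fake_macho "$lib/Electron Framework"
  fake_macho "$lib/Libraries/libffmpeg.dylib"
  fake_macho "$lib/Libraries/libEGL.dylib"
  for h in "AppName Helper" "AppName Helper (GPU)" \
           "AppName Helper (Plugin)" "AppName Helper (Renderer)"; do
    mkdir -p "$fw/$h.app/Contents/MacOS"
    fake_macho "$fw/$h.app/Contents/MacOS/$h"
  done
}

# Constructed signing list: the codesign targets of the first sign-mas.sh in
# this thread, rewritten as bundle-relative paths.
write_old_signing_list() {
  fwrel="Contents/Frameworks"
  li="Contents/Library/LoginItems"
  cat > "$1" <<EOF
$fwrel/Electron Framework.framework/Versions/A/Electron Framework
$fwrel/Electron Framework.framework/Versions/A/Libraries/libffmpeg.dylib
$fwrel/Electron Framework.framework/Versions/A/Libraries/libnode.dylib
$fwrel/Electron Framework.framework
$fwrel/AppName Helper.app/Contents/MacOS/AppName Helper
$fwrel/AppName Helper.app
$li/AppName Login Helper.app/Contents/MacOS/AppName Login Helper
$li/AppName Login Helper.app
Contents/MacOS/AppName
.
EOF
}

# Demo: the older list leaves libEGL.dylib and the GPU, Plugin and Renderer
# helpers (binary and bundle each) without a signature.
demo_dir=$(mktemp -d)
make_sample_bundle "$demo_dir/AppName.app"
write_old_signing_list "$demo_dir/signed.txt"
missing_from_list "$demo_dir/AppName.app" "$demo_dir/signed.txt"
rm -rf "$demo_dir"
```

On macOS, the paths printed by `list_signable` can be passed to codesign in that order, each with the entitlements file that applies to it, as the scripts above do by hand.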

I’m happy to report we have solved our build problems. All three builds are working as expected now. Our issue was a little bit different than some of you in this thread so I’m including our fix. It was thanks to the investigation of another user that we were able to move past this problem 😃

I’ve included my build configs there if anyone is interested in seeing how we were able to fix our problem.

https://github.com/electron-userland/electron-builder/issues/4040#issuecomment-547134627

Thanks everyone for all your help!

I had issues with immediate crashes when I had hardened runtime entitlements, with hardened runtime false. I believe the only necessary change (for the app store) is the asar unpack stuff, so I recommend going back to your last working build, and just adding the asarUnpack option with your native modules.

Same issue here! Applying the com.apple.security.app-sandbox entitlement is causing immediate crash.

My comment was in regards to your question about electron-builder. Independent of that, I’ve switched my MAS build over to electron-packager and still cannot get it to work. I can make a DMG build work with electron-builder, and anticipate the same with electron-packager. It appears that adding app-sandbox leads to the issues, which is required for a MAS build.

A lot of solutions have been posted above, but it appears they are all for DMG builds, and nobody has had a MAS build work yet (please let us know if you’ve got it working).

Sure.

entitlements.mac.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
    <key>com.apple.security.files.user-selected.read-write</key>
    <true/>
  </dict>
</plist>

entitlements.mas.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.application-identifier</key>
    <string>1234ABCDEF.com.mycompany.MyApp</string>
    <key>com.apple.team-identifier</key>
    <string>1234ABCDEF</string>
    <key>com.apple.developer.team-identifier</key>
    <string>1234ABCDEF</string>
    <key>com.apple.security.application-groups</key>
    <array>
      <string>1234ABCDEF.com.mycompany.MyApp</string>
    </array>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
    <key>com.apple.security.files.user-selected.read-write</key>
    <true/>
  </dict>
</plist>