osx-sign: Signed app should allow JIT on correct helpers to not crash

After I signed my application, a blank screen is displayed when I launch it. Could you give me some advice to fix this problem? This problem only occurs on macOS 10.14 (Mojave). The app runs normally on other versions of macOS. By the way, I’m using electron-packager to package my app and electron-osx-sign to sign it.

electron: 1.7.9
electron-packager: 8.7.2
electron-osx-sign: 0.4.11

I sign my app with the following command:

electron-osx-sign "xxx.app" --platform=darwin --type=distribution --identity="Developer ID Application: xxx (xxxxx)" --keychain="xxx.keychain" --entitlements="entitlements.plist" --hardened-runtime

I’m attempting to distribute my app outside the Mac App Store, and I don’t want to enable App Sandbox.

entitlements.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
    <key>com.apple.security.cs.disable-executable-page-protection</key>
    <true/>
  </dict>
</plist>

The final result: ① sign -> success ② launch -> blank screen ③ notarization -> success


Then I signed different versions (v1.7.9 & v4.0.1) of the Electron sample application (electron-quick-start). When I launch these two applications, the blank screen problem still occurs. P.S. This problem still only occurs on macOS 10.14 (Mojave).

electron: 1.7.9 / 4.0.1
electron-packager: 13.0.1
electron-osx-sign: 0.4.11

I package these two apps with the following command:

node release.js

release.js

var packager = require('electron-packager');
var config = require('./package.json');
var app_name = 'xxxxx';

packager({
    dir: './',
    out: './dist/osx',
    name: app_name,
    platform: 'darwin',
    arch: 'x64',
    icon: './Appicon.icns',

    appBundleId: 'xx.xxx.app',
    appVersion: config.version,
    appCopyright: 'Copyright (c) xxxx All rights reserved.',
    appCategoryType: 'public.app-category.graphics-design',
    overwrite: true,
    asar: {unpackDir: 'testUnpack'},
    prune: true,
    // Backslashes are doubled so the pattern built from this string matches literal dots.
    ignore: 'unpacked|node_modules/(electron-packager|electron|\\.bin)|release\\.js',
    electronVersion: 'x.x.x'
}).then(function (appPaths) {
    console.log('\n' + appPaths + ' Done!\n');
}).catch(function (err) {
    if (err) {
        throw new Error(err);
    }
});

p.s. ① v1.7.9: app_name -> ‘sample(current_v1.7.9)’ electronVersion -> ‘1.7.9’ ② v4.0.1: app_name -> ‘sample(latest_v4.0.1)’ electronVersion -> ‘4.0.1’

I sign these two apps with the following commands:

(1) export DEBUG=electron-osx-sign*
(2) electron-osx-sign "xxx.app" --platform=darwin --type=distribution --identity="Developer ID Application: xxx (xxxxx)" --keychain="xxx.keychain" --entitlements="entitlements.plist" --hardened-runtime > sample.log

entitlements.plist

It’s the same as the file above (entitlements.plist).

sample1_7_9.log

  electron-osx-sign electron-osx-sign@0.4.11 +0ms
  electron-osx-sign `identity` passed in arguments. +25ms
  electron-osx-sign Executing... security find-identity -v /Library/Keychains/xxx.keychain +1ms
  electron-osx-sign Identity: 
 > Name: Developer ID Application: xxx (xxxxx) 
 > Hash: 6E53C45AD76F3B1BFDFCC3E39A22082C1847FEEE +68ms
  electron-osx-sign Found 1 identity. +0ms
  electron-osx-sign Pre-sign operation enabled for provisioning profile: 
 * Disable by setting `pre-embed-previsioning-profile` to `false`. +1ms
  electron-osx-sign Pre-sign operation enabled for entitlements automation with versions >= `1.1.1`: 
 * Disable by setting `pre-auto-entitlements` to `false`. +0ms
  electron-osx-sign No `provisioning-profile` passed in arguments, will find in current working directory and in user library... +0ms
  electron-osx-sign No provisioning profile found, will not embed profile in app contents. +2ms
  electron-osx-sign Automating entitlement app group... 
 > Info.plist: sample(current_v1.7.9).app/Contents/Info.plist 
 > Entitlements: entitlements.plist +0ms
  electron-osx-sign Signing application... 
 > Application: sample(current_v1.7.9).app 
 > Platform: darwin 
 > Entitlements: entitlements.plist 
 > Child entitlements: /usr/local/lib/node_modules/electron-osx-sign/default.entitlements.darwin.inherit.plist 
 > Additional binaries: [] 
 > Identity: { name: 'Developer ID Application: xxx (xxxxx)',
  hash: '6E53C45AD76F3B1BFDFCC3E39A22082C1847FEEE' } +6ms
  electron-osx-sign Walking... sample(current_v1.7.9).app/Contents +2ms
  electron-osx-sign Signing... sample(current_v1.7.9).app/Contents/Frameworks/Electron Framework.framework/Versions/A/Electron Framework +20ms
  electron-osx-sign Executing... codesign --sign 6E53C45AD76F3B1BFDFCC3E39A22082C1847FEEE --force --keychain /Library/Keychains/xxx.keychain --options runtime --entitlements /usr/local/lib/node_modules/electron-osx-sign/default.entitlements.darwin.inherit.plist sample(current_v1.7.9).app/Contents/Frameworks/Electron Framework.framework/Versions/A/Electron Framework +0ms
  electron-osx-sign Signing... sample(current_v1.7.9).app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libffmpeg.dylib +3s
  electron-osx-sign Executing... codesign --sign 6E53C45AD76F3B1BFDFCC3E39A22082C1847FEEE --force --keychain /Library/Keychains/xxx.keychain --options runtime --entitlements /usr/local/lib/node_modules/electron-osx-sign/default.entitlements.darwin.inherit.plist sample(current_v1.7.9).app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libffmpeg.dylib +0ms
  electron-osx-sign Signing... sample(current_v1.7.9).app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libnode.dylib +401ms
  electron-osx-sign Executing... codesign --sign 6E53C45AD76F3B1BFDFCC3E39A22082C1847FEEE --force --keychain /Library/Keychains/xxx.keychain --options runtime --entitlements /usr/local/lib/node_modules/electron-osx-sign/default.entitlements.darwin.inherit.plist sample(current_v1.7.9).app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libnode.dylib +0ms
  electron-osx-sign Signing... sample(current_v1.7.9).app/Contents/Frameworks/Electron Framework.framework/Versions/A/Resources/crashpad_handler +996ms
  electron-osx-sign Executing... codesign --sign 6E53C45AD76F3B1BFDFCC3E39A22082C1847FEEE --force --keychain /Library/Keychains/xxx.keychain --options runtime --entitlements /usr/local/lib/node_modules/electron-osx-sign/default.entitlements.darwin.inherit.plist sample(current_v1.7.9).app/Contents/Frameworks/Electron Framework.framework/Versions/A/Resources/crashpad_handler +1ms
  electron-osx-sign Signing... sample(current_v1.7.9).app/Contents/Frameworks/Electron Framework.framework +341ms
  electron-osx-sign Executing... codesign --sign 6E53C45AD76F3B1BFDFCC3E39A22082C1847FEEE --force --keychain /Library/Keychains/xxx.keychain --options runtime --entitlements /usr/local/lib/node_modules/electron-osx-sign/default.entitlements.darwin.inherit.plist sample(current_v1.7.9).app/Contents/Frameworks/Electron Framework.framework +0ms
  electron-osx-sign Signing... sample(current_v1.7.9).app/Contents/Frameworks/Mantle.framework/Versions/A/Mantle +3s
  electron-osx-sign Executing... codesign --sign 6E53C45AD76F3B1BFDFCC3E39A22082C1847FEEE --force --keychain /Library/Keychains/xxx.keychain --options runtime --entitlements /usr/local/lib/node_modules/electron-osx-sign/default.entitlements.darwin.inherit.plist sample(current_v1.7.9).app/Contents/Frameworks/Mantle.framework/Versions/A/Mantle +0ms
  electron-osx-sign Signing... sample(current_v1.7.9).app/Contents/Frameworks/Mantle.framework +732ms
  electron-osx-sign Executing... codesign --sign 6E53C45AD76F3B1BFDFCC3E39A22082C1847FEEE --force --keychain /Library/Keychains/xxx.keychain --options runtime --entitlements /usr/local/lib/node_modules/electron-osx-sign/default.entitlements.darwin.inherit.plist sample(current_v1.7.9).app/Contents/Frameworks/Mantle.framework +1ms
  electron-osx-sign Signing... sample(current_v1.7.9).app/Contents/Frameworks/ReactiveCocoa.framework/Versions/A/ReactiveCocoa +735ms
  electron-osx-sign Executing... codesign --sign 6E53C45AD76F3B1BFDFCC3E39A22082C1847FEEE --force --keychain /Library/Keychains/xxx.keychain --options runtime --entitlements /usr/local/lib/node_modules/electron-osx-sign/default.entitlements.darwin.inherit.plist sample(current_v1.7.9).app/Contents/Frameworks/ReactiveCocoa.framework/Versions/A/ReactiveCocoa +0ms
  electron-osx-sign Signing... sample(current_v1.7.9).app/Contents/Frameworks/ReactiveCocoa.framework +364ms
  electron-osx-sign Executing... codesign --sign 6E53C45AD76F3B1BFDFCC3E39A22082C1847FEEE --force --keychain /Library/Keychains/xxx.keychain --options runtime --entitlements /usr/local/lib/node_modules/electron-osx-sign/default.entitlements.darwin.inherit.plist sample(current_v1.7.9).app/Contents/Frameworks/ReactiveCocoa.framework +0ms
  electron-osx-sign Signing... sample(current_v1.7.9).app/Contents/Frameworks/Squirrel.framework/Versions/A/Resources/ShipIt +362ms
  electron-osx-sign Executing... codesign --sign 6E53C45AD76F3B1BFDFCC3E39A22082C1847FEEE --force --keychain /Library/Keychains/xxx.keychain --options runtime --entitlements /usr/local/lib/node_modules/electron-osx-sign/default.entitlements.darwin.inherit.plist sample(current_v1.7.9).app/Contents/Frameworks/Squirrel.framework/Versions/A/Resources/ShipIt +0ms
  electron-osx-sign Signing... sample(current_v1.7.9).app/Contents/Frameworks/Squirrel.framework/Versions/A/Squirrel +737ms
  electron-osx-sign Executing... codesign --sign 6E53C45AD76F3B1BFDFCC3E39A22082C1847FEEE --force --keychain /Library/Keychains/xxx.keychain --options runtime --entitlements /usr/local/lib/node_modules/electron-osx-sign/default.entitlements.darwin.inherit.plist sample(current_v1.7.9).app/Contents/Frameworks/Squirrel.framework/Versions/A/Squirrel +0ms
  electron-osx-sign Signing... sample(current_v1.7.9).app/Contents/Frameworks/Squirrel.framework +735ms
  electron-osx-sign Executing... codesign --sign 6E53C45AD76F3B1BFDFCC3E39A22082C1847FEEE --force --keychain /Library/Keychains/xxx.keychain --options runtime --entitlements /usr/local/lib/node_modules/electron-osx-sign/default.entitlements.darwin.inherit.plist sample(current_v1.7.9).app/Contents/Frameworks/Squirrel.framework +0ms
  electron-osx-sign Signing... sample(current_v1.7.9).app/Contents/Frameworks/sample(current_v1.7.9) Helper EH.app/Contents/MacOS/sample(current_v1.7.9) Helper EH +350ms
  electron-osx-sign Executing... codesign --sign 6E53C45AD76F3B1BFDFCC3E39A22082C1847FEEE --force --keychain /Library/Keychains/xxx.keychain --options runtime --entitlements /usr/local/lib/node_modules/electron-osx-sign/default.entitlements.darwin.inherit.plist sample(current_v1.7.9).app/Contents/Frameworks/sample(current_v1.7.9) Helper EH.app/Contents/MacOS/sample(current_v1.7.9) Helper EH +0ms
  electron-osx-sign Signing... sample(current_v1.7.9).app/Contents/Frameworks/sample(current_v1.7.9) Helper EH.app +335ms
  electron-osx-sign Executing... codesign --sign 6E53C45AD76F3B1BFDFCC3E39A22082C1847FEEE --force --keychain /Library/Keychains/xxx.keychain --options runtime --entitlements /usr/local/lib/node_modules/electron-osx-sign/default.entitlements.darwin.inherit.plist sample(current_v1.7.9).app/Contents/Frameworks/sample(current_v1.7.9) Helper EH.app +1ms
  electron-osx-sign Signing... sample(current_v1.7.9).app/Contents/Frameworks/sample(current_v1.7.9) Helper NP.app/Contents/MacOS/sample(current_v1.7.9) Helper NP +349ms
  electron-osx-sign Executing... codesign --sign 6E53C45AD76F3B1BFDFCC3E39A22082C1847FEEE --force --keychain /Library/Keychains/xxx.keychain --options runtime --entitlements /usr/local/lib/node_modules/electron-osx-sign/default.entitlements.darwin.inherit.plist sample(current_v1.7.9).app/Contents/Frameworks/sample(current_v1.7.9) Helper NP.app/Contents/MacOS/sample(current_v1.7.9) Helper NP +1ms
  electron-osx-sign Signing... sample(current_v1.7.9).app/Contents/Frameworks/sample(current_v1.7.9) Helper NP.app +334ms
  electron-osx-sign Executing... codesign --sign 6E53C45AD76F3B1BFDFCC3E39A22082C1847FEEE --force --keychain /Library/Keychains/xxx.keychain --options runtime --entitlements /usr/local/lib/node_modules/electron-osx-sign/default.entitlements.darwin.inherit.plist sample(current_v1.7.9).app/Contents/Frameworks/sample(current_v1.7.9) Helper NP.app +0ms
  electron-osx-sign Signing... sample(current_v1.7.9).app/Contents/Frameworks/sample(current_v1.7.9) Helper.app/Contents/MacOS/sample(current_v1.7.9) Helper +340ms
  electron-osx-sign Executing... codesign --sign 6E53C45AD76F3B1BFDFCC3E39A22082C1847FEEE --force --keychain /Library/Keychains/xxx.keychain --options runtime --entitlements /usr/local/lib/node_modules/electron-osx-sign/default.entitlements.darwin.inherit.plist sample(current_v1.7.9).app/Contents/Frameworks/sample(current_v1.7.9) Helper.app/Contents/MacOS/sample(current_v1.7.9) Helper +0ms
  electron-osx-sign Signing... sample(current_v1.7.9).app/Contents/Frameworks/sample(current_v1.7.9) Helper.app +335ms
  electron-osx-sign Executing... codesign --sign 6E53C45AD76F3B1BFDFCC3E39A22082C1847FEEE --force --keychain /Library/Keychains/xxx.keychain --options runtime --entitlements /usr/local/lib/node_modules/electron-osx-sign/default.entitlements.darwin.inherit.plist sample(current_v1.7.9).app/Contents/Frameworks/sample(current_v1.7.9) Helper.app +0ms
  electron-osx-sign Signing... sample(current_v1.7.9).app +340ms
  electron-osx-sign Executing... codesign --sign 6E53C45AD76F3B1BFDFCC3E39A22082C1847FEEE --force --keychain /Library/Keychains/xxx.keychain --options runtime --entitlements entitlements.plist sample(current_v1.7.9).app +0ms
  electron-osx-sign Verifying... +357ms
  electron-osx-sign Verifying application bundle with codesign... +1ms
  electron-osx-sign Executing... codesign --verify --deep --strict --verbose=2 sample(current_v1.7.9).app +0ms
  electron-osx-sign Verifying Gatekeeper acceptance for darwin platform... +958ms
  electron-osx-sign Executing... spctl --assess --type execute --verbose --ignore-cache --no-cache sample(current_v1.7.9).app +0ms
  electron-osx-sign Verified. +828ms
  electron-osx-sign Displaying entitlements... +0ms
  electron-osx-sign Executing... codesign --display --entitlements :- sample(current_v1.7.9).app +0ms
  electron-osx-sign Entitlements: 
 <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
    <key>com.apple.security.cs.disable-executable-page-protection</key>
    <true/>
  </dict>
</plist>

 +40ms
  electron-osx-sign Application signed. +0ms
  electron-osx-sign Application signed: sample(current_v1.7.9).app +0ms
Application signed: sample(current_v1.7.9).app

sample4_0_1.log

This log file is basically the same as sample1_7_9.log except for the app name.

About this issue

  • State: closed
  • Created 5 years ago
  • Comments: 30 (8 by maintainers)

Most upvoted comments

I have been able to reproduce this issue, getting a blank electron window after signing with the hardened runtime flag enabled.

I have found that setting the “entitlements-inherit” option along with the “entitlements” option as below allows my application to be signed successfully. The application is working correctly and can be notarized successfully.

app.entitlements (set these as required)

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.allow-jit</key>
    <true/>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
    <key>com.apple.security.cs.disable-executable-page-protection</key>
    <true/>
</dict>
</plist>

And call the API using the following:

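// electron-osx-sign exports the sign function directly
var sign = require('electron-osx-sign');

sign({
    app: 'myApp.app',
    entitlements: 'app.entitlements',
    'hardened-runtime': true,
    platform: 'darwin',
    type: 'distribution',
    // Child binaries (helpers, frameworks) are signed with the same entitlements
    'entitlements-inherit': 'app.entitlements'
}, function done (err) {
    if (err) {
        console.log(err);
        return;
    }
    console.log('Application signed');
});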

My issue was stemming from both sandbox and hardening being active in the build. I am working on offering my app outside the App Store, which is why I’m exploring notarization. Because of this, I assumed that because my app is already sandboxed, I should try to add hardening… but it seems that they are mutually exclusive at the moment. Further, reading about both of these (sandbox & hardening) at https://lapcatsoftware.com/articles/hardened-runtime-sandboxing.html makes me feel like I can continue to offer a sandboxed-only version in the App Store, and a hardened-only version outside the App Store. Electron-builder doesn’t make this easy, and perhaps I need to open another ticket there, but I’ll quickly describe the setup that allows me to build MAS (sandboxed-only) and MAC builds (hardened-only) side by side.

package.json scripts:

"package-mac": "npm run build && build --mac zip",
"package-mas": "npm run build && build --mac mas mas-dev --config.afterSign=build/do-nothing.js --config.mac.hardenedRuntime=false",

It’s not ideal to set afterSign to “do-nothing.js” but… =null (“null”), =undefined (“undefined”) and just plain = (‘’) results in strings.

package.json build:

"mac": {
  "category": "public.app-category.productivity",
  "target": [
    "mas",
    "mas-dev",
    "zip"
  ],
  "hardenedRuntime": true,
  "entitlements": "build/entitlements-lll.plist",
  "entitlementsInherit": "build/entitlements-lll.plist",
  "gatekeeperAssess": false
},
"afterSign": "build/notarize.js",
"mas": {
  "provisioningProfile": "build/embeddedyesmas.provisionprofile",
  "entitlements": "build/entitlements-sandbox.plist",
  "entitlementsInherit": "build/entitlements-inherit.plist"
},

entitlements-lll.plist (these 3, plus my normal entitlements for app-specific behavior)

<true/>
<key>com.apple.security.cs.allow-jit</key>
<true/>
<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
<true/>
<key>com.apple.security.cs.disable-library-validation</key>
<true/>

entitlements-sandbox.plist (this 1 for sandboxing, plus my normal entitlements for app-specific behavior)

<key>com.apple.security.app-sandbox</key>
<true/>

entitlements-inherit.plist (just the default, only two, that’s it)

    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.inherit</key>
    <true/>

I hope this helps someone get both sandboxing and hardening setup with their builds. I’m eager to simplify this setup because overriding like this is a pain.

@d-j-t Just tested this out and it worked perfectly! I think I made a mistake with com.apple.security.inherit, as it only inherits App Sandbox properties, so these hardened-runtime entitlements need to be restated again in the child entitlements file 👍

Also credits to @MarshallOfSound for bringing up that com.apple.security.cs.allow-unsigned-executable-memory alone should allow the JIT stuff. The snippet below should be the minimum required for both the app bundle entitlements and the child entitlements.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
</dict>
</plist>

@androidW Perhaps give this a try? Let us know if it works for you 😺 Afterwards we can update the docs on readme.


Excerpt from Apple documentation:

Allow Unsigned Executable Memory Entitlement: A Boolean value that indicates whether the app may create writable and executable memory without using the MAP_JIT flag.
Key: com.apple.security.cs.allow-unsigned-executable-memory

https://developer.apple.com/documentation/bundleresources/entitlements?language=objc
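
An added example, not part of the original thread or of electron-osx-sign: a Node.js check that reads `DEBUG=electron-osx-sign*` output, finds which entitlements file each hardened `.app` bundle (main app and helpers) was signed with, and reports bundles whose file does not restate `com.apple.security.cs.allow-unsigned-executable-memory`. The function names, file names, log lines and plist contents are constructed for illustration, and the log pattern assumes the entitlements path contains no spaces.

```javascript
'use strict';
// Added example. All log lines and plist contents below are constructed.

// Minimum hardened-runtime entitlement the thread settled on for app and children.
const REQUIRED = 'com.apple.security.cs.allow-unsigned-executable-memory';

// Keys whose value is <true/> in a flat entitlements dict.
function parseEntitlements(xml) {
  const keys = new Set();
  const re = /<key>\s*([^<]+?)\s*<\/key>\s*<true\s*\/>/g;
  let m;
  while ((m = re.exec(xml)) !== null) keys.add(m[1]);
  return keys;
}

// Every "codesign --sign" invocation in the DEBUG=electron-osx-sign* output.
// Assumption: the entitlements path has no spaces; the target path may.
function parseSignLog(log) {
  const re = /Executing\.\.\. codesign --sign \S+ (.*?)--entitlements (\S+) (.+?) \+\d+(?:ms|s)\s*$/;
  const out = [];
  for (const line of log.split('\n')) {
    const m = re.exec(line);
    if (m) out.push({ target: m[3], entitlementsFile: m[2], hardened: /--options runtime\b/.test(m[1]) });
  }
  return out;
}

// For each hardened .app bundle (main app and helpers), report whether its
// entitlements file grants REQUIRED, plus any other com.apple.security.cs.* keys.
function audit(log, files, required = REQUIRED) {
  const findings = [];
  for (const s of parseSignLog(log)) {
    if (!s.hardened || !/\.app$/.test(s.target)) continue;
    const xml = files[s.entitlementsFile];
    if (xml === undefined) {
      findings.push({ target: s.target, status: 'entitlements-file-not-provided', extra: [] });
      continue;
    }
    const keys = parseEntitlements(xml);
    const extra = [...keys]
      .filter((k) => k.startsWith('com.apple.security.cs.') && k !== required)
      .sort();
    findings.push({ target: s.target, status: keys.has(required) ? 'ok' : 'missing-required', extra });
  }
  return findings;
}

// --- constructed sample input ---
const plist = (...keys) =>
  `<plist version="1.0"><dict>\n${keys.map((k) => `  <key>${k}</key>\n  <true/>`).join('\n')}\n</dict></plist>`;

const SAMPLE_FILES = {
  'app.entitlements': plist(REQUIRED, 'com.apple.security.cs.disable-library-validation'),
  // Stand-in for a child entitlements file that restates no hardened-runtime key.
  'child.default.plist': plist('com.apple.security.inherit'),
};

const signLine = (ent, target) =>
  `  electron-osx-sign Executing... codesign --sign PLACEHOLDER_HASH --force --options runtime --entitlements ${ent} ${target} +0ms`;

// childFile is the file used for everything inside the bundle ("entitlements-inherit").
function sampleLog(childFile) {
  return [
    signLine(childFile, 'My App.app/Contents/Frameworks/Electron Framework.framework'),
    signLine(childFile, 'My App.app/Contents/Frameworks/My App Helper.app'),
    signLine('app.entitlements', 'My App.app'),
    '  electron-osx-sign Executing... codesign --verify --deep --strict --verbose=2 My App.app +0ms',
  ].join('\n');
}

console.log(audit(sampleLog('child.default.plist'), SAMPLE_FILES)); // helper: missing-required
console.log(audit(sampleLog('app.entitlements'), SAMPLE_FILES));    // all ok
```

For a real build, fill the `files` map by reading each entitlements path that appears in the log; the `extra` list shows every other `com.apple.security.cs.*` exception a bundle carries beyond the required key.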

Prompting policy for hardened runtime: service: kTCCServiceAppleEvents requires entitlement com.apple.security.automation.apple-events but it is missing for ACC:{ID: com.myapp.app, PID[71862], auid: 501, euid: 501, binary path: ‘/Users/dev/Desktop/MyApp.app/Contents/MyApp’}, REQ: {ID: com.apple.appleeventsd, PID[51], auid: 55, euid: 55, binary path ‘/System/Library/CoreServices/appleeventsd’}

@puresick I ran into the same issue as well when trying to enable hardened runtime for my app. Even after adding com.apple.security.automation.apple-events, I got the following error:

{"error":"Error: dlopen(/var/folders/t1/khxbwjns5237jl5vmq8ky69w0000gp/T/.org.iota.trinity.m2dYyh, 1): no suitable image found.  Did find:
	/var/folders/t1/khxbwjns5237jl5vmq8ky69w0000gp/T/.org.iota.trinity.m2dYyh: code signature in (/var/folders/t1/khxbwjns5237jl5vmq8ky69w0000gp/T/.org.iota.trinity.m2dYyh) not valid for use in process using Library Validation: mapped file has no cdhash, completely unsigned? Code has to be at least ad-hoc signed.
	/var/folders/t1/khxbwjns5237jl5vmq8ky69w0000gp/T/.org.iota.trinity.m2dYyh: stat() failed with errno=17
    at process.module.(anonymous function) [as dlopen] (ELECTRON_ASAR.js:160:31)
    at Object.Module._extensions..node (internal/modules/cjs/loader.js:722:18)
    at Object.module.(anonymous function) [as .node] (ELECTRON_ASAR.js:169:18)
    at Module.load (internal/modules/cjs/loader.js:602:32)
    at tryModuleLoad (internal/modules/cjs/loader.js:541:12)
    at Function.Module._load (internal/modules/cjs/loader.js:533:3)
    at Module.require (internal/modules/cjs/loader.js:640:17)
    at require (internal/modules/cjs/helpers.js:20:18)
    at Object.<anonymous> (/Volumes/Trinity/Trinity.app/Contents/Resources/app.asar/node_modules/keytar/lib/keytar.js:1:169)
    at Object.<anonymous> (/Volumes/Trinity/Trinity.app/Contents/Resources/app.asar/node_modules/keytar/lib/keytar.js:61:3)"}

Adding the com.apple.security.cs.disable-library-validation entitlement fixed the issue for me, but I’m not entirely sure why

I experienced this issue on macOS 10.15.1, too.

The solution outlined above in https://github.com/electron/electron-osx-sign/issues/188#issuecomment-483778579 fixed it! Thanks!

@d-j-t Thanks for your solution! I hope it can solve my problem.

@sethlu I will try it next week. After that I will give you the result. Thank you so much.

@sethlu Thanks for the reply! Hope you can find a good solution. And sorry to take up your time.

@androidW Thanks for posting this issue! I just managed to reproduce this and it seems to be something with the hardened runtime option 🤔… without hardened runtime, thus also without notarization, everything seems working just fine.

I may have some time next week to take a closer look at this. Since it may be a while before anyone finds a good solution to the hardened runtime issue, we may expect to get app notarization working at a little later time.


I was playing with the following entitlements, but the window is still blank after being codesigned with hardened runtime (not notarized):

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.allow-jit</key>
    <true/>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
    <key>com.apple.security.cs.disable-executable-page-protection</key>
    <true/>
</dict>
</plist>

As an extra note, last year the hardened runtime option worked pretty well out of the box; however, recent macOS updates may have strengthened the security protocols so the old solution presented is no longer working.