electron-builder: App rejected when Mac Developer certificate is in keychain

Version: 7.25.0

Target: macOS

I wanted to get auto updates working by signing the macOS app so I installed Xcode and created a Mac Development certificate in the Preferences/Accounts panel on my Apple ID (don’t have a real Developer ID yet). Now electron-builder gives me an error in the build process. If I revoke the certificate the error goes away. It actually creates a working .app, but no .dmg or .zip as before.

⚠️  Application icon is not set, default Electron icon will be used
⚠️  Mac Developer is used to sign app — it is only for development and testing, not for production
Signing app (identity: Mac Developer: ****@**.** (LFH******))

Error: Exit code: 3. Command failed: spctl --assess --type execute --verbose --ignore-cache --no-cache /Users/el/code/electron/autotron/dist/mac/Autotron.app
/Users/el/code/electron/autotron/dist/mac/Autotron.app: rejected

/Users/el/code/electron/autotron/dist/mac/Autotron.app: rejected

    at /Users/el/code/electron/autotron/node_modules/electron-osx-sign-tf/util.js:69:16
    at ChildProcess.exithandler (child_process.js:213:5)
    at emitTwo (events.js:106:13)
    at ChildProcess.emit (events.js:191:7)
    at maybeClose (internal/child_process.js:877:16)
    at Process.ChildProcess._handle.onexit (internal/child_process.js:226:5)
From previous event:
    at module.exports.execFileAsync (/Users/el/code/electron/autotron/node_modules/electron-osx-sign-tf/util.js:48:10)
    at /Users/el/code/electron/autotron/node_modules/electron-osx-sign-tf/sign.js:99:16
From previous event:
    at verifySignApplicationAsync (/Users/el/code/electron/autotron/node_modules/electron-osx-sign-tf/sign.js:97:8)
    at /Users/el/code/electron/autotron/node_modules/electron-osx-sign-tf/sign.js:181:25
    at runCallback (timers.js:574:20)
    at tryOnImmediate (timers.js:554:5)
    at processImmediate [as _immediateCallback] (timers.js:533:5)
From previous event:
    at /Users/el/code/electron/autotron/node_modules/electron-osx-sign-tf/sign.js:178:10
From previous event:
    at signApplicationAsync (/Users/el/code/electron/autotron/node_modules/electron-osx-sign-tf/sign.js:121:6)
    at /Users/el/code/electron/autotron/node_modules/electron-osx-sign-tf/sign.js:330:14
From previous event:
    at module.exports.signAsync (/Users/el/code/electron/autotron/node_modules/electron-osx-sign-tf/sign.js:322:6)
    at /Users/el/code/electron/autotron/node_modules/electron-builder/src/macPackager.ts:196:12
    at next (native)
    at MacPackager.doSign (/Users/el/code/electron/autotron/node_modules/electron-builder/out/macPackager.js:262:11)
    at /Users/el/code/electron/autotron/node_modules/electron-builder/src/macPackager.ts:169:56
    at next (native)
    at runCallback (timers.js:574:20)
    at tryOnImmediate (timers.js:554:5)
    at processImmediate [as _immediateCallback] (timers.js:533:5)

About this issue

Original URL
State: closed
Created 8 years ago
Comments: 22 (17 by maintainers)

Commits related to this issue

fix: App rejected when Mac Developer certificate is in keychain Closes #890 — committed to develar/electron-builder by develar 8 years ago
fix: App rejected when Mac Developer certificate is in keychain Closes https://github.com/electron-userland/electron-builder/issues/890 — committed to develar/electron-osx-sign by develar 8 years ago
Revert "Use latest electron-builder" This reverts commit 03c395d8cd853f99f298798f59cdf217c67c2f8a. See https://github.com/electron-userland/electron-builder/issues/890#issuecomment-261027078 — committed to salomvary/soundcleod by salomvary 8 years ago
fix(mac): App rejected when Mac Developer certificate is in keychain #890 — committed to develar/electron-builder by develar 8 years ago
Merge branch 'master' into feature/nsis-downloader * master: feat: electronDownload instead of download #921 feat: rename LICENSE from electron dist to LICENSE.electron.txt fix: snap support, d... — committed to voidbridge/electron-builder by deleted user 8 years ago

Most upvoted comments

Developer signing is fine for apps distributed out of stores.

The gatekeeper check that electron-builder runs in the pipeline fails though because of it with default OS settings.

Running ‘spctl --master-disable’ gets past that point.

electron-builder needs an option to disable setting gatekeeper-assess = true for electron-osx-sign, in macPackager.js

TimNZ on Apr 6, 2017

I just successfully signed one of my electron app to distribute it outside the Mac store. Let me know if you guys need any help. It took me months to completely understand the whole code sign process.

akashnimare on Apr 6, 2017

@TimNZ I don’t think a Mac Developer identity will pass the Gatekeeper. Only a valid Developer ID Application or an app re-signed by Apple (from submitting to the Mac App Store) could do so.

Like Gatekeeper, spctl will only accept Developer ID-signed apps and apps downloaded from the Mac App Store by default. It will reject apps signed with Mac App Store development or distribution certificates.

Ref: https://developer.apple.com/library/content/technotes/tn2206/_index.html#//apple_ref/doc/uid/DTS40007919-CH1-TNTAG211

sethlu on Apr 6, 2017

Ran as root ‘spctl --master-disable’ for time being for testing.

TimNZ on Apr 4, 2017

Will be fixed tomorrow morning CET.

develar on Nov 8, 2016