electron-builder: macOS Hardened runtime, notarization, code signing: app crashes and doesn't work at all

Many, many people are also having the same issue and it is unresolved…

• https://github.com/electron-userland/electron-builder/issues/4567
• https://github.com/electron-userland/electron-builder/issues/4040
• https://github.com/electron-userland/electron-builder/issues/4834
• https://github.com/electron/electron-osx-sign/issues/223
• https://github.com/electron/electron-osx-sign/issues/199#issuecomment-608339323
• https://github.com/electron/electron/issues/22656#issuecomment-602493525
• https://david.dev/electron-cannot-build-mas-on-os-x-mojave/

I believe it is still an issue

Has anyone had any luck figuring this out? Our prod build does not launch locally and our mas-dev builds are running into the same EXC_BAD_ACCESS (Code Signature Invalid) error.

Please reopen this issue.

Many, many people are also having the same issue and it is unresolved…

• #4567
• #4040
• #4834
• electron/electron-osx-sign#223
• electron/electron-osx-sign#199 (comment)
• electron/electron#22656 (comment)
• https://david.dev/electron-cannot-build-mas-on-os-x-mojave/

That’s not correct. You can in fact publish Electron apps to the Mac App store. But to do so you need the right entitlements in your entitlements.plist when app-sandbox is activated.

Please note: Entitlements for the mac app store are fundamentally different to the non-mac-app-store version you distribute via your website (using notarization).

# electron-builder.json
  "mas": {
    "hardenedRuntime": false,
    "entitlements": "entitlements/mas.plist",
    "entitlementsInherit": "entitlements/mas.inherit.plist"
  },

# entitlements/mas.inherit.plist
<?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.inherit</key>
    <true/>
</dict>
</plist>

# entitlements/mas.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>com.apple.security.app-sandbox</key>
	<true/>
	<key>com.apple.security.cs.allow-jit</key>
	<true/>
	<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
	<true/>
	<key>com.apple.security.cs.disable-library-validation</key>
	<true/>
	<key>com.apple.security.cs.allow-dyld-environment-variables</key>
	<true/>
	<key>com.apple.security.application-groups</key>
	<array>
		<string>TEAM_ID.com.company.app-id</string>
	</array>
</dict>
</plist>

If you forget one thing or add not exactly com.apple.security.app-sandbox + com.apple.security.inherit into the mas.inherit.plist because you thought you are smart and add more than necessary, then you did it wrong and the app will crash.

We are struggling with this too. Any suggestions would be really appreciated.

@greenimpala not sure what fixed the issue in the end to be honest (my guess is that it was adjusting the entitlements.inherit). But now it works. Thank you very much for your help!

This seemed to fix the Electron part of our app. Note that maybe I can remove these entitlements if I sign some dylibs included in the app, for example.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/>
    <key>com.apple.security.cs.disable-library-validation</key><true/>
  </dict>
</plist>

For example, the last thing I codesign is my app’s main program, which uses Electron, (inside out, by Apple’s rules) I use the entitlements defined above: codesign -o runtime --entitlement entitlements.plist --verbose --timestamp -s "Developer ID Application: My Company (IDNUMBER)" MyApp.app/Contents/MacOS/MyApp

As for the Electron Framework, I signed it this way. Not sure if the crashpad_handler needs any entitlements yet.

Note that $SIG would be our "Developer ID Application: My Company (IDNUMBER)"

codesign -o runtime --verbose --timestamp -s $SIG "MyApp.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Resources/crashpad_handler"
codesign --verbose --timestamp -s $SIG "MyApp.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libEGL.dylib"
codesign --verbose --timestamp -s $SIG "MyApp.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libswiftshader_libEGL.dylib"
codesign --verbose --timestamp -s $SIG "MyApp.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libGLESv2.dylib"
codesign --verbose --timestamp -s $SIG "MyApp.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libswiftshader_libGLESv2.dylib"
codesign --verbose --timestamp -s $SIG "MyApp.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libffmpeg.dylib"
codesign --verbose --timestamp -s $SIG "MyApp.app/Contents/Frameworks/Electron Framework.framework"

Note that Apple’s notarizing service complained about those dylibs being unsigned, so I specifically signed them.

NOTE: that I haven’t actually tried “crashpad_handler” and it almost definitely needs more entitlements. Our app required disk access and some other things before it started fully working.

For example:

    <key>com.apple.security.cs.allow-dyld-environment-variables</key><true/>
    <key>com.apple.security.files.user-selected.read-write</key><true/>
    <key>com.apple.security.network.client</key><true/>
    <key>com.apple.security.network.server</key><true/>

Sure! https://github.com/johannesjo/super-productivity/blob/master/electron-builder.yaml https://github.com/johannesjo/super-productivity/tree/master/build

@johannesjo Couple of things I can see

• No need to copy across provisioning profile.
• Are you using a dev provisioning profile configured with the machine ID of your exact machine for mas-dev? Both configs look like they use the same one which won’t work.
• Make sure entitlements.inherit just contains sandbox + inherit.

Using 22.7.0 I no longer need to resign plists and my mas-dev build works locally.

It probably is either your certificates (ensure your provisioning profile is configured for the exact device ID you are testing on) or entitlements (see #3989 (comment)).

Can the mas-dev target package run in your mashine?

@greenimpala could you by any chance please share a working config? I’ve been trying to get a working version of my electron app to the mac store for years now without any success…

@lanistor @DominikLevitsky I haven’t been keeping up with this problem but I did solve it by:

• Ensuring sandbox is in my entitlements.
• Never using hardened runtime for MAS builds.
• Realising that running valid MAS builds locally WILL give a codesign crash (this is correct behavior!!).
• You should test MAS builds locally with the mas-dev target and using correct Apple dev certs.
• ~Important one — Re-writing my plists for both mas and mas-dev (https://github.com/electron/electron-osx-sign/issues/223#issuecomment-611070794) AFTER a build and then RE-signing with electron-osx-sign. This is the weird undocumented issue that needs to be fixed :)~

Still an issue issue. The crash happens as soon as you use com.apple.security.app-sandbox for me. See also https://github.com/electron/electron/issues/22656.

Its the hardening that broke it for us. We have a notarised, code signed app, mac not MAS, that now works. After a fashion:

electron-builder/issues/4040#issuecomment-553327682

Hope this helps.