electron-builder: Notarization and staple succeeds but app is not able to be verified by Apple
- Electron-Builder Version:
- Node Version: 18.16.1
- Electron Version: 26.1.0
- Electron Type (current, beta, nightly): current
24.6.3
- Target: mac
trying to open on macOS Montery 12.6.3 (21G419)
Using the built-in “notarize” option in `electron-builder it notarize and stapled successfully, according to the logs (see below), but the app is unable to be opened on Mac.
I can launch the .dmg, which Mac briefly says “Verifying” before successfully opening the installer screen (drag to “Applications”). It then installs, but when I try to open the app it again says “Verifying […]”, but this time for a minute or two, and then fails to open with the message "Ganache" cannot be opened because the developer cannot be verified. macOS cannot verify that this app is free from malware. [...]. (Ganache is the app name).
Logs:
• signing file=dist/mac/Ganache.app identityName=Developer ID Application: ConsenSys AG (48XVW22RCG) identityHash=C927DD3B556DC334E4573E643FB6F2F142E5FC5F provisioningProfile=none
2023-09-02T14:51:51.458Z electron-notarize:spawn spawning cmd: xcrun args: [ '--find', 'notarytool' ] opts: {}
2023-09-02T14:51:54.462Z electron-notarize:spawn cmd xcrun terminated with code: 0
2023-09-02T14:51:54.462Z electron-notarize:notarytool starting notarize process for app: /Users/runner/work/ganache-ui/ganache-ui/dist/mac/Ganache.app
2023-09-02T14:51:54.463Z electron-notarize:helpers doing work inside temp dir: /var/folders/24/8k48jl6d249_n_qfxwsl6xvm0000gn/T/electron-notarize-5htv5U
2023-09-02T14:51:54.464Z electron-notarize:notarytool zipping application to: /var/folders/24/8k48jl6d249_n_qfxwsl6xvm0000gn/T/electron-notarize-5htv5U/Ganache.zip
2023-09-02T14:51:54.464Z electron-notarize:spawn spawning cmd: ditto args: [
'-c',
'-k',
'--sequesterRsrc',
'--keepParent',
'Ganache.app',
'/var/folders/24/8k48jl6d249_n_qfxwsl6xvm0000gn/T/electron-notarize-5htv5U/Ganache.zip'
] opts: { cwd: '/Users/runner/work/ganache-ui/ganache-ui/dist/mac' }
2023-09-02T14:53:33.252Z electron-notarize:spawn cmd ditto terminated with code: 0
2023-09-02T14:53:33.252Z electron-notarize:notarytool zip succeeded, attempting to upload to Apple
2023-09-02T14:53:33.252Z electron-notarize:spawn spawning cmd: xcrun args: [
'notarytool',
'submit',
'/var/folders/24/8k48jl6d249_n_qfxwsl6xvm0000gn/T/electron-notarize-5htv5U/Ganache.zip',
'--apple-id',
'*********',
'--password',
'*********',
'--team-id',
'*********',
'--wait',
'--output-format',
'json'
] opts: {}
2023-09-02T15:19:19.320Z electron-notarize:spawn cmd xcrun terminated with code: 0
2023-09-02T15:19:19.322Z electron-notarize:notarytool notarization success
2023-09-02T15:19:19.323Z electron-notarize:helpers work succeeded
2023-09-02T15:19:19.422Z electron-notarize:staple attempting to staple app: /Users/runner/work/ganache-ui/ganache-ui/dist/mac/Ganache.app
2023-09-02T15:19:19.423Z electron-notarize:spawn spawning cmd: xcrun args: [ 'stapler', 'staple', '-v', 'Ganache.app' ] opts: { cwd: '/Users/runner/work/ganache-ui/ganache-ui/dist/mac' }
2023-09-02T15:19:23.628Z electron-notarize:spawn cmd xcrun terminated with code: 0
2023-09-02T15:19:23.629Z electron-notarize:staple staple succeeded
• notarization successful
• building target=macOS zip arch=x64 file=dist/Ganache-2.7.2-mac.zip
• building target=DMG arch=x64 file=dist/Ganache-2.7.2-mac.dmg
• building block map blockMapFile=dist/Ganache-2.7.2-mac.zip.blockmap
• publishing publisher=Github (owner: trufflesuite, project: ganache-ui, version: 2.7.2)
• uploading file=Ganache-2.7.2-mac.zip.blockmap provider=github
• uploading file=Ganache-2.7.2-mac.zip provider=github
• overwrite published file file=Ganache-2.7.2-mac.zip.blockmap reason=already exists on GitHub
• overwrite published file file=Ganache-2.7.2-mac.zip reason=already exists on GitHub
• copy files from=/Users/runner/work/ganache-ui/ganache-ui/static/icons/mac/icon.icns to=/Volumes/Ganache 2.7.2/.VolumeIcon.icns isUseHardLinks=false
• copy files from=/Users/runner/work/ganache-ui/ganache-ui/build/dmg/background.tiff to=/Volumes/Ganache 2.7.2/.background/background.tiff isUseHardLinks=false
• execute command command=sips -g pixelHeight -g pixelWidth /Users/runner/work/ganache-ui/ganache-ui/build/dmg/background.tiff workingDirectory=
• command executed executable=sips out=/Users/runner/work/ganache-ui/ganache-ui/build/dmg/background.tiff
pixelHeight: 498
pixelWidth: 658
• building block map blockMapFile=dist/Ganache-2.7.2-mac.dmg.blockmap
• uploading file=Ganache-2.7.2-mac.dmg.blockmap provider=github
• uploading file=Ganache-2.7.2-mac.dmg provider=github
• overwrite published file file=Ganache-2.7.2-mac.dmg.blockmap reason=already exists on GitHub
• overwrite published file file=Ganache-2.7.2-mac.dmg reason=already exists on GitHub
• overwrite published file file=latest-mac.yml reason=already exists on GitHub
full logs here: https://github.com/trufflesuite/ganache-ui/actions/runs/6058926364/job/16441511002#step:11:4295
About this issue
- Original URL
- State: open
- Created 10 months ago
- Reactions: 2
- Comments: 18 (2 by maintainers)
@mfranzs, looks like you’re running into https://github.com/nodejs/node-gyp/issues/2713.
This symlinking behavior was introduced with only good intentions … (by me, sorry!) in node-gyp 9.1.0, and a fix has landed on node-gyp
mainbranch since thenbut hasn’t been released in any new tagged version of node-gyp just yet… [UPDATE: It’s included in node-gyp 10, which is in npm 10.2.2 or newer.]The solution is to use older node-gyp [UPDATE: or node-gyp 10 or newer], or use the revision of node-gyp straight from its
mainbranchuntil a newer release is put out…Most people get node-gyp bundled with npm, so your easiest point of control over this is to use a copy of npm that bundles node-gyp older than 9.1.0… So, based on the changes in npm’s
package.jsonwhen the node-gyp version was bumped… (blame view) You can try downgrading npm to 8.16.0 or older, and see if that makes the problem go away?[UPDATE: Or upgrade to npm 10.2.2 or newer.]
And longer-term, I really hope node-gyp puts out a newer version and npm adopts it, soon![UPDATE: Done!]EDIT: I see you commented on the pending release PR over at node-gyp repo. I guess this info isn’t news to you, then. And once again, sorry for not foreseeing the breakage the symlinking would cause.
@davidmurdoch Alright, I take this back slightly.
One of our awesome developers was able to find the exact cause, and fix our issues with a single commit diff.
Turns out the solution wasn’t removing
setup-nodeit lied withinsetup-python.Seems that our version of
3.10Python (Which we used due to some issues with a specific version ofnode-gypwe were using, but have since upgraded. But when we bumped to Python3.11we were able to resolve our issues!So I hope this helps you, feel free to take a look at their PR that fixes this here: https://github.com/pulsar-edit/pulsar/pull/743
@davidmurdoch I want to let you know, we just had a successful build on GitHub Actions with
electron-builderon macOS, by one weird thing.We skipped the
setup-nodeaction and instead installed it via HomeBrew. We also did this forgit, andpythonbut we are thinking it likely has something to do with NodeJS.So I hope our workflow may prove to be useful to you as well!
@DeeDeeG. Downgrading to
npm@8.16.0worked! It broke my windows build though (npm cinow fails), so I have to conditionally downgrade based on the OS.Hey -
We’re running into this same issue. For us, the problem is that
node-gypis internally linking to a python3 absolute-path symlink on our build instance.You can run
syspolicy_check distribution YourAppName.appto see the bad file.We’re trying to delete this bad symlink to see if that fixes the issue. Not sure if it will work yet, but it sounds similar to what you found!
@mmaietta I really do appreciate your support here, even if not your primary area of focus.
I’ll go ahead and give a try to what you’ve suggested, but I really appreciate your time!