Hardened signed app not working: `container requires user-preference-write or file-write-data sandbox access`
Problem:
Starting with macOS 10.14.5, Apple requires applications to be hardened-signed, uploaded to their notary service and stapled to be able to get verified by Gatekeeper to run.
Signing an Electron application the "hardened" way (tested with electron-osx-sign version 0.4.11) will result in the application being signed successfully, but it cannot be run on either macOS 10.14.5 (most recent) or older versions (tested with 10.14.4).
Reproducing the problem:
1. Using electron-quick-start as reference project by cloning it and installing its dependencies to get it up and running:
git clone https://github.com/electron/electron-quick-start.git && cd electron-quick-start && npm i
2. Installing electron-builder
The current release of electron-builder (version 20.41.0) enables passing down the --hardened-runtime flag, but for this example we are going to disable signing in electron-builder and run electron-osx-sign manually after building the app!
npm i -D electron-builder
3. Preparing the files needed for signing
Creating entitlements.mac.plist in the project directory and adding the entitlements needed for hardened signing to it:
- Creating directory:
mkdir build
- Creating plist file:
touch build/entitlements.mac.plist
- Adding the following content to build/entitlements.mac.plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
<true/>
<key>com.apple.security.automation.apple-events</key>
<true/>
<key>com.apple.security.cs.allow-jit</key>
<true/>
<key>com.apple.security.app-sandbox</key>
<true/>
<key>com.apple.security.application-groups</key>
<array>
<string>TEAMID_MATCHING_CERTIFICATE.com.electronQuickStart.app</string>
</array>
</dict>
</plist>
- Creating inherit plist file:
touch build/entitlements.inherit.mac.plist
- Adding the following content to build/entitlements.inherit.mac.plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.app-sandbox</key>
<true/>
<key>com.apple.security.inherit</key>
<true/>
</dict>
</plist>
Also adding the appId to package.json:
...
"build": {
"mac": {
"appId": "com.electronQuickStart.app"
}
}
4. Building application without signing:
npx electron-builder build -m -c.mac.identity=null
5. Extracting .app and signing it with electron-osx-sign
- Extract .app:
unzip dist/electron-quick-start-1.0.0-mac.zip
- Sign .app:
npx electron-osx-sign "./electron-quick-start.app" --platform=darwin --type=distribution --identity="Developer ID Application: CERTIFICATE IDENTITY" --entitlements="./build/entitlements.mac.plist" --entitlements-inherit="./build/entitlements.inherit.mac.plist" --provisioning-profile="/PATH_TO/PROVISIONPROFILE.provisionprofile" --hardened-runtime --version="5.0.0"
6. Starting the application:
First, start Console.app and clear the current output to be able to monitor the error output the signed app will create.
Start the signed application via Finder or with open electron-quick-start.app from the project dir.
Error Output:
The app will start and then silently crash, showing the following errors in Console.app:
process cfprefsd:
rejecting read of { kCFPreferencesAnyApplication, kCFPreferencesAnyUser, kCFPreferencesCurrentHost, no container, managed: 0 } from process 83356 because accessing preferences outside an application's container requires user-preference-read or file-read-data sandbox access
process taskgated-helper:
Couldn't read values in CFPrefsPlistSource<0x7fbff7f2c0a0> (Domain: kCFPreferencesAnyApplication, User: kCFPreferencesAnyUser, ByHost: Yes, Container: (null), Contents Need Refresh: Yes): accessing preferences outside an application's container requires user-preference-read or file-read-data sandbox access
process taskgated-helper:
com.electronQuickStart.app: Unsatisfied entitlements: com.apple.security.application-groups, com.apple.application-identifier
process taskgated-helper:
Disallowing: com.electronQuickStart.app
The following two outputs from kernel appear multiple times (around 10 times each):
process kernel:
Sandbox: electron-quick-s(83355) deny(1) mach-lookup com.apple.GameController.gamecontrollerd
process kernel:
Sandbox: electron-quick-s(83358) deny(1) mach-lookup com.apple.powerlog.plxpclogger.xpc
Does anyone experience similar issues?
EDIT:
Adding the following to build/entitlements.mac.plist removes the errors regarding GameController and powerlog:
<key>com.apple.security.temporary-exception.mach-lookup.global-name</key>
<array>
<string>com.apple.GameController.gamecontrollerd</string>
<string>com.apple.powerlog.plxpclogger.xpc</string>
</array>
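As an added example (not from the issue, electron-osx-sign or electron-builder), a small Python linter over the two entitlements plists above: it flags the application-groups entitlement, which must carry the signing Team ID prefix and be granted by an embedded provisioning profile (the "Unsatisfied entitlements" line from taskgated), the temporary mach-lookup exception added in the EDIT, which widens the sandbox rather than fixing the cause, the hardened-runtime relaxations, and checks that the inherit plist carries only the two keys Apple allows for inheriting helpers. The plist bytes are constructed from the issue and the Team ID is a placeholder.

```python
import plistlib

# Constructed sample input: the issue's main entitlements plus the EDIT's
# temporary exception, with the issue's placeholder Team ID prefix.
MAIN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/>
<key>com.apple.security.cs.allow-jit</key><true/>
<key>com.apple.security.app-sandbox</key><true/>
<key>com.apple.security.application-groups</key>
<array><string>TEAMID_MATCHING_CERTIFICATE.com.electronQuickStart.app</string></array>
<key>com.apple.security.temporary-exception.mach-lookup.global-name</key>
<array><string>com.apple.powerlog.plxpclogger.xpc</string></array>
</dict></plist>"""

# Constructed sample input: the issue's inherit plist.
INHERIT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>com.apple.security.app-sandbox</key><true/>
<key>com.apple.security.inherit</key><true/>
</dict></plist>"""

# Hardened-runtime keys that switch a protection off. Electron's V8 normally
# needs allow-jit and allow-unsigned-executable-memory; report them anyway.
RUNTIME_RELAXATIONS = ("com.apple.security.cs.allow-jit",
                       "com.apple.security.cs.allow-unsigned-executable-memory",
                       "com.apple.security.cs.disable-library-validation")

def lint_entitlements(data: bytes, team_id: str, inherit: bool = False) -> list:
    """Return (code, detail) findings for one entitlements plist."""
    ents = plistlib.loads(data)
    out = []
    if inherit:
        # A helper that inherits the parent's sandbox may carry only these two keys.
        extra = set(ents) - {"com.apple.security.app-sandbox", "com.apple.security.inherit"}
        if extra or ents.get("com.apple.security.inherit") is not True:
            out.append(("INHERIT_SHAPE", sorted(extra)))
        return out
    groups = ents.get("com.apple.security.application-groups", [])
    if ents.get("com.apple.security.app-sandbox") is True and groups:
        # Group IDs must start with the signing Team ID, and the entitlement must be
        # granted by the embedded provisioning profile or taskgated disallows the app.
        out.append(("NEEDS_PROFILE", "com.apple.security.application-groups"))
        out.extend(("GROUP_TEAM_ID", g) for g in groups if not g.startswith(team_id + "."))
    for key in ents:
        if key.startswith("com.apple.security.temporary-exception."):
            out.append(("TEMP_EXCEPTION", key))  # widens the sandbox; review each entry
    out.extend(("RUNTIME_RELAXED", k) for k in RUNTIME_RELAXATIONS if ents.get(k) is True)
    return out
```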
Top GitHub Comments
@puresick it’s fine, I’m working on this problem, I’ll let you know the progress if any.
@dadiorchen Unfortunately, I am not working at the company anymore where I worked on the project this error occurred. Also I cannot recall for sure what I did back then, sorry. 😦