Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Invalid Signature and signed app isn't running correctly

See original GitHub issue

Sorry in advance if I overlooked something obvious. I’ve tried to make this work for some hours now, and I’m out of ideas.

I developed a Mac app using electron and everything works as expected after packaging with electron-packager. Now I want to submit the app to the mac app store.

After packaging I’m signing the app using electron-osx-sign --identity="xyz" name.app and then I’m flattening it with electron-osx-flat --identity="xyz" name.app (it doesn’t work without me specifying the identity, although this is the first app that I’m signing) and submit the created .pkg file to Application Loader.

The first problem is that the signed .app file doesn’t work correctly anymore. If I try to execute it, the app starts with a window it usually doesn’t have and doesn’t respond at all:

I’m not sure if I’m still supposed to be able to execute apps that were signed for the MAS, so maybe this is just expected behaviour? Otherwise this may hint to something going wrong when signing.

The second problem: Application Loader accepts the .pkg file without any errors and uploads it to iTunes, but afterwards I get an email stating this error:

Invalid Signature - This error occurs when you have signed your app’s installer incorrectly. There are two certs required for this process: the “3rd Party Mac Developer Application” cert and the “3rd Party Mac Developer Installer” cert. When signing your package, you need to ensure that you are using the Installer cert to sign your package. Ensure that you are specifying this cert when submitting your app via the Xcode Organizer or when running productbuild from the command line.

I do have those two certs and when signing/flattening several certs were requested, so I’m not sure what’s going wrong. I’m not calling productbuild myself, electron-osx-flat is doing that right?

Do you guys have any idea what I might do wrong?

(The xyz in --identity="xyz" from above is the string in the parentheses of "3rd Party Mac Developer Installer: myname (xyz)".)

Issue Analytics

State:
Created 7 years ago
Comments:46 (23 by maintainers)

Top GitHub Comments

2reactions

floriancommented, Jun 27, 2016

Yeah, I just did that and it worked. 😃 Finally! However I wasn’t sure what default entitlements from this repo I should extend, default.entitlements.mas.inherit.plist or default.entitlements.mas.plist?

And after all, there also seems to be a bug in electron-packager, right? The signing is only working when using electron-osx-sign on its own.

1reaction

floriancommented, Jul 3, 2016

I submitted the HN app to the MAS today and everything seemed to work fine. So it looks like the original issue is solved 😃

@sethlu This isn’t regarding electron-osx-sign not working, but I thought I’d ask you since you seem to be very knowledgeable with signing/entitlements. I’ll try on StackOverflow if you don’t have any advice or no time for this. So feel free to ignore this if you don’t want to spend time on it. 😃

My app executes AppleScript, e.g. to copy the currently selected text to the clipboard. Executing AppleScript in node is only possible by using /usr/bin/osascript. I’ve spent quite some time trying different entitlements, but I found none that stop this console errors:

03.07.16 21:06:06,358 appleeventsd[61]: rdar://problem/11489077 A sandboxed application with pid 30507, “osascript” checked in with appleeventsd, but its code signature could not be read and validated by appleeventsd, and so it cannot receive AppleEvents targeted by name, bundle id, or signature. Install the application in /Applications/ or some other world readable location to resolve this issue. Error=ERROR: #100001 { “NSDescription”=“SecCodeCopyGuestWithAttributes() returned 100001, -.” } (handleMessage()/appleEventsD.cp #2098) com.apple.root.default-qos 03.07.16 21:06:06,403 sandboxd[146]: ([61]) appleeventsd(61) deny file-read-data /usr/bin 03.07.16 21:06:06,434 sandboxd[146]: ([61]) appleeventsd(61) deny file-read-metadata /usr/bin 03.07.16 21:06:06,465 sandboxd[146]: ([61]) appleeventsd(61) deny file-read-data /usr/bin/osascript

I guess the problem is also that running /usr/bin/osascript spawns a new process that doesn’t have the same entitlements.

My entitlements:

    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
    <key>com.apple.security.scripting-targets</key>
    <dict>
        <key>com.apple.systemevents</key>
        <true/>
    </dict>

The AppleScripts tell “System Events” to do stuff, thus the scripting target.

Top Results From Across the Web

Invalid Signature and signed app isn't running correctly #61

Invalid Signature - This error occurs when you have signed your app's installer incorrectly. There are two certs required for this process: the ......

How to troubleshoot app package signature errors - Win32 apps

Step 1: Examine event logs for diagnostic information · Step 2: Determine the certificate chain used to sign the app package · Step...

Invalid Signature - This error occ… | Apple Developer Forums

Invalid Signature - This error occurs when you have signed your app's installer incorrectly. There are two certs required for this process: the...

Invalid Signature Code object is not signed at all for Pythonista

This is a pretty common error and I find it's often caused by Info.plist being misconfigured. Check CFBundleExecutable matches the name of ...

How To Fix Error “iTunes Has An Invalid Signature” - iKream

SOLUTION 2: Change Security Settings · On your windows computer, press Windows + R (Run). · Type in inetcpl. · In the internet...