Signed app should allow JIT on correct helpers to not crash

After I signed my application, a blank screen is displayed when I launch it. Could you give me some advice on fixing this problem? The problem only occurs on macOS 10.14 (Mojave); the app runs normally on other versions of macOS. By the way, I’m using electron-packager to package my app and electron-osx-sign to sign it.

electron: 1.7.9
electron-packager: 8.7.2
electron-osx-sign: 0.4.11

I sign my app with the following command:

electron-osx-sign "xxx.app" --platform=darwin --type=distribution --identity="Developer ID Application: xxx (xxxxx)" --keychain="xxx.keychain" --entitlements="entitlements.plist" --hardened-runtime

I’m attempting to distribute my app outside the Mac App Store, and I don’t want to enable App Sandbox.

entitlements.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
    <key>com.apple.security.cs.disable-executable-page-protection</key>
    <true/>
  </dict>
</plist>

The final result: ① sign -> success ② launch -> blank screen ③ notarization -> success


Then I signed two versions (v1.7.9 and v4.0.1) of the Electron sample application (electron-quick-start). When I launch these two applications, the blank-screen problem still occurs. P.S. This problem still only occurs on macOS 10.14 (Mojave).

electron: 1.7.9 / 4.0.1
electron-packager: 13.0.1
electron-osx-sign: 0.4.11

I package these two apps with the following command:

node release.js

release.js

var packager = require('electron-packager');
var config = require('./package.json');
var app_name = 'xxxxx';

packager({
    dir: './',
    out: './dist/osx',
    name: app_name,
    platform: 'darwin',
    arch: 'x64',
    icon: './Appicon.icns',
 
    'appBundleId': 'xx.xxx.app',
    'appVersion': config.version,
    'appCopyright': 'Copyright (c) xxxx All rights reserved.',
    appCategoryType: 'public.app-category.graphics-design',
    overwrite: true,
    asar: {unpackDir: 'testUnpack'},
    prune: true,
    ignore: 'unpacked|node_modules/(electron-packager|electron|\.bin)|release\.js',
    electronVersion: 'x.x.x'
}).then(function (appPaths) {
    console.log('\n' + appPaths + ' Done!\n');
}).catch(function (err) {
    if(err) {
        throw new Error(err);
    }
});

p.s. ① v1.7.9: app_name -> ‘sample(current_v1.7.9)’ electronVersion -> ‘1.7.9’ ② v4.0.1: app_name -> ‘sample(latest_v4.0.1)’ electronVersion -> ‘4.0.1’

I sign these two apps with the following commands:

(1) export DEBUG=electron-osx-sign*
(2) electron-osx-sign "xxx.app" --platform=darwin --type=distribution --identity="Developer ID Application: xxx (xxxxx)" --keychain="xxx.keychain" --entitlements="entitlements.plist" --hardened-runtime > sample.log

entitlements.plist

It’s the same as the file above (entitlements.plist).

sample1_7_9.log

  electron-osx-sign electron-osx-sign@0.4.11 +0ms
  electron-osx-sign `identity` passed in arguments. +25ms
  electron-osx-sign Executing... security find-identity -v /Library/Keychains/xxx.keychain +1ms
  electron-osx-sign Identity: 
 > Name: Developer ID Application: xxx (xxxxx) 
 > Hash: 6E53C45AD76F3B1BFDFCC3E39A22082C1847FEEE +68ms
  electron-osx-sign Found 1 identity. +0ms
  electron-osx-sign Pre-sign operation enabled for provisioning profile: 
 * Disable by setting `pre-embed-previsioning-profile` to `false`. +1ms
  electron-osx-sign Pre-sign operation enabled for entitlements automation with versions >= `1.1.1`: 
 * Disable by setting `pre-auto-entitlements` to `false`. +0ms
  electron-osx-sign No `provisioning-profile` passed in arguments, will find in current working directory and in user library... +0ms
  electron-osx-sign No provisioning profile found, will not embed profile in app contents. +2ms
  electron-osx-sign Automating entitlement app group... 
 > Info.plist: sample(current_v1.7.9).app/Contents/Info.plist 
 > Entitlements: entitlements.plist +0ms
  electron-osx-sign Signing application... 
 > Application: sample(current_v1.7.9).app 
 > Platform: darwin 
 > Entitlements: entitlements.plist 
 > Child entitlements: /usr/local/lib/node_modules/electron-osx-sign/default.entitlements.darwin.inherit.plist 
 > Additional binaries: [] 
 > Identity: { name: 'Developer ID Application: xxx (xxxxx)',
  hash: '6E53C45AD76F3B1BFDFCC3E39A22082C1847FEEE' } +6ms
  electron-osx-sign Walking... sample(current_v1.7.9).app/Contents +2ms
  electron-osx-sign Signing... sample(current_v1.7.9).app/Contents/Frameworks/Electron Framework.framework/Versions/A/Electron Framework +20ms
  electron-osx-sign Executing... codesign --sign 6E53C45AD76F3B1BFDFCC3E39A22082C1847FEEE --force --keychain /Library/Keychains/xxx.keychain --options runtime --entitlements /usr/local/lib/node_modules/electron-osx-sign/default.entitlements.darwin.inherit.plist sample(current_v1.7.9).app/Contents/Frameworks/Electron Framework.framework/Versions/A/Electron Framework +0ms
  electron-osx-sign Signing... sample(current_v1.7.9).app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libffmpeg.dylib +3s
  electron-osx-sign Executing... codesign --sign 6E53C45AD76F3B1BFDFCC3E39A22082C1847FEEE --force --keychain /Library/Keychains/xxx.keychain --options runtime --entitlements /usr/local/lib/node_modules/electron-osx-sign/default.entitlements.darwin.inherit.plist sample(current_v1.7.9).app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libffmpeg.dylib +0ms
  electron-osx-sign Signing... sample(current_v1.7.9).app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libnode.dylib +401ms
  electron-osx-sign Executing... codesign --sign 6E53C45AD76F3B1BFDFCC3E39A22082C1847FEEE --force --keychain /Library/Keychains/xxx.keychain --options runtime --entitlements /usr/local/lib/node_modules/electron-osx-sign/default.entitlements.darwin.inherit.plist sample(current_v1.7.9).app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libnode.dylib +0ms
  electron-osx-sign Signing... sample(current_v1.7.9).app/Contents/Frameworks/Electron Framework.framework/Versions/A/Resources/crashpad_handler +996ms
  electron-osx-sign Executing... codesign --sign 6E53C45AD76F3B1BFDFCC3E39A22082C1847FEEE --force --keychain /Library/Keychains/xxx.keychain --options runtime --entitlements /usr/local/lib/node_modules/electron-osx-sign/default.entitlements.darwin.inherit.plist sample(current_v1.7.9).app/Contents/Frameworks/Electron Framework.framework/Versions/A/Resources/crashpad_handler +1ms
  electron-osx-sign Signing... sample(current_v1.7.9).app/Contents/Frameworks/Electron Framework.framework +341ms
  electron-osx-sign Executing... codesign --sign 6E53C45AD76F3B1BFDFCC3E39A22082C1847FEEE --force --keychain /Library/Keychains/xxx.keychain --options runtime --entitlements /usr/local/lib/node_modules/electron-osx-sign/default.entitlements.darwin.inherit.plist sample(current_v1.7.9).app/Contents/Frameworks/Electron Framework.framework +0ms
  electron-osx-sign Signing... sample(current_v1.7.9).app/Contents/Frameworks/Mantle.framework/Versions/A/Mantle +3s
  electron-osx-sign Executing... codesign --sign 6E53C45AD76F3B1BFDFCC3E39A22082C1847FEEE --force --keychain /Library/Keychains/xxx.keychain --options runtime --entitlements /usr/local/lib/node_modules/electron-osx-sign/default.entitlements.darwin.inherit.plist sample(current_v1.7.9).app/Contents/Frameworks/Mantle.framework/Versions/A/Mantle +0ms
  electron-osx-sign Signing... sample(current_v1.7.9).app/Contents/Frameworks/Mantle.framework +732ms
  electron-osx-sign Executing... codesign --sign 6E53C45AD76F3B1BFDFCC3E39A22082C1847FEEE --force --keychain /Library/Keychains/xxx.keychain --options runtime --entitlements /usr/local/lib/node_modules/electron-osx-sign/default.entitlements.darwin.inherit.plist sample(current_v1.7.9).app/Contents/Frameworks/Mantle.framework +1ms
  electron-osx-sign Signing... sample(current_v1.7.9).app/Contents/Frameworks/ReactiveCocoa.framework/Versions/A/ReactiveCocoa +735ms
  electron-osx-sign Executing... codesign --sign 6E53C45AD76F3B1BFDFCC3E39A22082C1847FEEE --force --keychain /Library/Keychains/xxx.keychain --options runtime --entitlements /usr/local/lib/node_modules/electron-osx-sign/default.entitlements.darwin.inherit.plist sample(current_v1.7.9).app/Contents/Frameworks/ReactiveCocoa.framework/Versions/A/ReactiveCocoa +0ms
  electron-osx-sign Signing... sample(current_v1.7.9).app/Contents/Frameworks/ReactiveCocoa.framework +364ms
  electron-osx-sign Executing... codesign --sign 6E53C45AD76F3B1BFDFCC3E39A22082C1847FEEE --force --keychain /Library/Keychains/xxx.keychain --options runtime --entitlements /usr/local/lib/node_modules/electron-osx-sign/default.entitlements.darwin.inherit.plist sample(current_v1.7.9).app/Contents/Frameworks/ReactiveCocoa.framework +0ms
  electron-osx-sign Signing... sample(current_v1.7.9).app/Contents/Frameworks/Squirrel.framework/Versions/A/Resources/ShipIt +362ms
  electron-osx-sign Executing... codesign --sign 6E53C45AD76F3B1BFDFCC3E39A22082C1847FEEE --force --keychain /Library/Keychains/xxx.keychain --options runtime --entitlements /usr/local/lib/node_modules/electron-osx-sign/default.entitlements.darwin.inherit.plist sample(current_v1.7.9).app/Contents/Frameworks/Squirrel.framework/Versions/A/Resources/ShipIt +0ms
  electron-osx-sign Signing... sample(current_v1.7.9).app/Contents/Frameworks/Squirrel.framework/Versions/A/Squirrel +737ms
  electron-osx-sign Executing... codesign --sign 6E53C45AD76F3B1BFDFCC3E39A22082C1847FEEE --force --keychain /Library/Keychains/xxx.keychain --options runtime --entitlements /usr/local/lib/node_modules/electron-osx-sign/default.entitlements.darwin.inherit.plist sample(current_v1.7.9).app/Contents/Frameworks/Squirrel.framework/Versions/A/Squirrel +0ms
  electron-osx-sign Signing... sample(current_v1.7.9).app/Contents/Frameworks/Squirrel.framework +735ms
  electron-osx-sign Executing... codesign --sign 6E53C45AD76F3B1BFDFCC3E39A22082C1847FEEE --force --keychain /Library/Keychains/xxx.keychain --options runtime --entitlements /usr/local/lib/node_modules/electron-osx-sign/default.entitlements.darwin.inherit.plist sample(current_v1.7.9).app/Contents/Frameworks/Squirrel.framework +0ms
  electron-osx-sign Signing... sample(current_v1.7.9).app/Contents/Frameworks/sample(current_v1.7.9) Helper EH.app/Contents/MacOS/sample(current_v1.7.9) Helper EH +350ms
  electron-osx-sign Executing... codesign --sign 6E53C45AD76F3B1BFDFCC3E39A22082C1847FEEE --force --keychain /Library/Keychains/xxx.keychain --options runtime --entitlements /usr/local/lib/node_modules/electron-osx-sign/default.entitlements.darwin.inherit.plist sample(current_v1.7.9).app/Contents/Frameworks/sample(current_v1.7.9) Helper EH.app/Contents/MacOS/sample(current_v1.7.9) Helper EH +0ms
  electron-osx-sign Signing... sample(current_v1.7.9).app/Contents/Frameworks/sample(current_v1.7.9) Helper EH.app +335ms
  electron-osx-sign Executing... codesign --sign 6E53C45AD76F3B1BFDFCC3E39A22082C1847FEEE --force --keychain /Library/Keychains/xxx.keychain --options runtime --entitlements /usr/local/lib/node_modules/electron-osx-sign/default.entitlements.darwin.inherit.plist sample(current_v1.7.9).app/Contents/Frameworks/sample(current_v1.7.9) Helper EH.app +1ms
  electron-osx-sign Signing... sample(current_v1.7.9).app/Contents/Frameworks/sample(current_v1.7.9) Helper NP.app/Contents/MacOS/sample(current_v1.7.9) Helper NP +349ms
  electron-osx-sign Executing... codesign --sign 6E53C45AD76F3B1BFDFCC3E39A22082C1847FEEE --force --keychain /Library/Keychains/xxx.keychain --options runtime --entitlements /usr/local/lib/node_modules/electron-osx-sign/default.entitlements.darwin.inherit.plist sample(current_v1.7.9).app/Contents/Frameworks/sample(current_v1.7.9) Helper NP.app/Contents/MacOS/sample(current_v1.7.9) Helper NP +1ms
  electron-osx-sign Signing... sample(current_v1.7.9).app/Contents/Frameworks/sample(current_v1.7.9) Helper NP.app +334ms
  electron-osx-sign Executing... codesign --sign 6E53C45AD76F3B1BFDFCC3E39A22082C1847FEEE --force --keychain /Library/Keychains/xxx.keychain --options runtime --entitlements /usr/local/lib/node_modules/electron-osx-sign/default.entitlements.darwin.inherit.plist sample(current_v1.7.9).app/Contents/Frameworks/sample(current_v1.7.9) Helper NP.app +0ms
  electron-osx-sign Signing... sample(current_v1.7.9).app/Contents/Frameworks/sample(current_v1.7.9) Helper.app/Contents/MacOS/sample(current_v1.7.9) Helper +340ms
  electron-osx-sign Executing... codesign --sign 6E53C45AD76F3B1BFDFCC3E39A22082C1847FEEE --force --keychain /Library/Keychains/xxx.keychain --options runtime --entitlements /usr/local/lib/node_modules/electron-osx-sign/default.entitlements.darwin.inherit.plist sample(current_v1.7.9).app/Contents/Frameworks/sample(current_v1.7.9) Helper.app/Contents/MacOS/sample(current_v1.7.9) Helper +0ms
  electron-osx-sign Signing... sample(current_v1.7.9).app/Contents/Frameworks/sample(current_v1.7.9) Helper.app +335ms
  electron-osx-sign Executing... codesign --sign 6E53C45AD76F3B1BFDFCC3E39A22082C1847FEEE --force --keychain /Library/Keychains/xxx.keychain --options runtime --entitlements /usr/local/lib/node_modules/electron-osx-sign/default.entitlements.darwin.inherit.plist sample(current_v1.7.9).app/Contents/Frameworks/sample(current_v1.7.9) Helper.app +0ms
  electron-osx-sign Signing... sample(current_v1.7.9).app +340ms
  electron-osx-sign Executing... codesign --sign 6E53C45AD76F3B1BFDFCC3E39A22082C1847FEEE --force --keychain /Library/Keychains/xxx.keychain --options runtime --entitlements entitlements.plist sample(current_v1.7.9).app +0ms
  electron-osx-sign Verifying... +357ms
  electron-osx-sign Verifying application bundle with codesign... +1ms
  electron-osx-sign Executing... codesign --verify --deep --strict --verbose=2 sample(current_v1.7.9).app +0ms
  electron-osx-sign Verifying Gatekeeper acceptance for darwin platform... +958ms
  electron-osx-sign Executing... spctl --assess --type execute --verbose --ignore-cache --no-cache sample(current_v1.7.9).app +0ms
  electron-osx-sign Verified. +828ms
  electron-osx-sign Displaying entitlements... +0ms
  electron-osx-sign Executing... codesign --display --entitlements :- sample(current_v1.7.9).app +0ms
  electron-osx-sign Entitlements: 
 <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
    <key>com.apple.security.cs.disable-executable-page-protection</key>
    <true/>
  </dict>
</plist>

 +40ms
  electron-osx-sign Application signed. +0ms
  electron-osx-sign Application signed: sample(current_v1.7.9).app +0ms
Application signed: sample(current_v1.7.9).app

sample4_0_1.log

This log file is basically the same as sample1_7_9.log except the app name

Issue Analytics

  • State: closed
  • Created 4 years ago
  • Comments: 30 (8 by maintainers)

Top GitHub Comments

11 reactions
d-j-t commented, Apr 16, 2019

I have been able to reproduce this issue, getting a blank electron window after signing with the hardened runtime flag enabled.

I have found that setting the “entitlements-inherit” option along with the “entitlements” option, as below, allows my application to be signed successfully. The application is working correctly and can be notarized successfully.

app.entitlements (set these as required)

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.cs.allow-jit</key>
    <true/>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
    <key>com.apple.security.cs.disable-executable-page-protection</key>
    <true/>
  </dict>
</plist>

And call the API using the following:

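const sign = require('electron-osx-sign');

// Sign the app bundle and its nested binaries with the same entitlements file.
sign({
  app: 'myApp.app',
  platform: 'darwin',
  type: 'distribution',
  'hardened-runtime': true,
  entitlements: 'app.entitlements',
  // Used for nested binaries (helpers, frameworks) in place of the default inherit plist.
  'entitlements-inherit': 'app.entitlements'
}, function done (err) {
  if (err) {
    console.log(err);
    return;
  }
  console.log('Application signed');
});
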
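The signing log in the issue shows every helper signed with `--options runtime` and the tool's default inherit plist, which is the condition the comment above changes. The following is an added example (not code from the thread or from electron-osx-sign) that audits such a debug log and reports hardened-runtime `.app` signatures whose entitlements file lacks `com.apple.security.cs.allow-jit`. The sample log, the file names `inherit.plist` and `app.plist`, their contents, and the rule "every `.app` bundle needs JIT" are assumptions made for the illustration.

```javascript
const JIT_KEY = 'com.apple.security.cs.allow-jit';

// Names of the entitlement keys set to <true/> in a plist's XML text.
function grantedEntitlements(plistXml) {
  const re = /<key>([^<]+)<\/key>\s*<true\s*\/>/g;
  return [...plistXml.matchAll(re)].map((m) => m[1]);
}

// Pull every signing invocation out of a DEBUG=electron-osx-sign* log.
// Assumption: the --entitlements path contains no spaces, because the log
// prints the command unquoted. The target path may contain spaces.
function parseSignCommands(logText) {
  const re = /Executing\.\.\. codesign --sign \S+ (.*?)--entitlements (\S+) (.+?) \+\d+m?s\s*$/;
  const cmds = [];
  for (const line of logText.split('\n')) {
    const m = re.exec(line);
    if (!m) continue; // skips --verify, --display and non-codesign lines
    cmds.push({
      hardened: /--options runtime\b/.test(m[1]),
      entitlements: m[2],
      target: m[3],
    });
  }
  return cmds;
}

// Hardened-runtime signatures on .app bundles (main app and helpers) whose
// entitlements omit allow-jit. `plists` maps an entitlements path as it
// appears in the log to the XML text of that file.
function findJitGaps(logText, plists) {
  return parseSignCommands(logText)
    .filter((c) => c.hardened && /\.app$/.test(c.target))
    .filter((c) => !grantedEntitlements(plists[c.entitlements] || '').includes(JIT_KEY))
    .map((c) => ({ target: c.target, entitlements: c.entitlements }));
}

// Constructed sample input, modelled on the log format shown in the issue.
const SIGN = '  electron-osx-sign Executing... codesign --sign ABCDEF0123 --force --options runtime';
const SAMPLE_LOG = [
  `${SIGN} --entitlements inherit.plist demo.app/Contents/Frameworks/Electron Framework.framework +0ms`,
  `${SIGN} --entitlements inherit.plist demo.app/Contents/Frameworks/demo Helper.app +1ms`,
  `${SIGN} --entitlements app.plist demo.app +3s`,
  '  electron-osx-sign Executing... codesign --verify --deep --strict --verbose=2 demo.app +0ms',
].join('\n');

// Builds a minimal plist body that sets each given key to <true/>.
const plist = (...keys) =>
  `<plist version="1.0"><dict>${keys.map((k) => `<key>${k}</key><true/>`).join('')}</dict></plist>`;

// Constructed file contents; the real default inherit plist is not shown on the page.
const SAMPLE_PLISTS = {
  'inherit.plist': plist('com.apple.security.cs.disable-library-validation'),
  'app.plist': plist(JIT_KEY, 'com.apple.security.cs.disable-library-validation'),
};

console.log(findJitGaps(SAMPLE_LOG, SAMPLE_PLISTS));
```

To run it against a real build, read the saved log and each plist path it names into `plists` and pass both to `findJitGaps`.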
6 reactions
semireg commented, Jul 20, 2019

My issue was stemming from both sandbox and hardening being active in the build. I am working on offering my app outside the App Store, which is why I’m exploring notarization. Because of this, I assumed that because my app is already sandboxed, I should try to add hardening… but it seems that they are mutually exclusive at the moment. Further, reading about both of these (sandbox & hardening) at https://lapcatsoftware.com/articles/hardened-runtime-sandboxing.html makes me feel like I can continue to offer a sandboxed-only version in the App Store, and a hardened-only version outside the App Store. Electron-builder doesn’t make this easy, and perhaps I need to open another ticket there, but I’ll quickly describe the setup that allows me to build MAS (sandboxed-only) and MAC builds (hardened-only) side by side.

package.json scripts:

"package-mac": "npm run build && build --mac zip",
"package-mas": "npm run build && build --mac mas mas-dev --config.afterSign=build/do-nothing.js --config.mac.hardenedRuntime=false",

It’s not ideal to set afterSign to “do-nothing.js” but… =null (“null”), =undefined (“undefined”) and just plain = (‘’) results in strings.

package.json build:

"mac": {
      "category": "public.app-category.productivity",
      "target": [
        "mas",
        "mas-dev",
        "zip"
      ],
      "hardenedRuntime": true,
      "entitlements": "build/entitlements-lll.plist",
      "entitlementsInherit": "build/entitlements-lll.plist",
      "gatekeeperAssess": false
    },
    "afterSign": "build/notarize.js",
    "mas": {
      "provisioningProfile": "build/embeddedyesmas.provisionprofile",
      "entitlements": "build/entitlements-sandbox.plist",
      "entitlementsInherit": "build/entitlements-inherit.plist"
    },

entitlements-lll.plist (these 3, plus my normal entitlements for app-specific behavior)

<key>com.apple.security.cs.allow-jit</key>
<true/>
<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
<true/>
<key>com.apple.security.cs.disable-library-validation</key>
<true/>

entitlements-sandbox.plist (this 1 for sandboxing, plus my normal entitlements for app-specific behavior)

<key>com.apple.security.app-sandbox</key>
<true/>

entitlements-inherit.plist (just the default, only two, that’s it)

    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.inherit</key>
    <true/>

I hope this helps someone get both sandboxing and hardening setup with their builds. I’m eager to simplify this setup because overriding like this is a pain.
