Hardened runtime causes app to crash on open. (Signed and notarized)

  • Versions:
    electron: 5.0.6
    electron-builder: 21.0.11
    electron-notarize: 0.1.1
    electron-webpack: 2.7.4

  • Working on: macOS Catalina 10.15 Beta 3 (19A501i), Xcode 11 beta 3

  • What I’m trying to do: Sign and notarize an Electron, web-packed, React desktop application for distribution outside the Mac store.

  • Problem and exact case of error:

  1. Build the app unsigned, unnotarized, no hardened runtime: runs ✅
  2. Build the app signed, no hardened runtime: runs ✅
  3. Build the app signed, hardened runtime: (build and sign successful) error below when opening app ❌
  4. Build the app signed, hardened runtime, notarize: (build, sign and notarize successful) error below when opening app ❌

  • In both the error cases I’ve run:

1/ Verify code signing ✅

test.app: valid on disk
test.app: satisfies its Designated Requirement

2/ Verify code notarization ✅

test.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: XXX, Inc. (XXXXXXXXXX)
  • Entitlements for mac
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
  </dict>
</plist>

  • Target: darwin

  • Error dump

Process:               Test [7467]
Path:                  /Users/USER/Documents/*/Test.app/Contents/MacOS/Test
Identifier:            ai.XXXX.desktop
Version:               0.0.4 (0.0.4)
Code Type:             X86-64 (Native)
Parent Process:        ??? [1]
Responsible:           Test [7467]
User ID:               501

Date/Time:             2019-07-10 16:44:52.073 -0400
OS Version:            Mac OS X 10.15 (19A501i)

Time Awake Since Boot: 27000 seconds
Time Since Wake:       11000 seconds

System Integrity Protection: enabled

Crashed Thread:        0  Dispatch queue: com.apple.main-thread

Exception Type:        EXC_BAD_ACCESS (Code Signature Invalid)
Exception Codes:       0x0000000000000032, 0x00001a9c2b202040
Exception Note:        EXC_CORPSE_NOTIFY

Termination Reason:    Namespace CODESIGNING, Code 0x2

...

Logical CPU:     6
Error Code:      0x00000015 (invalid protections for user instruction write)
Trap Number:     14

Issue Analytics

  • State: closed
  • Created: 4 years ago
  • Reactions: 5
  • Comments: 149 (15 by maintainers)

Top GitHub Comments

21 reactions
davidleee commented, Dec 31, 2019

@Blightysoft hi, did you eventually find a way to sign with hardened runtime and have it run fine?

Since Apple is going to stop apps without hardened runtime from opening after February 2020, it’s worrying me very much…

Finally: the app went blank after the hardened runtime code sign because my entitlements were missing a key-value pair:

<key>com.apple.security.cs.disable-library-validation</key>
<true/>

Spent a couple of days trying every possible solution… hope this helps someone like me.

20 reactions
itsthisjustin commented, Jul 11, 2019

@UdaraJay Alright, I’ve finally got it working. The trick was twofold.

First:

Set both entitlements and entitlementsInherit in your mac build settings. Here’s mine:

"mac": {
  "hardenedRuntime": true,
  "gatekeeperAssess": false,
  "artifactName": "${productName}-${version}-${arch}.${ext}",
  "entitlements": "mac_config/entitlements.mac.plist",
  "entitlementsInherit": "mac_config/entitlements.mac.plist",
  "target": [
    "dmg",
    "zip"
  ]
}

Then, in my entitlements file, I stripped it down to only what I need.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>com.apple.security.files.user-selected.read-write</key>
	<true/>
	<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
	<true/>
	<key>com.apple.security.device.audio-input</key>
	<true/>
	<key>com.apple.security.files.user-selected.read-only</key>
	<true/>
</dict>
</plist>

com.apple.security.cs.allow-unsigned-executable-memory is really the key one here. Others mentioned adding another one, but I was back to the signing crash when I did that.
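
Added example (not part of the original thread and not electron-builder's own code): a pre-signing check for the two points the comments above arrive at, namely that both `entitlements` and `entitlementsInherit` are set, and which hardened-runtime exception keys the referenced plist actually grants. The `audit` function and the sample data are assumptions constructed for illustration; the exception keys are Apple's `com.apple.security.cs.*` entitlements.

```python
import plistlib
from xml.parsers.expat import ExpatError

# Apple's hardened-runtime exception entitlements: each switches off one protection.
RUNTIME_EXCEPTIONS = {
    "com.apple.security.cs.allow-jit",
    "com.apple.security.cs.allow-unsigned-executable-memory",
    "com.apple.security.cs.allow-dyld-environment-variables",
    "com.apple.security.cs.disable-library-validation",
    "com.apple.security.cs.disable-executable-page-protection",
    "com.apple.security.cs.debugger",
}

def audit(mac_config, plists):
    """Check an electron-builder "mac" block (dict) and the entitlements files it
    references (plists: {path: bytes}). Returns a list of finding strings."""
    findings = []
    if not mac_config.get("hardenedRuntime"):
        findings.append("hardenedRuntime is not enabled")
    for field in ("entitlements", "entitlementsInherit"):
        path = mac_config.get(field)
        if not path:
            findings.append(f"{field} is not set")
            continue
        try:
            ents = plistlib.loads(plists[path])
        except (KeyError, ExpatError, plistlib.InvalidFileException):
            findings.append(f"{field}: {path} is missing or not a well-formed plist")
            continue
        granted = {k for k, v in ents.items() if v is True} if isinstance(ents, dict) else set()
        # Report every exception key so each one can be justified or removed.
        for key in sorted(granted & RUNTIME_EXCEPTIONS):
            findings.append(f"{field}: {path} relaxes hardened runtime via {key}")
    return findings

# Constructed sample modelled on the configuration quoted in the thread.
SAMPLE_MAC = {
    "hardenedRuntime": True,
    "entitlements": "mac_config/entitlements.mac.plist",
    "entitlementsInherit": "mac_config/entitlements.mac.plist",
}
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/>
  <key>com.apple.security.device.audio-input</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for line in audit(SAMPLE_MAC, {SAMPLE_MAC["entitlements"]: SAMPLE_PLIST}):
        print(line)
```

Running it in CI before signing keeps the set of granted exceptions visible in review, so a key added while chasing a launch crash does not stay in the shipped entitlements unnoticed.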
