Vendored version of electron-osx-builder is old and causes notarization to fail

  • Version: 22.8.0
  • Electron Version: 6.1.5
  • Electron Type (current, beta, nightly): current
  • electron-updater: 4.1.2
  • Target: MacOS

This issue has been mentioned in #4934 and #4656, but the gist is that electron-builder isn’t signing certain binary files, which causes notarization to fail with errors like those below. This issue was fixed in electron/electron-osx-sign#169, but electron-builder vendors a copy of electron-osx-sign here. Updating the vendored version of electron-osx-sign promises to resolve this issue.

"issues": [
    {
      "severity": "error",
      "code": null,
      "path": "MyApp.zip/MyApp.app/Contents/chrome-chromedriver/mac/node_modules/puppeteer/.local-chromium/chrome/Chromium.app/Contents/MacOS/Chromium",
      "message": "The binary is not signed.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "MyApp.zip/MyApp.app/Contents/chrome-chromedriver/mac/node_modules/puppeteer/.local-chromium/chrome/Chromium.app/Contents/MacOS/Chromium",
      "message": "The signature does not include a secure timestamp.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "MyApp.zip/MyApp.app/Contents/chrome-chromedriver/mac/node_modules/puppeteer/.local-chromium/chrome/Chromium.app/Contents/MacOS/Chromium",
      "message": "The executable does not have the hardened runtime enabled.",
      "docUrl": null,
      "architecture": "x86_64"
    },
...

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Reactions: 4
  • Comments: 7 (1 by maintainers)

Top GitHub Comments

2 reactions
manderson-te commented, Sep 1, 2020

Dare I ask, why vendor electron-osx-sign at all?

1 reaction
manderson-te commented, Aug 3, 2020

Thankfully, I was able to develop a workaround for the issue:

  1. Add electron-osx-sign as a dev dependency: yarn add --dev electron-osx-sign
  2. Write an afterSign script that imports electron-osx-sign and invokes signAsync: https://github.com/electron/electron-osx-sign#from-the-api. This technically means that you’ll be signing everything twice (once with the broken version of electron-osx-sign that is bundled with electron-builder and once with the newer version you installed previously), but it did work for my case.

Here’s what my afterSign.js script looks like:

const electronBuilderConfig = require('../electron-builder.json');
const signAsync = require('electron-osx-sign').signAsync;

// electron-builder calls this hook after its own signing step has finished.
exports.default = async function(context) {
    const { electronPlatformName, appOutDir } = context;
    if (electronPlatformName !== 'darwin') {
        console.log('Skipping afterSign script for non-darwin target: ' + electronPlatformName);
        return;
    }
    if (electronBuilderConfig.mac.identity === null) {
        console.log('Skipping afterSign script because identity explicitly set to null');
        return;
    }
    const appName = context.packager.appInfo.productFilename;
    await signAgainFunction(appOutDir, appName);
}

// electron-builder vendors its own private version of electron-osx-sign, but unfortunately it is
// broken (https://github.com/electron-userland/electron-builder/issues/5190).  To get around this,
// we install electron-osx-sign ourselves and invoke it in electron-builder's afterSign callback:
// https://www.electron.build/configuration/configuration#aftersign.
async function signAgainFunction(appOutDir, appName) {
    const identity = 'Developer ID Application: ' + electronBuilderConfig.mac.identity;
    const entitlements = electronBuilderConfig.mac.entitlements;
    const entitlementsInherit = electronBuilderConfig.mac.entitlementsInherit;
    const hardenedRuntime = electronBuilderConfig.mac.hardenedRuntime;
    const gatekeeperAssess = electronBuilderConfig.mac.gatekeeperAssess;
    await signAsync({
        app: `${appOutDir}/${appName}.app`,
        entitlements,
        hardenedRuntime,
        identity,
        "entitlements-inherit": entitlementsInherit,
        "gatekeeper-assess": gatekeeperAssess
    }).then(() => {
        console.log("Second application of electron-osx-sign succeeded!");
    }).catch((err) => {
        console.error("Second application of electron-osx-sign failed");
        console.error(err);
    });
}

Popular guides for notarizing electron applications instruct you to create an afterSign.js file anyways, so this workaround isn’t a terrible inconvenience.
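
Added example (not part of the issue, the comment above, or electron-builder): a Node.js helper that groups the `issues` array of a notarization log like the one quoted in the issue by binary, so each nested executable the signing pass missed is listed once with all of its failures. The function name, the category labels and the sample log are constructed for illustration.

```javascript
'use strict';

// Log message text (as quoted in the issue) -> short label; labels are made up here.
const CATEGORY = new Map([
  ['The binary is not signed.', 'unsigned'],
  ['The signature does not include a secure timestamp.', 'no-secure-timestamp'],
  ['The executable does not have the hardened runtime enabled.', 'no-hardened-runtime'],
]);

// Group error-level issues by binary and architecture so each file appears once.
function summarizeNotarizationIssues(log) {
  const byBinary = new Map();
  for (const issue of (log && log.issues) || []) {
    if (issue.severity !== 'error') continue;
    const path = String(issue.path);
    const key = `${path}|${issue.architecture}`;
    if (!byBinary.has(key)) {
      // Drop the leading archive component ("MyApp.zip/") to get the path
      // relative to the directory that holds the .app bundle.
      const bundlePath = path.replace(/^[^/]+\.zip\//, '');
      byBinary.set(key, { bundlePath, architecture: issue.architecture, problems: [] });
    }
    const label = CATEGORY.get(issue.message) || `other: ${issue.message}`;
    const entry = byBinary.get(key);
    if (!entry.problems.includes(label)) entry.problems.push(label);
  }
  return [...byBinary.values()];
}

// Constructed sample shaped like the log in the issue; paths are placeholders.
const tool = 'MyApp.zip/MyApp.app/Contents/Resources/vendor/bin/tool';
const lib = 'MyApp.zip/MyApp.app/Contents/Resources/vendor/lib/libx.dylib';
const mk = (severity, path, message) =>
  ({ severity, code: null, path, message, docUrl: null, architecture: 'x86_64' });
const sampleLog = {
  issues: [
    mk('error', tool, 'The binary is not signed.'),
    mk('error', tool, 'The signature does not include a secure timestamp.'),
    mk('error', tool, 'The executable does not have the hardened runtime enabled.'),
    mk('error', lib, 'The binary is not signed.'),
    mk('warning', lib, 'Constructed warning-level entry, ignored by the summary.'),
  ],
};

for (const b of summarizeNotarizationIssues(sampleLog)) {
  console.log(`${b.bundlePath} (${b.architecture}): ${b.problems.join(', ')}`);
}
```

A binary that still shows up in this summary after the second signing pass was not reached by that pass either.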
