Open ruettenm opened 4 years ago
@ruettenm can you tell me a bit more about your setup?
Thanks for the quick answer 👍
OS version: Catalina 10.15.5
Electron version: 7.3.1
version of keytar used: 6.0.1
how the app is being signed: electron builder (https://www.electron.build/code-signing)
how you verify the signed app is correct: There are no issues in my pipeline. When the signing and notarizing is working for mac you don't receive a security alert when you try to open the app.
This is my app: https://github.com/codecentric/merge-request-notifier
I just found this post here: https://github.com/google/or-tools/issues/1858
and a link to this one: https://github.com/electron-userland/electron-builder/issues/3940#issuecomment-501702531
The suggested solution/workaround seems to work 🙌
So it looks like your library is not signed and/or notarized and in this case it's a problem when using it inside a signed and notarized app.
So I added this configuration (*.plist file):
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.cs.disable-library-validation</key>
<true/>
</dict>
</plist>
and configured it in my package.json:
"build": {
"mac": {
[...],
"entitlements": "build/entitlements.mac.plist",
"entitlementsInherit": "build/entitlements.mac.plist"
},
},
and now it's working 🎉
> So it looks like your library is not signed and/or notarized and in this case it's a problem when using it inside a signed and notarized app.
The keytar library itself is not signed because of how macOS works. From this resource (emphasis mine):
> Typically, the Hardened Runtime’s library validation prevents an app from loading frameworks, plug-ins, or libraries unless they’re either signed by Apple or signed with the same team ID as the app.
Adding this new entitlement goes against the Hardened Runtime setting you have previously set, so I'm not sure that's the whole solution. electron-builder should handle signing the native node modules you use in your project, and this workaround feels like it might introduce other problems if users are concerned about Library Validation. I skimmed the repository but couldn't spot anything obviously off about it, but I am very rusty on electron-builder.
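Before shipping with the disable-library-validation entitlement, it is worth checking whether it is actually needed: the real question is whether the native .node modules inside the bundle carry the same team ID as the app. The script below is an added example, not part of this thread and not from keytar or electron-builder. It assumes the bundle path is passed as the first argument, that `codesign -dv` prints a `TeamIdentifier=` line and that `codesign -d --entitlements :-` prints the entitlements as an XML plist; the plist-parsing helper is plain POSIX sh/awk and can be run on any system.

```shell
#!/bin/sh
# Added example: audit a packaged macOS app for (a) the
# com.apple.security.cs.disable-library-validation entitlement and
# (b) native .node modules whose signature team ID differs from the app's.
# Only audit_app needs macOS (it calls codesign); the parser runs anywhere.

# Read an entitlements plist on stdin; exit 0 if the
# disable-library-validation key is set to <true/>, 1 otherwise.
# Handles the value on the same line as the key or on the next line.
entitlement_disables_library_validation() {
    awk -v key="<key>com.apple.security.cs.disable-library-validation</key>" '
        want { if (index($0, "<true/>")) found = 1; want = 0 }
        index($0, key) {
            rest = substr($0, index($0, key) + length(key))
            if (index(rest, "<true/>")) found = 1; else want = 1
        }
        END { exit found ? 0 : 1 }
    '
}

# Print the TeamIdentifier of a signed file, or nothing if unsigned.
# Assumes codesign -dv writes "TeamIdentifier=XXXX" to stderr (macOS only).
team_id() {
    codesign -dv "$1" 2>&1 | sed -n 's/^TeamIdentifier=//p'
}

# Audit an .app bundle: report the entitlement state and, for every
# native module, whether it is unsigned, signed by another team, or ok.
audit_app() {
    app=$1
    if ! command -v codesign >/dev/null 2>&1; then
        echo "codesign not available; run this on macOS" >&2
        return 2
    fi
    app_team=$(team_id "$app")
    if codesign -d --entitlements :- "$app" 2>/dev/null | entitlement_disables_library_validation; then
        echo "WARNING: library validation is disabled for $app"
    else
        echo "library validation is enforced for $app"
    fi
    # Every .node file that differs from the app's team would be rejected
    # by library validation, so it is the list to fix at signing time.
    find "$app" -name '*.node' | while read -r mod; do
        mod_team=$(team_id "$mod")
        if [ -z "$mod_team" ]; then
            echo "UNSIGNED: $mod"
        elif [ "$mod_team" != "$app_team" ]; then
            echo "FOREIGN TEAM ($mod_team): $mod"
        else
            echo "ok ($mod_team): $mod"
        fi
    done
}

# Usage: sh audit_app.sh /path/to/MyApp.app
if [ $# -gt 0 ]; then
    audit_app "$1"
fi
```

If every .node module reports `ok` with the app's own team ID, the entitlement is not needed and can be dropped; if any report `UNSIGNED`, the fix belongs in the signing step rather than in the entitlements file.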
I'm also only a user of electron-builder and don't have any insights, but I just found this issue which initially requested the option to set the "hardening":
https://github.com/electron-userland/electron-builder/issues/3383
In the issue you find a screenshot from Xcode, and for me it looks like this is some official option you have when using the hardening feature.
Same issue here. When setting the <key>com.apple.security.cs.disable-library-validation</key> as suggested above, this works only when building+signing+notarizing for mac for distribution outside the Mac App Store (with electron-builder).
However, for the Mac App Store (MAS), I assume hardenedRuntime needs to be set to 'false', resulting in errors when the app is started. I haven't found a solution for configuring a build with node-keytar for the MAS.
In package.json, set mas: {"asarUnpack": ["**/*.node"], ...others}; .node files cannot be packed into asar.
Hi 👋
I'm trying to use your library to encrypt some access token used in my electron app into the mac keychain. I'm only using your library in the main process.
It works perfectly in my dev mode. But when I try to use my packaged (and also signed) app, I'm getting the following exception.
When I comment out all the usages and the import of your library everything is fine again.
Do you understand what is going wrong here?
Best regards and thanks in advance, Matthias