Order of operation for EVS signing, MacOS code signing, MacOS notarization

[gligon101]

I have an app that involves streaming DRM capabilities with Spotify using the castLabs build here. Here's the problem I'm currently having:

• I build the app with electron-packager and have the python EVS script executing as a postPackage function
• It generates myApp.app and I'm able to launch it and stream Spotify music with no problems.
• If I manually run the EVS signing script, it says the signature is valid and foregoes signing.

Then I take it a step further:

• Enable osx-sign for electron-packager and include the <key>com.apple.security.cs.disable-library-validation</key> <true/> entitlement as I'd also be notarizing this later.
• Run electron-packager and it generates myApp.app
• If I launch myApp.app I get a DRM streaming error and streaming Spotify won't work. (This is a built in error that surfaces after a widevine check)
• If I manually run the EVS signing script, it says the signature is valid and foregoes signing.
• If I run codesign -vvv -strict ./myApp.app it comes back as "valid on disk" and "satisfies its Designated Requirement"
• From this perspective, it should be EVS signed AND MacOS code signed

EVS signing signs the top level of myApp.app where Electron's osx-sign goes in and signs every aspect of the built app. Should I only be osx-signing certain portions of the app? i.e. myApp.app\ Contents/Frameworks/myApp Helper ??

Ultimately if I EVS sign and successfully codesign without breaking EVS signing, will the notarization process break the EVS signing?

[khwaaj]

Looks like you are doing most things right, and the entitlements is the likely culprit. Notarization should not break anything, in fact I know of several projects using this successfully. There are however some potential complications related to what needs to be notarized, e.g. see here:

https://github.com/castlabs/electron-releases/issues/161#issuecomment-1609020079

[eXhumer]

Hello @khwaaj. If I am not mistaken, I have to first VMP sign a package first, then OSX sign the package correct? It seems like using the osxSign from the electron-forge config is out of the question and I instead have to use signAsync from @electron/osx-sign package inside the postPackage hook as the OSX signing process in electron-forge appears to happen before postPackage hook is reached. Using osxSign instead of signAsync causes the package to appear as damaged.

[khwaaj]

Yes, on macOS you should VMP-sign first and code-sign after (on Windows the reverse is true). I'm not familiar with integrating this in electron-forge, but I know there have been some previous threads on the topic that might provide some hints if you get stuck.

[khwaaj]

Closing due to inactivity.