Open daniboomerang opened 2 years ago
mmaietta
commented
2 years ago Not sure I can help much here, electron-builder uses the core package https://github.com/electron/electron-osx-sign underneath, so we're just running that on top of the packaged dist. And not sure how you've set up your electron-notarize either
What build machine are you using? Apple Silicon/M1?
daniboomerang
commented
2 years ago Hi @mmaietta. Thanks a lot for your answer
The *.pkg file generated by electron-builder is correctly signed
The problem is at the time of notarising. Something is wrong with the built code that doesn't pass the notarization process
In order to check that the pkg is actually signed I've used the macOS pkgutil as follows
pkgutil --check-signature Elixir\ Gaming.setup.pkg
Package "Elixir Gaming.setup.pkg":
Status: signed by a developer certificate issued by Apple for distribution
Signed with a trusted timestamp on: 2022-02-02 05:09:03 +0000
Certificate Chain:
1. Developer ID Installer: Satoshis Games, SL (xxxxxxxx)
Expires: 2027-01-29 07:25:34 +0000
SHA256 Fingerprint:
9E 09 6E 49 54 1A 6F A6 28 48 37 37 C9 80 61 5B E3 C6 8B 08 85 2A
BB E5 81 25 D2 7B CD 16 24 86
------------------------------------------------------------------------
2. Developer ID Certification Authority
Expires: 2027-02-01 22:12:15 +0000
SHA256 Fingerprint:
7A FC 9D 01 A6 2F 03 A2 DE 96 37 93 6D 4A FE 68 09 0D 2D E1 8D 03
F2 9C 88 CF B0 B1 BA 63 58 7F
------------------------------------------------------------------------
3. Apple Root CA
Expires: 2035-02-09 21:40:36 +0000
SHA256 Fingerprint:
B0 B1 73 0E CB C7 FF 45 05 14 2C 49 F1 29 5E 6E DA 6B CA ED 7E 2C
68 C5 BE 91 B5 A1 10 01 F0 24However when trying to notarize I get the requiest as denied, and the logs presented above in the description of the issue. It seems that electron-builder properly signs the pkg but the code that outputs isn't fulfilling the notatization requirements of apple
Highly inspired in the post you point out in your own docs -> https://kilianvalkhof.com/2019/electron/notarizing-your-electron-application/
After the build is done I invoke notarize.js ("afterSign": "scripts/notarize.js",)
notarize.js
require('dotenv').config()
const { notarize } = require('electron-notarize')
exports.default = async function notarizing (context) {
const { electronPlatformName, appOutDir } = context
if (electronPlatformName !== 'darwin') {
return
}
const appName = context.packager.appInfo.productFilename
const password = '@keychain:ELIXIR_LAUNCHER'
return await notarize({
appBundleId: 'launcher.elixir.app',
appPath: `${appOutDir}/${appName}.app`,
appleId: 'myEmail@gmail.com',
appleIdPassword: password,
teamId: 'xxxxxxxxx'
})
}My computer is Apple silicon -> 2,3 GHz Quad-Core Intel Core i7
But there is something wrong in the built process Maybe some info missing in the electron-builder configuration?
Thanks a lot for looking into that
mmaietta
commented
2 years ago Hmmm, I have the same notarization setup.
If you use patch-package you can create this patch to force all packages to be signed. It'd at least unblock you for the interim. I don't know why (or how) the signing works on pkg dists, but force signing deep should do the trick.
electron-osx-sign+0.5.0.patch
diff --git a/node_modules/electron-osx-sign/sign.js b/node_modules/electron-osx-sign/sign.js
index e227c0e..2aedc85 100644
--- a/node_modules/electron-osx-sign/sign.js
+++ b/node_modules/electron-osx-sign/sign.js
@@ -145,7 +145,8 @@ function signApplicationAsync (opts) {
var args = [
'--sign', opts.identity.hash || opts.identity.name,
- '--force'
+ '--force',
+ '--deep'
]
if (opts.keychain) {
args.push('--keychain', opts.keychain)
Hi @mmaietta thank you very much for your answer
I just applied the patch However apple notarization service still complains. Here the logs of my notarization:
I first would like to be sure that I've applied the patch correctly What I did
npx patch-package electron-osx-sign
patch-package 6.4.7
• Creating temporary folder
• Installing electron-osx-sign@0.5.0 with npm
• Diffing your files with clean files
✔ Created file patches/electron-osx-sign+0.5.0.patch💡 electron-osx-sign is on GitHub! To draft an issue based on your patch run
npx patch-package electron-osx-sign --create-issue
- A new folder `patches` with a file inside it called `eletron-osx-sign+0.5.0.patch` was created in my project
- I just deployed a new build of my electron project, expecting/assuming the new --force --deep was going to apply.
Was my assumption right? Is there something else I had to do?Also I wonder...have you ever tested notarizing a pkg file? Is notarization working for you? in that case...what are you signing/notarizing?
daniboomerang
commented
2 years ago Hi @mmaietta Getting crazy with this...
I've tried notarizing a pkg file
electron-notarize So far I have no other conclusion than electron builder is building the pkg file in a way is not accepted by apple notarise service.
May be I'm missing some config in my package.json? something in the info.plist? in the entitlements ???
3 solutions sign the pkg and upload the signed file to apple notarise service ✅
3 solutions fail in exact the same way 🐛 🐛 🐛 👇 👇 👇 👇 👇 👇 👇
{
"logFormatVersion": 1,
"jobId": "7754bca6-df08-4de6-bef8-ae0e84d94d73",
"status": "Invalid",
"statusSummary": "Archive contains critical validation errors",
"statusCode": 4000,
"archiveFilename": "launcher_signed.pkg",
"uploadDate": "2022-03-17T07:08:21Z",
"sha256": "987fd83f462d206798a1f5cdf1d3c0ca014d971d2e79b704c5a3464998733cdf",
"ticketContents": null,
"issues": [
{
"severity": "error",
"code": null,
"path": "launcher_signed.pkg/launcher.elixir.app.pkg Contents/Payload/Applications/Elixir Gaming.app/Contents/MacOS/Elixir Gaming",
"message": "The binary is not signed.",
"docUrl": null,
"architecture": "x86_64"
},
{
"severity": "error",
"code": null,
"path": "launcher_signed.pkg/launcher.elixir.app.pkg Contents/Payload/Applications/Elixir Gaming.app/Contents/MacOS/Elixir Gaming",
"message": "The signature does not include a secure timestamp.",
"docUrl": null,
"architecture": "x86_64"
},
{
"severity": "error",
"code": null,
"path": "launcher_signed.pkg/launcher.elixir.app.pkg Contents/Payload/Applications/Elixir Gaming.app/Contents/MacOS/Elixir Gaming",
"message": "The executable does not have the hardened runtime enabled.",
"docUrl": null,
"architecture": "x86_64"
},
{
"severity": "error",
"code": null,
"path": "launcher_signed.pkg/launcher.elixir.app.pkg Contents/Payload/Applications/Elixir Gaming.app/Contents/Frameworks/Elixir Gaming Helper (GPU).app/Contents/MacOS/Elixir Gaming Helper (GPU)",
"message": "The binary is not signed.",
"docUrl": null,
"architecture": "x86_64"
},
{
"severity": "error",
"code": null,
"path": "launcher_signed.pkg/launcher.elixir.app.pkg Contents/Payload/Applications/Elixir Gaming.app/Contents/Frameworks/Elixir Gaming Helper (GPU).app/Contents/MacOS/Elixir Gaming Helper (GPU)",
"message": "The signature does not include a secure timestamp.",
"docUrl": null,
"architecture": "x86_64"
},
{
"severity": "error",
"code": null,
"path": "launcher_signed.pkg/launcher.elixir.app.pkg Contents/Payload/Applications/Elixir Gaming.app/Contents/Frameworks/Elixir Gaming Helper (GPU).app/Contents/MacOS/Elixir Gaming Helper (GPU)",
"message": "The executable does not have the hardened runtime enabled.",
"docUrl": null,
"architecture": "x86_64"
},
{
"severity": "error",
"code": null,
"path": "launcher_signed.pkg/launcher.elixir.app.pkg Contents/Payload/Applications/Elixir Gaming.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Electron Framework",
"message": "The binary is not signed.",
"docUrl": null,
"architecture": "x86_64"
},
{
"severity": "error",
"code": null,
"path": "launcher_signed.pkg/launcher.elixir.app.pkg Contents/Payload/Applications/Elixir Gaming.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Electron Framework",
"message": "The signature does not include a secure timestamp.",
"docUrl": null,
"architecture": "x86_64"
},
{
"severity": "error",
"code": null,
"path": "launcher_signed.pkg/launcher.elixir.app.pkg Contents/Payload/Applications/Elixir Gaming.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libEGL.dylib",
"message": "The binary is not signed.",
"docUrl": null,
"architecture": "x86_64"
},
{
"severity": "error",
"code": null,
"path": "launcher_signed.pkg/launcher.elixir.app.pkg Contents/Payload/Applications/Elixir Gaming.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libEGL.dylib",
"message": "The signature does not include a secure timestamp.",
"docUrl": null,
"architecture": "x86_64"
},
{
"severity": "error",
"code": null,
"path": "launcher_signed.pkg/launcher.elixir.app.pkg Contents/Payload/Applications/Elixir Gaming.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libswiftshader_libEGL.dylib",
"message": "The binary is not signed.",
"docUrl": null,
"architecture": "x86_64"
},
{
"severity": "error",
"code": null,
"path": "launcher_signed.pkg/launcher.elixir.app.pkg Contents/Payload/Applications/Elixir Gaming.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libswiftshader_libEGL.dylib",
"message": "The signature does not include a secure timestamp.",
"docUrl": null,
"architecture": "x86_64"
},
{
"severity": "error",
"code": null,
"path": "launcher_signed.pkg/launcher.elixir.app.pkg Contents/Payload/Applications/Elixir Gaming.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libvk_swiftshader.dylib",
"message": "The binary is not signed.",
"docUrl": null,
"architecture": "x86_64"
},
{
"severity": "error",
"code": null,
"path": "launcher_signed.pkg/launcher.elixir.app.pkg Contents/Payload/Applications/Elixir Gaming.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libvk_swiftshader.dylib",
"message": "The signature does not include a secure timestamp.",
"docUrl": null,
"architecture": "x86_64"
},
{
"severity": "error",
"code": null,
"path": "launcher_signed.pkg/launcher.elixir.app.pkg Contents/Payload/Applications/Elixir Gaming.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libGLESv2.dylib",
"message": "The binary is not signed.",
"docUrl": null,
"architecture": "x86_64"
},
{
"severity": "error",
"code": null,
"path": "launcher_signed.pkg/launcher.elixir.app.pkg Contents/Payload/Applications/Elixir Gaming.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libGLESv2.dylib",
"message": "The signature does not include a secure timestamp.",
"docUrl": null,
"architecture": "x86_64"
},
{
"severity": "error",
"code": null,
"path": "launcher_signed.pkg/launcher.elixir.app.pkg Contents/Payload/Applications/Elixir Gaming.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libswiftshader_libGLESv2.dylib",
"message": "The binary is not signed.",
"docUrl": null,
"architecture": "x86_64"
},
{
"severity": "error",
"code": null,
"path": "launcher_signed.pkg/launcher.elixir.app.pkg Contents/Payload/Applications/Elixir Gaming.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libswiftshader_libGLESv2.dylib",
"message": "The signature does not include a secure timestamp.",
"docUrl": null,
"architecture": "x86_64"
},
{
"severity": "error",
"code": null,
"path": "launcher_signed.pkg/launcher.elixir.app.pkg Contents/Payload/Applications/Elixir Gaming.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libffmpeg.dylib",
"message": "The binary is not signed.",
"docUrl": null,
"architecture": "x86_64"
},
{
"severity": "error",
"code": null,
"path": "launcher_signed.pkg/launcher.elixir.app.pkg Contents/Payload/Applications/Elixir Gaming.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libffmpeg.dylib",
"message": "The signature does not include a secure timestamp.",
"docUrl": null,
"architecture": "x86_64"
},
{
"severity": "error",
"code": null,
"path": "launcher_signed.pkg/launcher.elixir.app.pkg Contents/Payload/Applications/Elixir Gaming.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Helpers/chrome_crashpad_handler",
"message": "The binary is not signed.",
"docUrl": null,
"architecture": "x86_64"
},
{
"severity": "error",
"code": null,
"path": "launcher_signed.pkg/launcher.elixir.app.pkg Contents/Payload/Applications/Elixir Gaming.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Helpers/chrome_crashpad_handler",
"message": "The signature does not include a secure timestamp.",
"docUrl": null,
"architecture": "x86_64"
},
{
"severity": "error",
"code": null,
"path": "launcher_signed.pkg/launcher.elixir.app.pkg Contents/Payload/Applications/Elixir Gaming.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Helpers/chrome_crashpad_handler",
"message": "The executable does not have the hardened runtime enabled.",
"docUrl": null,
"architecture": "x86_64"
},
{
"severity": "error",
"code": null,
"path": "launcher_signed.pkg/launcher.elixir.app.pkg Contents/Payload/Applications/Elixir Gaming.app/Contents/Frameworks/ReactiveObjC.framework/Versions/A/ReactiveObjC",
"message": "The binary is not signed.",
"docUrl": null,
"architecture": "x86_64"
},
{
"severity": "error",
"code": null,
"path": "launcher_signed.pkg/launcher.elixir.app.pkg Contents/Payload/Applications/Elixir Gaming.app/Contents/Frameworks/ReactiveObjC.framework/Versions/A/ReactiveObjC",
"message": "The signature does not include a secure timestamp.",
"docUrl": null,
"architecture": "x86_64"
},
{
"severity": "error",
"code": null,
"path": "launcher_signed.pkg/launcher.elixir.app.pkg Contents/Payload/Applications/Elixir Gaming.app/Contents/Frameworks/Squirrel.framework/Versions/A/Squirrel",
"message": "The binary is not signed.",
"docUrl": null,
"architecture": "x86_64"
},
{
"severity": "error",
"code": null,
"path": "launcher_signed.pkg/launcher.elixir.app.pkg Contents/Payload/Applications/Elixir Gaming.app/Contents/Frameworks/Squirrel.framework/Versions/A/Squirrel",
"message": "The signature does not include a secure timestamp.",
"docUrl": null,
"architecture": "x86_64"
},
{
"severity": "error",
"code": null,
"path": "launcher_signed.pkg/launcher.elixir.app.pkg Contents/Payload/Applications/Elixir Gaming.app/Contents/Frameworks/Squirrel.framework/Versions/A/Resources/ShipIt",
"message": "The binary is not signed.",
"docUrl": null,
"architecture": "x86_64"
},
{
"severity": "error",
"code": null,
"path": "launcher_signed.pkg/launcher.elixir.app.pkg Contents/Payload/Applications/Elixir Gaming.app/Contents/Frameworks/Squirrel.framework/Versions/A/Resources/ShipIt",
"message": "The signature does not include a secure timestamp.",
"docUrl": null,
"architecture": "x86_64"
},
{
"severity": "error",
"code": null,
"path": "launcher_signed.pkg/launcher.elixir.app.pkg Contents/Payload/Applications/Elixir Gaming.app/Contents/Frameworks/Squirrel.framework/Versions/A/Resources/ShipIt",
"message": "The executable does not have the hardened runtime enabled.",
"docUrl": null,
"architecture": "x86_64"
},
{
"severity": "error",
"code": null,
"path": "launcher_signed.pkg/launcher.elixir.app.pkg Contents/Payload/Applications/Elixir Gaming.app/Contents/Frameworks/Elixir Gaming Helper (Renderer).app/Contents/MacOS/Elixir Gaming Helper (Renderer)",
"message": "The binary is not signed.",
"docUrl": null,
"architecture": "x86_64"
},
{
"severity": "error",
"code": null,
"path": "launcher_signed.pkg/launcher.elixir.app.pkg Contents/Payload/Applications/Elixir Gaming.app/Contents/Frameworks/Elixir Gaming Helper (Renderer).app/Contents/MacOS/Elixir Gaming Helper (Renderer)",
"message": "The signature does not include a secure timestamp.",
"docUrl": null,
"architecture": "x86_64"
},
{
"severity": "error",
"code": null,
"path": "launcher_signed.pkg/launcher.elixir.app.pkg Contents/Payload/Applications/Elixir Gaming.app/Contents/Frameworks/Elixir Gaming Helper (Renderer).app/Contents/MacOS/Elixir Gaming Helper (Renderer)",
"message": "The executable does not have the hardened runtime enabled.",
"docUrl": null,
"architecture": "x86_64"
},
{
"severity": "error",
"code": null,
"path": "launcher_signed.pkg/launcher.elixir.app.pkg Contents/Payload/Applications/Elixir Gaming.app/Contents/Frameworks/Elixir Gaming Helper.app/Contents/MacOS/Elixir Gaming Helper",
"message": "The binary is not signed.",
"docUrl": null,
"architecture": "x86_64"
},
{
"severity": "error",
"code": null,
"path": "launcher_signed.pkg/launcher.elixir.app.pkg Contents/Payload/Applications/Elixir Gaming.app/Contents/Frameworks/Elixir Gaming Helper.app/Contents/MacOS/Elixir Gaming Helper",
"message": "The signature does not include a secure timestamp.",
"docUrl": null,
"architecture": "x86_64"
},
{
"severity": "error",
"code": null,
"path": "launcher_signed.pkg/launcher.elixir.app.pkg Contents/Payload/Applications/Elixir Gaming.app/Contents/Frameworks/Elixir Gaming Helper.app/Contents/MacOS/Elixir Gaming Helper",
"message": "The executable does not have the hardened runtime enabled.",
"docUrl": null,
"architecture": "x86_64"
},
{
"severity": "error",
"code": null,
"path": "launcher_signed.pkg/launcher.elixir.app.pkg Contents/Payload/Applications/Elixir Gaming.app/Contents/Frameworks/Mantle.framework/Versions/A/Mantle",
"message": "The binary is not signed.",
"docUrl": null,
"architecture": "x86_64"
},
{
"severity": "error",
"code": null,
"path": "launcher_signed.pkg/launcher.elixir.app.pkg Contents/Payload/Applications/Elixir Gaming.app/Contents/Frameworks/Mantle.framework/Versions/A/Mantle",
"message": "The signature does not include a secure timestamp.",
"docUrl": null,
"architecture": "x86_64"
},
{
"severity": "error",
"code": null,
"path": "launcher_signed.pkg/launcher.elixir.app.pkg Contents/Payload/Applications/Elixir Gaming.app/Contents/Frameworks/Elixir Gaming Helper (Plugin).app/Contents/MacOS/Elixir Gaming Helper (Plugin)",
"message": "The binary is not signed.",
"docUrl": null,
"architecture": "x86_64"
},
{
"severity": "error",
"code": null,
"path": "launcher_signed.pkg/launcher.elixir.app.pkg Contents/Payload/Applications/Elixir Gaming.app/Contents/Frameworks/Elixir Gaming Helper (Plugin).app/Contents/MacOS/Elixir Gaming Helper (Plugin)",
"message": "The signature does not include a secure timestamp.",
"docUrl": null,
"architecture": "x86_64"
},
{
"severity": "error",
"code": null,
"path": "launcher_signed.pkg/launcher.elixir.app.pkg Contents/Payload/Applications/Elixir Gaming.app/Contents/Frameworks/Elixir Gaming Helper (Plugin).app/Contents/MacOS/Elixir Gaming Helper (Plugin)",
"message": "The executable does not have the hardened runtime enabled.",
"docUrl": null,
"architecture": "x86_64"
}
]
}Talked with electron-notarize but no success so far
https://github.com/electron/electron-notarize/issues/60#issuecomment-1070420630
Any ideas?
mmaietta
commented
2 years ago Also I wonder...have you ever tested notarizing a pkg file? Is notarization working for you? in that case...what are you signing/notarizing?
I've never released a .pkg before, so I'm starting to think that either electron-notarize or electron-osx-sign don't support it?
daniboomerang
commented
2 years ago @mmaietta I'm starting to think it's an issue on electron-builder and the pkg file that builds
Could you read this comment? https://github.com/electron/electron-notarize/issues/60#issuecomment-1103429636
In short generate a pkg file with electron builder 1) Try the whole thing manually
xcrun altool --notarize-app
and I get a series of errors from apple notarise service2) Try the whole thing automatically
electron-notarise to send the file for notarisation
and I get a THE SAME series of errors from apple notarise serviceWhat do you guys think is happening? Isn't it the common factor here the pkg file?
@mmaietta
mmaietta
commented
2 years ago If you're signing it manually and manually notarizing with the same errors that signing via electron-builder is, then that sounds pretty affirming that it isn't related to electron-builder. How did you send to notarization manually? Did you use ditto for compressing the app?
daniboomerang
commented
2 years ago Hi @mmaietta thanks for your answer
But....Whether
I send the PKG file by myself or it's automatically sent
I get the same series of errors from apple notarisation service
Doesn't this mean that there is something wrong with the PKG?
It looks to me that it doesn't matter what I do or how I do it. The approach I follow, the result from apple notarisation service is always the same (Look at https://github.com/electron-userland/electron-builder/issues/6607#issuecomment-1070438531)
...
{
"severity": "error",
"code": null,
"path": "launcher_signed.pkg/launcher.elixir.app.pkg Contents/Payload/Applications/Elixir Gaming.app/Contents/Frameworks/Elixir Gaming Helper (Renderer).app/Contents/MacOS/Elixir Gaming Helper (Renderer)",
"message": "The binary is not signed.",
"docUrl": null,
"architecture": "x86_64"
},
{
"severity": "error",
"code": null,
"path": "launcher_signed.pkg/launcher.elixir.app.pkg Contents/Payload/Applications/Elixir Gaming.app/Contents/Frameworks/Elixir Gaming Helper (Renderer).app/Contents/MacOS/Elixir Gaming Helper (Renderer)",
"message": "The signature does not include a secure timestamp.",
"docUrl": null,
"architecture": "x86_64"
},
{
"severity": "error",
"code": null,
"path": "launcher_signed.pkg/launcher.elixir.app.pkg Contents/Payload/Applications/Elixir Gaming.app/Contents/Frameworks/Elixir Gaming Helper (Renderer).app/Contents/MacOS/Elixir Gaming Helper (Renderer)",
"message": "The executable does not have the hardened runtime enabled.",
"docUrl": null,
"architecture": "x86_64"
},
...
To answer your question
How did you send to notarisation manually? Did you use ditto for compressing the app?
I Followed these steps to do the whole manual process of Signing + Notarising the PKG file
https://www.davidebarranca.com/2019/04/notarizing-installers-for-macos-catalina/
Didn't use any compressor when uploading the pkg file
mmaietta
commented
2 years ago I'm sorry to say, I don't understand what is going wrong. If it happens both manually and automatically (via electron-builder), then there isn't much I can assist with.
daniboomerang
commented
2 years ago But...it happens with the PKG generated by electron builder Isn't is worrying that a PKG file generated by electron builder can't be notarised? 🤔
walkthunder
commented
1 year ago Electron builder system is just a toy and not supposed to be used under production. And you can see most cases are just for distribution outside of MAS.
For example there's NOT even one VALID example or toturial to show how to submit to MAS.
So drop it and dont waste your time on it.
The pkg file built is not accepted by apple notarise service