electron-userland / electron-builder

A complete solution to package and build a ready for distribution Electron app with “auto update” support out of the box
https://www.electron.build
MIT License

Electron MacOS app 'Not Available for Testing' in Testflight #6856

Open hisnameisjimmy opened 2 years ago

hisnameisjimmy commented 2 years ago

I'm working on a universal MacOS app in Electron, and while I've gotten pretty far, I can't seem to figure out how to enable it for testing in Testflight.

I keep running into the following error in App Store Connect no matter what I do:

Testflight Not Available for Testing

Varying useful stuff I've found:

Why does this issue happen? What can I do to help debug?

My setup

package.json relevant build section

    "build": {
        "appId": "com.xxxxx.xxxxxx",
        "afterSign": "electron-builder-notarize",
        "mac": {
            "category": "public.app-category.entertainment",
            "darkModeSupport": true,
            "hardenedRuntime": true,
            "gatekeeperAssess": false,
            "entitlements": "build/entitlements.mac.plist",
            "entitlementsInherit": "build/entitlements.mac.plist",
            "icon": "build/icon.icns",
            "target": [
                {
                    "target": "mas",
                    "arch": "universal"
                },
                "dmg"
            ]
        },
        "mas": {
            "type": "distribution",
            "hardenedRuntime": false,
            "provisioningProfile": "embedded.provisionprofile",
            "entitlements": "build/entitlements.mas.plist",
            "entitlementsInherit": "build/entitlements.mas.inherit.plist"
        }
    }

entitlements.mas.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>com.apple.security.app-sandbox</key>
        <true/>
        <key>com.apple.security.application-groups</key>
        <string>TEAMID.com.app.appname</string>
        <key>com.apple.application-identifier</key>
        <string>TEAMID.com.app.appname</string>
        <key>com.apple.developer.team-identifier</key>
        <string>TEAMID</string>
        <key>com.apple.security.cs.allow-jit</key>
        <true/>
        <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
        <true/>
        <key>com.apple.security.cs.allow-dyld-environment-variables</key>
        <true/>
    </dict>
</plist>

entitlements.mas.inherit.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>com.apple.security.app-sandbox</key>
        <true/>
        <key>com.apple.security.inherit</key>
        <true/>
    </dict>
</plist>

mmaietta commented 2 years ago

I thought hardenedRuntime was required to be true for all modern versions of macOS, regardless of mac or mas target.

hisnameisjimmy commented 2 years ago

Not sure, but changing it to true didn't solve the issue unfortunately 🫤

Multiple places where people have disabled hardenedRuntime, apparently successfully:

hisnameisjimmy commented 2 years ago

After looking through all these, and just playing around with adding different entitlements, it was resolved with the following settings. I honestly have no idea which of these is relevant at this point, and after days of debugging I am beyond the point of caring haha. But for future internet travelers who find themselves stuck, here is what I have that got me through:

Successful electron macos appstore submission

package.json relevant section (added loginhelper!)

"build": {
    "appId": "com.xxxxxx.xxxxxx",
    "afterSign": "electron-builder-notarize",
    "mac": {
        "category": "public.app-category.entertainment",
        "darkModeSupport": true,
        "hardenedRuntime": true,
        "gatekeeperAssess": false,
        "entitlements": "build/entitlements.mac.plist",
        "entitlementsInherit": "build/entitlements.mac.plist",
        "icon": "build/icon.icns",
        "target": [
            {
                "target": "mas",
                "arch": "universal"
            },
            "dmg"
        ]
    },
    "mas": {
        "type": "distribution",
        "hardenedRuntime": false,
        "provisioningProfile": "embedded.provisionprofile",
        "entitlements": "build/entitlements.mas.plist",
        "entitlementsInherit": "build/entitlements.mas.inherit.plist",
        "entitlementsLoginHelper": "build/entitlements.mas.loginhelper.plist"
    }
}

entitlements.mas.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>com.apple.security.app-sandbox</key>
        <true/>
        <key>com.apple.security.application-groups</key>
        <string>TEAMID.com.app.appname</string>
        <key>com.apple.application-identifier</key>
        <string>TEAMID.com.app.appname</string>
        <key>com.apple.developer.team-identifier</key>
        <string>TEAMID</string>
        <key>com.apple.security.cs.allow-jit</key>
        <true/>
        <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
        <true/>
        <key>com.apple.security.cs.allow-dyld-environment-variables</key>
        <true/>
        <key>com.apple.security.network.client</key>
        <true/>
        <key>com.apple.security.files.user-selected.read-only</key>
        <true/>
        <key>com.apple.security.files.user-selected.read-write</key>
        <true/>
    </dict>
</plist>

entitlements.mas.inherit.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>com.apple.security.app-sandbox</key>
        <true/>
        <key>com.apple.security.inherit</key>
        <true/>
        <key>com.apple.security.cs.allow-jit</key>
        <true/>
        <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
        <true/>
    </dict>
</plist>

entitlements.mas.loginhelper.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>com.apple.security.app-sandbox</key>
        <true/>
    </dict>
</plist>

hisnameisjimmy commented 2 years ago

lol, then I immediately run into this: https://github.com/electron/electron/issues/33054

So close, yet so far.

stephan-fischer commented 2 years ago

After looking through all these, and just playing around with adding different entitlements, it was resolved with the following settings. I honestly have no idea which of these is relevant at this point, and after days of debugging I am beyond the point of caring haha. But for future internet travelers who find themselves stuck, here is what I have that got me through:

Successful electron macos appstore submission

package.json relevant section (added loginhelper!)

"build": {
    "appId": "com.xxxxxx.xxxxxx",
    "afterSign": "electron-builder-notarize",
    "mac": {
        "category": "public.app-category.entertainment",
        "darkModeSupport": true,
        "hardenedRuntime": true,
        "gatekeeperAssess": false,
        "entitlements": "build/entitlements.mac.plist",
        "entitlementsInherit": "build/entitlements.mac.plist",
        "icon": "build/icon.icns",
        "target": [
            {
                "target": "mas",
                "arch": "universal"
            },
            "dmg"
        ]
    },
    "mas": {
        "type": "distribution",
        "hardenedRuntime": false,
        "provisioningProfile": "embedded.provisionprofile",
        "entitlements": "build/entitlements.mas.plist",
        "entitlementsInherit": "build/entitlements.mas.inherit.plist",
        "entitlementsLoginHelper": "build/entitlements.mas.loginhelper.plist"
    }
}

entitlements.mas.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>com.apple.security.app-sandbox</key>
        <true/>
        <key>com.apple.security.application-groups</key>
        <string>TEAMID.com.app.appname</string>
        <key>com.apple.application-identifier</key>
      <string>TEAMID.com.app.appname</string>
        <key>com.apple.developer.team-identifier</key>
      <string>TEAMID</string>
        <key>com.apple.security.cs.allow-jit</key>
        <true/>
        <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
        <true/>
        <key>com.apple.security.cs.allow-dyld-environment-variables</key>
        <true/>
        <key>com.apple.security.network.client</key>
        <true/>
        <key>com.apple.security.files.user-selected.read-only</key>
        <true/>
        <key>com.apple.security.files.user-selected.read-write</key>
        <true/>
    </dict>
</plist>

entitlements.mas.inherit.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>com.apple.security.app-sandbox</key>
        <true/>
        <key>com.apple.security.inherit</key>
        <true/>
        <key>com.apple.security.cs.allow-jit</key>
        <true/>
        <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
        <true/>
    </dict>
</plist>

entitlements.mas.loginhelper.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>com.apple.security.app-sandbox</key>
        <true/>
    </dict>
</plist>

finally this works 😉 Thank you very much!!!

mikekreeki commented 1 year ago

In case anyone bumps into this in the future, the issue for me was also a missing entitlements entry for loginhelper. Adding those resolved the issue 🎉

hayr-hotoca commented 1 year ago

@hisnameisjimmy Where can I download the build/entitlements.mac.plist file?

BlackHole1 commented 1 year ago

Fix PR: https://github.com/electron/osx-sign/pull/292

pauljonescodes commented 7 months ago

Another thing to consider is I believe I've determined that on my particular configuration, com.apple.security.application-groups must be an array of strings.

https://developer.apple.com/documentation/bundleresources/entitlements/com_apple_security_application-groups

Related thread:

https://github.com/electron/osx-sign/issues/281#issuecomment-1967719627
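
Added example, not part of the thread and not electron-builder code: a preflight check that encodes the two things commenters here reported, a missing `entitlementsLoginHelper` entry under `mas` and `com.apple.security.application-groups` given as a string instead of an array of strings, plus the sandbox key every posted MAS plist carries. The function name `check_mas` and the sample inputs are assumptions constructed from the first configuration posted above.

```python
import plistlib

SANDBOX = "com.apple.security.app-sandbox"
GROUPS = "com.apple.security.application-groups"
# electron-builder "mas" options that each name an entitlements plist (from the thread)
MAS_KEYS = ("entitlements", "entitlementsInherit", "entitlementsLoginHelper")


def check_mas(build, plists):
    """Findings for the "mas" section of an electron-builder "build" config.
    `plists` maps each referenced path to the plist file's bytes."""
    findings = []
    mas = build.get("mas", {})
    for key in MAS_KEYS:
        path = mas.get(key)
        if path is None:
            findings.append(f"mas.{key} is not set")
            continue
        try:
            ent = plistlib.loads(plists[path])
        except Exception as exc:  # missing file or malformed plist
            findings.append(f"{path}: cannot read entitlements ({exc!r})")
            continue
        if not isinstance(ent, dict) or ent.get(SANDBOX) is not True:
            findings.append(f"{path}: {SANDBOX} is not true")
            continue
        groups = ent.get(GROUPS)
        if groups is not None and not (
            isinstance(groups, list) and all(isinstance(g, str) for g in groups)
        ):
            findings.append(f"{path}: {GROUPS} must be an array of strings")
    return findings


# Constructed inputs mirroring the first configuration posted in the thread.
FIRST_BUILD = {"mas": {
    "entitlements": "build/entitlements.mas.plist",
    "entitlementsInherit": "build/entitlements.mas.inherit.plist",
}}
SAMPLE_PLISTS = {
    "build/entitlements.mas.plist": plistlib.dumps(
        {SANDBOX: True, GROUPS: "TEAMID.com.app.appname"}),
    "build/entitlements.mas.inherit.plist": plistlib.dumps(
        {SANDBOX: True, "com.apple.security.inherit": True}),
}

if __name__ == "__main__":
    for finding in check_mas(FIRST_BUILD, SAMPLE_PLISTS):
        print(finding)
```

In a real project, pass the parsed `build` object from package.json and read each referenced plist from disk in binary mode.
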

bkervaski commented 6 months ago

This resolved it for me:

"entitlementsLoginHelper": "build/entitlements.mas.loginhelper.plist"