Open hisnameisjimmy opened 2 years ago
I thought hardenedRuntime was required to be true for all modern versions of macOS, regardless of mac or mas target.
Not sure, but changing it to true didn't solve the issue unfortunately 🫤
Multiple places where people have disabled hardenedRuntime, apparently successfully:
After looking through all these, and just playing around with adding different entitlements, it was resolved with the following settings. I honestly have no idea which of these is relevant at this point, and after days of debugging I am beyond the point of caring haha. But for future internet travelers who find themselves stuck, here is what I have that got me through:
package.json relevant section (added loginhelper!)
"build": {
  "appId": "com.xxxxxx.xxxxxx",
  "afterSign": "electron-builder-notarize",
  "mac": {
    "category": "public.app-category.entertainment",
    "darkModeSupport": true,
    "hardenedRuntime": true,
    "gatekeeperAssess": false,
    "entitlements": "build/entitlements.mac.plist",
    "entitlementsInherit": "build/entitlements.mac.plist",
    "icon": "build/icon.icns",
    "target": [
      {
        "target": "mas",
        "arch": "universal"
      },
      "dmg"
    ]
  },
  "mas": {
    "type": "distribution",
    "hardenedRuntime": false,
    "provisioningProfile": "embedded.provisionprofile",
    "entitlements": "build/entitlements.mas.plist",
    "entitlementsInherit": "build/entitlements.mas.inherit.plist",
    "entitlementsLoginHelper": "build/entitlements.mas.loginhelper.plist"
  }
}
entitlements.mas.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.application-groups</key>
    <string>TEAMID.com.app.appname</string>
    <key>com.apple.application-identifier</key>
    <string>TEAMID.com.app.appname</string>
    <key>com.apple.developer.team-identifier</key>
    <string>TEAMID</string>
    <key>com.apple.security.cs.allow-jit</key>
    <true/>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
    <key>com.apple.security.files.user-selected.read-only</key>
    <true/>
    <key>com.apple.security.files.user-selected.read-write</key>
    <true/>
  </dict>
</plist>
entitlements.mas.inherit.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.inherit</key>
    <true/>
    <key>com.apple.security.cs.allow-jit</key>
    <true/>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
  </dict>
</plist>
entitlements.mas.loginhelper.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
  </dict>
</plist>
lol, then I immediately run into this: https://github.com/electron/electron/issues/33054
So close, yet so far.
finally this works 😉 Thank you very much!!!
In case anyone bumps into this in the future, the issue for me was also a missing entitlements entry for loginhelper. Adding those resolved the issue 🎉
@hisnameisjimmy Where can I download the build/entitlements.mac.plist file?
Another thing to consider is I believe I've determined that on my particular configuration, com.apple.security.application-groups must be an array of strings.
Related thread:
https://github.com/electron/osx-sign/issues/281#issuecomment-1967719627
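An added example, not code from this thread or from electron-builder: a pre-submission check of the `mas` block that looks for the two problems reported in the comments above (a missing `entitlementsLoginHelper` entry and `application-groups` given as a string), verifies the sandbox key in every entitlements file, and lists enabled `com.apple.security.cs.*` runtime exceptions for review. The function name `audit_mas` and the sample data are constructed for illustration.

```python
import plistlib

SANDBOX = "com.apple.security.app-sandbox"
APP_GROUPS = "com.apple.security.application-groups"
CS_PREFIX = "com.apple.security.cs."  # hardened-runtime exception entitlements
ENTITLEMENT_OPTIONS = ("entitlements", "entitlementsInherit", "entitlementsLoginHelper")

def audit_mas(mas_config, plist_files):
    """Return findings for the "mas" block of an electron-builder config.

    plist_files maps each referenced path to that plist's raw bytes.
    """
    findings = []
    for option in ENTITLEMENT_OPTIONS:
        path = mas_config.get(option)
        if not path:
            findings.append(f"mas.{option} is not set")
            continue
        if path not in plist_files:
            findings.append(f"{path}: file not found")
            continue
        ent = plistlib.loads(plist_files[path])
        if ent.get(SANDBOX) is not True:
            findings.append(f"{path}: {SANDBOX} is not true")
        if APP_GROUPS in ent and not isinstance(ent[APP_GROUPS], list):
            findings.append(f"{path}: {APP_GROUPS} is not an array of strings")
        # Each enabled exception relaxes a code-signing protection; list it for review.
        for key in sorted(k for k, v in ent.items() if k.startswith(CS_PREFIX) and v is True):
            findings.append(f"{path}: review need for {key}")
    return findings

# Constructed sample: a "mas" block without the login-helper entry, placeholder IDs.
# plistlib.dumps stands in for the plist files on disk.
SAMPLE_MAS = {
    "entitlements": "build/entitlements.mas.plist",
    "entitlementsInherit": "build/entitlements.mas.inherit.plist",
}
SAMPLE_FILES = {
    "build/entitlements.mas.plist": plistlib.dumps({
        SANDBOX: True,
        APP_GROUPS: "TEAMID.com.app.appname",
        CS_PREFIX + "allow-jit": True,
        CS_PREFIX + "allow-dyld-environment-variables": True,
    }),
    "build/entitlements.mas.inherit.plist": plistlib.dumps({
        SANDBOX: True,
        "com.apple.security.inherit": True,
    }),
}

if __name__ == "__main__":
    for finding in audit_mas(SAMPLE_MAS, SAMPLE_FILES):
        print(finding)
```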
This resolved it for me:
"entitlementsLoginHelper": "build/entitlements.mas.loginhelper.plist"
I'm working on a universal macOS app in Electron, and while I've gotten pretty far, I can't seem to figure out how to enable it for testing in TestFlight.
I keep running into the following error in App Store Connect no matter what I do:
Varying useful stuff I've found:
Why does this issue happen? What can I do to help debug?
My setup
package.json relevant build section
entitlements.mas.plist
entitlements.mas.inherit.plist