electron-userland / electron-builder

A complete solution to package and build a ready for distribution Electron app with “auto update” support out of the box
https://www.electron.build
MIT License

MAS is notarized which results in broken signature #8102

Closed idoodler closed 1 month ago

idoodler commented 7 months ago

When building the MAS target, the artifacts are notarized, which then results in: `The executable must be signed with the certificate that is contained in the provisioning profile.`

Here is the building output:

```
• electron-builder  version=24.13.3 os=23.3.0
  • artifacts will be published if draft release exists  reason=CI detected
  • loaded configuration  file=/Users/appdev/builds/iu3Przmy/3/App/monorepo/apps/raptor-electron/build/electron-builder.mas.cjs
  • description is missed in the package.json  appPackageFile=/Users/appdev/builds/iu3Przmy/3/App/monorepo/apps/raptor-electron/package.json
  • packaging       platform=mas arch=x64 electron=25.2.0 appOutDir=dist/mas-universal-x64-temp
  • packaging       platform=mas arch=arm64 electron=25.2.0 appOutDir=dist/mas-universal-arm64-temp
  • packaging       platform=mas arch=universal electron=25.2.0 appOutDir=dist/mas-universal
  • signing         file=dist/mas-universal/<REDACTED>.app platform=darwin type=distribution identity=<REDACTED> provisioningProfile=build/embedded.mas.provisionprofile
  • notarization successful
  • signing         file=dist/mas-universal/<REDACTED>.app platform=mas type=distribution identity=<REDACTED> provisioningProfile=build/embedded.mas.provisionprofile
[20:43:37] Processing pkg [started]
[20:43:58] Processing pkg [completed]
```

As you can see, the notarization step should not be here.

In addition, I have an `electron-builder.env` file in the project's root directory; it has the following structure:


WIN_CSC_KEY_PASSWORD="<REDACTED>"
APPLE_API_KEY="<REDACTED>"
APPLE_API_KEY_ID="<REDACTED>"
APPLE_API_KEY_ISSUER="<REDACTED>" // This works with electron-builder 24.9.1
APPLE_API_ISSUER="<REDACTED>" // This works with electron-builder 24.13.3
idoodler commented 7 months ago

@mmaietta As mentioned in #8087

mmaietta commented 7 months ago

Thanks @idoodler ! Quick Q, are mas targets ever supposed to be notarized? (Meaning it should always be skipped by electron-builder logic) Or is that limited to mac target?

idoodler commented 7 months ago

> Thanks @idoodler ! Quick Q, are mas targets ever supposed to be notarized? (Meaning it should always be skipped by electron-builder logic) Or is that limited to mac target?

Only apps distributed outside of the mac app store must be notarized.

I don't know of any reason why one would need to notarize a MAS target.

mmaietta commented 7 months ago

Soooo I'm genuinely not sure why mas builds are being notarized as there's an explicit if-statement to avoid doing so 🤔 https://github.com/electron-userland/electron-builder/blob/27953bbe308d196adb0162f86caf5222666bd132/packages/app-builder-lib/src/macPackager.ts#L335-L337

I don't have an active Apple Developer Subscription to write a notarization unit test for either, but debating on reopening my account

Can you post your electron-builder config?

idoodler commented 7 months ago

@mmaietta I just checked; the `masOptions` are undefined for me:

https://github.com/electron-userland/electron-builder/blob/27953bbe308d196adb0162f86caf5222666bd132/packages/app-builder-lib/src/macPackager.ts#L209C1-L210C1

Here is the effective config (`dist/builder-effective-config.yaml`), which is generated from the base config that doesn't include the mas target for the mac platform. This is something I also do in our legacy project due to some changes we have to make specific to mas. **Note that I removed the protocols, linux, deb, win, appx and files properties.**

```yaml
directories:
  output: dist
  buildResources: build
appId: <REDACTED>
afterAllArtifactBuild: ./build/hooks/afterAllArtifactBuildHook.js
buildVersion: '1'
electronVersion: 25.2.0
artifactName: ${productName}.${ext}
mac:
  category: public.app-category.utilities
  hardenedRuntime: true
  gatekeeperAssess: true
  target:
    target: mas
    arch:
      - universal
  provisioningProfile: build/embedded.mas.provisionprofile
  extendInfo:
    ITSAppUsesNonExemptEncryption: false
    LSMultipleInstancesProhibited: true
mas:
  entitlements: build/entitlements.mas.plist
  entitlementsInherit: build/entitlements.mas.inherit.plist
dmg:
  title: ${productName}
  window:
    width: 700
    height: 400
    x: 200
    'y': 200
  contents:
    - x: 450
      'y': 190
      type: link
      path: /Applications
    - x: 230
      'y': 190
      type: file
```

Here is the script (`build/electron-builder.mas.js`) which takes the base config and adapts it. This script is then fed into electron-builder via the `-c` argument:

```js
const YAML = require('yaml');
const fs = require('fs');
const path = require('path');

// electron-builder calls this with the build context when the file is passed via -c
module.exports = context => {
    // Start from the shared base config (the one without the mas target)
    const config = YAML.parse(
        fs.readFileSync(
            path.join(__dirname, 'electron-builder.base.yml'),
            'utf8',
        ),
    );
    // The afterSign hook of the base config is not wanted for MAS builds
    delete config.afterSign;

    // Only build the universal MAS target
    config.mac.target = {
        target: 'mas',
        arch: ['universal'],
    };
    config.mac.provisioningProfile = `build/embedded.mas.provisionprofile`;
    config.mac.extendInfo = {
        ITSAppUsesNonExemptEncryption: false,
        LSMultipleInstancesProhibited: true,
    };

    // MAS-specific entitlements (sandboxed app + inherited entitlements for helpers)
    config.mas = {
        entitlements: `build/entitlements.mas.plist`,
        entitlementsInherit: `build/entitlements.mas.inherit.plist`,
    };

    return config;
};
```

So in total, to build mas we use the following command: `USE_HARD_LINKS=false electron-builder -c build/electron-builder.mas.js -m`
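An added example, not code from this thread or from electron-builder itself: the same base-to-MAS transformation as the posted script, applied to a plain config object, followed by a pre-flight check that reports anything which would make a MAS build get notarized or fail signing (no `mas` target, a leftover `afterSign` hook, `mac.notarize` enabled, a missing provisioning profile or entitlements file). `mac.notarize` is a real electron-builder option; `fileExists` is a hypothetical predicate passed in by the caller so the check can run against a fake file set, and `BASE_CONFIG` is constructed from the effective config above with the redacted `appId` replaced by a placeholder.

```javascript
// Added example (not from the issue thread or electron-builder).
// toMasConfig mirrors build/electron-builder.mas.js but works on an object
// (the thread parses electron-builder.base.yml with the `yaml` package).
function toMasConfig(base) {
  const config = JSON.parse(JSON.stringify(base)); // deep copy; never mutate the base config
  delete config.afterSign;                         // legacy afterSign hooks are a common place where notarization runs
  config.mac = config.mac || {};
  config.mac.target = { target: 'mas', arch: ['universal'] };
  config.mac.provisioningProfile = 'build/embedded.mas.provisionprofile';
  config.mac.notarize = false;                     // explicit: MAS artifacts must not be notarized
  config.mac.extendInfo = {
    ITSAppUsesNonExemptEncryption: false,
    LSMultipleInstancesProhibited: true,
  };
  config.mas = {
    entitlements: 'build/entitlements.mas.plist',
    entitlementsInherit: 'build/entitlements.mas.inherit.plist',
  };
  return config;
}

// Pre-flight check before signing. Returns a list of problems; empty means ready.
// `fileExists` is a hypothetical injected predicate (e.g. p => fs.existsSync(p) in a real build).
function checkMasConfig(config, fileExists) {
  const problems = [];
  const mac = config.mac || {};
  // mac.target may be a string, an object, or an array of either
  const targets = [].concat(mac.target || []);
  const isMas = targets.some(t => (typeof t === 'string' ? t : t.target) === 'mas');
  if (!isMas) problems.push('mac.target does not include mas');
  if (config.afterSign) problems.push('afterSign hook present (may notarize)');
  if (mac.notarize) problems.push('mac.notarize is enabled; MAS builds must not be notarized');
  const requiredFiles = [
    ['mac.provisioningProfile', mac.provisioningProfile],
    ['mas.entitlements', config.mas && config.mas.entitlements],
    ['mas.entitlementsInherit', config.mas && config.mas.entitlementsInherit],
  ];
  for (const [key, file] of requiredFiles) {
    if (!file) problems.push(`${key} is not set`);
    else if (!fileExists(file)) problems.push(`${key} points to a missing file: ${file}`);
  }
  return problems;
}

// Constructed base config, trimmed from the effective config posted in the thread.
const BASE_CONFIG = {
  directories: { output: 'dist', buildResources: 'build' },
  appId: 'com.example.placeholder',        // placeholder; the real appId is redacted in the thread
  afterSign: './build/hooks/afterSign.js', // hypothetical legacy hook that the MAS script deletes
  electronVersion: '25.2.0',
  mac: { category: 'public.app-category.utilities', hardenedRuntime: true, gatekeeperAssess: true },
};

// Constructed file set standing in for the build/ directory.
const FAKE_FILES = new Set([
  'build/embedded.mas.provisionprofile',
  'build/entitlements.mas.plist',
  'build/entitlements.mas.inherit.plist',
]);
const fakeExists = p => FAKE_FILES.has(p);

const masConfig = toMasConfig(BASE_CONFIG);
console.log('base config problems:', checkMasConfig(BASE_CONFIG, fakeExists));
console.log('mas config problems:', checkMasConfig(masConfig, fakeExists));
```

Running the check on the base config lists the missing `mas` target and the `afterSign` hook; running it on the transformed config yields an empty list. Wiring `checkMasConfig` into the `-c` script (throwing when the list is non-empty) stops a misconfigured MAS build before any signing or notarization step runs.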

dpatra commented 5 months ago

Any update! Please!

github-actions[bot] commented 2 months ago

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 30 days.

github-actions[bot] commented 1 month ago

This issue was closed because it has been stalled for 30 days with no activity.