electron-userland / electron-builder

A complete solution to package and build a ready for distribution Electron app with “auto update” support out of the box
https://www.electron.build
MIT License

Not able to Pass Transporter & Notarization with same .pkg file #8382

Closed Devine-Davies closed 2 months ago

Devine-Davies commented 2 months ago

Help Request: Publishing to App Store

Hey community 👋

I am trying to submit an Electron build to the Mac App Store. And while all was going well and I was able to get my app into TestFlight, upon installing the app and running the app Apple returns the following error:

[Screenshot 2024-07-26 at 17 13 51]

I believe this is due to the app not being notarized beforehand. After researching online I see that there seem to be mixed understandings around whether apps submitted to the App Store need to be notarized. Although I couldn’t find anywhere that clearly states this, I was more under the impression that this was required due to the error message and Apple’s docs on notarizing ‘.pkg’ files.

When running electron-builder with the following configuration:

  mac: {
    type: 'distribution',
    cscLink: macCertificate,
    cscKeyPassword: macCertificatePassword,
    entitlements: macDistEntitlements,
    entitlementsInherit: macDistEntitlements,
    provisioningProfile: macDistProvisioningProfile,
    darkModeSupport: true,
    icon: 'build/icon-mac.icns',
    category: 'public.app-category.video',
    artifactName: '${productName}-${version}-${os}.${ext}',
    notarize: false,
    gatekeeperAssess: false,
    hardenedRuntime: true,
    extendInfo: {
      ElectronTeamID: appleTeamId,
    },
    target: [
      {
        target: 'mas',
        arch: ['universal'],
      },
      {
        target: 'pkg',
        arch: ['universal'],
      }
    ],
  },
  mas: {
    appId: appId,
    type: 'distribution',
    cscLink: macCertificate,
    cscKeyPassword: macCertificatePassword,
    entitlements: appStoreEntitlements,
    entitlementsInherit: appStoreEntitlements,
    provisioningProfile: appStoreProvisioningProfile,
    icon: 'build/icon-mac.icns',
    artifactName: '${productName}-${version}-${os}.${ext}',
    category: 'public.app-category.video',
    gatekeeperAssess: false,
    hardenedRuntime: true,
    darkModeSupport: true,
    target: ['mas'],
    notarize: false,
  },

It produces 2 .pkg files

The certificates I am using to sign these files are the following (I have replaced names with ‘xxxxx’):

Mac Installer Submission: xxxxx
Mac Developer ID Application: xxxxx
Mac Developer ID Installer: xxxxx
Apple Development: xxxxx (xxxxx)
Apple Distribution: xxxxx

Upon inspecting the signed certificates for each of the files I get the following:

PKG ONE: release/App-1.1.9-mac.pkg

pkgutil --check-signature release/App-1.1.9-mac.pkg 
Package "App-1.1.9-mac.pkg":
  Status: signed by a developer certificate issued by Apple for distribution
  Signed with a trusted timestamp on: 2024-07-25 23:03:31 +0000
  Certificate Chain:
    1. Developer ID Installer: xxxx (xxxxx)
      Expires: 2027-02-01 22:12:15 +0000
      SHA256 Fingerprint:
          00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
          00 00 00 00 00 00 00 00 00 00
      ------------------------------------------------------------------------
    2. Developer ID Certification Authority
      Expires: 2027-02-01 22:12:15 +0000
      SHA256 Fingerprint:
          00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
          00 00 00 00 00 00 00 00 00 00
      ------------------------------------------------------------------------
    3. Apple Root CA
      Expires: 2035-02-09 21:40:36 +0000
      SHA256 Fingerprint:
          00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
          00 00 00 00 00 00 00 00 00 00

PKG TWO: release/mas-universal/App-1.1.9-mac.pkg

pkgutil --check-signature release/mas-universal/App-1.1.9-mac.pkg
Package "App-1.1.9-mac.pkg":
   Status: signed by a developer certificate issued by Apple (Development)
   Certificate Chain:
    1. 3rd Party Mac Developer Installer: xxxx (xxxxx)
       Expires: 2025-07-23 15:54:10 +0000
       SHA256 Fingerprint:
          00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
          00 00 00 00 00 00 00 00 00 00
       ------------------------------------------------------------------------
    2. Apple Worldwide Developer Relations Certification Authority
       Expires: 2030-02-20 00:00:00 +0000
       SHA256 Fingerprint:
          00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
          00 00 00 00 00 00 00 00 00 00
       ------------------------------------------------------------------------
    3. Apple Root CA
       Expires: 2035-02-09 21:40:36 +0000
       SHA256 Fingerprint:
          00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
          00 00 00 00 00 00 00 00 00 00

It seems that I am able to get Transporter or Notarization to succeed but not both using the same PKG file. Am I going mad and this is not a requirement, or should this be possible in order to resolve the error message listed above? If anyone has any experience with submitting Electron builds to the Mac App Store and would be able to offer some advice or guidance on this matter, it would be much appreciated.

The results of both Transporter and Notarization are listed below for each PKG file.

PKG ONE:

Transporter Error

Asset validation failed (90284)
Invalid Code Signing. The executable 'App-1.1.9-mac.pkg 
/Payload/App-1.1.9-mac.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libvk_swiftshader.dylib' must be signed with the certificate that is contained in the provisioning profile. (ID: c331352d-aecd-479c-970d-a5c8cc4c0596)

Asset validation failed (90237)
The product archive package's signature is invalid. Ensure that it is signed with your "3rd Party Mac Developer Installer" certificate. (ID: e23d4034-eaca-4751-853f-44e35a0d92d5)

PKG TWO

Notarization Error

{
  "severity": "error",
  "code": null,
  "path": "App-1.1.9-mac.pkg",
  "message": "The binary is not signed with a valid Developer ID certificate.",
  "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721",
  "architecture": null
},

Environment Dependencies

"electron": "28.2.9",
"electron-builder": "24.9.1",
"@electron/notarize": "2.3.2",

Cheers. 👍

Devine-Davies commented 2 months ago

Hello again 👋

After thorough research and numerous trials and errors, I was able to resolve the issues mentioned above. When enabling the electron-builder notarization config option, I believe it sends the .app file for notarization first, and then this gets bundled inside the .pkg file. Initially, I was only notarizing the .pkg separately after the Electron build was completed.

Closing this issue. Happy Coding.
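
A pre-upload check built on the two `pkgutil --check-signature` outputs in the first comment, as an added example that is not part of the original thread or of electron-builder: it reads the leaf certificate of a package and reports whether it matches the channel the package is about to be sent to. The function names, the channel labels and the prefix-to-channel mapping are assumptions, drawn from the Transporter (90237) and notarization error messages quoted above.

```javascript
// Added example (not from the thread). Input: `pkgutil --check-signature` text.
// Assumption: only the two leaf names quoted in the thread are recognised.
const CHANNELS = [
  { prefix: 'Developer ID Installer', channel: 'notarization' },
  { prefix: '3rd Party Mac Developer Installer', channel: 'app-store' },
];

// Collect the numbered subjects under "Certificate Chain:" (leaf first).
function parseChain(output) {
  const chain = [];
  let inChain = false;
  for (const line of output.split(/\r?\n/)) {
    if (/^\s*Certificate Chain:/.test(line)) { inChain = true; continue; }
    const m = inChain && line.match(/^\s*\d+\.\s+(.+?)\s*$/);
    if (m) chain.push(m[1]);
  }
  return chain;
}

// Decide which upload channel the package signature is valid for.
function classifyPkg(output) {
  const [leaf = null] = parseChain(output);
  const hit = leaf && CHANNELS.find((c) => leaf.startsWith(c.prefix));
  return {
    leaf,
    channel: leaf === null ? 'unsigned' : hit ? hit.channel : 'unknown',
    timestamped: /Signed with a trusted timestamp on:/.test(output),
  };
}

// Fail early, before Transporter or the notary service rejects the upload.
function preflight(output, wanted) {
  const { leaf, channel } = classifyPkg(output);
  if (channel === wanted) return { ok: true, reason: null };
  return { ok: false, reason: `leaf "${leaf}" is for ${channel}, not ${wanted}` };
}

// Constructed samples, trimmed from the redacted output in the thread.
const PKG_ONE = `Package "App-1.1.9-mac.pkg":
  Signed with a trusted timestamp on: 2024-07-25 23:03:31 +0000
  Certificate Chain:
    1. Developer ID Installer: xxxx (xxxxx)
    2. Developer ID Certification Authority
    3. Apple Root CA`;
const PKG_TWO = `Package "App-1.1.9-mac.pkg":
  Certificate Chain:
    1. 3rd Party Mac Developer Installer: xxxx (xxxxx)
    2. Apple Worldwide Developer Relations Certification Authority
    3. Apple Root CA`;
console.log(preflight(PKG_ONE, 'app-store'), preflight(PKG_TWO, 'app-store'));
```

In a build script the input would come from running `pkgutil --check-signature` on each artifact; the check covers only the installer signature, not the signatures of the binaries inside the payload (the 90284 error above).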