Open davidmurdoch opened 10 months ago
Update: I tried using the built-in "notarize" option in electron-builder and it notarized and stapled successfully, just like before, but the app is still unable to be opened on Mac. So perhaps this is indeed a bug.
I can launch the .dmg, which Mac briefly says "Verifying" before successfully opening the installer screen (drag to "Applications"). It then installs, but when I try to open the app it again says "Verifying [...]", but for a minute or two, before failing with the message: "Ganache" cannot be opened because the developer cannot be verified. macOS cannot verify that this app is free from malware. [...]
Logs:
• signing file=dist/mac/Ganache.app identityName=Developer ID Application: ConsenSys AG (48XVW22RCG) identityHash=C927DD3B556DC334E4573E643FB6F2F142E5FC5F provisioningProfile=none
2023-09-02T14:51:51.458Z electron-notarize:spawn spawning cmd: xcrun args: [ '--find', 'notarytool' ] opts: {}
2023-09-02T14:51:54.462Z electron-notarize:spawn cmd xcrun terminated with code: 0
2023-09-02T14:51:54.462Z electron-notarize:notarytool starting notarize process for app: /Users/runner/work/ganache-ui/ganache-ui/dist/mac/Ganache.app
2023-09-02T14:51:54.463Z electron-notarize:helpers doing work inside temp dir: /var/folders/24/8k48jl6d249_n_qfxwsl6xvm0000gn/T/electron-notarize-5htv5U
2023-09-02T14:51:54.464Z electron-notarize:notarytool zipping application to: /var/folders/24/8k48jl6d249_n_qfxwsl6xvm0000gn/T/electron-notarize-5htv5U/Ganache.zip
2023-09-02T14:51:54.464Z electron-notarize:spawn spawning cmd: ditto args: [
'-c',
'-k',
'--sequesterRsrc',
'--keepParent',
'Ganache.app',
'/var/folders/24/8k48jl6d249_n_qfxwsl6xvm0000gn/T/electron-notarize-5htv5U/Ganache.zip'
] opts: { cwd: '/Users/runner/work/ganache-ui/ganache-ui/dist/mac' }
2023-09-02T14:53:33.252Z electron-notarize:spawn cmd ditto terminated with code: 0
2023-09-02T14:53:33.252Z electron-notarize:notarytool zip succeeded, attempting to upload to Apple
2023-09-02T14:53:33.252Z electron-notarize:spawn spawning cmd: xcrun args: [
'notarytool',
'submit',
'/var/folders/24/8k48jl6d249_n_qfxwsl6xvm0000gn/T/electron-notarize-5htv5U/Ganache.zip',
'--apple-id',
'*********',
'--password',
'*********',
'--team-id',
'*********',
'--wait',
'--output-format',
'json'
] opts: {}
2023-09-02T15:19:19.320Z electron-notarize:spawn cmd xcrun terminated with code: 0
2023-09-02T15:19:19.322Z electron-notarize:notarytool notarization success
2023-09-02T15:19:19.323Z electron-notarize:helpers work succeeded
2023-09-02T15:19:19.422Z electron-notarize:staple attempting to staple app: /Users/runner/work/ganache-ui/ganache-ui/dist/mac/Ganache.app
2023-09-02T15:19:19.423Z electron-notarize:spawn spawning cmd: xcrun args: [ 'stapler', 'staple', '-v', 'Ganache.app' ] opts: { cwd: '/Users/runner/work/ganache-ui/ganache-ui/dist/mac' }
2023-09-02T15:19:23.628Z electron-notarize:spawn cmd xcrun terminated with code: 0
2023-09-02T15:19:23.629Z electron-notarize:staple staple succeeded
• notarization successful
• building target=macOS zip arch=x64 file=dist/Ganache-2.7.2-mac.zip
• building target=DMG arch=x64 file=dist/Ganache-2.7.2-mac.dmg
• building block map blockMapFile=dist/Ganache-2.7.2-mac.zip.blockmap
• publishing publisher=Github (owner: trufflesuite, project: ganache-ui, version: 2.7.2)
• uploading file=Ganache-2.7.2-mac.zip.blockmap provider=github
• uploading file=Ganache-2.7.2-mac.zip provider=github
• overwrite published file file=Ganache-2.7.2-mac.zip.blockmap reason=already exists on GitHub
• overwrite published file file=Ganache-2.7.2-mac.zip reason=already exists on GitHub
• copy files from=/Users/runner/work/ganache-ui/ganache-ui/static/icons/mac/icon.icns to=/Volumes/Ganache 2.7.2/.VolumeIcon.icns isUseHardLinks=false
• copy files from=/Users/runner/work/ganache-ui/ganache-ui/build/dmg/background.tiff to=/Volumes/Ganache 2.7.2/.background/background.tiff isUseHardLinks=false
• execute command command=sips -g pixelHeight -g pixelWidth /Users/runner/work/ganache-ui/ganache-ui/build/dmg/background.tiff workingDirectory=
• command executed executable=sips out=/Users/runner/work/ganache-ui/ganache-ui/build/dmg/background.tiff
pixelHeight: 498
pixelWidth: 658
• building block map blockMapFile=dist/Ganache-2.7.2-mac.dmg.blockmap
• uploading file=Ganache-2.7.2-mac.dmg.blockmap provider=github
• uploading file=Ganache-2.7.2-mac.dmg provider=github
• overwrite published file file=Ganache-2.7.2-mac.dmg.blockmap reason=already exists on GitHub
• overwrite published file file=Ganache-2.7.2-mac.dmg reason=already exists on GitHub
• overwrite published file file=latest-mac.yml reason=already exists on GitHub
I've opened an issue on electron-builder as well: https://github.com/electron-userland/electron-builder/issues/7755
Hi David
I got similar problems with an App, quite like yours. Using electron/notarize seems to complete successfully.
On my development/signing machine I validate the resulting files with:
Codesigning:
codesign --verify --verbose=2 our.app
--prepared:/Users/mac20rd01/Source/DPA Audio Controller Test/DPA%20Audio%20Controller/release/build/mac/DPA Audio Controller.app/Contents/Frameworks/DPA Audio Controller Helper (GPU).app
--validated:/Users/mac20rd01/Source/DPA Audio Controller Test/DPA%20Audio%20Controller/release/build/mac/DPA Audio Controller.app/Contents/Frameworks/DPA Audio Controller Helper (GPU).app
--prepared:/Users/mac20rd01/Source/DPA Audio Controller Test/DPA%20Audio%20Controller/release/build/mac/DPA Audio Controller.app/Contents/Frameworks/DPA Audio Controller Helper (Renderer).app
...
./release/build/mac/DPA Audio Controller.app: valid on disk
./release/build/mac/DPA Audio Controller.app: satisfies its Designated Requirement
codesign --verify --verbose=2 ./release/build/DPA\ Audio\ Controller-1.0.0.dmg
./release/build/DPA Audio Controller-1.0.0.dmg: valid on disk
./release/build/DPA Audio Controller-1.0.0.dmg: satisfies its Designated Requirement
Checking the notarization:
spctl -a -v --assess --type execute ./release/build/mac/DPA\ Audio\ Controller.app
./release/build/mac/DPA Audio Controller.app: accepted
source=Notarized Developer ID
Checking the stapling:
spctl -a -v --assess --type execute ./release/build/mac/DPA\ Audio\ Controller.app
./release/build/mac/DPA Audio Controller.app: accepted
source=Notarized Developer ID
I'm not able to check the stapling on the dmg file, I haven't found out why... And it's hard to tell from the net if a dmg should be notarized or not. I read 50/50 arguments for or against :-)
Moving the dmg or app file to another Mac and cleaning the Gatekeeper cache before trying to execute, using:
sudo spctl --reset-default
And I'm still getting the Gatekeeper "unidentified developer" on another machine. Pretty strange...
I have to get this solved, so I'll keep you updated if I get it solved.
Best regards from Peter
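The manual checks from the comment above, gathered into one gate that can fail a build before anything is published. This is an added example, not code from the thread or from @electron/notarize: the function names are hypothetical, `--deep --strict` and `xcrun stapler validate` are added alongside the commands the comment lists, and the checks themselves only run on a macOS build host.

```shell
#!/bin/sh
# Added example, not from the thread. Run on the macOS build host after
# notarization and stapling, before any artifact is uploaded.

# Print the "source=" value from `spctl -a -vv` output (empty if absent).
gatekeeper_source() {
  printf '%s\n' "$1" | sed -n 's/^.*source=\(.*\)$/\1/p' | head -n 1
}

# Succeed only if spctl accepted the item as a notarized Developer ID build.
gatekeeper_ok() {
  case $1 in
    *": accepted"*) [ "$(gatekeeper_source "$1")" = "Notarized Developer ID" ] ;;
    *) return 1 ;;
  esac
}

# Record one failed check on stderr and bump the counter.
fail() {
  echo "FAIL: $1" >&2
  failed=$((failed + 1))
}

# verify_release APP [DMG]: returns the number of failed checks (0 = publish).
verify_release() {
  app=$1
  dmg=${2:-}
  failed=0
  # Signature of the bundle and its nested helpers/frameworks.
  codesign --verify --deep --strict --verbose=2 "$app" || fail "codesign $app"
  # The notarization ticket must be attached to the bundle itself.
  xcrun stapler validate "$app" || fail "stapler $app"
  # Gatekeeper's own verdict; capture both streams so the text is not lost.
  assess=$(spctl -a -vv --type execute "$app" 2>&1)
  gatekeeper_ok "$assess" || fail "gatekeeper: $assess"
  # Optional: pass a DMG only if your pipeline signs and staples it.
  if [ -n "$dmg" ]; then
    codesign --verify --verbose=2 "$dmg" || fail "codesign $dmg"
    xcrun stapler validate "$dmg" || fail "stapler $dmg"
  fi
  return "$failed"
}

# Only run the checks when called with arguments: verify.sh App.app [App.dmg]
if [ "$#" -gt 0 ]; then
  verify_release "$@"
fi
```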
~bump~
My fault, in my case, I removed com.apple.security.cs.disable-library-validation in my plist file, then it worked.
There's a solution here: https://github.com/electron-userland/electron-builder/issues/7755
I've been trying to get this to work for a week but can't seem to appease Apple. This is probably not even an issue with @electron/notarize, but I'm at my wits' end here and don't know what else to do.
Anyone able to point me in the right direction or suggest possible reasons?
Full logs are here: https://github.com/trufflesuite/ganache-ui/actions/runs/6054222144/job/16431228939#step:11:4484
Code that runs electron notarize: https://github.com/trufflesuite/ganache-ui/blob/chore/github_actions/scripts/build/afterSignHook.js
@electron/notarize DEBUG logs: