electron / osx-sign

Codesign Electron macOS apps
BSD 2-Clause "Simplified" License

Electron window is blank in sandbox #151

Closed Alexandra1337 closed 7 years ago

Alexandra1337 commented 7 years ago

The app is on Electron with react

electron: 1.6.11
electron-packager: 8.7.2
react: 15.4.2
electron-osx-sign: 0.4.7

I create and sign my build with

electron-packager . --ignore=./.gitignore --ignore=./.node_modules --ignore=./webpack.config.js --platform=mas --arch=all --icon='./electron.icns' --app-bundle-id=com.smarterback.desktop --helper-bundle-id=com.smarterback.desktop.helper --app-category-type=public.app-category.utilities --overwrite --asar=true --app-version=1.0.5 --build-version=666 --electronVersion=1.6.11 --out=release-builds && electron-osx-sign release-builds/SmarterBack-mas-x64/SmarterBack.app --entitlements=parent.plist --entitlements-inherit=mas.inherit.default.entitlements --identity='3rd Party Mac Developer Application: JENGO LLC (63UV74H5Q5)' --platform='mas' --embedded-binary=release-builds/SmarterBack-mas-x64/SmarterBack.app/Contents/Resources/app.asar

parent.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
    <key>com.apple.security.network.server</key>
    <true/>
    <key>com.apple.security.device.camera</key>
    <true/>
    <key>com.apple.security.temporary-exception.sbpl</key>
    <array>
        <string>(allow mach-lookup (global-name-regex #"^org.chromium.Chromium.rohitfork.[0-9]+$"))</string>
        <string>(allow mach-register (global-name-regex #"^org.chromium.Chromium.rohitfork.[0-9]+$"))</string>
    </array>
  </dict>
</plist>

mas.inherit.default.entitlements

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.scripting-targets</key>
    <true/>
    <key>com.apple.security.inherit</key>
    <true/>
    <key>com.apple.security.device.firewire</key>
    <true/>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.device.camera</key>
    <true/>
    <key>com.apple.security.files.user-selected.read-only</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
    <key>com.apple.security.network.server</key>
    <true/>
    <key>com.apple.security.temporary-exception.sbpl</key>
    <array>
        <string>(allow mach-lookup (global-name-regex #"^org.chromium.Chromium.rohitfork.[0-9]+$"))</string>
        <string>(allow mach-register (global-name-regex #"^org.chromium.Chromium.rohitfork.[0-9]+$"))</string>
    </array>
</dict>
</plist>

And after I sign my app I start to get a blank screen on my browser window and nothing can load. After some debugging I noticed that I can't use require to import my js, css in my index.html. I started to research more and I found that I had to use "sandbox: true" in my window

window = new BrowserWindow({
    webPreferences: {
        sandbox: true,
        nodeIntegration: false
    }
})

I even tried to use preload.js to the webPreferences

var hostProcess = process;
var hostRequire = require;

process.once('loaded', function(){

  global.host = {
    process: hostProcess,
    crash: function () {
      hostProcess.crash();
    },
  };

  global.host.ipc = hostRequire('ipc');
  global.host.ipc = hostRequire('fs');
});

My Index.html

<!DOCTYPE html>
<html lang="en">

<head>
    <meta charset="UTF-8">
    <meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' http://platform.linkedin.com ">
    <title>SmarterBack Preferences</title>
    <link rel="stylesheet" type="text/css" href="bootstrap.min.css">
    <link rel="stylesheet" type="text/css" href="quill.snow.css">
    <link rel="stylesheet" type="text/css" href="Main.css">
</head>

<body>
    <div id="main"></div>
</body>

<script src="js/libs/createjs/preloadjs-0.6.2.min.js"></script>
<script src="js/BRFv4Demo.js"></script>
<script src="js/jquery.min.js"></script>
<script src="js/jquery-3.2.1.min.js"></script>
<script src="js/bootstrap.min.js"></script>
<script src="./Main.js"></script>
</html>

For now I think I've tried everything, but nothing seems to work. The app works perfectly if it's not in sandbox mode, but then I can't submit it to the Apple store. After I sign it everything in the index.html stops working. In some cases I got the error "helper not found" when I started the app. I think the main problem is the signing, because in a lot of topics on this issue people said that they fixed the problem with a simple signing....

Any kind of help will be appreciated.

sethlu commented 7 years ago

Hi @Alexandra1337, thanks for reporting this issue! Here is some advice based on your description:

If your app runs successfully before code signing, probably it's just the code signing part that needs tweaking. Let's first check if the app can launch locally successfully.

Since you will be distributing your app on the Mac App Store, it'll be handy if you can generate a provisioning profile (.provisionprofile) for development from Apple Developer and put it in the same directory with the other assets like the entitlements file. This file allows only the provisioned devices to launch the app for development purposes.

electron-osx-sign 'release-builds/SmarterBack-mas-x64/SmarterBack.app' 'release-builds/SmarterBack-mas-x64/SmarterBack.app/Contents/Resources/app.asar' \
    --entitlements='parent.plist' \
    --provisioning-profile='development.provisionprofile' \
    --identity='3rd Party Mac Developer Application: JENGO LLC (XXXXXXXXXX)' \
    --platform='mas' \
    --type='development'

(I've removed the inherit entitlements file from the command above since it is rarely used, as all properties specified in parent.plist will be inherited.)

parent.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.inherit</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
    <key>com.apple.security.network.server</key>
    <true/>
    <key>com.apple.security.device.camera</key>
    <true/>
    <key>com.apple.security.scripting-targets</key>
    <true/>
    <key>com.apple.security.device.firewire</key>
    <true/>
    <key>com.apple.security.files.user-selected.read-only</key>
    <true/>
  </dict>
</plist>

Once the app is signed for development, let me know if it launches as expected!

Alexandra1337 commented 7 years ago

Thank you for the fast reply @sethlu. I changed the parent.plist like you told me with the new signing command, I used a new cert and provision profile for development, and after the signing I had no problems starting the app. Now I have to see if I can submit it to the Apple store (still haven't tried).

I will keep you updated with the submitting. Submitting update: ERROR ITMS-90283: "Invalid Provisioning Profile.", but I guess this is expected. Update 2: I tested the app on another pc, but I got error Killed: 9

By the way, why do I use provision profile for development, don't I need for distribution?

sethlu commented 7 years ago

@Alexandra1337 There's a part (b) to setting this up I forgot to mention. If the app runs successfully locally when code signed, then great! And moving on to submitting the app to the Mac App Store takes just one extra step.

The message you received earlier:

Submitting update: ERROR ITMS-90283: "Invalid Provisioning Profile.", but I guess this is expected.
Update 2: I tested the app on another pc, but I got error Killed: 9

is somewhat expected because the code signing isn't set up for distribution just yet.


To continue from the previous post, I would recommend generating a provisioning profile for distribution on the Mac App Store from Apple Developer (where you created the one for development earlier) and putting that in the same directory as the development.provisionprofile. Usually I name it as distribution.provisionprofile.

And the command is then turned to:

electron-osx-sign 'release-builds/SmarterBack-mas-x64/SmarterBack.app' 'release-builds/SmarterBack-mas-x64/SmarterBack.app/Contents/Resources/app.asar' \
    --entitlements='parent.plist' \
    --provisioning-profile='distribution.provisionprofile' \
    --identity='3rd Party Mac Developer Application: JENGO LLC (XXXXXXXXXX)' \
    --platform='mas'

The --type is set to distribution by default, so it's skipped in the command shown above. Note that the provisioning profile is set to the one for distribution.

Once your app is code signed with the instruction above, you should be able to submit it to iTunes Connect. However, a side issue with the distribution signing is that there's no way to run the app locally since the provisioning profile doesn't hint any provisioned devices.

Let me know how the app submission goes!


And why to use provisioning profiles?

See: https://github.com/electron-userland/electron-osx-sign/pull/84

Alexandra1337 commented 7 years ago

Sorry for the slow reply. I signed the app with the new command and uploaded it to the Apple store, so now I wait for their feedback. Before, I could submit my app, but I got a blank screen; that's why they rejected it. I will keep you updated with my progress.

Update:

2. 4 Performance: Hardware Compatibility (macOS)
Guideline 2.4.5(i) - Performance

We’ve determined that one or more temporary entitlement exceptions requested for this app are not appropriate and will not be granted:

com.apple.security.temporary-exception.sbpl:
(allow mach-register (global-name-regex #“^org.chromium.Chromium.rohitfork.[0-9]+$“))

com.apple.security.temporary-exception.sbpl:
(allow mach-lookup (global-name-regex #“^org.chromium.Chromium.rohitfork.[0-9]+$“))

We understand this may prevent the app from being approved for the Mac App Store. We encourage you to investigate other ways of implementing the desired functionality.

Next Steps

See App Sandboxing for links to essential video and documentation to learn how to sandbox your application.

Should you need code-level assistance implementing sandboxing, contact Apple Developer Technical Support.

Alexandra1337 commented 7 years ago

After the last update I edited my parent.plist a little bit and tried to submit again, don't know if it was the right way tho.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.inherit</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
    <key>com.apple.security.network.server</key>
    <true/>
    <key>com.apple.security.device.camera</key>
    <true/>
    <key>com.apple.security.scripting-targets</key>
    <true/>
    <key>com.apple.security.device.firewire</key>
    <true/>
    <key>com.apple.security.files.user-selected.read-only</key>
    <true/>
    <key>com.apple.security.temporary-exception.sbpl</key>
    <array>
        <string>(allow mach-lookup (global-name-regex #"^org.chromium.Chromium.rohitfork.[0-9]+$"))</string>
        <string>(allow mach-register (global-name-regex #"^org.chromium.Chromium.rohitfork.[0-9]+$"))</string>
    </array>
  </dict>
</plist>

sethlu commented 7 years ago

Hi @Alexandra1337, the following plist should work:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.inherit</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
    <key>com.apple.security.network.server</key>
    <true/>
    <key>com.apple.security.device.camera</key>
    <true/>
    <key>com.apple.security.scripting-targets</key>
    <true/>
    <key>com.apple.security.device.firewire</key>
    <true/>
    <key>com.apple.security.files.user-selected.read-only</key>
    <true/>
  </dict>
</plist>

There's no need to include the entry com.apple.security.temporary-exception.sbpl, or the app will end up being rejected. With that I think your app should be able to pass the app review.

Alexandra1337 commented 7 years ago

The plist that you mentioned I used at the very start and got the rejection from apple. When I saw those lines.

We’ve determined that one or more temporary entitlement exceptions requested for this app are not appropriate and will not be granted:

com.apple.security.temporary-exception.sbpl:
(allow mach-register (global-name-regex #“^org.chromium.Chromium.rohitfork.[0-9]+$“))

com.apple.security.temporary-exception.sbpl:
(allow mach-lookup (global-name-regex #“^org.chromium.Chromium.rohitfork.[0-9]+$“))

I thought I might need to change a few things.

Update: @sethlu I just got the error from Apple.

Sep 26, 2017 at 11:22 AM
From Apple
2. 4 Performance: Hardware Compatibility (macOS)
Guideline 2.4.5(i) - Performance

Your app uses one or more entitlements which do not have matching functionality within the app. Apps should have only the minimum set of entitlements necessary for the app to function properly. Please remove all entitlements that are not needed by your app and submit an updated binary for review, including the following:

(allow mach-lookup (global-name-regex #"^org.chromium.Chromium.rohitfork.[0-9]+$"))

(allow mach-register (global-name-regex #"^org.chromium.Chromium.rohitfork.[0-9]+$"))

Next Steps

For links to essential video and documentation to learn how to sandbox your application, please see App Sandboxing.

Commonly added entitlements that many apps don't need include:

"com.apple.security.network.server"
Apps that initiate outgoing connections (for example, to download new content from your server) only need to include "com.apple.security.network.client". The server entitlement is only necessary for apps that listen for and respond to incoming network connections (such as web or FTP servers).

"com.apple.security.device.usb"
Apps that interact with non-standard USB devices, including HID accessories such as joysticks, may need to include this entitlement. It is not necessary for accessing keyboards, mice, trackpads, printers or external drives such as thumb drives.

Should you need code-level assistance implementing sandboxing, contact Apple Developer Technical Support.

sethlu commented 7 years ago

@Alexandra1337 with that I believe the parent.plist should be as follows (with the removal of com.apple.security.network.server). I'm not sure though why com.apple.security.device.usb showed up from Apple's review.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.inherit</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
    <key>com.apple.security.device.camera</key>
    <true/>
    <key>com.apple.security.scripting-targets</key>
    <true/>
    <key>com.apple.security.device.firewire</key>
    <true/>
    <key>com.apple.security.files.user-selected.read-only</key>
    <true/>
  </dict>
</plist>

Since we did not have ...org.chromium.Chromium.rohitfork... anywhere in the settings, I'm surprised to see why Apple picked that up. I think just to make sure that --entitlements-inherit is not specified for the signing command.

electron-osx-sign 'release-builds/SmarterBack-mas-x64/SmarterBack.app' 'release-builds/SmarterBack-mas-x64/SmarterBack.app/Contents/Resources/app.asar' \
    --entitlements='parent.plist' \
    --provisioning-profile='distribution.provisionprofile' \
    --identity='3rd Party Mac Developer Application: JENGO LLC (XXXXXXXXXX)' \
    --platform='mas'

Also, if you don't mind sharing a copy of the debug log (export DEBUG=electron-osx-sign*, include the asterisk) from code signing and posting it here, I can help figure out why the issue popped up.

Alexandra1337 commented 7 years ago

@sethlu Okay I just signed my app with the new Plist and this is copy of the debug log. I will wait for your reply before I try to submit my app again.

  electron-osx-sign electron-osx-sign@0.4.7 +0ms
  electron-osx-sign `identity` passed in arguments. +8ms
  electron-osx-sign Executing... security find-identity -v +2ms
  electron-osx-sign Identity: 
 > Name: 3rd Party Mac Developer Application: JENGO LLC (XXXXXXXXXX) 
 > Hash: 913E398ECC4265DA298BE3B8A7E6628B8C47194E +101ms
  electron-osx-sign Found 1 identity. +3ms
  electron-osx-sign:warn No `entitlements-inherit` passed in arguments: 
 * Sandbox entitlements file for enclosing app files is default to: /usr/local/lib/node_modules/electron-osx-sign/default.entitlements.mas.inherit.plist +0ms
  electron-osx-sign Pre-sign operation enabled for provisioning profile: 
 * Disable by setting `pre-embed-previsioning-profile` to `false`. +1ms
  electron-osx-sign Pre-sign operation enabled for entitlements automation with versions >= `1.1.1`: 
 * Disable by setting `pre-auto-entitlements` to `false`. +0ms
  electron-osx-sign `provisioning-profile` passed in arguments. +1ms
  electron-osx-sign Executing... security cms -D -i SmarterBack_Desktop.provisionprofile +0ms
  electron-osx-sign Provisioning profile: 
 > Name: SmarterBack Desktop 
 > Platforms: [ 'mas' ] 
 > Type: distribution 
 > Path: SmarterBack_Desktop.provisionprofile 
 > Message: { AppIDName: 'Smarterback Desktop',
  ApplicationIdentifierPrefix: [ 'XXXXXXXXXX' ],
  CreationDate: 2017-09-12T11:01:28.000Z,
  Platform: [ 'OSX' ],
  DeveloperCertificates: [ <Buffer 30 82 05 a5 30 82 04 8d a0 03 02 01 02 02 08 04 ed 2e ec f9 3d fb 40 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 30 81 96 31 0b 30 09 06 03 55 04 06 ... > ],
  Entitlements: 
   { 'keychain-access-groups': [ 'XXXXXXXXXX.*' ],
     'com.apple.application-identifier': 'XXXXXXXXXX.com.smarterback.desktop',
     'com.apple.developer.team-identifier': 'XXXXXXXXXX' },
  ExpirationDate: 2018-09-12T10:50:08.000Z,
  Name: 'SmarterBack Desktop',
  TeamIdentifier: [ 'XXXXXXXXXX' ],
  TeamName: 'JENGO LLC',
  TimeToLive: 364,
  UUID: 'b01501d0-ad5b-4931-828b-1bf9bd0314b8',
  Version: 1 } +49ms
  electron-osx-sign Looking for existing provisioning profile... +3ms
  electron-osx-sign Embedding provisioning profile... +1ms
  electron-osx-sign Copying file... 
 > Source: SmarterBack_Desktop.provisionprofile 
 > Target: release-builds/SmarterBack-mas-x64/SmarterBack.app/Contents/embedded.provisionprofile +0ms
  electron-osx-sign Automating entitlement app group... 
 > Info.plist: release-builds/SmarterBack-mas-x64/SmarterBack.app/Contents/Info.plist 
 > Entitlements: parent.plist +4ms
  electron-osx-sign `ElectronTeamID` found in `Info.plist`: XXXXXXXXXX +4ms
  electron-osx-sign `com.apple.application-identifier` not found in entitlements file, new inserted: XXXXXXXXXX.com.smarterback.desktop +0ms
  electron-osx-sign `com.apple.developer.team-identifier` not found in entitlements file, new inserted: XXXXXXXXXX +1ms
  electron-osx-sign `com.apple.security.application-groups` not found in entitlements file, new inserted: XXXXXXXXXX.com.smarterback.desktop +0ms
  electron-osx-sign Entitlements file updated: 
 > Entitlements: /var/folders/4c/kqj_tp0n4k7d4h5nny2qv9_40000gq/T/tmp-entitlements-508-0.plist +7ms
  electron-osx-sign Signing application... 
 > Application: release-builds/SmarterBack-mas-x64/SmarterBack.app 
 > Platform: mas 
 > Entitlements: /var/folders/4c/kqj_tp0n4k7d4h5nny2qv9_40000gq/T/tmp-entitlements-508-0.plist 
 > Child entitlements: /usr/local/lib/node_modules/electron-osx-sign/default.entitlements.mas.inherit.plist 
 > Additional binaries: [ 'release-builds/SmarterBack-mas-x64/SmarterBack.app/Contents/Resources/app.asar' ] 
 > Identity: { name: '3rd Party Mac Developer Application: JENGO LLC (XXXXXXXXXX)',
  hash: '913E398ECC4265DA298BE3B8A7E6628B8C47194E' } +1ms
  electron-osx-sign Walking... release-builds/SmarterBack-mas-x64/SmarterBack.app/Contents +0ms
  electron-osx-sign Signing... release-builds/SmarterBack-mas-x64/SmarterBack.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Electron Framework +34ms
  electron-osx-sign Executing... codesign --sign 913E398ECC4265DA298BE3B8A7E6628B8C47194E --force --entitlements /usr/local/lib/node_modules/electron-osx-sign/default.entitlements.mas.inherit.plist release-builds/SmarterBack-mas-x64/SmarterBack.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Electron Framework +0ms
  electron-osx-sign Signing... release-builds/SmarterBack-mas-x64/SmarterBack.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libffmpeg.dylib +2s
  electron-osx-sign Executing... codesign --sign 913E398ECC4265DA298BE3B8A7E6628B8C47194E --force --entitlements /usr/local/lib/node_modules/electron-osx-sign/default.entitlements.mas.inherit.plist release-builds/SmarterBack-mas-x64/SmarterBack.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libffmpeg.dylib +0ms
  electron-osx-sign Signing... release-builds/SmarterBack-mas-x64/SmarterBack.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libnode.dylib +124ms
  electron-osx-sign Executing... codesign --sign 913E398ECC4265DA298BE3B8A7E6628B8C47194E --force --entitlements /usr/local/lib/node_modules/electron-osx-sign/default.entitlements.mas.inherit.plist release-builds/SmarterBack-mas-x64/SmarterBack.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libnode.dylib +0ms
  electron-osx-sign Signing... release-builds/SmarterBack-mas-x64/SmarterBack.app/Contents/Frameworks/Electron Framework.framework +544ms
  electron-osx-sign Executing... codesign --sign 913E398ECC4265DA298BE3B8A7E6628B8C47194E --force --entitlements /usr/local/lib/node_modules/electron-osx-sign/default.entitlements.mas.inherit.plist release-builds/SmarterBack-mas-x64/SmarterBack.app/Contents/Frameworks/Electron Framework.framework +0ms
  electron-osx-sign Signing... release-builds/SmarterBack-mas-x64/SmarterBack.app/Contents/Frameworks/SmarterBack Helper EH.app/Contents/MacOS/SmarterBack Helper EH +2s
  electron-osx-sign Executing... codesign --sign 913E398ECC4265DA298BE3B8A7E6628B8C47194E --force --entitlements /usr/local/lib/node_modules/electron-osx-sign/default.entitlements.mas.inherit.plist release-builds/SmarterBack-mas-x64/SmarterBack.app/Contents/Frameworks/SmarterBack Helper EH.app/Contents/MacOS/SmarterBack Helper EH +0ms
  electron-osx-sign Signing... release-builds/SmarterBack-mas-x64/SmarterBack.app/Contents/Frameworks/SmarterBack Helper EH.app +85ms
  electron-osx-sign Executing... codesign --sign 913E398ECC4265DA298BE3B8A7E6628B8C47194E --force --entitlements /usr/local/lib/node_modules/electron-osx-sign/default.entitlements.mas.inherit.plist release-builds/SmarterBack-mas-x64/SmarterBack.app/Contents/Frameworks/SmarterBack Helper EH.app +0ms
  electron-osx-sign Signing... release-builds/SmarterBack-mas-x64/SmarterBack.app/Contents/Frameworks/SmarterBack Helper NP.app/Contents/MacOS/SmarterBack Helper NP +123ms
  electron-osx-sign Executing... codesign --sign 913E398ECC4265DA298BE3B8A7E6628B8C47194E --force --entitlements /usr/local/lib/node_modules/electron-osx-sign/default.entitlements.mas.inherit.plist release-builds/SmarterBack-mas-x64/SmarterBack.app/Contents/Frameworks/SmarterBack Helper NP.app/Contents/MacOS/SmarterBack Helper NP +0ms
  electron-osx-sign Signing... release-builds/SmarterBack-mas-x64/SmarterBack.app/Contents/Frameworks/SmarterBack Helper NP.app +102ms
  electron-osx-sign Executing... codesign --sign 913E398ECC4265DA298BE3B8A7E6628B8C47194E --force --entitlements /usr/local/lib/node_modules/electron-osx-sign/default.entitlements.mas.inherit.plist release-builds/SmarterBack-mas-x64/SmarterBack.app/Contents/Frameworks/SmarterBack Helper NP.app +0ms
  electron-osx-sign Signing... release-builds/SmarterBack-mas-x64/SmarterBack.app/Contents/Frameworks/SmarterBack Helper.app/Contents/MacOS/SmarterBack Helper +90ms
  electron-osx-sign Executing... codesign --sign 913E398ECC4265DA298BE3B8A7E6628B8C47194E --force --entitlements /usr/local/lib/node_modules/electron-osx-sign/default.entitlements.mas.inherit.plist release-builds/SmarterBack-mas-x64/SmarterBack.app/Contents/Frameworks/SmarterBack Helper.app/Contents/MacOS/SmarterBack Helper +0ms
  electron-osx-sign Signing... release-builds/SmarterBack-mas-x64/SmarterBack.app/Contents/Frameworks/SmarterBack Helper.app +98ms
  electron-osx-sign Executing... codesign --sign 913E398ECC4265DA298BE3B8A7E6628B8C47194E --force --entitlements /usr/local/lib/node_modules/electron-osx-sign/default.entitlements.mas.inherit.plist release-builds/SmarterBack-mas-x64/SmarterBack.app/Contents/Frameworks/SmarterBack Helper.app +0ms
  electron-osx-sign Signing... release-builds/SmarterBack-mas-x64/SmarterBack.app/Contents/MacOS/SmarterBack +100ms
  electron-osx-sign Executing... codesign --sign 913E398ECC4265DA298BE3B8A7E6628B8C47194E --force --entitlements /usr/local/lib/node_modules/electron-osx-sign/default.entitlements.mas.inherit.plist release-builds/SmarterBack-mas-x64/SmarterBack.app/Contents/MacOS/SmarterBack +0ms
  electron-osx-sign Signing... release-builds/SmarterBack-mas-x64/SmarterBack.app/Contents/Resources/app.asar +679ms
  electron-osx-sign Executing... codesign --sign 913E398ECC4265DA298BE3B8A7E6628B8C47194E --force --entitlements /usr/local/lib/node_modules/electron-osx-sign/default.entitlements.mas.inherit.plist release-builds/SmarterBack-mas-x64/SmarterBack.app/Contents/Resources/app.asar +0ms
  electron-osx-sign Signing... release-builds/SmarterBack-mas-x64/SmarterBack.app +901ms
  electron-osx-sign Executing... codesign --sign 913E398ECC4265DA298BE3B8A7E6628B8C47194E --force --entitlements /var/folders/4c/kqj_tp0n4k7d4h5nny2qv9_40000gq/T/tmp-entitlements-508-0.plist release-builds/SmarterBack-mas-x64/SmarterBack.app +1ms
  electron-osx-sign Verifying... +675ms
  electron-osx-sign Verifying application bundle with codesign... +1ms
  electron-osx-sign Executing... codesign --verify --deep --verbose=2 --strict release-builds/SmarterBack-mas-x64/SmarterBack.app +0ms
  electron-osx-sign Verified. +1s
  electron-osx-sign Displaying entitlements... +0ms
  electron-osx-sign Executing... codesign --display --entitlements :- release-builds/SmarterBack-mas-x64/SmarterBack.app +0ms
  electron-osx-sign Entitlements: 
 <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.inherit</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
    <key>com.apple.security.device.camera</key>
    <true/>
    <key>com.apple.security.scripting-targets</key>
    <true/>
    <key>com.apple.security.device.firewire</key>
    <true/>
    <key>com.apple.security.files.user-selected.read-only</key>
    <true/>
    <key>com.apple.application-identifier</key>
    <string> XXXXXXXXXX.com.smarterback.desktop</string>
    <key>com.apple.developer.team-identifier</key>
    <string> XXXXXXXXXX </string>
    <key>com.apple.security.application-groups</key>
    <array>
      <string> XXXXXXXXXX.com.smarterback.desktop</string>
    </array>
  </dict>
</plist> +31ms
  electron-osx-sign Application signed. +1ms
  electron-osx-sign Application signed: release-builds/SmarterBack-mas-x64/SmarterBack.app +0ms
Application signed: release-builds/SmarterBack-mas-x64/SmarterBack.app

sethlu commented 7 years ago

@Alexandra1337 from what the debug log says, I think your app should be ready for submission. 👍

Let me know if Apple's still throwing the issue about ...org.chromium.Chromium.rohitfork...

Alexandra1337 commented 7 years ago

@sethlu Okay I will submit it now. Will give you the feedback as soon as I get it.

Alexandra1337 commented 7 years ago

@sethlu I just got the rejection from apple. And it seems that they got my issue with "Electron window is blank in sandbox"

screenshot: https://scontent-sof1-1.xx.fbcdn.net/v/t35.0-12/22095309_10214199413125650_2007913297_o.png?oh=5372e43a897c1f2714c4738b52994ad0&oe=59CDC768

From Apple

    2. 1 Performance: App Completeness (macOS)
    2. 4 Performance: Hardware Compatibility (macOS)

Guideline 2.1 - Performance

We discovered one or more bugs in your app when reviewed on Mac running macOS 10.10.

Specifically, the app only launches to a blank window and then freezes.

Next Steps

Please run your app on a device to identify the issue(s), then revise and resubmit your app for review.

Guideline 2.4.5(i) - Performance

All new applications must implement sandboxing. For an app to properly implement sandboxing, all Mach-O executables must have the "com.apple.security.app-sandbox" entitlement set to "True".

Next Steps

For links to essential video and documentation to learn how to sandbox your application, please see App Sandboxing

Should you need code-level assistance implementing sandboxing, contact Apple Developer Technical Support.

If you are unable to reproduce this issue, ensure you are testing the exact version of the app that you submitted for review, and that you're doing so in a minimally privileged environment. See Technical Q&A QA1778: How to reproduce bugs reported against Mac App Store submissions.

For information on how to symbolicate and read a crash log, please see Technical Note TN2123 - CrashReporter.

sethlu commented 7 years ago

@Alexandra1337 did they provide a crash log for your app for analysis?

Also, I just realized that I missed an issue with parent.plist: (com.apple.security.inherit should not be included.) Probably with that the app should launch at their end.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
    <key>com.apple.security.device.camera</key>
    <true/>
    <key>com.apple.security.scripting-targets</key>
    <true/>
    <key>com.apple.security.device.firewire</key>
    <true/>
    <key>com.apple.security.files.user-selected.read-only</key>
    <true/>
  </dict>
</plist>

Alexandra1337 commented 7 years ago

@sethlu I just made new release with the new plist file. For now I don't have the crash log, but I will try to ask them for it. I will keep you updated.

sethlu commented 7 years ago

@Alexandra1337 Thanks for the update! Hope it goes well 😺

Alexandra1337 commented 7 years ago

@sethlu The app was rejected again. There is no crash log, but I will try to send them a ticket to ask for more information about my issue.

From Apple
2. 4 Performance: Hardware Compatibility (macOS)
Guideline 2.4.5(i) - Performance

Your app incorrectly implements sandboxing, or it contains one or more entitlements with invalid values. Please review the included entitlements and sandboxing documentation and resolve this issues before resubmitting a new binary.

-com.apple.security.scripting-targets

sethlu commented 7 years ago

@Alexandra1337 If that's what Apple responded to the current release, I think correcting the entitlements entry should help resolve the issue.

References:

Alexandra1337 commented 7 years ago

@sethlu My app uses webcam and it needs to connect to one SDK, so I guess I need network request and request for the cam.

sethlu commented 7 years ago

@Alexandra1337 oh, then probably we need to keep the networking entries in there. 👍 The references linked are for properly setting up scripting targets.

Alexandra1337 commented 7 years ago

@sethlu By the way, I just sent Apple a ticket for the app, and when they respond I will tell you.

sethlu commented 7 years ago

@Alexandra1337 Great! Let me know how the process goes.

Alexandra1337 commented 7 years ago

@sethlu For now should I wait for their response or try to add something new to the plist file?

sethlu commented 7 years ago

@Alexandra1337 I think fixing the scripting targets during this time can be a good use of time, because if the app requires usage of scripting targets, the entitlements need to be properly set up to reflect that.

Putting the entry like the following inside the entitlements should work, according to the documentation:

<key>com.apple.security.scripting-targets</key>
<dict>
    <key>com.apple.mail</key>
    <array>
        <string>com.apple.mail.compose</string>
    </array>
</dict>

Alexandra1337 commented 7 years ago

@sethlu But we already added options for network and camera, should I add this too and try with it?

sethlu commented 7 years ago

@Alexandra1337 oh the format above is the specification for how to address the scripting targets used, since in previous submissions to iTC we used <true/> for com.apple.security.scripting-targets's value, and the app ended up rejected.

The entitlements about network and camera should be fine.
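
The value-type problem behind the rejection discussed above, as an added example that is not part of the original thread or of electron-osx-sign: a small pre-submission lint that flags `com.apple.security.scripting-targets` set to `<true/>` and `com.apple.security.inherit` in the parent file. The function name, the `role` parameter and the two sample plists are assumptions constructed for illustration.

```python
import plistlib

# Keys from the plists in this thread whose value must be a plain boolean.
BOOLEAN_KEYS = {
    "com.apple.security.app-sandbox",
    "com.apple.security.network.client",
    "com.apple.security.network.server",
    "com.apple.security.device.camera",
    "com.apple.security.device.firewire",
    "com.apple.security.files.user-selected.read-only",
    "com.apple.security.inherit",
}
SCRIPTING = "com.apple.security.scripting-targets"
INHERIT = "com.apple.security.inherit"


def lint_entitlements(xml_bytes, role="parent"):
    """Return findings for an entitlements plist (hypothetical helper)."""
    ent = plistlib.loads(xml_bytes)
    findings = []
    if ent.get("com.apple.security.app-sandbox") is not True:
        findings.append("app-sandbox is not enabled")
    if role == "parent" and INHERIT in ent:
        findings.append(f"{INHERIT}: belongs in the inherit file, not the parent")
    for key, value in ent.items():
        if key in BOOLEAN_KEYS and not isinstance(value, bool):
            findings.append(f"{key}: expected boolean, got {type(value).__name__}")
    if SCRIPTING in ent:
        targets = ent[SCRIPTING]
        if not isinstance(targets, dict):
            # The documented shape is bundle id -> array of access groups.
            findings.append(f"{SCRIPTING}: expected dict, got {type(targets).__name__}")
        else:
            for bundle_id, groups in targets.items():
                ok = isinstance(groups, list) and groups and all(
                    isinstance(g, str) for g in groups)
                if not ok:
                    findings.append(f"{SCRIPTING}[{bundle_id}]: expected array of strings")
    return findings


# Constructed samples mirroring the thread: the rejected shape and the documented one.
REJECTED = plistlib.dumps({"com.apple.security.app-sandbox": True, INHERIT: True,
                           "com.apple.security.device.camera": True, SCRIPTING: True})
DOCUMENTED = plistlib.dumps({"com.apple.security.app-sandbox": True,
                             SCRIPTING: {"com.apple.mail": ["com.apple.mail.compose"]}})

if __name__ == "__main__":
    for name, sample in (("rejected", REJECTED), ("documented", DOCUMENTED)):
        print(name, lint_entitlements(sample))
```
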

Alexandra1337 commented 7 years ago

@sethlu For now I am still waiting for a reply from Apple, and when I have an update I will tell you.

sethlu commented 7 years ago

@Alexandra1337 🎉 Good luck!

Alexandra1337 commented 7 years ago

@sethlu

Hello,

Thank you for your resubmission. However, upon further review, we found that your app is still out of compliance with the following guideline(s):

Guideline 2.4.5(i) - Performance

Your app still incorrectly implements sandboxing, or it contains one or more entitlements with invalid values. Please review the included entitlements and sandboxing documentation and resolve this issues before resubmitting a new binary:

-com.apple.security.scripting-targets

Next Steps

For information on common app sandboxing issues, please see Technical Q&A QA1773 Common app sandboxing issues.

See App Sandboxing for links to essential video and documentation to learn how to sandbox your application.

Should you need code-level assistance implementing sandboxing, contact Apple Developer Technical Support

3webbg commented 7 years ago

Hi @sethlu @Alexandra1337 and I are working together. That's what we brought back today:

Thank you for your resubmission. However, upon further review, we found that your app is still out of compliance with the following guideline(s):

Guideline 2.4.5(i) - Performance

Your app still incorrectly implements sandboxing, or it contains one or more entitlements with invalid values. Please review the included entitlements and sandboxing documentation and resolve this issues before resubmitting a new binary:

-com.apple.security.scripting-targets

Next Steps

For information on common app sandboxing issues, please see Technical Q&A QA1773 Common app sandboxing issues.

See App Sandboxing for links to essential video and documentation to learn how to sandbox your application.

Should you need code-level assistance implementing sandboxing, contact Apple Developer Technical Support

I am already desperate. We made a lot of attempts to publish this app :( If you want, we can send you the source code?

sethlu commented 7 years ago

@Alexandra1337 @3webbg I'm sorry to see the immense amount of time that you put into publishing the app. 😢 I believe the scripting targets need specifying... Which apps are you trying to target?

3webbg commented 7 years ago

@sethlu - Can you clarify the question? I'm not sure I understand correctly what you want as information (for: Which apps are you trying to target?)?

sethlu commented 7 years ago

@3webbg com.apple.security.scripting-targets is used when your app needs to control another scriptable app. I'm wondering if it's a necessary entitlement entry for the app you are trying to publish? since its current format in the entitlements file does not conform to suggested format.

Ref: https://developer.apple.com/library/content/documentation/Miscellaneous/Reference/EntitlementKeyReference/Chapters/EnablingAppSandbox.html#//apple_ref/doc/uid/TP40011195-CH4-SW25

Alexandra1337 commented 7 years ago

@sethlu "another scriptable app": my app is running face tracking JS with some other HTML and CSS. This is the face tracking - https://tastenkunst.github.io/brfv4_javascript_examples

Alexandra1337 commented 7 years ago

@sethlu If they think that the face tracking is this "scriptable app" I think I should add the network and camera options there.

sethlu commented 7 years ago

@Alexandra1337 I don't think that conforms to the definition of a scriptable app, since it's more like using AppleScript to compose an email or something.

Is this face-tracking module packed within your Electron app too?

Amend: Or you loaded a separate window of some other webpage?

Alexandra1337 commented 7 years ago

@sethlu Yes

sethlu commented 7 years ago

@Alexandra1337 Cool, then it's not a scriptable target by definition I believe. Let me review the entitlements file again to clean up the entries...

3webbg commented 7 years ago

@sethlu - If you want, we can send you the source code?

sethlu commented 7 years ago

@3webbg @Alexandra1337 With the com.apple.security.scripting-targets removed:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
    <key>com.apple.security.device.camera</key>
    <true/>
    <key>com.apple.security.device.firewire</key>
    <true/>
    <key>com.apple.security.files.user-selected.read-only</key>
    <true/>
  </dict>
</plist>

Does your app use firewire too, or is it provided because of the camera usage?


@3webbg I think it's fine 😂

Alexandra1337 commented 7 years ago

@sethlu It's provided because of the camera.

sethlu commented 7 years ago

@Alexandra1337 I think macOS handles the camera access with com.apple.security.device.camera and com.apple.security.device.firewire doesn't provide interaction with audio/video devices. (Ref: https://developer.apple.com/library/content/documentation/Miscellaneous/Reference/EntitlementKeyReference/Chapters/EnablingAppSandbox.html)

Try the following entitlement file:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
    <key>com.apple.security.device.camera</key>
    <true/>
    <key>com.apple.security.files.user-selected.read-only</key>
    <true/>
  </dict>
</plist>

Alexandra1337 commented 7 years ago

@sethlu I can test with new build after 8h and I will keep you updated.

sethlu commented 7 years ago

@Alexandra1337 Oh great! 👍 Let me know how the new build goes with the submission! Hopefully it works out this time.


The first time it took me a couple of weeks to get it signed + submitted.

holgersindbaek commented 7 years ago

@sethlu @Alexandra1337 How can I make sure that my build is actually using the entitlements that I specified? I've tried to look under Contents/Info.plist of the build, but I don't see the entitlements in there. Shouldn't I be able to see them in the Info.plist file?

sethlu commented 7 years ago

@holgersindbaek The entitlements are stored along with the executable file (in its Mach-O structure) and not in the Info.plist. To have electron-osx-sign output debug info about the entitlements used to sign the app with, I would recommend trying to export DEBUG=electron-osx-sign* before running electron-osx-sign.
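
What "stored in the Mach-O structure" means in practice, as an added example that is not part of the original thread or of electron-osx-sign: the code signature is a big-endian SuperBlob whose slot 5 holds the entitlements plist, and this sketch recovers it by scanning a binary for the SuperBlob magic rather than walking the load commands. The function names and the sample bytes are constructed for illustration.

```python
import plistlib
import struct

CSMAGIC_EMBEDDED_SIGNATURE = 0xFADE0CC0     # SuperBlob holding the whole signature
CSMAGIC_EMBEDDED_ENTITLEMENTS = 0xFADE7171  # blob wrapping the entitlements XML
CSSLOT_ENTITLEMENTS = 5                     # index slot of the entitlements blob


def embedded_entitlements(data):
    """Yield the entitlements dict of every code signature found in data."""
    needle = struct.pack(">I", CSMAGIC_EMBEDDED_SIGNATURE)
    pos = data.find(needle)
    while pos != -1:
        if pos + 12 <= len(data):
            _, length, count = struct.unpack_from(">III", data, pos)
            blob = data[pos:pos + length]
            # Reject false-positive magics: the index table must fit in the blob.
            if 12 + 8 * count <= len(blob):
                for i in range(count):
                    slot, off = struct.unpack_from(">II", blob, 12 + 8 * i)
                    if slot != CSSLOT_ENTITLEMENTS or off + 8 > len(blob):
                        continue
                    magic, blen = struct.unpack_from(">II", blob, off)
                    if (magic == CSMAGIC_EMBEDDED_ENTITLEMENTS
                            and blen >= 8 and off + blen <= len(blob)):
                        # Blob length counts its own 8-byte header.
                        yield plistlib.loads(blob[off + 8:off + blen])
        pos = data.find(needle, pos + 4)


def constructed_sample():
    """Build fake 'binary' bytes carrying one signature (constructed, not a real app)."""
    xml = plistlib.dumps({"com.apple.security.app-sandbox": True,
                          "com.apple.security.device.camera": True})
    ent = struct.pack(">II", CSMAGIC_EMBEDDED_ENTITLEMENTS, 8 + len(xml)) + xml
    off = 12 + 8  # SuperBlob header plus one index entry
    sb = struct.pack(">III", CSMAGIC_EMBEDDED_SIGNATURE, off + len(ent), 1)
    sb += struct.pack(">II", CSSLOT_ENTITLEMENTS, off) + ent
    return b"\xcf\xfa\xed\xfe" + b"\x00" * 64 + sb  # padding stands in for code


if __name__ == "__main__":
    for entitlements in embedded_entitlements(constructed_sample()):
        print(sorted(entitlements))
```

On a Mac, `codesign -d --entitlements :- path/to/Your.app` prints the same plist for a signed bundle, which is the quickest way to confirm what was actually embedded.
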

Alexandra1337 commented 7 years ago

@sethlu I just heard back from Apple and it seems they could run the app, but they got an error.

From Apple
2.1 Performance: App Completeness (macOS)
Guideline 2.1 - Performance

We discovered one or more bugs in your app when reviewed on Mac running macOS 10.13.

Specifically, the user receives an error upon launch.

Please see the attached screenshot for more information.

Next Steps

Please run your app on a device to identify the issue(s), then revise and resubmit your app for review.

If you are unable to reproduce this issue, ensure you are testing the exact version of the app that you submitted for review, and that you're doing so in a minimally privileged environment. See Technical Q&A QA1778: How to reproduce bugs reported against Mac App Store submissions.

For information on how to symbolicate and read a crash log, please see Technical Note TN2123 - CrashReporter.

This review was conducted on an iMac running macOS 10.13.

Screenshot: http://a707.phobos.apple.com/us/r30/Purple128/v4/ed/b4/b7/edb4b70c-11ab-f6eb-d321-d0a6576e8549/attachment-7941010859572314454ScreenShot2017-10-03at5.47.03PM.png?downloadKey3=1507301073_13eb93804146d980ae2a580064e7a14f

Now I have to update my OS and try to debug this. But I am sure there is 'electron-notify' included there.

sethlu commented 7 years ago

@Alexandra1337 thanks for the update! I think we got through setting up a proper code signing.

With the photo provided I think it's worth checking if the electron-notify is included in the node_modules folder when packaging. Check if electron-notify is installed globally so it didn't end up being packaged in your app?

sethlu commented 7 years ago

@Alexandra1337 I think it may be related to: https://github.com/electron-userland/electron-packager/issues/217, where some installed modules fail to be discovered.

cc: @malept may you help give some advice on this?

malept commented 7 years ago

Don't put native modules in the asar, use asar.unpackDir to exclude them.

Alexandra1337 commented 7 years ago

@sethlu I fixed the modules and submitted the app and they accepted it!! Yeyyy. The last build did the trick. Thank you so much for the help!