electron / osx-sign

Codesign Electron macOS apps
BSD 2-Clause "Simplified" License
567 stars 97 forks source link

App sandbox not enabled (ITMS-90296): For other binaries to be signed #192

Open warrenbuckley opened 5 years ago

warrenbuckley commented 5 years ago

Error

image

ERROR ITMS-90296: "App sandbox not enabled. The following executables must include the "com.apple.security.app-sandbox" entitlement with a Boolean value of true in the entitlements property list: [( "com.warrenbuckley.compact.logviewer.pkg/Payload/Compact Log Viewer.app/Contents/Resources/LogViewer.Server/bin/dist/osx/LogViewer.Server" )] Refer to App Sandbox page at https://developer.apple.com/devcenter/mac/app-sandbox/ for more information on sandboxing your app."

Background

I am currently trying to submit a MacOS app to the app store for submission and have been successful. However I forgot to include my self hosted API/Server binary/executable that is needed to be run in order for my Electron app to work.

I am using electron-osx-sign as part of https://github.com/electron-userland/electron-builder and have the following configuration setup for this and I have included the binary path in order for it be signed as well.

So these entitlements and configuration listed below minus the binary option in the JSON config has all worked and has been approved by Apple - I just don't have a fully working app 🙈

So by including the binary option it fails this pre-validation by Apple with its Application Loader program.

Electron Builder Config

{
    "appId": "com.warrenbuckley.compact.logviewer",
    "productName": "Compact Log Viewer",
    "directories": {
        "output": "../output"
    },
    "files": [
        "!**/.vscode",
        "!tsconfig.json",
        "!tslint.json"
    ],
    "extraResources": {
        "from": "../LogViewer.Server/bin/dist/",
        "to": "LogViewer.Server/bin/dist/",
        "filter": [
            "**/*"
        ]
    },
    "win": {
        "target": [
            "nsis",
            "appx"
        ],
        "icon": "logo.png"
    },
    "mac": {
        "category": "public.app-category.developer-tools",
        "target": [
            "dmg",
            "mas"
        ],
        "bundleVersion": 20190426,
        "icon": "logo.png",
        "provisioningProfile": "Compact_Log_Viewer_App__Mac_Production_Profile.provisionprofile"
    },
    "nsis": {
        "deleteAppDataOnUninstall": true,
        "createDesktopShortcut": true,
        "createStartMenuShortcut": true,
        "shortcutName": "Compact Log Viewer",
        "artifactName": "Compact.Log.Viewer.Setup.${version}.${ext}",
        "uninstallDisplayName": "Compact Log Viewer (${version})"
    },
    "appx": {
        "applicationId": "Compact.Log.Viewer",
        "backgroundColor": "#3544b1",
        "displayName": "Compact Log Viewer",
        "identityName": "64819WarrenBuckley.CompactLogFormatViewer",
        "publisher": "CN=4629CEC3-93A2-4080-86C0-63487B897B1F",
        "publisherDisplayName": "Warren Buckley"
    },
    "dmg": {
        "backgroundColor": "#3544b1"
    },
    "mas": {
        "binaries": [
            "../LogViewer.Server/bin/dist/osx/LogViewer.Server"
        ]
    }
}

Entitlements.mas.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.files.user-selected.read-write</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
  </dict>
</plist>

Entitlements.mas.inherit.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.inherit</key>
    <true/>
  </dict>
</plist>
warrenbuckley commented 5 years ago

Debug log output

> logviewer.client@1.0.4 mac /Users/warrenbuckley/Projects/LogViewer/LogViewer.Client
> electron-builder --publish never --mac --config electron-builder.json

Configuring yargs through package.json is deprecated and will be removed in the next major release, please use the JS API
 instead.
Configuring yargs through package.json is deprecated and will be removed in the next major release, please use the JS API
 instead.
  • electron-builder version=20.39.0
  • loaded configuration file=/Users/warrenbuckley/Projects/LogViewer/LogViewer.Client/electron-builder.json
  • writing effective config file=/Users/warrenbuckley/Projects/LogViewer/output/builder-effective-config.yaml
  • no native production dependencies
  • packaging       platform=darwin arch=x64 electron=4.1.1 appOutDir=/Users/warrenbuckley/Projects/LogViewer/output/mac
  • packaging       platform=mas arch=x64 electron=4.1.1 appOutDir=/Users/warrenbuckley/Projects/LogViewer/output/mas
  • map async                  • map async                 taskCount=2 taskCount=2

  • map async                 taskCount=1  • map async                
 taskCount=1
  • map async                 taskCount=206
  • fix permissions           file=/Users/warrenbuckley/Projects/LogViewer/output/mas/Electron.app/Contents/Frameworks/El
ectron Framework.framework/Versions newPermissions=rwxr-xr-x originalPermissions=rwxr--r-- reason=group or other cannot r
ead
  • fix permissions           file=/Users/warrenbuckley/Projects/LogViewer/output/mas/Electron.app/Contents/Frameworks/Electron Framework.framework/Versions/A newPermissions=rwxr-xr-x originalPermissions=rwxr--r-- reason=group or other cannot read
  • map async                 taskCount=312
  • fix permissions           file=/Users/warrenbuckley/Projects/LogViewer/output/mac/Electron.app/Contents/Frameworks/Electron Framework.framework/Versions newPermissions=rwxr-xr-x originalPermissions=rwxr--r-- reason=group or other cannot read
  • fix permissions           file=/Users/warrenbuckley/Projects/LogViewer/output/mac/Electron.app/Contents/Frameworks/Electron Framework.framework/Versions/A newPermissions=rwxr-xr-x originalPermissions=rwxr--r-- reason=group or other cannot read
  • unresolved deps           nodeModuleDir=/Users/warrenbuckley/Projects/LogViewer/LogViewer.Client/node_modules round=0 unresolved=psl
  • unresolved deps           nodeModuleDir=/Users/warrenbuckley/Projects/LogViewer/LogViewer.Client/node_modules round=0 unresolved=angular
  • unresolved deps           nodeModuleDir=/Users/warrenbuckley/Projects/LogViewer/LogViewer.Client/node_modules round=0 unresolved=chartjs-color, moment
  • unresolved deps           nodeModuleDir=/Users/warrenbuckley/Projects/LogViewer/LogViewer.Client/node_modules round=0 unresolved=psl
  • unresolved deps           nodeModuleDir=/Users/warrenbuckley/Projects/LogViewer/LogViewer.Client/node_modules round=0 unresolved=angular
  • unresolved deps           nodeModuleDir=/Users/warrenbuckley/Projects/LogViewer/LogViewer.Client/node_modules round=0 unresolved=chartjs-color, moment
  • path resolved             outputFormat=icns path=/Users/warrenbuckley/Projects/LogViewer/LogViewer.Client/build/logo.png
  • signing         file=/Users/warrenbuckley/Projects/LogViewer/output/mac/Compact Log Viewer.app identityName=Developer ID Application: Warren Buckley (...LU24) identityHash=...B285 provisioningProfile=Compact_Log_Viewer_App__Mac_Production_Profile.provisionprofile
  electron-osx-sign electron-osx-sign@0.4.11 +0ms
  • signing         file=/Users/warrenbuckley/Projects/LogViewer/output/mas/Compact Log Viewer.app identityName=3rd Party Mac Developer Application: Warren Buckley (...LU24) identityHash=...4BC0 provisioningProfile=Compact_Log_Viewer_App__Mac_Production_Profile.provisionprofile
  electron-osx-sign electron-osx-sign@0.4.11 +2ms
  electron-osx-sign `identity` passed in arguments. +1ms
  electron-osx-sign:warn No `entitlements` passed in arguments: 
 * Provide `entitlements` to specify entitlements file for codesign. +1ms
  electron-osx-sign Pre-sign operation enabled for provisioning profile: 
 * Disable by setting `pre-embed-previsioning-profile` to `false`. +0ms
  electron-osx-sign Pre-sign operation enabled for entitlements automation with versions >= `1.1.1`: 
 * Disable by setting `pre-auto-entitlements` to `false`. +0ms
  electron-osx-sign `identity` passed in arguments. +2ms
  electron-osx-sign Pre-sign operation enabled for provisioning profile: 
 * Disable by setting `pre-embed-previsioning-profile` to `false`. +0ms
  electron-osx-sign Pre-sign operation enabled for entitlements automation with versions >= `1.1.1`: 
 * Disable by setting `pre-auto-entitlements` to `false`. +0ms
  electron-osx-sign `provisioning-profile` passed in arguments. +0ms
  electron-osx-sign Executing... security cms -D -i Compact_Log_Viewer_App__Mac_Production_Profile.provisionprofile +1ms
  electron-osx-sign `provisioning-profile` passed in arguments. +3ms
  electron-osx-sign Executing... security cms -D -i Compact_Log_Viewer_App__Mac_Production_Profile.provisionprofile +0ms
  electron-osx-sign Provisioning profile: 
 > Name: Compact Log Viewer App - Mac Production Profile 
 > Platforms: [ 'mas' ] 
 > Type: distribution 
 > Path: Compact_Log_Viewer_App__Mac_Production_Profile.provisionprofile 
 > Message: { AppIDName: 'Compact Log Viewer App',
  ApplicationIdentifierPrefix: [ '...LU24' ],
  CreationDate: 2019-03-13T12:38:57.000Z,
  Platform: [ 'OSX' ],
  IsXcodeManaged: false,
  DeveloperCertificates:
   [ <Buffer ... 04 06 ... > ],
  Entitlements:
   { 'com.apple.application-identifier': '...LU24.com.warrenbuckley.compact.logviewer',
     'keychain-access-groups': [ '...LU24.*' ],
     'com.apple.developer.team-identifier': '...LU24' },
  ExpirationDate: 2020-03-11T18:01:11.000Z,
  Name: 'Compact Log Viewer App - Mac Production Profile',
  TeamIdentifier: [ '...LU24' ],
  TeamName: 'Warren Buckley',
  TimeToLive: 364,
  UUID: 'b40eee06-0539-47e7-a76f-96757f7c8781',
  Version: 1 } +60ms
  electron-osx-sign Looking for existing provisioning profile... +7ms
  electron-osx-sign Embedding provisioning profile... +1ms
  electron-osx-sign Copying file... 
 > Source: Compact_Log_Viewer_App__Mac_Production_Profile.provisionprofile 
 > Target: /Users/warrenbuckley/Projects/LogViewer/output/mac/Compact Log Viewer.app/Contents/embedded.provisionprofile +0ms
  electron-osx-sign Provisioning profile: 
 > Name: Compact Log Viewer App - Mac Production Profile 
 > Platforms: [ 'mas' ] 
 > Type: distribution 
 > Path: Compact_Log_Viewer_App__Mac_Production_Profile.provisionprofile 
 > Message: { AppIDName: 'Compact Log Viewer App',
  ApplicationIdentifierPrefix: [ '...LU24' ],
  CreationDate: 2019-03-13T12:38:57.000Z,
  Platform: [ 'OSX' ],
  IsXcodeManaged: false,
  DeveloperCertificates:
   [ <Buffer ... 55 04 06 ... > ],
  Entitlements:
   { 'com.apple.application-identifier': '...LU24.com.warrenbuckley.compact.logviewer',
     'keychain-access-groups': [ '...LU24.*' ],
     'com.apple.developer.team-identifier': '...LU24' },
  ExpirationDate: 2020-03-11T18:01:11.000Z,
  Name: 'Compact Log Viewer App - Mac Production Profile',
  TeamIdentifier: [ '...LU24' ],
  TeamName: 'Warren Buckley',
  TimeToLive: 364,
  UUID: 'b40eee06-0539-47e7-a76f-96757f7c8781',
  Version: 1 } +2ms
  electron-osx-sign Looking for existing provisioning profile... +1ms
  electron-osx-sign Embedding provisioning profile... +0ms
  electron-osx-sign Copying file... 
 > Source: Compact_Log_Viewer_App__Mac_Production_Profile.provisionprofile 
 > Target: /Users/warrenbuckley/Projects/LogViewer/output/mas/Compact Log Viewer.app/Contents/embedded.provisionprofile +0ms
  electron-osx-sign Signing application... 
 > Application: /Users/warrenbuckley/Projects/LogViewer/output/mac/Compact Log Viewer.app 
 > Platform: darwin 
 > Entitlements: undefined 
 > Child entitlements: undefined 
 > Additional binaries: undefined 
 > Identity: { name: 'Developer ID Application: Warren Buckley (...LU24)',
  hash: '...B285' } +1ms
  electron-osx-sign Walking... /Users/warrenbuckley/Projects/LogViewer/output/mac/Compact Log Viewer.app/Contents +0ms
  electron-osx-sign Automating entitlement app group... 
 > Info.plist: /Users/warrenbuckley/Projects/LogViewer/output/mas/Compact Log Viewer.app/Contents/Info.plist 
 > Entitlements: /Users/warrenbuckley/Projects/LogViewer/LogViewer.Client/build/entitlements.mas.plist +2ms
  electron-osx-sign `ElectronTeamID` not found in `Info.plist`, use parsed from provisioning profile: ...LU24 +10ms
  electron-osx-sign `Info.plist` updated: 
 > Info.plist: /Users/warrenbuckley/Projects/LogViewer/output/mas/Compact Log Viewer.app/Contents/Info.plist +13ms
  electron-osx-sign `com.apple.application-identifier` not found in entitlements file, new inserted: ...LU24.com.warrenbuckley.compact.logviewer +1ms
  electron-osx-sign `com.apple.developer.team-identifier` not found in entitlements file, new inserted: ...LU24 +0ms
  electron-osx-sign `com.apple.security.application-groups` not found in entitlements file, new inserted: ...LU24.com.warrenbuckley.compact.logviewer +0ms
  electron-osx-sign Signing... /Users/warrenbuckley/Projects/LogViewer/output/mac/Compact Log Viewer.app/Contents/Frameworks/Compact Log Viewer Helper.app/Contents/MacOS/Compact Log Viewer Helper +7ms
  electron-osx-sign Executing... codesign --sign ...B285 --force /Users/warrenbuckley/Projects/LogViewer/output/mac/Compact Log Viewer.app/Contents/Frameworks/Compact Log Viewer Helper.app/Contents/MacOS/Compact Log Viewer Helper +1ms
  electron-osx-sign Entitlements file updated: 
 > Entitlements: /var/folders/gt/hl2tlmw91bg_9vdghmp7w4ww0000gn/T/tmp-entitlements-cfb-0.plist +6ms
  electron-osx-sign Signing application... 
 > Application: /Users/warrenbuckley/Projects/LogViewer/output/mas/Compact Log Viewer.app 
 > Platform: mas 
 > Entitlements: /var/folders/gt/hl2tlmw91bg_9vdghmp7w4ww0000gn/T/tmp-entitlements-cfb-0.plist 
 > Child entitlements: /Users/warrenbuckley/Projects/LogViewer/LogViewer.Client/build/entitlements.mas.inherit.plist 
 > Additional binaries: [ '../LogViewer.Server/bin/dist/osx/LogViewer.Server' ] 
 > Identity: { name:
   '3rd Party Mac Developer Application: Warren Buckley (...LU24)',
  hash: '...4BC0' } +0ms
  electron-osx-sign Walking... /Users/warrenbuckley/Projects/LogViewer/output/mas/Compact Log Viewer.app/Contents +1ms
  electron-osx-sign Signing... /Users/warrenbuckley/Projects/LogViewer/output/mas/Compact Log Viewer.app/Contents/Frameworks/Compact Log Viewer Helper.app/Contents/MacOS/Compact Log Viewer Helper +24ms
  electron-osx-sign Executing... codesign --sign ...4BC0 --force --entitlements /Users/warrenbuckley/Projects/LogViewer/LogViewer.Client/build/entitlements.mas.inherit.plist /Users/warrenbuckley/Projects/LogViewer/output/mas/Compact Log Viewer.app/Contents/Frameworks/Compact Log Viewer Helper.app/Contents/MacOS/Compact Log Viewer Helper +0ms
  electron-osx-sign Signing... /Users/warrenbuckley/Projects/LogViewer/output/mas/Compact Log Viewer.app/Contents/Frameworks/Compact Log Viewer Helper.app +142ms
  electron-osx-sign Executing... codesign --sign ...4BC0 --force --entitlements /Users/warrenbuckley/Projects/LogViewer/LogViewer.Client/build/entitlements.mas.inherit.plist /Users/warrenbuckley/Projects/LogViewer/output/mas/Compact Log Viewer.app/Contents/Frameworks/Compact Log Viewer Helper.app +1ms
  electron-osx-sign Signing... /Users/warrenbuckley/Projects/LogViewer/output/mas/Compact Log Viewer.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Electron Framework +148ms
  electron-osx-sign Executing... codesign --sign ...4BC0 --force --entitlements /Users/warrenbuckley/Projects/LogViewer/LogViewer.Client/build/entitlements.mas.inherit.plist /Users/warrenbuckley/Projects/LogViewer/output/mas/Compact Log Viewer.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Electron Framework +0ms
  electron-osx-sign Signing... /Users/warrenbuckley/Projects/LogViewer/output/mac/Compact Log Viewer.app/Contents/Frameworks/Compact Log Viewer Helper.app +125ms
  electron-osx-sign Executing... codesign --sign ...B285 --force /Users/warrenbuckley/Projects/LogViewer/output/mac/Compact Log Viewer.app/Contents/Frameworks/Compact Log Viewer Helper.app +1ms
  electron-osx-sign Signing... /Users/warrenbuckley/Projects/LogViewer/output/mac/Compact Log Viewer.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Electron Framework +266ms
  electron-osx-sign Executing... codesign --sign ...B285 --force /Users/warrenbuckley/Projects/LogViewer/output/mac/Compact Log Viewer.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Electron Framework +0ms
  electron-osx-sign Signing... /Users/warrenbuckley/Projects/LogViewer/output/mas/Compact Log Viewer.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libffmpeg.dylib +818ms
  electron-osx-sign Executing... codesign --sign ...4BC0 --force --entitlements /Users/warrenbuckley/Projects/LogViewer/LogViewer.Client/build/entitlements.mas.inherit.plist /Users/warrenbuckley/Projects/LogViewer/output/mas/Compact Log Viewer.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libffmpeg.dylib +1ms
  electron-osx-sign Signing... /Users/warrenbuckley/Projects/LogViewer/output/mas/Compact Log Viewer.app/Contents/Frameworks/Electron Framework.framework +166ms
  electron-osx-sign Executing... codesign --sign ...4BC0 --force --entitlements /Users/warrenbuckley/Projects/LogViewer/LogViewer.Client/build/entitlements.mas.inherit.plist /Users/warrenbuckley/Projects/LogViewer/output/mas/Compact Log Viewer.app/Contents/Frameworks/Electron Framework.framework +0ms
  electron-osx-sign Signing... /Users/warrenbuckley/Projects/LogViewer/output/mac/Compact Log Viewer.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libffmpeg.dylib +339ms
  electron-osx-sign Executing... codesign --sign ...B285 --force /Users/warrenbuckley/Projects/LogViewer/output/mac/Compact Log Viewer.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libffmpeg.dylib +0ms
  electron-osx-sign Signing... /Users/warrenbuckley/Projects/LogViewer/output/mac/Compact Log Viewer.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Resources/crashpad_handler +365ms
  electron-osx-sign Executing... codesign --sign ...B285 --force /Users/warrenbuckley/Projects/LogViewer/output/mac/Compact Log Viewer.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Resources/crashpad_handler +0ms
  electron-osx-sign Signing... /Users/warrenbuckley/Projects/LogViewer/output/mac/Compact Log Viewer.app/Contents/Frameworks/Electron Framework.framework +249ms
  electron-osx-sign Executing... codesign --sign ...B285 --force /Users/warrenbuckley/Projects/LogViewer/output/mac/Compact Log Viewer.app/Contents/Frameworks/Electron Framework.framework +0ms
  electron-osx-sign Signing... /Users/warrenbuckley/Projects/LogViewer/output/mas/Compact Log Viewer.app/Contents/Library/LoginItems/Compact Log Viewer Login Helper.app/Contents/MacOS/Compact Log Viewer Login Helper +257ms
  electron-osx-sign Executing... codesign --sign ...4BC0 --force --entitlements /Users/warrenbuckley/Projects/LogViewer/LogViewer.Client/build/entitlements.mas.inherit.plist /Users/warrenbuckley/Projects/LogViewer/output/mas/Compact Log Viewer.app/Contents/Library/LoginItems/Compact Log Viewer Login Helper.app/Contents/MacOS/Compact Log Viewer Login Helper +0ms
  electron-osx-sign Signing... /Users/warrenbuckley/Projects/LogViewer/output/mas/Compact Log Viewer.app/Contents/Library/LoginItems/Compact Log Viewer Login Helper.app +150ms
  electron-osx-sign Executing... codesign --sign ...4BC0 --force --entitlements /Users/warrenbuckley/Projects/LogViewer/LogViewer.Client/build/entitlements.mas.inherit.plist /Users/warrenbuckley/Projects/LogViewer/output/mas/Compact Log Viewer.app/Contents/Library/LoginItems/Compact Log Viewer Login Helper.app +0ms
  electron-osx-sign Signing... /Users/warrenbuckley/Projects/LogViewer/output/mas/Compact Log Viewer.app/Contents/MacOS/Compact Log Viewer +164ms
  electron-osx-sign Executing... codesign --sign ...4BC0 --force --entitlements /Users/warrenbuckley/Projects/LogViewer/LogViewer.Client/build/entitlements.mas.inherit.plist /Users/warrenbuckley/Projects/LogViewer/output/mas/Compact Log Viewer.app/Contents/MacOS/Compact Log Viewer +0ms
  electron-osx-sign Signing... /Users/warrenbuckley/Projects/LogViewer/output/mac/Compact Log Viewer.app/Contents/Frameworks/Mantle.framework/Versions/A/Mantle +769ms
  electron-osx-sign Executing... codesign --sign ...B285 --force /Users/warrenbuckley/Projects/LogViewer/output/mac/Compact Log Viewer.app/Contents/Frameworks/Mantle.framework/Versions/A/Mantle +0ms
  electron-osx-sign Signing... /Users/warrenbuckley/Projects/LogViewer/output/mac/Compact Log Viewer.app/Contents/Frameworks/Mantle.framework +247ms
  electron-osx-sign Executing... codesign --sign ...B285 --force /Users/warrenbuckley/Projects/LogViewer/output/mac/Compact Log Viewer.app/Contents/Frameworks/Mantle.framework +0ms
  electron-osx-sign Signing... /Users/warrenbuckley/Projects/LogViewer/output/mas/Compact Log Viewer.app/Contents/Resources/LogViewer.Server/bin/dist/osx/System.Globalization.Native.dylib +101ms
  electron-osx-sign Executing... codesign --sign ...4BC0 --force --entitlements /Users/warrenbuckley/Projects/LogViewer/LogViewer.Client/build/entitlements.mas.inherit.plist /Users/warrenbuckley/Projects/LogViewer/output/mas/Compact Log Viewer.app/Contents/Resources/LogViewer.Server/bin/dist/osx/System.Globalization.Native.dylib +0ms
  electron-osx-sign Signing... /Users/warrenbuckley/Projects/LogViewer/output/mas/Compact Log Viewer.app/Contents/Resources/LogViewer.Server/bin/dist/osx/System.IO.Compression.Native.dylib +136ms
  electron-osx-sign Executing... codesign --sign ...4BC0 --force --entitlements /Users/warrenbuckley/Projects/LogViewer/LogViewer.Client/build/entitlements.mas.inherit.plist /Users/warrenbuckley/Projects/LogViewer/output/mas/Compact Log Viewer.app/Contents/Resources/LogViewer.Server/bin/dist/osx/System.IO.Compression.Native.dylib +1ms
  electron-osx-sign Signing... /Users/warrenbuckley/Projects/LogViewer/output/mac/Compact Log Viewer.app/Contents/Frameworks/ReactiveCocoa.framework/Versions/A/ReactiveCocoa +18ms
  electron-osx-sign Executing... codesign --sign ...B285 --force /Users/warrenbuckley/Projects/LogViewer/output/mac/Compact Log Viewer.app/Contents/Frameworks/ReactiveCocoa.framework/Versions/A/ReactiveCocoa +1ms
  electron-osx-sign Signing... /Users/warrenbuckley/Projects/LogViewer/output/mas/Compact Log Viewer.app/Contents/Resources/LogViewer.Server/bin/dist/osx/System.Native.dylib +129ms
  electron-osx-sign Executing... codesign --sign ...4BC0 --force --entitlements /Users/warrenbuckley/Projects/LogViewer/LogViewer.Client/build/entitlements.mas.inherit.plist /Users/warrenbuckley/Projects/LogViewer/output/mas/Compact Log Viewer.app/Contents/Resources/LogViewer.Server/bin/dist/osx/System.Native.dylib +0ms
  electron-osx-sign Signing... /Users/warrenbuckley/Projects/LogViewer/output/mas/Compact Log Viewer.app/Contents/Resources/LogViewer.Server/bin/dist/osx/System.Net.Http.Native.dylib +136ms
  electron-osx-sign Executing... codesign --sign ...4BC0 --force --entitlements /Users/warrenbuckley/Projects/LogViewer/LogViewer.Client/build/entitlements.mas.inherit.plist /Users/warrenbuckley/Projects/LogViewer/output/mas/Compact Log Viewer.app/Contents/Resources/LogViewer.Server/bin/dist/osx/System.Net.Http.Native.dylib +0ms
  electron-osx-sign Signing... /Users/warrenbuckley/Projects/LogViewer/output/mac/Compact Log Viewer.app/Contents/Frameworks/ReactiveCocoa.framework +4ms
  electron-osx-sign Executing... codesign --sign ...B285 --force /Users/warrenbuckley/Projects/LogViewer/output/mac/Compact Log Viewer.app/Contents/Frameworks/ReactiveCocoa.framework +0ms
  electron-osx-sign Signing... /Users/warrenbuckley/Projects/LogViewer/output/mas/Compact Log Viewer.app/Contents/Resources/LogViewer.Server/bin/dist/osx/System.Net.Security.Native.dylib +138ms
  electron-osx-sign Executing... codesign --sign ...4BC0 --force --entitlements /Users/warrenbuckley/Projects/LogViewer/LogViewer.Client/build/entitlements.mas.inherit.plist /Users/warrenbuckley/Projects/LogViewer/output/mas/Compact Log Viewer.app/Contents/Resources/LogViewer.Server/bin/dist/osx/System.Net.Security.Native.dylib +0ms
  electron-osx-sign Signing... /Users/warrenbuckley/Projects/LogViewer/output/mas/Compact Log Viewer.app/Contents/Resources/LogViewer.Server/bin/dist/osx/System.Security.Cryptography.Native.Apple.dylib +135ms
  electron-osx-sign Executing... codesign --sign ...4BC0 --force --entitlements /Users/warrenbuckley/Projects/LogViewer/LogViewer.Client/build/entitlements.mas.inherit.plist /Users/warrenbuckley/Projects/LogViewer/output/mas/Compact Log Viewer.app/Contents/Resources/LogViewer.Server/bin/dist/osx/System.Security.Cryptography.Native.Apple.dylib +0ms
  electron-osx-sign Signing... /Users/warrenbuckley/Projects/LogViewer/output/mac/Compact Log Viewer.app/Contents/Frameworks/Squirrel.framework/Versions/A/Resources/ShipIt +29ms
  electron-osx-sign Executing... codesign --sign ...B285 --force /Users/warrenbuckley/Projects/LogViewer/output/mac/Compact Log Viewer.app/Contents/Frameworks/Squirrel.framework/Versions/A/Resources/ShipIt +0ms
  electron-osx-sign Signing... /Users/warrenbuckley/Projects/LogViewer/output/mas/Compact Log Viewer.app/Contents/Resources/LogViewer.Server/bin/dist/osx/libclrjit.dylib +113ms
  electron-osx-sign Executing... codesign --sign ...4BC0 --force --entitlements /Users/warrenbuckley/Projects/LogViewer/LogViewer.Client/build/entitlements.mas.inherit.plist /Users/warrenbuckley/Projects/LogViewer/output/mas/Compact Log Viewer.app/Contents/Resources/LogViewer.Server/bin/dist/osx/libclrjit.dylib +1ms
  electron-osx-sign Signing... /Users/warrenbuckley/Projects/LogViewer/output/mac/Compact Log Viewer.app/Contents/Frameworks/Squirrel.framework/Versions/A/Squirrel +148ms
  electron-osx-sign Executing... codesign --sign ...B285 --force /Users/warrenbuckley/Projects/LogViewer/output/mac/Compact Log Viewer.app/Contents/Frameworks/Squirrel.framework/Versions/A/Squirrel +0ms
  electron-osx-sign Signing... /Users/warrenbuckley/Projects/LogViewer/output/mas/Compact Log Viewer.app/Contents/Resources/LogViewer.Server/bin/dist/osx/libcoreclr.dylib +26ms
  electron-osx-sign Executing... codesign --sign ...4BC0 --force --entitlements /Users/warrenbuckley/Projects/LogViewer/LogViewer.Client/build/entitlements.mas.inherit.plist /Users/warrenbuckley/Projects/LogViewer/output/mas/Compact Log Viewer.app/Contents/Resources/LogViewer.Server/bin/dist/osx/libcoreclr.dylib +1ms
  electron-osx-sign Signing... /Users/warrenbuckley/Projects/LogViewer/output/mas/Compact Log Viewer.app/Contents/Resources/LogViewer.Server/bin/dist/osx/libhostfxr.dylib +223ms
  electron-osx-sign Executing... codesign --sign ...4BC0 --force --entitlements /Users/warrenbuckley/Projects/LogViewer/LogViewer.Client/build/entitlements.mas.inherit.plist /Users/warrenbuckley/Projects/LogViewer/output/mas/Compact Log Viewer.app/Contents/Resources/LogViewer.Server/bin/dist/osx/libhostfxr.dylib +0ms
  electron-osx-sign Signing... /Users/warrenbuckley/Projects/LogViewer/output/mas/Compact Log Viewer.app/Contents/Resources/LogViewer.Server/bin/dist/osx/libhostpolicy.dylib +149ms
  electron-osx-sign Executing... codesign --sign ...4BC0 --force --entitlements /Users/warrenbuckley/Projects/LogViewer/LogViewer.Client/build/entitlements.mas.inherit.plist /Users/warrenbuckley/Projects/LogViewer/output/mas/Compact Log Viewer.app/Contents/Resources/LogViewer.Server/bin/dist/osx/libhostpolicy.dylib +1ms
  electron-osx-sign Signing... /Users/warrenbuckley/Projects/LogViewer/output/mac/Compact Log Viewer.app/Contents/Frameworks/Squirrel.framework +3ms
  electron-osx-sign Executing... codesign --sign ...B285 --force /Users/warrenbuckley/Projects/LogViewer/output/mac/Compact Log Viewer.app/Contents/Frameworks/Squirrel.framework +0ms
  electron-osx-sign Signing... ../LogViewer.Server/bin/dist/osx/LogViewer.Server +147ms
  electron-osx-sign Executing... codesign --sign ...4BC0 --force --entitlements /Users/warrenbuckley/Projects/LogViewer/LogViewer.Client/build/entitlements.mas.inherit.plist ../LogViewer.Server/bin/dist/osx/LogViewer.Server +1ms
  electron-osx-sign Signing... /Users/warrenbuckley/Projects/LogViewer/output/mac/Compact Log Viewer.app/Contents/MacOS/Compact Log Viewer +128ms
  electron-osx-sign Executing... codesign --sign ...B285 --force /Users/warrenbuckley/Projects/LogViewer/output/mac/Compact Log Viewer.app/Contents/MacOS/Compact Log Viewer +0ms
  electron-osx-sign Signing... /Users/warrenbuckley/Projects/LogViewer/output/mas/Compact Log Viewer.app +24ms
  electron-osx-sign Executing... codesign --sign ...4BC0 --force --entitlements /var/folders/gt/hl2tlmw91bg_9vdghmp7w4ww0000gn/T/tmp-entitlements-cfb-0.plist /Users/warrenbuckley/Projects/LogViewer/output/mas/Compact Log Viewer.app +0ms
  electron-osx-sign Verifying... +1s
  electron-osx-sign Verifying application bundle with codesign... +1ms
  electron-osx-sign Executing... codesign --verify --deep --strict --verbose=2 /Users/warrenbuckley/Projects/LogViewer/output/mas/Compact Log Viewer.app +0ms
  electron-osx-sign Signing... /Users/warrenbuckley/Projects/LogViewer/output/mac/Compact Log Viewer.app/Contents/Resources/LogViewer.Server/bin/dist/osx/System.Globalization.Native.dylib +192ms
  electron-osx-sign Executing... codesign --sign ...B285 --force /Users/warrenbuckley/Projects/LogViewer/output/mac/Compact Log Viewer.app/Contents/Resources/LogViewer.Server/bin/dist/osx/System.Globalization.Native.dylib +0ms
  electron-osx-sign Signing... /Users/warrenbuckley/Projects/LogViewer/output/mac/Compact Log Viewer.app/Contents/Resources/LogViewer.Server/bin/dist/osx/System.IO.Compression.Native.dylib +997ms
  electron-osx-sign Executing... codesign --sign ...B285 --force /Users/warrenbuckley/Projects/LogViewer/output/mac/Compact Log Viewer.app/Contents/Resources/LogViewer.Server/bin/dist/osx/System.IO.Compression.Native.dylib +0ms
  electron-osx-sign Signing... /Users/warrenbuckley/Projects/LogViewer/output/mac/Compact Log Viewer.app/Contents/Resources/LogViewer.Server/bin/dist/osx/System.Native.dylib +293ms
  electron-osx-sign Executing... codesign --sign ...B285 --force /Users/warrenbuckley/Projects/LogViewer/output/mac/Compact Log Viewer.app/Contents/Resources/LogViewer.Server/bin/dist/osx/System.Native.dylib +0ms
  electron-osx-sign Signing... /Users/warrenbuckley/Projects/LogViewer/output/mac/Compact Log Viewer.app/Contents/Resources/LogViewer.Server/bin/dist/osx/System.Net.Http.Native.dylib +250ms
  electron-osx-sign Executing... codesign --sign ...B285 --force /Users/warrenbuckley/Projects/LogViewer/output/mac/Compact Log Viewer.app/Contents/Resources/LogViewer.Server/bin/dist/osx/System.Net.Http.Native.dylib +0ms
  electron-osx-sign Verified. +106ms
  electron-osx-sign Displaying entitlements... +0ms
  electron-osx-sign Executing... codesign --display --entitlements :- /Users/warrenbuckley/Projects/LogViewer/output/mas/Compact Log Viewer.app +0ms
  electron-osx-sign Entitlements: 
 <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.files.user-selected.read-write</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
    <key>com.apple.application-identifier</key>
    <string>...LU24.com.warrenbuckley.compact.logviewer</string>
    <key>com.apple.developer.team-identifier</key>
    <string>...LU24</string>
    <key>com.apple.security.application-groups</key>
    <array>
      <string>...TLU24.com.warrenbuckley.compact.logviewer</string>
    </array>
  </dict>
</plist> +49ms
  electron-osx-sign Application signed. +0ms
  electron-osx-sign Signing... /Users/warrenbuckley/Projects/LogViewer/output/mac/Compact Log Viewer.app/Contents/Resources/LogViewer.Server/bin/dist/osx/System.Net.Security.Native.dylib +102ms
  electron-osx-sign Executing... codesign --sign ...B285 --force /Users/warrenbuckley/Projects/LogViewer/output/mac/Compact Log Viewer.app/Contents/Resources/LogViewer.Server/bin/dist/osx/System.Net.Security.Native.dylib +1ms
  electron-osx-sign Signing... /Users/warrenbuckley/Projects/LogViewer/output/mac/Compact Log Viewer.app/Contents/Resources/LogViewer.Server/bin/dist/osx/System.Security.Cryptography.Native.Apple.dylib +233ms
  electron-osx-sign Executing... codesign --sign ...B285 --force /Users/warrenbuckley/Projects/LogViewer/output/mac/Compact Log Viewer.app/Contents/Resources/LogViewer.Server/bin/dist/osx/System.Security.Cryptography.Native.Apple.dylib +0ms
  electron-osx-sign Signing... /Users/warrenbuckley/Projects/LogViewer/output/mac/Compact Log Viewer.app/Contents/Resources/LogViewer.Server/bin/dist/osx/libclrjit.dylib +238ms
  electron-osx-sign Executing... codesign --sign ...B285 --force /Users/warrenbuckley/Projects/LogViewer/output/mac/Compact Log Viewer.app/Contents/Resources/LogViewer.Server/bin/dist/osx/libclrjit.dylib +0ms
  electron-osx-sign Signing... /Users/warrenbuckley/Projects/LogViewer/output/mac/Compact Log Viewer.app/Contents/Resources/LogViewer.Server/bin/dist/osx/libcoreclr.dylib +285ms
  electron-osx-sign Executing... codesign --sign ...B285 --force /Users/warrenbuckley/Projects/LogViewer/output/mac/Compact Log Viewer.app/Contents/Resources/LogViewer.Server/bin/dist/osx/libcoreclr.dylib +0ms
  electron-osx-sign Signing... /Users/warrenbuckley/Projects/LogViewer/output/mac/Compact Log Viewer.app/Contents/Resources/LogViewer.Server/bin/dist/osx/libhostfxr.dylib +306ms
  electron-osx-sign Executing... codesign --sign ...B285 --force /Users/warrenbuckley/Projects/LogViewer/output/mac/Compact Log Viewer.app/Contents/Resources/LogViewer.Server/bin/dist/osx/libhostfxr.dylib +1ms
  electron-osx-sign Signing... /Users/warrenbuckley/Projects/LogViewer/output/mac/Compact Log Viewer.app/Contents/Resources/LogViewer.Server/bin/dist/osx/libhostpolicy.dylib +246ms
  electron-osx-sign Executing... codesign --sign ...B285 --force /Users/warrenbuckley/Projects/LogViewer/output/mac/Compact Log Viewer.app/Contents/Resources/LogViewer.Server/bin/dist/osx/libhostpolicy.dylib +0ms
  electron-osx-sign Signing... /Users/warrenbuckley/Projects/LogViewer/output/mac/Compact Log Viewer.app +248ms
  electron-osx-sign Executing... codesign --sign ...B285 --force /Users/warrenbuckley/Projects/LogViewer/output/mac/Compact Log Viewer.app +0ms
  electron-osx-sign Verifying... +1s
  electron-osx-sign Verifying application bundle with codesign... +1ms
  electron-osx-sign Executing... codesign --verify --deep --strict --verbose=2 /Users/warrenbuckley/Projects/LogViewer/output/mac/Compact Log Viewer.app +0ms
  electron-osx-sign Verifying Gatekeeper acceptance for darwin platform... +851ms
  electron-osx-sign Executing... spctl --assess --type execute --verbose --ignore-cache --no-cache /Users/warrenbuckley/Projects/LogViewer/output/mac/Compact Log Viewer.app +0ms
  electron-osx-sign Verified. +1s
  electron-osx-sign Application signed. +0ms
  • building        target=DMG arch=x64 file=/Users/warrenbuckley/Projects/LogViewer/output/Compact Log Viewer-1.0.4.dmg
  • copy files                from=/Users/warrenbuckley/Projects/LogViewer/output/.icon-icns/icon.icns isUseHardLinks=false to=/Volumes/Compact Log Viewer 1.0.4/.VolumeIcon.icns
  • building block map blockMapFile=/Users/warrenbuckley/Projects/LogViewer/output/Compact Log Viewer-1.0.4.dmg.blockmap
warrenbuckley commented 5 years ago

The additional binary is listed above and from the logs all seems OK as far as I can tell but I still get the error/screenshot posted at the beginning of this thread.

I don't know enough about MacOS entitlements & code signing to know where the problem lies here, are you able to give any pointers please @sethlu

warrenbuckley commented 5 years ago

Update

I have had to explicitly set the binary in the electron-builder.json config to be a full path like so:

    "mas": {
        "binaries": [
            "/Users/warrenbuckley/Projects/LogViewer/output/mas/Compact Log Viewer.app/Contents/Resources/LogViewer.Server/bin/dist/osx/LogViewer.Server"
        ]
    }

As opposed to a relative path which I had set ../LogViewer.Server/bin/dist/osx/LogViewer.Server however this does not seem to complain to me though.

This is not ideal for me, if I want to move this into some CI pipeline as obviously they will not have the same absolute path as me.

My project structure copies the LogViewer Server over with Electron Builder with this config but I would have thought the relative path I gave of ../LogViewer.Server/bin/dist/osx/LogViewer.Server would have been fine?!

    "extraResources": {
        "from": "../LogViewer.Server/bin/dist/",
        "to": "LogViewer.Server/bin/dist/",
        "filter": [
            "**/*"
        ]
    },

When specifying a path to the additional binaries in codesign what should the path be @sethlu ?

sethlu commented 5 years ago

If specifying the full path to the binary works fine, then the additional binaries list should be working. The paths listed should be relative to the current working directory. In this case, I think it should be relative to where you run the electron-builder script?

warrenbuckley commented 5 years ago

Thanks @sethlu I will experiment & investigate and report back soon

Qiplex commented 5 years ago

Same issue here.

Screen Shot 2019-07-24 at 18 51 23
$ cat build/entitlements.mas.plist 

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.app-sandbox</key>
<true/>
<key>com.apple.security.files.user-selected.read-write</key>
<true/>
</dict>
</plist>                                              

This used to be working flawlessly earlier. A few months ago, I believe.

mvbn commented 5 years ago

Hello, I have the same issue.

I have noted that the Info.plist contained on the package of my previous working version was starting like this:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">...

But on the latest start like this:

bplist00� 

 !""#$%&'()*11-./01]AsarIntegrity...

Edit: Xcode can open both. I use electron-builder which it uses electron-osx-sign.

To submit MAS with electron 6, is required 21.2.0: so I can't. I downgraded node to 10.16.3, electron to 5 and electron-builder to 20.44.4.

iKBAHT commented 5 years ago

Have the same problem after update to

"electron": "6.0.2",
"electron-builder": "21.2.0",

d300234a-67c2-4f10-b23b-4b63efc47ca7

sethlu commented 5 years ago

Hi @Qiplex @mvbn @iKBAHT! Can you set the environment variable DEBUG=electron-osx-sign* (with the asterisk) and do the code signing again? The output debug logs will be very helpful for us to help troubleshoot 😺 Please note to redact any sensitive info like signing identities & team id.

iKBAHT commented 5 years ago

@sethlu, the error happen not in sign stage, but in send to Mac App Store stage. I run code signing with DEBUG=electron-osx-sign* and no have any extra info.

sethlu commented 5 years ago

@iKBAHT 🤔 if DEBUG=electron-osx-sign* doesn't output any debugging info, that probably means the app bundle isn't signed? Did you configure electron-builder to sign the app after packaging?

We use the output message from the codesigning stage to troubleshoot for issues that show up when submitting to the Mac App Store.

vaibhavtel commented 5 years ago

Workaround Add

<key>com.apple.security.app-sandbox</key>
<true/>

to node_modules/app-builder-lib/templates/entitlements.mac.plist

iKBAHT commented 5 years ago

@sethlu sorry for late. Previous time I incorrectly add DEBUG=electron-osx-sign*. This is log from new electron-builder 22.1.0 and mac os 10.15.1

electron-builder  version=22.1.0 os=19.0.0
  • loaded configuration  file=/Users/--secret--/Desktop/www/maat/electron-builder-mac-store.dev.json
  • writing effective config  file=dist/builder-effective-config.yaml
  • installing production dependencies  platform=darwin arch=x64 appDir=/Users/--secret--/Desktop/www/maat/app
  • packaging       platform=mas arch=x64 electron=6.0.2 appOutDir=dist/mas-dev
  • map async       taskCount=2
  • map async       taskCount=1
  • map async       taskCount=228
  • asar using is disabled — it is strongly not recommended  solution=enable asar and use asarUnpack to unpack files that must be externally available
  • map async       taskCount=8
  • path resolved   path=/Users/--secret--/Desktop/www/maat/resources/icon.icns outputFormat=icns
  • map async       taskCount=6
  • signing         file=dist/mas-dev/Brief.app identityName=Mac Developer: --secret-- provisioningProfile=./build/BriefDevelopment.provisionprofile

electron-osx-sign `identity` passed in arguments. +0ms
  electron-osx-sign Pre-sign operation enabled for provisioning profile:
 * Disable by setting `pre-embed-provisioning-profile` to `false`. +1ms
  electron-osx-sign Pre-sign operation enabled for entitlements automation with versions >= `1.1.1`:
 * Disable by setting `pre-auto-entitlements` to `false`. +0ms
  electron-osx-sign `provisioning-profile` passed in arguments. +0ms
  electron-osx-sign Executing... security cms -D -i ./build/BriefDevelopment.provisionprofile +1ms
  • map async       taskCount=1
  electron-osx-sign Provisioning profile:
 > Name: Mac Store Dev profile
 > Platforms: [ 'darwin', 'mas' ]
 > Type: development
 > Path: ./build/BriefDevelopment.provisionprofile
 > Message: {
  DeveloperCertificates: [
    '--secret--'
  ],
  ProvisionedDevices: [
    '--secret--',
    '--secret--'
  ],
  TimeToLive: 365,
  Platform: [ 'OSX' ],
  IsXcodeManaged: false,
  Entitlements: {
    'com.apple.application-identifier': '--secret--.com.gobrief.Brief',
    'keychain-access-groups': [ '--secret--.*' ],
    'com.apple.developer.team-identifier': '--secret--'
  },
  TeamName: 'Brief Communications Inc.',
  UUID: '--secret--',
  Version: 1,
  AppIDName: 'Brief Messenger',
  ApplicationIdentifierPrefix: [ '--secret--' ],
  Name: 'Mac Store Dev profile',
  TeamIdentifier: [ '--secret--' ],
  CreationDate: '2019-09-11T13:44:22Z',
  ExpirationDate: '2020-09-10T13:44:22Z'
} +60ms
  electron-osx-sign Looking for existing provisioning profile... +3ms
  electron-osx-sign Embedding provisioning profile... +32ms
  electron-osx-sign Copying file...
 > Source: ./build/BriefDevelopment.provisionprofile
 > Target: /Users/--secret--/Desktop/www/maat/dist/mas-dev/Brief.app/Contents/embedded.provisionprofile +0ms
  electron-osx-sign Automating entitlement app group...
 > Info.plist: /Users/--secret--/Desktop/www/maat/dist/mas-dev/Brief.app/Contents/Info.plist
 > Entitlements: ./build/entitlements.mas.plist +3ms
  • map async       taskCount=2
  electron-osx-sign `ElectronTeamID` not found in `Info.plist`, use parsed from provisioning profile: --secret-- +15ms
  • map async       taskCount=1
  electron-osx-sign `Info.plist` updated:
 > Info.plist: /Users/--secret--/Desktop/www/maat/dist/mas-dev/Brief.app/Contents/Info.plist +14ms
  electron-osx-sign `com.apple.application-identifier` found in entitlements file: --secret--.com.gobrief.Brief +0ms
  electron-osx-sign `com.apple.developer.team-identifier` found in entitlements file: --secret-- +0ms
  electron-osx-sign `com.apple.security.application-groups` found in entitlements file: --secret--.com.gobrief.Brief +0ms
  • map async       taskCount=1
  electron-osx-sign Entitlements file updated:
 > Entitlements: /var/folders/d2/s2gd6khn7xx65_836fkv057m0000gn/T/tmp-entitlements-3831-0.plist +15ms
  electron-osx-sign Signing application...
 > Application: /Users/--secret--/Desktop/www/maat/dist/mas-dev/Brief.app
 > Platform: mas
 > Entitlements: /var/folders/d2/s2gd6khn7xx65_836fkv057m0000gn/T/tmp-entitlements-3831-0.plist
 > Child entitlements: /Users/--secret--/Desktop/www/maat/node_modules/app-builder-lib/templates/entitlements.mac.plist
 > Additional binaries: undefined
 > Identity: {
  name: '--secret--',
  hash: '--secret--'
} +0ms
  electron-osx-sign Walking... /Users/--secret--/Desktop/www/maat/dist/mas-dev/Brief.app/Contents +1ms
  electron-osx-sign Signing... /Users/--secret--/Desktop/www/maat/dist/mas-dev/Brief.app/Contents/Frameworks/Brief Helper (GPU).app/Contents/MacOS/Brief Helper (GPU) +22ms
  electron-osx-sign Executing... codesign --sign --secret-- --force --options runtime --entitlements /Users/--secret--/Desktop/www/maat/node_modules/app-builder-lib/templates/entitlements.mac.plist /Users/--secret--/Desktop/www/maat/dist/mas-dev/Brief.app/Contents/Frameworks/Brief Helper (GPU).app/Contents/MacOS/Brief Helper (GPU) +0ms
  electron-osx-sign Signing... /Users/--secret--/Desktop/www/maat/dist/mas-dev/Brief.app/Contents/Frameworks/Brief Helper (GPU).app +107ms
  electron-osx-sign Executing... codesign --sign --secret-- --force --options runtime --entitlements /Users/--secret--/Desktop/www/maat/node_modules/app-builder-lib/templates/entitlements.mac.plist /Users/--secret--/Desktop/www/maat/dist/mas-dev/Brief.app/Contents/Frameworks/Brief Helper (GPU).app +0ms
  electron-osx-sign Signing... /Users/--secret--/Desktop/www/maat/dist/mas-dev/Brief.app/Contents/Frameworks/Brief Helper (Plugin).app/Contents/MacOS/Brief Helper (Plugin) +94ms
  electron-osx-sign Executing... codesign --sign --secret-- --force --options runtime --entitlements /Users/--secret--/Desktop/www/maat/node_modules/app-builder-lib/templates/entitlements.mac.plist /Users/--secret--/Desktop/www/maat/dist/mas-dev/Brief.app/Contents/Frameworks/Brief Helper (Plugin).app/Contents/MacOS/Brief Helper (Plugin) +0ms
  electron-osx-sign Signing... /Users/--secret--/Desktop/www/maat/dist/mas-dev/Brief.app/Contents/Frameworks/Brief Helper (Plugin).app +94ms
  electron-osx-sign Executing... codesign --sign --secret-- --force --options runtime --entitlements /Users/--secret--/Desktop/www/maat/node_modules/app-builder-lib/templates/entitlements.mac.plist /Users/--secret--/Desktop/www/maat/dist/mas-dev/Brief.app/Contents/Frameworks/Brief Helper (Plugin).app +0ms
  electron-osx-sign Signing... /Users/--secret--/Desktop/www/maat/dist/mas-dev/Brief.app/Contents/Frameworks/Brief Helper (Renderer).app/Contents/MacOS/Brief Helper (Renderer) +95ms
  electron-osx-sign Executing... codesign --sign --secret-- --force --options runtime --entitlements /Users/--secret--/Desktop/www/maat/node_modules/app-builder-lib/templates/entitlements.mac.plist /Users/--secret--/Desktop/www/maat/dist/mas-dev/Brief.app/Contents/Frameworks/Brief Helper (Renderer).app/Contents/MacOS/Brief Helper (Renderer) +0ms
  electron-osx-sign Signing... /Users/--secret--/Desktop/www/maat/dist/mas-dev/Brief.app/Contents/Frameworks/Brief Helper (Renderer).app +94ms
  electron-osx-sign Executing... codesign --sign --secret-- --force --options runtime --entitlements /Users/--secret--/Desktop/www/maat/node_modules/app-builder-lib/templates/entitlements.mac.plist /Users/--secret--/Desktop/www/maat/dist/mas-dev/Brief.app/Contents/Frameworks/Brief Helper (Renderer).app +1ms
  electron-osx-sign Signing... /Users/--secret--/Desktop/www/maat/dist/mas-dev/Brief.app/Contents/Frameworks/Brief Helper.app/Contents/MacOS/Brief Helper +99ms
  electron-osx-sign Executing... codesign --sign --secret-- --force --options runtime --entitlements /Users/--secret--/Desktop/www/maat/node_modules/app-builder-lib/templates/entitlements.mac.plist /Users/--secret--/Desktop/www/maat/dist/mas-dev/Brief.app/Contents/Frameworks/Brief Helper.app/Contents/MacOS/Brief Helper +0ms
  electron-osx-sign Signing... /Users/--secret--/Desktop/www/maat/dist/mas-dev/Brief.app/Contents/Frameworks/Brief Helper.app +101ms
  electron-osx-sign Executing... codesign --sign --secret-- --force --options runtime --entitlements /Users/--secret--/Desktop/www/maat/node_modules/app-builder-lib/templates/entitlements.mac.plist /Users/--secret--/Desktop/www/maat/dist/mas-dev/Brief.app/Contents/Frameworks/Brief Helper.app +0ms
  electron-osx-sign Signing... /Users/--secret--/Desktop/www/maat/dist/mas-dev/Brief.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Electron Framework +99ms
  electron-osx-sign Executing... codesign --sign --secret-- --force --options runtime --entitlements /Users/--secret--/Desktop/www/maat/node_modules/app-builder-lib/templates/entitlements.mac.plist /Users/--secret--/Desktop/www/maat/dist/mas-dev/Brief.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Electron Framework +0ms
  electron-osx-sign Signing... /Users/--secret--/Desktop/www/maat/dist/mas-dev/Brief.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libEGL.dylib +1s
  electron-osx-sign Executing... codesign --sign --secret-- --force --options runtime --entitlements /Users/--secret--/Desktop/www/maat/node_modules/app-builder-lib/templates/entitlements.mac.plist /Users/--secret--/Desktop/www/maat/dist/mas-dev/Brief.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libEGL.dylib +0ms
  electron-osx-sign Signing... /Users/--secret--/Desktop/www/maat/dist/mas-dev/Brief.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libGLESv2.dylib +93ms
  electron-osx-sign Executing... codesign --sign --secret-- --force --options runtime --entitlements /Users/--secret--/Desktop/www/maat/node_modules/app-builder-lib/templates/entitlements.mac.plist /Users/--secret--/Desktop/www/maat/dist/mas-dev/Brief.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libGLESv2.dylib +0ms
  electron-osx-sign Signing... /Users/--secret--/Desktop/www/maat/dist/mas-dev/Brief.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libffmpeg.dylib +121ms
  electron-osx-sign Executing... codesign --sign --secret-- --force --options runtime --entitlements /Users/--secret--/Desktop/www/maat/node_modules/app-builder-lib/templates/entitlements.mac.plist /Users/--secret--/Desktop/www/maat/dist/mas-dev/Brief.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libffmpeg.dylib +1ms
  electron-osx-sign Signing... /Users/--secret--/Desktop/www/maat/dist/mas-dev/Brief.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libswiftshader_libEGL.dylib +119ms
  electron-osx-sign Executing... codesign --sign --secret-- --force --options runtime --entitlements /Users/--secret--/Desktop/www/maat/node_modules/app-builder-lib/templates/entitlements.mac.plist /Users/--secret--/Desktop/www/maat/dist/mas-dev/Brief.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libswiftshader_libEGL.dylib +0ms
  electron-osx-sign Signing... /Users/--secret--/Desktop/www/maat/dist/mas-dev/Brief.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libswiftshader_libGLESv2.dylib +91ms
  electron-osx-sign Executing... codesign --sign --secret-- --force --options runtime --entitlements /Users/--secret--/Desktop/www/maat/node_modules/app-builder-lib/templates/entitlements.mac.plist /Users/--secret--/Desktop/www/maat/dist/mas-dev/Brief.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libswiftshader_libGLESv2.dylib +1ms
  electron-osx-sign Signing... /Users/--secret--/Desktop/www/maat/dist/mas-dev/Brief.app/Contents/Frameworks/Electron Framework.framework +133ms
  electron-osx-sign Executing... codesign --sign --secret-- --force --options runtime --entitlements /Users/--secret--/Desktop/www/maat/node_modules/app-builder-lib/templates/entitlements.mac.plist /Users/--secret--/Desktop/www/maat/dist/mas-dev/Brief.app/Contents/Frameworks/Electron Framework.framework +0ms
  electron-osx-sign Signing... /Users/--secret--/Desktop/www/maat/dist/mas-dev/Brief.app/Contents/Library/LoginItems/Brief Login Helper.app/Contents/MacOS/Brief Login Helper +1s
  electron-osx-sign Executing... codesign --sign --secret-- --force --options runtime --entitlements /Users/--secret--/Desktop/www/maat/node_modules/app-builder-lib/templates/entitlements.mac.plist /Users/--secret--/Desktop/www/maat/dist/mas-dev/Brief.app/Contents/Library/LoginItems/Brief Login Helper.app/Contents/MacOS/Brief Login Helper +0ms
  electron-osx-sign Signing... /Users/--secret--/Desktop/www/maat/dist/mas-dev/Brief.app/Contents/Library/LoginItems/Brief Login Helper.app +89ms
  electron-osx-sign Executing... codesign --sign --secret-- --force --options runtime --entitlements /Users/--secret--/Desktop/www/maat/node_modules/app-builder-lib/templates/entitlements.mac.plist /Users/--secret--/Desktop/www/maat/dist/mas-dev/Brief.app/Contents/Library/LoginItems/Brief Login Helper.app +0ms
  electron-osx-sign Signing... /Users/--secret--/Desktop/www/maat/dist/mas-dev/Brief.app/Contents/MacOS/Brief +93ms
  electron-osx-sign Executing... codesign --sign --secret-- --force --options runtime --entitlements /Users/--secret--/Desktop/www/maat/node_modules/app-builder-lib/templates/entitlements.mac.plist /Users/--secret--/Desktop/www/maat/dist/mas-dev/Brief.app/Contents/MacOS/Brief +0ms
  electron-osx-sign Signing... /Users/--secret--/Desktop/www/maat/dist/mas-dev/Brief.app +143ms
  electron-osx-sign Executing... codesign --sign --secret-- --force --options runtime --entitlements /var/folders/d2/s2gd6khn7xx65_836fkv057m0000gn/T/tmp-entitlements-3831-0.plist /Users/--secret--/Desktop/www/maat/dist/mas-dev/Brief.app +0ms
  electron-osx-sign Verifying... +142ms
  electron-osx-sign Verifying application bundle with codesign... +0ms
  electron-osx-sign Executing... codesign --verify --deep --strict --verbose=2 /Users/--secret--/Desktop/www/maat/dist/mas-dev/Brief.app +1ms
  electron-osx-sign Verified. +739ms
  electron-osx-sign Displaying entitlements... +0ms
  electron-osx-sign Executing... codesign --display --entitlements :- /Users/--secret--/Desktop/www/maat/dist/mas-dev/Brief.app +0ms
  electron-osx-sign Entitlements:
 bplist00�

_ com.apple.application-identifier_#com.apple.developer.team-identifier_com.apple.security.app-sandbox_%com.apple.security.application-groups_-com.apple.security.files.downloads.read-write_1com.apple.security.files.user-selected.read-write_!com.apple.security.network.client_1com.apple.security.personal-information.calendars_--secret--.com.gobrief.BriefZ--secret--   �                 <b���3g�������� +33ms
  electron-osx-sign Application signed. +0ms
sethlu commented 5 years ago

@iKBAHT It seems like what you're encountering does look similar to https://github.com/electron/electron-osx-sign/issues/192#issuecomment-526826114

I suspect the issue is due to the entitlements file being in some binary plist format that electron-osx-sign doesn't support yet 🤔 Also, I think electron-builder may have a custom fork of electron-osx-sign with slightly different behavior from what's maintained in this repository.

@develar Do you know where the • map async taskCount=1 logs come from?

nguyen-tam commented 5 years ago

Workaround Add

<key>com.apple.security.app-sandbox</key>
<true/>

to node_modules/app-builder-lib/templates/entitlements.mac.plist

when I did like this, the built app crashes

nguyen-tam commented 5 years ago

For me, the error is gone when I add this to electron builder file, mac section

"entitlementsInherit": "build/entitlements.mas.inherit.plist"

Here is the content of entitlements.mas.inherit.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.inherit</key>
    <true/>
  </dict>
</plist>
abhish3kk commented 4 years ago

My electron app works fine before singing by the script provided here.

However, after signing the app, the app can no longer access the network. Also, if I try to submit the app through Transporter I get this issue

ERROR ITMS-90296: "App sandbox not enabled. The following executables must include the "com.apple.security.app-sandbox" entitlement with a Boolean value of true in the entitlements property list:

Upon checking few comments and troubleshooting for last two days I can confirm that my plists are fine and all of them include

<key>com.apple.security.app-sandbox</key>
<true/>

Also I tried, https://github.com/electron/electron-osx-sign/issues/192#issuecomment-532256196.

My assumption is, after singing in the app, the pkg is losing its entitlements.

Is there something I might be doing wrong?

build script in package.json

"build": {
    "appId": "xxx.xxx.xxxx",
    "productName": "XXX XXX XXX,
    "win": {
      "target": "nsis"
    },
    "mac": {
      "icon": "resources/icon.icns",
      "target": "mas",
      "hardenedRuntime": true,
      "gatekeeperAssess": false,
      "identity": null,
      "category": "public.app-category.business",
      "entitlementsInherit": "build/entitlements.mac.inherit.plist",
      "type": "distribution"
    },
    "mas": {
      "entitlements": "build/entitlements.mac.plist",
      "entitlementsInherit": "build/entitlements.mac.inherit.plist",
      "provisioningProfile": "xxxxxxxxxxxxx.provisionprofile"
    },
    "asar": false
  },

entitlements

CHILD_PLIST="build/entitlements.mac.inherit.plist"

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.inherit</key>
    <true/>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
  </dict>
</plist>

PARENT_PLIST="build/entitlements.mac.plist"

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.application-groups</key>
    <array>
      <string>xxxxxx.xxx.xxxxxxx.xxxxxxx.xxxxxx</string>
    </array>
    <key>com.apple.security.files.user-selected.read-only</key>
    <true/>
    <key>com.apple.security.files.user-selected.read-write</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
    <key>com.apple.security.personal-information.location</key>
    <true/>
    <key>com.apple.security.cs.allow-jit</key>
    <true/>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
    <true/>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
  </dict>
</plist>

LOGINHELPER_PLIST="entitlements.mas.loginhelper.plist"

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
  </dict>
</plist>

Packages used:

"electron": "^7.1.7",
 "electron-builder": "^22.2.0",
"electron-packager": "^14.1.1",
ahmadwaliesipick commented 4 years ago

My electron app works fine before singing by the script provided here.

However, after signing the app, the app can no longer access the network. Also, if I try to submit the app through Transporter I get this issue

ERROR ITMS-90296: "App sandbox not enabled. The following executables must include the "com.apple.security.app-sandbox" entitlement with a Boolean value of true in the entitlements property list:

Upon checking few comments and troubleshooting for last two days I can confirm that my plists are fine and all of them include

<key>com.apple.security.app-sandbox</key>
<true/>

Also I tried, #192 (comment).

My assumption is, after singing in the app, the pkg is losing its entitlements.

Is there something I might be doing wrong?

build script in package.json

"build": {
    "appId": "xxx.xxx.xxxx",
    "productName": "XXX XXX XXX,
    "win": {
      "target": "nsis"
    },
    "mac": {
      "icon": "resources/icon.icns",
      "target": "mas",
      "hardenedRuntime": true,
      "gatekeeperAssess": false,
      "identity": null,
      "category": "public.app-category.business",
      "entitlementsInherit": "build/entitlements.mac.inherit.plist",
      "type": "distribution"
    },
    "mas": {
      "entitlements": "build/entitlements.mac.plist",
      "entitlementsInherit": "build/entitlements.mac.inherit.plist",
      "provisioningProfile": "xxxxxxxxxxxxx.provisionprofile"
    },
    "asar": false
  },

entitlements

CHILD_PLIST="build/entitlements.mac.inherit.plist"

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.inherit</key>
    <true/>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
  </dict>
</plist>

PARENT_PLIST="build/entitlements.mac.plist"

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.application-groups</key>
    <array>
      <string>xxxxxx.xxx.xxxxxxx.xxxxxxx.xxxxxx</string>
    </array>
    <key>com.apple.security.files.user-selected.read-only</key>
    <true/>
    <key>com.apple.security.files.user-selected.read-write</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
    <key>com.apple.security.personal-information.location</key>
    <true/>
    <key>com.apple.security.cs.allow-jit</key>
    <true/>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
    <true/>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
  </dict>
</plist>

LOGINHELPER_PLIST="entitlements.mas.loginhelper.plist"

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
  </dict>
</plist>

Packages used:

"electron": "^7.1.7",
 "electron-builder": "^22.2.0",
"electron-packager": "^14.1.1",

I have same issue anyone has resolved this issue?

mahnunchik commented 4 years ago

It seems it is related https://github.com/electron/electron-osx-sign/issues/223

chetan1406 commented 4 years ago

@sethlu can you please help me on this ?

ERROR ITMS-90296: "App sandbox not enabled. The following executables must include the "com.apple.security.app-sandbox" entitlement with a Boolean value of true in the entitlements property list: [( "Contents/Frameworks/Electron Framework.framework/Versions/A/Helpers/chrome_crashpad_handler" )] Refer to App Sandbox page at https://developer.apple.com/documentation/security/app_sandbox for more information on sandboxing your app."

arslankaleem7229 commented 2 years ago

Workaround Add

<key>com.apple.security.app-sandbox</key>
<true/>

to node_modules/app-builder-lib/templates/entitlements.mac.plist

Didn't work for me

chetan1406 commented 2 years ago

hello

 need to do many changes

On Wed, 27 Jul 2022 at 00:45, Arslan Kaleem @.***> wrote:

Workaround Add

com.apple.security.app-sandbox

to node_modules/app-builder-lib/templates/entitlements.mac.plist

Didn't work for me

— Reply to this email directly, view it on GitHub https://github.com/electron/osx-sign/issues/192#issuecomment-1195881003, or unsubscribe https://github.com/notifications/unsubscribe-auth/ADSMYKX7KRW4NL4ORBSNGW3VWA2NXANCNFSM4HJWZCSA . You are receiving this because you commented.Message ID: @.***>

arslankaleem7229 commented 2 years ago

hello need to do many changes On Wed, 27 Jul 2022 at 00:45, Arslan Kaleem @.> wrote: Workaround Add com.apple.security.app-sandbox to node_modules/app-builder-lib/templates/entitlements.mac.plist Didn't work for me — Reply to this email directly, view it on GitHub <#192 (comment)>, or unsubscribe https://github.com/notifications/unsubscribe-auth/ADSMYKX7KRW4NL4ORBSNGW3VWA2NXANCNFSM4HJWZCSA . You are receiving this because you commented.Message ID: @.>

can you please mention them. ???? I am getting this error for sandbox

App sandbox not enabled. The following executables must include the "com.apple.security.app-sandbox" entitlement with a boolean value of true in the entitlement property list ......
pedrumgolriz commented 2 years ago

@chetan1406 @arslankaleem7229 any luck? Still getting this on a ton of the libraries. I also feel like the pkg is losing all entitlements during the osx-flat commands

10n37 commented 9 months ago

Hi. I'm using electron-builder and running into similliar issue.

In my case the solution is to manually set path to entitlements.plist in electron-builder config even if they already in the path recommended by electron-builder documentation

const builderConfig: builder.Configuration = {
  // your config...
  mac: {
    entitlements: 'build/entitlements.mac.plist',
    entitlementsInherit: 'build/entitlements.mac.plist',
  }, 
  mas: {
    entitlements: 'build/entitlements.mas.plist',
    entitlementsInherit: 'build/entitlements.mas.inherit.plist',
  },
}

I took the permission configurations for MAS from here: https://github.com/electron/osx-sign/tree/main/entitlements