electron / osx-sign

Codesign Electron macOS apps
BSD 2-Clause "Simplified" License

Gatekeeper assessment no longer valid on mac 10.14.5 #196

Closed Kilian closed 2 years ago

Kilian commented 5 years ago

The following check is no longer valid on mac 10.14.5, because an unnotarized developer id is now an error: https://github.com/electron-userland/electron-osx-sign/blob/04e6b976e4289d01c7bcaf5f5fb67ac214219c17/sign.js#L108-L115

Running this gives the following breaking output:

Error: Command failed: spctl --assess --type execute --verbose --ignore-cache --no-cache /Users/kilian/workspace/personal/polypane/polypane/release/mac/Polypane.app
/Users/kilian/workspace/personal/polypane/polypane/release/mac/Polypane.app: rejected
source=Unnotarized Developer ID

This prevents electron-osx-sign from working on 10.14.5. You can circumvent it by commenting out the check above in node_modules and it will sign the app correctly.

Workaround: a quick workaround is to pass --no-gatekeeper-assess to electron-osx-sign, or provide 'gatekeeper-assess': false in the programmatic API.

wagslane commented 5 years ago

@Kilian Where does one put

--no-gatekeeper-assess 

or

'gatekeeper-assess': false 

as an electron-builder user?

martani commented 5 years ago

I think the proper fix for this is to run the Gatekeeper assessment after the afterSign hook is run (which @Kilian fixed in https://github.com/electron-userland/electron-builder/pull/3912#issue-280767311). Doing so will allow users to notarize the app after it gets signed but before the gatekeeper assessment runs.

As I reported in (https://github.com/electron-userland/electron-builder/issues/3828#issuecomment-495860811), the execute assessment is successful for notarized apps on macOS 10.15.5:

spctl --assess --type execute --context context:primary-signature -v my_app.app
my_app.app: accepted
source=Notarized Developer ID

Kilian commented 5 years ago

@lane-c-wagner I don't think that's currently possible, but I'm going to open a PR for that.

@martani the electron-osx-sign package doesn't (and shouldn't) know about notarization, all the check should care about is if the source contains the text "Developer ID" (as opposed to "no usable signature"), since this indicates the app got signed.

dapperdandev commented 5 years ago

Is this what's causing the 'Appname is damaged and can't be opened' error with additional info that reads 'The app has been modified, and its code does not match the original signed code...'?

It does seem to go away by adding 'gatekeeper-assess': false

export const signerOptions = {
    identity: 'Developer ID Application',
    keychain: '/Users/user/Library/Keychains/mykeychain.keychain-db',
    verbose: true,
    // Temporary: https://github.com/electron-userland/electron-osx-sign/issues/196
    'gatekeeper-assess': false
};

flaushi commented 5 years ago

Where can I set this option? I just have a package.json looking like:

Edit: Nah, just the documentation is completely missing. Since 20.43.0, you can have the option "gatekeeperAssess": false inside the mac key...

"build": {
    "asar": true,
    "appId": "de.xxx.datatool",
    "files": [
      "build/**/*",
      "package.json"
    ],
    "mac": {
      "category": "public.app-category.developer-tools",
      "icon": "icons/mac/icon.icns",
      "gatekeeperAssess" : false,
      "publish": {
        "provider": "s3",
        "bucket": "xxx"
      }
    },

mahnunchik commented 4 years ago

I think gatekeeper-assess should be false by default.