Closed Kilian closed 2 years ago
@Kilian Where does one put --no-gatekeeper-assess or 'gatekeeper-assess': false as an electron-builder user?
I think the proper fix for this is to run the Gatekeeper assessment after the afterSign hook is run (which @Kilian fixed in https://github.com/electron-userland/electron-builder/pull/3912#issue-280767311). Doing so will allow users to notarize the app after it gets signed but before the gatekeeper assessment runs.
As I reported in https://github.com/electron-userland/electron-builder/issues/3828#issuecomment-495860811, the execute assessment is successful for notarized apps on macOS 10.15.5:
spctl --assess --type execute --context context:primary-signature -v my_app.app
my_app.app: accepted source=Notarized Developer ID
@lane-c-wagner I don't think that's currently possible, but I'm going to open a PR for that.
@martani the electron-osx-sign package doesn't (and shouldn't) know about notarization; all the check should care about is if the source contains the text "Developer ID" (as opposed to "no usable signature"), since this indicates the app got signed.
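As an added example (not electron-osx-sign's own code), here is the relaxed check described above, applied to the output of spctl --assess --type execute --context context:primary-signature -v: it treats any "Developer ID" source as signed, reports notarization separately, and keeps the raw verdict so a caller can see the "rejected" that 10.14.5+ gives unnotarized apps. The spctl output strings are constructed samples.

```javascript
// Constructed spctl output samples, shaped like the command's verbose output.
const SPCTL_OUTPUT = {
  notarized: 'my_app.app: accepted\nsource=Notarized Developer ID\n',
  unnotarized: 'my_app.app: rejected\nsource=Unnotarized Developer ID\n',
  unsigned: 'my_app.app: rejected\nsource=no usable signature\n',
  garbage: 'spctl: unrecognized option\n',
};

// Pull the verdict ("accepted"/"rejected") and the source= field out of
// spctl's text; either may be missing if the tool failed outright.
function parseSpctlOutput(output) {
  const verdict = /:\s*(accepted|rejected)\b/.exec(output);
  const source = /^source=(.+)$/m.exec(output);
  return {
    verdict: verdict ? verdict[1] : null,
    source: source ? source[1].trim() : null,
  };
}

// Signature check in the spirit of the thread: the bundle counts as signed
// when the source names a Developer ID. Notarization is a separate flag so a
// later step (e.g. an afterSign hook) can decide what to do about it, and the
// raw verdict is passed through instead of being turned into a hard failure.
function assessSignature(output) {
  const { verdict, source } = parseSpctlOutput(output);
  const fail = (reason) => ({ signed: false, notarized: false, verdict, reason });
  if (source === null) {
    return fail('no source= line in spctl output');
  }
  if (source.includes('no usable signature')) {
    return fail('bundle is not signed');
  }
  if (!source.includes('Developer ID')) {
    return fail(`unexpected source: ${source}`);
  }
  return {
    signed: true,
    notarized: source.startsWith('Notarized'),
    verdict,
    reason: null,
  };
}

for (const [name, out] of Object.entries(SPCTL_OUTPUT)) {
  console.log(name, assessSignature(out));
}
```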
Is this what's causing the 'Appname is damaged and can't be opened' error with additional info that reads 'The app has been modified, and its code does not match the original signed code...'?
It does seem to go away by adding 'gatekeeper-assess': false:
export const signerOptions = {
  identity: 'Developer ID Application',
  keychain: '/Users/user/Library/Keychains/mykeychain.keychain-db',
  verbose: true,
  // Temporary: https://github.com/electron-userland/electron-osx-sign/issues/196
  'gatekeeper-assess': false
};
Where can I set this option? I just have a package.json looking like:
Edit: Nah, just the documentation is completely missing. Since 20.43.0, you can have the option "gatekeeperAssess": false inside the mac key...
"build": {
  "asar": true,
  "appId": "de.xxx.datatool",
  "files": [
    "build/**/*",
    "package.json"
  ],
  "mac": {
    "category": "public.app-category.developer-tools",
    "icon": "icons/mac/icon.icns",
    "gatekeeperAssess": false,
    "publish": {
      "provider": "s3",
      "bucket": "xxx"
    }
  }
}
I think gatekeeper-assess should be false by default.
The following check is no longer valid on mac 10.14.5, because an unnotarized developer id is now an error: https://github.com/electron-userland/electron-osx-sign/blob/04e6b976e4289d01c7bcaf5f5fb67ac214219c17/sign.js#L108-L115
Running this gives the following breaking output:
This prevents electron-osx-sign from working on 10.14.5. You can circumvent it by commenting out the check above in node_modules and it will sign the app correctly.
Workaround
A quick workaround is to put --no-gatekeeper-assess for electron-osx-sign, or provide 'gatekeeper-assess': false in the programmable API.