search

electron / universal

Create Universal macOS applications from two x64 and arm64 Electron applications
MIT License
112 stars 43 forks source link

Codesign fail after universal #40

Closed StephenKe closed 2 months ago

StephenKe commented 2 years ago

Modified Plist lead to fail when use electron-osx-sign to Codesign universal app: invalid Info.plist (plist or signature have been modified)

Error: Command failed: codesign --verify --deep --verbose=2 ./bst3.app
--prepared:/universal/bst3.app/Contents/Frameworks/bst3 Helper (Renderer).app
--validated:/universal/bst3.app/Contents/Frameworks/bst3 Helper (Renderer).app
--prepared:/universal/bst3.app/Contents/Frameworks/zAutoUpdate.bundle
--validated:/universal/bst3.app/Contents/Frameworks/zAutoUpdate.bundle
--prepared:/universal/bst3.app/Contents/Frameworks/bst3 Helper (Plugin).app
--validated:/universal/bst3.app/Contents/Frameworks/bst3 Helper (Plugin).app
--prepared:/universal/bst3.app/Contents/Frameworks/protobuf.framework/Versions/Current/.
--validated:/universal/bst3.app/Contents/Frameworks/protobuf.framework/Versions/Current/.
--prepared:/universal/bst3.app/Contents/Frameworks/viperex.bundle
--validated:/universal/bst3.app/Contents/Frameworks/viperex.bundle
./bst3.app: invalid Info.plist (plist or signature have been modified)
In subcomponent: /universal/bst3.app/Contents/Frameworks/zSDKRes.bundle

    at ChildProcess.exithandler (child_process.js:303:12)
    at ChildProcess.emit (events.js:315:20)
    at maybeClose (internal/child_process.js:1021:16)
    at Process.ChildProcess._handle.onexit (internal/child_process.js:286:5) {
  killed: false,
  code: 1,
  signal: null,
  cmd: 'codesign --verify --deep --verbose=2 ./bst3.app'
}

After I removed the following code.It worked.

        const plistFiles = x64Files.filter((f) => f.type === file_utils_1.AppFileType.INFO_PLIST);
        for (const plistFile of plistFiles) {
            const x64PlistPath = path.resolve(opts.x64AppPath, plistFile.relativePath);
            const arm64PlistPath = path.resolve(opts.arm64AppPath, plistFile.relativePath);
            const _a = plist.parse(await fs.readFile(x64PlistPath, 'utf8')), { ElectronAsarIntegrity: x64Integrity } = _a, x64Plist = __rest(_a, ["ElectronAsarIntegrity"]);
            const _b = plist.parse(await fs.readFile(arm64PlistPath, 'utf8')), { ElectronAsarIntegrity: arm64Integrity } = _b, arm64Plist = __rest(_b, ["ElectronAsarIntegrity"]);
            if (JSON.stringify(x64Plist) !== JSON.stringify(arm64Plist)) {
                throw new Error(`Expected all Info.plist files to be identical when ignoring integrity when creating a universal build but "${plistFile.relativePath}" was not`);
            }
            const mergedPlist = Object.assign(Object.assign({}, x64Plist), { ElectronAsarIntegrity: generatedIntegrity });
            await fs.writeFile(path.resolve(tmpApp, plistFile.relativePath), plist.build(mergedPlist));
        }
indutny-signal commented 2 years ago

Do you sign the x64/arm64 bundles before merging them?

StephenKe commented 2 years ago

Do you sign the x64/arm64 bundles before merging them?

Yes.My x64/arm64 app build on electron-builder and it can not skip codesign.

indutny-signal commented 2 years ago

Usually electron-builder builds two separate copies of x64/arm64 builds before merging them and they are not signed unlike regular arm64/x64 builds.

StephenKe commented 2 years ago

Em...My project includes both electron-builder and @electron-universal.Have any good idea to universal app after electron-builder builded?(respect~)

indutny-signal commented 2 years ago

We just use universal arch here: https://github.com/signalapp/Signal-Desktop/blob/development/package.json#L339-L341

StephenKe commented 2 years ago

I tried and it went wrong: We use zoom-electron-sdk + elelctron@11.0.1 + node@12.18.0. universal arch can not match zoom-electron-sdk due to elelctron@11.0.1 have no --arch=universal.So I use electron-builder to build x64/arm64 on electron@11.0.1 --arch=x64/arm64.And use @electron-universal to universal x64/arm64 manually.

indutny-signal commented 2 years ago

Ah, interesting. So you build two separate builds and then merge them with the help of universal. In this case, you should try merging them before signing and sign the universal binary separately.

StephenKe commented 2 years ago

'you should try merging them before signing'. That's the problem: It seems like electron-builder not provided a configuration to skip signing process.

indutny-signal commented 2 years ago

I see. I suggest we move over to electron-builder issues with regards to this. There has to be a way to avoid signing in such situations, but surely it has nothing to do with @electron/universal!

StephenKe commented 2 years ago

I see. I suggest we move over to electron-builder issues with regards to this. There has to be a way to avoid signing in such situations, but surely it has nothing to do with @electron/universal!

Good idea ^ 0 ^ Already submit an issue to electron-builder.

StephenKe commented 2 years ago

I make it work like this:

  1. electron-builder build x64/arm64
  2. remove x64/arm64 all _CodeSignature/CodeResources in Contents/**
  3. remove mergedPlist code in electron-universal
  4. add code in electron-universal Don’t lipo binaries that are already a universal file or the same arch.Don’t lipo binaries add zoom-electron-sdk relevant file.
  5. run electron-universal and it work
StephenKe commented 2 years ago

If it possible that electron-universal remove _CodeSignature before merge? @indutny-signal

erickzhao commented 2 months ago

Should be closed in #72