Signature verification fails when a signed bundle is included

[gzdunek]

In our app bundle (Teleport Connect.app) we include another bundle (tsh.app) that is already signed. This included bundle is passed to x64ArchFiles and to signIgnore in electron-builder.

When trying to create a universal build the following error is thrown:

failed: codesign --verify --deep --strict --verbose=2 /packages/teleterm/build/release/mac-universal/Teleport Connect.app
/packages/teleterm/build/release/mac-universal/Teleport Connect.app: invalid Info.plist (plist or signature have been modified)
In subcomponent: /packages/teleterm/build/release/mac-universal/Teleport Connect.app/Contents/MacOS/tsh.app
In architecture: x86_64

It says that signature verification failed for the tsh.app. That happed because @electron/universal modified its Info.plist file, adding ElectronAsarIntegrity key.

My workaround is to copy the original tsh.app Info.plist file from x64 build and overwrite the one in a universal build:

let tshAppPlist;
afterPack: packed => {
    const path = `${packed.appOutDir}/Teleport Connect.app/Contents/MacOS/tsh.app/Contents/Info.plist`;
    if (packed.appOutDir.endsWith('mac-universal--x64')) {
      tshAppPlist = fs.readFileSync(path);
    }
    if (packed.appOutDir.endsWith('mac-universal')) {
      fs.writeFileSync(path, tshAppPlist);
    }
  },

Would it be possible to prevent @electron/universal from modifying the Info.plist file so that it doesn't break already signed bundle?

Possibly a related issue https://github.com/electron/universal/issues/40.

[continuous-auth[bot]]

:tada: This issue has been resolved in version 1.4.0 :tada:

The release is available on:

• npm package (@latest dist-tag)
• GitHub release

Your semantic-release bot :package::rocket: