Mac App Store

[ghost]

Hello, I've been looking at all the info available here, downloaded zip files with instructions and everything else shown here ( https://github.com/nwjs/nw.js/issues/936 ), And I'm unable to submit my app, I can create the pkg and everything but when I run macstore_sign.sh I get this:

==Validating code signature and subsequent resources==
signed/Kiwi Music Player.app/Contents/Frameworks/node-webkit Helper.app: rejected
origin=Mac Developer: Cedrik (84EQU97N)
signed/Kiwi Music Player.app/Contents/Frameworks/node-webkit Helper EH.app: rejected
origin=Mac Developer: Cedrik (84EQU97N)
signed/Kiwi Music Player.app/Contents/Frameworks/node-webkit Helper NP.app: rejected
origin=Mac Developer: Cedrik (84EQU97N)
signed/Kiwi Music Player.app: rejected
origin=Mac Developer: Cedrik (84EQU97N)

Note: I've removed some characters to the ID shown here, this is the only difference of the results I get. So as you can see all the helpers are rejected while using the entitlements signing tool.

Then when I create the .pkg file and try to upload it via Application Loader I get the following errors:

Package Summary:

1 package(s) were not uploaded because they had problems:
    /var/folders/n0/mgn36nxn56xbqgdy8v4l63z80000gp/T/DE51CC86-A883-4FF4-A6C6-100523573CF1/977736922.itmsp - Error Messages:
        ERROR ITMS-90261: "Bad CFBundleExecutable. Cannot find executable file that matches the value of CFBundleExecutable in the nested bundle Kiwi Music Player [com.studioquipo.kiwimusicplayer.pkg/Payload/Kiwi Music Player.app/Contents/Resources/app.nw] property list file."
        ERROR ITMS-90334: "Bundle identifier mismatch. The executable at node-webkit Helper EH in Kiwi Music Player.app/Contents/Frameworks/node-webkit Helper EH.app has been signed with identifier 'com.studioquipo.kiwimusicplayer' which does not match the bundle identifier 'com.intel.nw.helper.EH'."
        ERROR ITMS-90334: "Bundle identifier mismatch. The executable at node-webkit Helper NP in Kiwi Music Player.app/Contents/Frameworks/node-webkit Helper NP.app has been signed with identifier 'com.studioquipo.kiwimusicplayer' which does not match the bundle identifier 'com.intel.nw.helper.NP'."
        ERROR ITMS-90334: "Bundle identifier mismatch. The executable at node-webkit Helper in Kiwi Music Player.app/Contents/Frameworks/node-webkit Helper.app has been signed with identifier 'com.studioquipo.kiwimusicplayer' which does not match the bundle identifier 'com.intel.nw.helper'."

Is there a fix for this or a way to bypass this problem? I'm already a mac developer verified and this will be my first app that I submit to the Mac Store.

Thank you for your time and help.

[alexeyst]

@Cedriking I was able to submit an NW app to Mac App Store, and that involved fixing many different issues including patching and rebuilding NW (I used node-webkit v. 0.11.5) as well as tweaking the configuration.

Let me answer the issues one by one.

1. Regarding the rejected validation—that's fine; the validator won't accept it until it also has the MAS receipt added by Apple once your app gets to App Store, but that will be okay; you can ignore the warning and still get the app submitted to the App Store just fine.
2. Regarding the bundle identifiers, you have to change them within the helper apps to a single value that matches your bundle ID that you're signing with (that is, com.studioquipo.kiwimusicplayer in your case); so within each of the plist, in your app and all helper apps, ensure that the bundle ID is the same, and equals to the one you're signing the app with.

Now, even if this is done correctly, you will not be able to submit to the App Store right away... There's more to be done with this regard, please see below.

1. NW uses QTKit, which is not accepted by Apple anymore; there was a pull request here that suggested the change, however for some reason it wasn't accepted by @rogerwang. I am still hoping this can be introduced into NW in the future, but the best person to respond to this will definitely be @rogerwang.
2. Until NW introduces App Store support, I've posted a patch based on @trevorlinton's original work on older node-webkit versions, adapted to fairly recent v0.11.5 of node-webkit and a v0.11.5 build that can be (and already was!) successfully submitted to App Store, you can find it here on GitHub. If you happen to rebuild NW 0.12 with the patch, please feel free to suggest a pull request with that binary for everyone else, or you can use the 0.11.5 I built previously.
3. Given the nature of the workarounds in the patch, you cannot use a long bundle ID for the app as you do here com.studioquipo.kiwimusicplayer. Instead, try a very short name, like com.qpo.kiwi, otherwise it won't work when sandboxed.
4. Ensure that the entitlements include sandboxing, and that the bundle ID for each of the apps is the same, see this issue for more details.

I hope this helps!

[ghost]

@alexeyst Wow, thank for your message and taking the time to explain everything! Really! Tomorrow I will try everything and hope it will work fine, have a great night!

[alexeyst]

Great, fingers crossed!

[Taytay]

@alexeyst : Thanks for taking the time to write all of this up!

[xuanhun]

Thanks!

[siuying]

@alexeyst thanks, this is very helpful and informative.

[rogerwang]

@alexeyst We'd like to support this. Could you please point me to your pull requests? Last time some PRs were closed by github when we rename the branches, see https://groups.google.com/d/msg/nwjs-general/NY5aYvC-r8s/r_zvltcYJK4J

[ghost]

Hello, I've tried everything out and it didnt work, I still receive error messages about the sandbox, I'm currently using this file to sign apps and add the entitlements:

#!/bin/sh
echo
echo "True Interactions (Tint) and node-webkit Mac App Store / Entitlements Signing Tool."
echo "NOTE: THIS SIGNING TOOL IS INTENDED ONLY FOR APPLICATIONS TO BE SUBMITTED TO"
echo "THE MAC APP STORE OR THAT NEED ENTITLEMENTS. IF YOU DO NOT PLAN ON USING EITHER"
echo "USE THE DEFAULT SIGNING UTILITY."
echo "www.trueinteractions.com"
echo
if [ -z "$5" ]
then
    echo "Usage: sign.sh application_file_path application_name bundle_id identity out_directory"
    echo "  application_file_name \t The full path to the application to sign, original is not modified"
    echo "  application_name \t\t The full application name (with spaces if needed), do not include .app extention"
    echo "  bundle_id \t\t\t The bundle identifier used in the Info.plist, it must be unique for helpers and the app"
    echo "  identity \t\t\t The identity to sign the application with (a valid list of id's is printed out later)"
    echo "  out_directory \t\t The directory to place the signed application at"
    echo ""
    echo "If you do not know your identity pick the most appropriate one from the list below, the valid identities"
    echo "installed on your /Applications/Utilities/Keychain Access.app are:"
    echo
    security -q find-identity -p codesigning -v
    echo
    echo "Tip: your identity is the alpha-numeric, usually 10 character long string contained between parenthesis."
    echo "Note that entitlements for the Mac App Store will be applied, this will sandbox the application and may"
    echo "in certain circumstances cause new errors if your application plays outside of Mac App Stores rules."
    echo
    exit 1;
fi

export SOURCE=$1
export NAME=$2
export IDENTITY=$4
export BUNDLEID=$3
export OUTDIRECTORY=$5
export ENTITLEMENTS_PARENT='<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
    <key>com.apple.security.network.server</key>
    <true/>
    <key>com.apple.security.personal-information.location</key>
    <true/>
    <key>com.apple.security.print</key>
    <true/>
    <key>com.apple.security.temporary-exception.files.absolute-path.read-write</key>
    <array>
        <string>/private/tmp/</string>
        <string>/private/var/tmp/</string>
        <string>/private/var/folders/ml/</string>
    </array>
</dict>
</plist>
'
export ENTITLEMENTS_CHILD='<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.inherit</key>
    <true/>
</dict>
</plist>
'

echo "$ENTITLEMENTS_PARENT" > /tmp/entitlements.parent
echo "$ENTITLEMENTS_CHILD" > /tmp/entitlements.child

# copy your app to this folder.
rm -rf $OUTDIRECTORY/$NAME.app
cp -p -a $SOURCE $OUTDIRECTORY/$NAME.app

echo "==Signing Code=="
codesign --deep -s $IDENTITY -i $BUNDLEID --entitlements /tmp/entitlements.child "$OUTDIRECTORY/$NAME.app/Contents/Frameworks/node-webkit Helper.app"
codesign --deep -s $IDENTITY -i $BUNDLEID --entitlements /tmp/entitlements.child "$OUTDIRECTORY/$NAME.app/Contents/Frameworks/node-webkit Helper EH.app"
codesign --deep -s $IDENTITY -i $BUNDLEID --entitlements /tmp/entitlements.child "$OUTDIRECTORY/$NAME.app/Contents/Frameworks/node-webkit Helper NP.app"
codesign --deep -s $IDENTITY -i $BUNDLEID --entitlements /tmp/entitlements.parent "$OUTDIRECTORY/$NAME.app"

# validate entitlements
echo "==Validating entitlements and Mac App Store needs=="
codesign -dvvv --entitlements :- "$OUTDIRECTORY/$NAME.app/Contents/Frameworks/node-webkit Helper.app/Contents/MacOS/node-webkit Helper"
codesign -dvvv --entitlements :- "$OUTDIRECTORY/$NAME.app/Contents/Frameworks/node-webkit Helper EH.app/Contents/MacOS/node-webkit Helper EH"
codesign -dvvv --entitlements :- "$OUTDIRECTORY/$NAME.app/Contents/Frameworks/node-webkit Helper NP.app/Contents/MacOS/node-webkit Helper NP"
codesign -dvvv --entitlements :- "$OUTDIRECTORY/$NAME.app/Contents/MacOS/node-webkit"

# validate code signatures
echo "==Validating code signature and subsequent resources=="
spctl --assess -vvvv "$OUTDIRECTORY/$NAME.app/Contents/Frameworks/node-webkit Helper.app"
spctl --assess -vvvv "$OUTDIRECTORY/$NAME.app/Contents/Frameworks/node-webkit Helper EH.app"
spctl --assess -vvvv "$OUTDIRECTORY/$NAME.app/Contents/Frameworks/node-webkit Helper NP.app"
spctl --assess -vvvv "$OUTDIRECTORY/$NAME.app"

Maybe the problem is this file? Because I used the node-webkit-macappstore that @alexeyst provided as I'm currently usign nw 0.11.5, also tested the pkg file I created and I was able to install it from the command line.

This is my command line codes I send:

codesign -s "3rd Party Mac Developer Application: Studio Quipo inc. (CFUXHRHK)" --deep "Kiwi Music Player.app"

sh macstore_sign.sh "Kiwi Music Player.app" "Kiwi Music Player" com.qpo.kiwi "3rd Party Mac Developer Application: Studio Quipo inc. (CFUXHRHK)" kiwisigned

productbuild --component "Kiwi Music Player.app" /Applications  --sign "3rd Party Mac Developer Installer: Studio Quipo inc. (CFUXHRHK)" KiwiMusicPlayer.pkg

Thank's again for your help and time.

[alexeyst]

Hello @Cedriking

Could you please let me know what the error says? You could see it in the Console app on your Mac.

I have reviewed the macstore_sign.sh file you're using and it is nearly exactly similar to what I'm using for my app here. Here are a few differences in the process, though:

• you're first using codesign -s and later execute the shell script; you should omit the first part and once the clean application is built you can proceed directly with the ./macstore_sign.sh
• you should be sure to only request entitlements that your app really needs; printing, access to temp files, location, etc.—this shouldn't affect the build process now, but may likely result in a rejection if your app doesn't need extra permissions.

[alexeyst]

I'm really glad that Mac App Store issue gains a lot of attention, thanks everyone for your feedback!

@rogerwang: it actually wasn't my pull request; it was a pull request by @trevorlinton that was open for a long time, but then closed. Here's the PR in question.

Now, this was done for an older version of Chromium and node-webkit, so my patch in here was based on this work but introduced more changes to support successful Mac App Store submission.

However, it is important to note that my patch only solves the submission problem, and as I don't have a complete development environment around Chromium I did not run its tests on this; more to that end, the patch disables certain parts of Chromium restricted by Apple rather than re-implementing them, so I guess you as an owner/maintainer of this could make a decision of what is the best way to incorporate this.

Lastly, there's another complication in the process—every time NW starts using new Chromium, a respective change should be made until Chromium project stops using QTKit and other blocked private APIs in the first place.

So, IMHO, setting up a special build for Mac App Store would be of a great value. I will be happy to test that build on my app and ensure successful submission, if you'd be willing to setup one.

This would be really very helpful, as so far the need of custom-building the NW executable and update / rebase the patch every time makes the adoption of NW's updates for Mac App Store users much more complicated. So, @rogerwang, thank you very much for your attention to this issue, and I hope it can be solved one day!

[alexeyst]

@rogerwang: here's also an open feature request, which encompasses the changes and discussion about this matter: https://github.com/nwjs/nw.js/issues/1755.

• Still open Pull Request to NW: https://github.com/nwjs/nw.js/pull/2213.
• Already closed Pull Request to Chromium to compliment the changes: https://github.com/nwjs/chromium.src/pull/17

@xueeinstein: I saw that you are now assigned to this, so I am happy to help or discuss this further as necessary.

[ghost]

Hello @alexeyst and thanks for your fast reply, I forgot to add the error I receive, here is it:

Package Summary:

1 package(s) were not uploaded because they had problems:
/var/folders/n0/mgn36nxn56xbqgdy8v4l63z80000gp/T/BE9049EE-08E7-400B-8882-DC6E7C668FF1/977736922.itmsp - Error Messages:
ERROR ITMS-90296: "App sandbox not enabled. The following executables must include the "com.apple.security.app-sandbox" entitlement with a Boolean value of true in the entitlements property list: [( "com.qpo.kiwi.pkg/Payload/Kiwi Music Player.app/Contents/Frameworks/crash_inspector", "com.qpo.kiwi.pkg/Payload/Kiwi Music Player.app/Contents/Frameworks/node-webkit Helper EH.app/Contents/MacOS/node-webkit Helper EH", "com.qpo.kiwi.pkg/Payload/Kiwi Music Player.app/Contents/Frameworks/node-webkit Helper NP.app/Contents/MacOS/node-webkit Helper NP", "com.qpo.kiwi.pkg/Payload/Kiwi Music Player.app/Contents/Frameworks/node-webkit Helper.app/Contents/MacOS/node-webkit Helper", "com.qpo.kiwi.pkg/Payload/Kiwi Music Player.app/Contents/MacOS/node-webkit" )] Refer to App Sandbox page at https://developer.apple.com/devcenter/mac/app-sandbox/ for more information on sandboxing your app."
ERROR ITMS-90258: "This bundle is invalid. The value for key CFBundleShortVersionString '38.0.2125.104' in the Info.plist file must be a period-separated list of at most three non-negative integers."
ERROR ITMS-90261: "Bad CFBundleExecutable. Cannot find executable file that matches the value of CFBundleExecutable in the nested bundle Kiwi Music Player [com.qpo.kiwi.pkg/Payload/Kiwi Music Player.app/Contents/Resources/app.nw] property list file."

It's still talking about the sandbox but I used that sh file to sandbox the app, also that error about app.nw I dont understand whats the problem with app.nw theres not much I can do there, or there is?

Thanks a lot :+1:

[alexeyst]

Hey @Cedriking

OK, so here's what you could do about each of the issues:

• "App sandbox not enabled" Here you have to make sure that each executable has the right signature and is indeed sandboxed prior to posting; are you sure there's no issue with each of the codesign runs while you're executing the macstore_sign.sh? Are you also sure that you're executing the signing script on a clean, previously unsigned bundle, and not using any other codesign attempts before?
• "This bundle is invalid" That one is simple, you need to change the version to something like 1.0.0 to be successfully submitted to App Store; and increment that every time you're releasing an update.
• "Bad CFBundleExecutable" Here you're packaging all of your resources into a zip file called app.nw, and it mistakenly treats it as an executable, which is missing the required plist information; to fix this, create an ordinary (that is, not zipped) app.nw folder where you'll store your resources; this will let you avoid the error; after all, you will still have one single *.app file so it should be okay.

Now also a few other things to note:

• You could try deleting the crash_inspector to check if that helps; you need to ensure that the Helper apps are signed and that respective codesign calls are executed correctly.
• If you have other native modules like *.so, *.node built with nw-gyp or anything else—you'll have to sign those too.

Here's how I modified the script in this part (see the first line with the extra module that I have):

codesign --deep -s $IDENTITY -i $BUNDLEID --entitlements /tmp/entitlements.child "$OUTDIRECTORY/$NAME.app/Contents/Resources/app.nw/node_modules/printer/build/Release/node_printer.node"
codesign --deep -s $IDENTITY -i $BUNDLEID --entitlements /tmp/entitlements.child "$OUTDIRECTORY/$NAME.app/Contents/Frameworks/node-webkit Helper.app"
codesign --deep -s $IDENTITY -i $BUNDLEID --entitlements /tmp/entitlements.child "$OUTDIRECTORY/$NAME.app/Contents/Frameworks/node-webkit Helper EH.app"
codesign --deep -s $IDENTITY -i $BUNDLEID --entitlements /tmp/entitlements.child "$OUTDIRECTORY/$NAME.app/Contents/Frameworks/node-webkit Helper NP.app"
codesign --deep -s $IDENTITY -i $BUNDLEID --entitlements /tmp/entitlements.parent "$OUTDIRECTORY/$NAME.app"

[ghost]

Hello @alexeyst, we are close!

ERROR ITMS-90261: "Bad CFBundleExecutable. Cannot find executable file that matches the value of CFBundleExecutable in the nested bundle Kiwi Music Player [com.qpo.kiwi.pkg/Payload/Kiwi Music Player.app/Contents/Resources/app.nw] property list file."

This is the only error I have now, I've read what you said about the app.nw that needed to be a normal folder, but it's already a normal folder, I dont used a zipped file.

Do you know anything else that could cause this?

Really thanks a lot! we are so close to have our first desktop app on apple (well... we will need to wait to be approved but anyways still really exited ) :smile:

[alexeyst]

Absolutely @Cedriking! Could you please let me know what the CFBundleExecutable reads in your plist file?

It should be just plain node-webkit — the actual name of executable file to run the thing. I think the problem is that it currently points to your app.nw folder instead.

For the sake of clarity:

    <key>CFBundleExecutable</key>
    <string>node-webkit</string>

[ghost]

Yes that's what it say in my plist file :+1:

<key>CFBundleExecutable</key>
<string>node-webkit</string>

[alexeyst]

@Cedriking: Do you have any other plist file that has a different value in this key or something? What happens if you try building and signing a simple app with just one package.json and an HTML page, without all the other resources inside app.nw?

[alexeyst]

@Cedriking: Also, where is your plist located? Could you post your folder structure inside the *.app file?

[ghost]

Thank you for the fast reply as always :D, here is the structure:

• Contents
  • Frameworks
  • node-webkit Framework.framework
  • node-webkit Helper EH.app
  • node-webkit Helper NP.app
  • node-webkit Helper.app
  • MacOS
  • node-webkit
  • Resources
  • nw.icns
  • app.nw
    • package.json, css, js, index.html and node_modules folder
  • Info.plist
  • PkgInfo

Is this ok? would you like I go deeper in the paths? node-webkit Framework.framework has a lot of stuffs in it.

And here is my Info.plist file:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>BuildMachineOSBuild</key>
    <string>14B25</string>
    <key>CFBundleDevelopmentRegion</key>
    <string>en</string>
    <key>CFBundleDisplayName</key>
    <string>Kiwi Music Player</string>
    <key>CFBundleDocumentTypes</key>
    <array>
        <dict>
            <key>CFBundleTypeIconFile</key>
            <string>nw.icns</string>
            <key>CFBundleTypeName</key>
            <string>node-webkit App</string>
            <key>CFBundleTypeRole</key>
            <string>Viewer</string>
            <key>LSHandlerRank</key>
            <string>Owner</string>
            <key>LSItemContentTypes</key>
            <array>
                <string>com.intel.nw.app</string>
            </array>
        </dict>
        <dict>
            <key>CFBundleTypeName</key>
            <string>Folder</string>
            <key>CFBundleTypeOSTypes</key>
            <array>
                <string>fold</string>
            </array>
            <key>CFBundleTypeRole</key>
            <string>Viewer</string>
            <key>LSHandlerRank</key>
            <string>None</string>
        </dict>
    </array>
    <key>CFBundleExecutable</key>
    <string>node-webkit</string>
    <key>CFBundleIconFile</key>
    <string>nw.icns</string>
    <key>CFBundleIdentifier</key>
    <string>com.qpo.kiwi</string>
    <key>CFBundleInfoDictionaryVersion</key>
    <string>6.0</string>
    <key>CFBundleName</key>
    <string>Kiwi Music Player</string>
    <key>CFBundlePackageType</key>
    <string>APPL</string>
    <key>CFBundleShortVersionString</key>
    <string>1.2.6</string>
    <key>CFBundleVersion</key>
    <string>1.2.6</string>
    <key>DTSDKBuild</key>
    <string>13F26</string>
    <key>DTSDKName</key>
    <string>macosx10.9</string>
    <key>DTXcode</key>
    <string>0611</string>
    <key>DTXcodeBuild</key>
    <string>6A2008a</string>
    <key>LSFileQuarantineEnabled</key>
    <false/>
    <key>LSMinimumSystemVersion</key>
    <string>10.6.0</string>
    <key>NSPrincipalClass</key>
    <string>NSApplication</string>
    <key>NSSupportsAutomaticGraphicsSwitching</key>
    <true/>
    <key>SCMRevision</key>
    <string>290379</string>
    <key>LSApplicationCategoryType</key>
    <string>public.app-category.music</string>
    <key>UTExportedTypeDeclarations</key>
    <array>
        <dict>
            <key>UTTypeConformsTo</key>
            <array>
                <string>com.pkware.zip-archive</string>
            </array>
            <key>UTTypeDescription</key>
            <string>node-webkit App</string>
            <key>UTTypeIconFile</key>
            <string>nw.icns</string>
            <key>UTTypeIdentifier</key>
            <string>com.intel.nw.app</string>
            <key>UTTypeReferenceURL</key>
            <string>https://github.com/rogerwang/node-webkit/wiki/How-to-package-and-distribute-your-apps</string>
            <key>UTTypeTagSpecification</key>
            <dict>
                <key>com.apple.ostype</key>
                <string>node-webkit</string>
                <key>public.filename-extension</key>
                <array>
                    <string>nw</string>
                </array>
                <key>public.mime-type</key>
                <string>application/x-node-webkit-app</string>
            </dict>
        </dict>
    </array>
</dict>
</plist>

Thanks for taking the time helping me out with all this @alexeyst !

[alexeyst]

OK, that's strange @Cedriking.

Here's a few steps to track the problem down:

1. Does the app actually run and work before you package it with productbuild?
2. Could you try resetting permissions to all the files inside the *.app and see if that helps? That is, make sure that the executable has permissions to execute with chmod command
3. Have you tried signing the empty NW app without the resources inside? Have you had the same problem?

Also, I've compared your plist file to the one I have, and the only differences worth noting are these two:

1. My CFBundleVersion is an integer value rather than a string, and says, like, 21; you could see if that helps; I increment that number every time I upload the app.
2. Not sure if it has anything to do with the error, but just for the sake of troubleshooting, the value of LSFileQuarantineEnabled in my case is true.

So, let's see if any of these things helps!

[alexeyst]

Hey @Cedriking

Have you tried these items? Please feel free to let me know if you need any further help!

[ghost]

Hello @alexeyst how are you doing? I hadnt the chance to try out the changes you asked me, I'm currently on vacations but as soon as I'm able to update Kiwi I will check all this.

And btw for the first question, yes everything is working fine before packaging with productbuild. Is there I way I can contact you by twitter or somewhere else? I wanted to ask you something. Thanks, have a great night!

[alexeyst]

OK, let's try the rest of the items then. Sure, you could contact me on Twitter, I sent you a direct message in there.

[ghost]

Hello, everything worked fine now, I was able to sign everything and send it to apple, but after the tests I found that after I've successfully signed everything my app dont work, I make some http calls and it seems that that's the problem because my ajax code dont return anything. Am I missing a permission? or is something else?

entitlements.child:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.inherit</key>
    <true/>
</dict>
</plist>

entitlements.parent:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.temporary-exception.files.absolute-path.read-write</key>
    <array>
        <string>/private/tmp/</string>
        <string>/private/var/tmp/</string>
        <string>/private/var/folders/ml/</string>
    </array>
</dict>
</plist>

Thank you @alexeyst

[alexeyst]

Yep @Cedriking, we're close!

You're missing some network entitlements:

    <key>com.apple.security.network.client</key>
        <true/>
    <key>com.apple.security.network.server</key>
        <true/>

[ghost]

Hello @alexeyst, I've tried the changes you told me, but now the app open and closes instantly, I only have the time to see a blank application and then it's automatically close.

Here are entitlements with the changes in it: entitlements.child

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.inherit</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
    <key>com.apple.security.network.server</key>
    <true/>
</dict>
</plist>

entitlements.parent

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
    <key>com.apple.security.network.server</key>
    <true/>
    <key>com.apple.security.temporary-exception.files.absolute-path.read-write</key>
    <array>
        <string>/private/tmp/</string>
        <string>/private/var/tmp/</string>
        <string>/private/var/folders/ml/</string>
    </array>
</dict>
</plist>

---

Edit: It worked fine now! We sent it to Apple and now we are waiting to know if everything is fine, the problem was with the entitlements.child they didn't need those two new permissions.

I will let you know if everything went as expected or if I need to do something else, but for now everything looks fine!

Thanks a lot for your help with all this, really!! Have a great day.

[alexeyst]

Yes, that's right, child entitlements should remain as is! Was just about to say that when I saw your edit.

Great, best of luck to you @Cedriking! Will be very happy to check out your app once it gets released! You have a great day too.

[cdmba1]

Does anyone know why following error might be happening?

amfid[228]: /path/to/TheApp.app/Contents/Frameworks/node-webkit Helper.app/Contents/MacOS/node-webkit Helper signature not valid: 0xfffefa31 kernel[0]: proc 32021: load code signature error 4 for file "node-webkit Helper" kernel[0]: proc 32022: load code signature error 4 for file "node-webkit Helper" amfid[228]: /path/to/TheApp.app/Contents/Frameworks/node-webkit Helper.app/Contents/MacOS/node-webkit Helper signature not valid: 0xfffefa31

I’ve signed the app using the mac app store script above. When I boot up my newly signed app for the first time, all is fine. It works beautifully, in exactly the same way as before I signed the app file.

However, this issue starts occurring after a while (say, on average 5-10 minutes after the last boot). If I reboot the app frequently (i.e. every 1-2 minutes), it keeps working fine, until I stop running it. Once this occurs, the helper will never boot again.

This is my sign script:

codesign --deep -s "$IDENTITY" --entitlements /tmp/entitlements.child "$OUTDIRECTORY/$NAME.app/Contents/Frameworks/node-webkit Framework.framework/Libraries/ffmpegsumo.so"

codesign --deep -s "$IDENTITY" --entitlements /tmp/entitlements.child "$OUTDIRECTORY/$NAME.app/Contents/Frameworks/$NAME Helper.app"

codesign --deep -s "$IDENTITY" --entitlements /tmp/entitlements.child "$OUTDIRECTORY/$NAME.app/Contents/Frameworks/$NAME Helper EH.app"

codesign --deep -s "$IDENTITY" --entitlements /tmp/entitlements.child "$OUTDIRECTORY/$NAME.app/Contents/Frameworks/$NAME Helper NP.app"

codesign --deep -s "$IDENTITY" --entitlements /tmp/entitlements.parent "$OUTDIRECTORY/$NAME.app”

[alexeyst]

Hey @cdmba1

Which version of node-WebKit are you using? Could you confirm your helper files have the names Helper.app and not node-WebKit Helper.app? If it is the latter, you'd need to change the signing script and instead of $NAME state node-WebKit for the helper apps.

Also, the native version of node-WebKit doesn't work with AppStore and you might have to use the one referenced above in this issue. It has node-WebKit Helper.app format.

[cdmba1]

Hey Alexey,

1/ I'm using the latest version. 2/ Sorry yes. The names from the building and signing script match, they're "$NAME Helper.app". 3/ I have taken a native version and patched in the relevant changes.

[cdmba1]

Actually @alexeyst, for some reason I am now getting following error when running the "Mac Developer" signed build:

Apr 13 00:00:44 MacBook-Air.local CoreServicesUIAgent[47172]: unexpected message <OS_xpc_error: <error: 0x7fff7ef3fc60> { count = 1, contents = "XPCErrorDescription" => <string: 0x7fff7ef3ff70> { length = 18, contents = "Connection invalid" } }>

[0412/235913:ERROR:ipc_channel_posix.cc(521)] pipe error on 38 Currently writing message of size: 32: Socket is not connected [0412/235913:WARNING:file_descriptor_set_posix.cc(30)] FileDescriptorSet destroyed with unconsumed descriptors: 0/1

This only seems to happen infrequently, which is probably why I did not notice it. However, nothing seems to be broken.

[alexeyst]

Thanks @cdmba1

Do you still have this error?

amfid[228]: /path/to/TheApp.app/Contents/Frameworks/node-webkit Helper.app/Contents/MacOS/node-webkit Helper signature not valid: 0xfffefa31
kernel[0]: proc 32021: load code signature error 4 for file "node-webkit Helper"
kernel[0]: proc 32022: load code signature error 4 for file "node-webkit Helper"

I am asking because the file here reads node-webkit Helper rather than yourapp Helper which I just want to confirm is not an issue.

[cdmba1]

Hi @alexeyst. Still haven't managed to fix this error, sadly. Sorry for the naming - I adjusted some file names when copying over from command line.

The format is "$NAME Helper.app", and you should read the above error as "$NAME Helper.app signature not valid...".

node-webkit is the name of the framework, $NAME Helper EH/NP.app for the app bundles. I'm quite sure the naming of the framework and executable is not an issue, since the app wouldn't work then in unsigned mode either.

[alexeyst]

I see, sorry to hear that; so, for the sake of clarity, what is the error you're dealing with now — signature error or the socket connectivity? Or both, perhaps?

Do you have the network connectivity entitlements enabled? @cdmba1

[cdmba1]

@alexeyst Yes, the signature error. The other one isn't causing any noticeable issues, as far as I know.

I'm using these entitlements:

export ENTITLEMENTS_PARENT='<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
    <key>com.apple.security.network.server</key>
    <true/>
    <key>com.apple.security.temporary-exception.files.absolute-path.read-write</key>
    <array>
        <string>/private/tmp/</string>
        <string>/private/var/tmp/</string>
        <string>/private/var/folders/ml/</string>
    </array>
    <key>com.apple.security.temporary-exception.mach-lookup.global-name</key>
    <array>
        <string>org.chromium.Chromium.rohitfork</string>
    </array>
</dict>
</plist>
'

export ENTITLEMENTS_CHILD='<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.inherit</key>
    <true/>
</dict>
</plist>
'

I removed the unique PID from mach_broker_mac.cc to get rid of the Mach error when running in sandbox mode.

[alexeyst]

Might it be that the helper apps do not have the same app ID as the main app in their plist files? @cdmba1

[cdmba1]

@alexeyst The helper apps have a separate CFBundleIdentifier (com.app.name, com.app.name.helper, com.app.name.helper.eh and com.app.name.helper.np).

Before using unique identifiers for each helper, I set this value in each plist to com.app.name. However, that gave me an error when uploading my signed package to the App Store. In particular, Application Loader said certain sub packages shared a unique identifier, and that apparently wasn't allowed.

I'll try changing the identifier, and signing with the -i com.app.name option. Can't remember whether I did both at the time.

[alexeyst]

Yes, I have the same bundle ID for all apps, so that might help! @cdmba1

[cdmba1]

@alexeyst How do I name/sign the framework? Also with the same ID, or with its own default plist value?

[alexeyst]

@cdmba1 I do not have a plist inside the framework, so it is just named node-webkit Framework and signed as usual. So, to summarize it I've got:

1) root app with com.myapp.id in the plist 2) all helper apps with com.myapp.id in their plist files 3) all helper apps named node-webkit Helper, not 'app name' Helper 4) custom signing script as follows, I am also using a custom node module, so that one is signed too

codesign --deep -s $IDENTITY -i $BUNDLEID --entitlements /tmp/entitlements.child "$OUTDIRECTORY/$NAME.app/Contents/Frameworks/node-webkit Framework.framework/Libraries/ffmpegsumo.so"
codesign --deep -s $IDENTITY -i $BUNDLEID --entitlements /tmp/entitlements.child "$OUTDIRECTORY/$NAME.app/Contents/Resources/app.nw/node_modules/printer/build/Release/node_printer.node"
codesign --deep -s $IDENTITY -i $BUNDLEID --entitlements /tmp/entitlements.child "$OUTDIRECTORY/$NAME.app/Contents/Frameworks/node-webkit Helper.app"
codesign --deep -s $IDENTITY -i $BUNDLEID --entitlements /tmp/entitlements.child "$OUTDIRECTORY/$NAME.app/Contents/Frameworks/node-webkit Helper EH.app"
codesign --deep -s $IDENTITY -i $BUNDLEID --entitlements /tmp/entitlements.child "$OUTDIRECTORY/$NAME.app/Contents/Frameworks/node-webkit Helper NP.app"
codesign --deep -s $IDENTITY -i $BUNDLEID --entitlements /tmp/entitlements.parent "$OUTDIRECTORY/$NAME.app"

So as you can see the bundle ID is the same for all lines.

[tylerlong]

@Cedriking On Apr 2 you mentioned that We sent it to Apple and now we are waiting to know if everything is fine. Today I searched Mac App Store but couldn't find any app named Kiwi Music Player. Could you please update us of the situation?

[ghost]

Hello @tylerlong unfortunately Apple rejected our app, because of the ffmpeg and the videos coming from YouTube, so for now the only way for me to make my app available is in my website directly http://kiwimusicplayer.com . But next time when I have a new idea, I hope to be able to have it on the App Store :+1:

Thanks for your interest !

[tylerlong]

@Cedriking Thank you for the update. What's the problem with ffmpeg? I also made an app based on ffmpeg last week and I think it will be reviewed soon. Let me see whether Apple will reject it.

[ghost]

@tylerlong good luck and let me know how it went! :+1:

Not exactly sure why Apple rejects apps with ffmpeg, here is a small explanation that @alexeyst explained on his node-webkit-macappstore repo:

I figured out that Apple may be rejecting the latest ffmpegsumo.so located under libraries. If you do not use ffmpeg, you may delete the file from node-webkit Framework.framework/Libraries/ffmpegsumo.so and resubmit.

If you do use ffmpeg, however, more investigations are necessary to submit it to App Store—it uses certain QtKit APIs that need removal as well (or rather, a conversion to AVFoundation).

Source: https://github.com/alexeyst/node-webkit-macappstore#how-to-get-node-webkit-build-accepted-on-mac-app-store

[baconbrad]

This and this might be useful reading.

[tylerlong]

@Cedriking @baconface Thank you for the information. My app which takes advantages of ffmpeg has been approved! Important fact: the app doesn't use ffmpeg's source code nor its library. Ony ffmpeg's executable is used in the app. I think that's why it's compatible with LGPL.

Disclaimer: my app isn't built with NW.js. I post the information above just for the clarification of the ffmpeg issue.

[baconbrad]

Good to hear. Congrats.

[ghost]

@tylerlong Congratulations! :+1:

[banezaklan]

Hello, I was able to sign and create the pkg successfully. Now I'm trying to submit the app to iTunes Connect using the "Application Loader" app, and it's reporting several errors. Just wandered if somebody has an idea how to fix them:

ERROR ITMS-90451: "CFBundleIdentifier Collision. The Info.plist CFBundleIdentifier value 'com.a51.timer' of 'activecollab-timer.app/Contents/Frameworks/node-webkit Helper EH.app' is in conflict with the Info.plist CFBundleIdentifier value of 'activecollab-timer.app'."

ERROR ITMS-90451: "CFBundleIdentifier Collision. The Info.plist CFBundleIdentifier value 'com.a51.timer' of 'activecollab-timer.app/Contents/Frameworks/node-webkit Helper NP.app' is in conflict with the Info.plist CFBundleIdentifier value of 'activecollab-timer.app'."

ERROR ITMS-90451: "CFBundleIdentifier Collision. The Info.plist CFBundleIdentifier value 'com.a51.timer' of 'activecollab-timer.app/Contents/Frameworks/node-webkit Helper.app' is in conflict with the Info.plist CFBundleIdentifier value of 'activecollab-timer.app'

Note that the values are the same in the 'main' info.plist and all three NW helper .apps. With the original values it was reporting the 'mismatch' problem.

[ghost]

@banezaklan check out that the CFBundleIdentifier of the frameworks ( the 3 node-webkit Helpers ) have the same CFBundleIdentifier value as you app 'activecollab-timer.app'