Electron-builder: Invalid Signature - The nested app bundle Electron Framework

Created on 24 May 2016 · 77 Comments · Source: electron-userland/electron-builder

Hi,

I am trying to sign my app with electron-builder, with my package.json:

{
  "scripts": {
    "start": "electron ./app --enable-logging",
    "dev": "NODE_ENV='development' npm run start",
    "dist": "npm run dist:osx",
    "dist:osx": "build --platform darwin"
  },
  "devDependencies": {
    "gulp": "~3.9.0",
    "gulp-concat": "~2.6.0",
    "gulp-rename": "~1.2.0",
    "gulp-uglify": "~1.5.0",
    "gulp-sass": "~2.3.1",
    "gulp-sourcemaps": "~1.6.0",
    "gulp-cssnano": "~2.1.0",
    "electron-builder": "3.23.0",
    "electron-prebuilt": "1.1.0"
  },
  "build": {
    "productName": "MyApp",
    "app-bundle-id": "com.myapp",
    "app-category-type": "public.app-category.productivity",
    "osx": {
      "title": "MyApp",
      "background": "build/background.png",
      "icon": "build/icon.icns",
      "icon-size": 128,
      "target": "mas",
      "identity": "Developer ID Application: Jeremie Chazelle (XXXXXXXXX)",
      "contents": [
        {
          "x": 355,
          "y": 125,
          "type": "link",
          "path": "/Applications"
        },
        {
          "x": 155,
          "y": 125,
          "type": "file"
        }
      ]
    },
    "mas": {
      "identity": "Jeremie Chazelle"
    }
  }
}

I did this tutorial
https://github.com/nwjs/nw.js/wiki/MAS%3A-Requesting-certificates
to make the certificates

I launch the build and sign with
sudo npm run-script dist

pc3:my-app jeremiechazelle$ sudo npm run-script dist
> @ dist /Users/jeremiechazelle/Sites/my-app
> npm run dist:osx
> @ dist:osx /Users/jeremiechazelle/Sites/my-app
> build --platform darwin
Rebuilding app dependencies for arch x64 to /Users/jeremiechazelle/Sites/my-app/app
Packaging app for platform mas x64 using electron v1.1.0
Signing app (identity: Developer ID Application: Jeremie Chazelle (XXXXXXXXXX))
pc3:my-app jeremiechazelle$ 

With Application Loader, I upload my app. The upload is done.

But, after 30 seconds, I get an email from Apple:

Dear developer,

We have discovered one or more issues with your recent delivery for "MyApp". To process your delivery, the following issues must be corrected:

Invalid Signature - ...

Once these issues have been corrected, you can then redeliver the corrected binary.

Regards,

The App Store team

I don't understand what I'm missing...

All 77 comments

Please use https://itunes.apple.com/us/app/rb-app-checker-lite/id519421117?mt=12 to check your app.

Please set DEBUG env to * to get debug output and attach it here.

If you use latest electron, you need to wait https://github.com/electron-userland/electron-packager/issues/371 fix.

@mcfedr @sethlu Do you have any clue?

@develar I'm not sure but electron-builder doesn't yet use electron-osx-sign right? 😕
It seems to me that the frameworks embedded in the app bundle aren't properly signed.

@sethlu No, we use your excellent module (but fork — my PR was accepted, thanks).

@develar Sorry I looked at the wrong part of the code...

@develar Just read this: https://discussions.agilebits.com/discussion/37099/verification-of-app-signature. Not sure if it's related to this issue. His app-bundle-id only has a prefix com.releasespro. Not sure if this triggered the issue. (Let me check if the error could be reproduced.)

@jechazelle May I ask which identifier you used on iTC? Was it com.releasespro.something? Thanks.

Hi @sethlu

On iTunes Connect I use : com.myapp

@jechazelle thanks for confirming. Sorry but I'm out of clues right now. Would you do the following test of designated requirements on your local machine?

codesign --verify --verbose path/to/my.app

@sethlu Yes, of course !

pc3:my-app jeremiechazelle$ sudo codesign --verify --verbose ./dist/my app-darwin-x64/my app.app
./dist/my app-darwin-x64/MyApp.app: valid on disk
./dist/my app-darwin-x64/MyApp.app: satisfies its Designated Requirement
pc3:my-app jeremiechazelle$ 

@jechazelle Thanks for testing... Now this is very weird 😿
I'll have to look into this a bit more. Seems like something to do with code-signing.

@develar @sethlu thank you for your help !

I re-signed my .app from mas folder with this script :

child.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.inherit</key>
    <true/>
  </dict>
</plist>

parent.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.application-groups</key>
    <string>XXXXXXXXXX.com.myapp</string>
  </dict>
</plist>

sign.sh

#!/bin/bash

# Name of your app.
APP="MyApp"
# The path of your app to sign.
APP_PATH="./dist/my-app-mas-x64/My App.app"
# The path to the location you want to put the signed package.
RESULT_PATH="/Users/jeremiechazelle/Desktop/$APP.pkg"
# The name of certificates you requested.
APP_KEY="3rd Party Mac Developer Application: Jeremie Chazelle (XXXXXXXXXX)"
INSTALLER_KEY="3rd Party Mac Developer Installer: Jeremie Chazelle (XXXXXXXXX)"

FRAMEWORKS_PATH="$APP_PATH/Contents/Frameworks"

codesign -s "$APP_KEY" -f --entitlements child.plist "$FRAMEWORKS_PATH/Electron Framework.framework/Versions/A/Electron Framework"
codesign -s "$APP_KEY" -f --entitlements child.plist "$FRAMEWORKS_PATH/Electron Framework.framework/Versions/A/Libraries/libffmpeg.dylib"
codesign -s "$APP_KEY" -f --entitlements child.plist "$FRAMEWORKS_PATH/Electron Framework.framework/Versions/A/Libraries/libnode.dylib"
codesign -s "$APP_KEY" -f --entitlements child.plist "$FRAMEWORKS_PATH/Electron Framework.framework"
codesign -s "$APP_KEY" -f --entitlements child.plist "$FRAMEWORKS_PATH/$APP Helper.app/Contents/MacOS/$APP Helper"
codesign -s "$APP_KEY" -f --entitlements child.plist "$FRAMEWORKS_PATH/$APP Helper.app/"
codesign -s "$APP_KEY" -f --entitlements child.plist "$FRAMEWORKS_PATH/$APP Helper EH.app/Contents/MacOS/$APP Helper EH"
codesign -s "$APP_KEY" -f --entitlements child.plist "$FRAMEWORKS_PATH/$APP Helper EH.app/"
codesign -s "$APP_KEY" -f --entitlements child.plist "$FRAMEWORKS_PATH/$APP Helper NP.app/Contents/MacOS/$APP Helper NP"
codesign -s "$APP_KEY" -f --entitlements child.plist "$FRAMEWORKS_PATH/$APP Helper NP.app/"
codesign -s "$APP_KEY" -f --entitlements child.plist "$APP_PATH/Contents/MacOS/$APP"
codesign -s "$APP_KEY" -f --entitlements parent.plist "$APP_PATH"

productbuild --component "$APP_PATH" /Applications --sign "$INSTALLER_KEY" "$RESULT_PATH"

Now it's done, I see my build on iTunes Connect! I am waiting to see if Apple validates my app with this pkg...

@jechazelle Yea, this script reminded me of something!
The identity provided for electron builder is Developer ID Application which doesn't really satisfy the MAS requirements. However, 3rd Party Mac Developer Application is used with your custom Shell script. Not sure if that's the cause.

If you use electron-builder for the MAS build you should set env vars CSC_INSTALLER_NAME="...Developer Installer..." and CSC_NAME="...Developer Application..."
Then your .app and .pkg come out with the correct signatures

https://github.com/electron-userland/electron-builder/wiki/Code-Signing

@sethlu codesign checks cert — no way to use invalid not installer cert (so, I doubt that it is an electron-builder bug). But there is some user error and my goal is to add an extra check when this issue is solved.

FYI: codesign verify on electron-osx-sign side is not complete — #377 is not prevented.

I am fairly sure that if Application Loader takes your pkg then it's correctly signed

@develar I'll try to reproduce this error... see if export DEBUG could get anything from electron-osx-sign. I'm thinking now that some lines in package.json may need some tweaking.

   "osx": {
      [... skipped]
      "target": "mas",
      "identity": "Developer ID Application: Jeremie Chazelle (XXXXXXXXX)",
      [... skipped]
    },
    "mas": {
      "identity": "Jeremie Chazelle"
    }

I checked my env vars :

CSC_INSTALLER_NAME=3rd Party Mac Developer Installer: Jeremie Chazelle (XXXXXXXX)
CSC_NAME=Developer ID Application: Jeremie Chazelle (XXXXXXXX)

I have no CSC_LINK, CSC_KEY_PASSWORD, CSC_INSTALLER_LINK, CSC_INSTALLER_KEY_PASSWORD

Must I use "3rd Party Mac Developer Application: Jeremie Chazelle (XXXXXXXX)" somewhere?

@develar @sethlu
Apple just sent me a message:

2.2 Here is how we found this bug: The app does not respond on launch, and does not display any windows.

When I build with target: mas, the app does not respond on launch, and does not display any windows (myapp.app => 140,8Mo).
When I build without target: mas, identity, it's OK, my app responds on launch when I click on myApp.app (myapp.app => 142,9Mo).

Maybe it's linked to the certificate problem?

I used

    "electron-builder": "3.25.0",
    "electron-prebuilt": "1.0.1",

    "electron-builder": "3.27.0",
    "electron-prebuilt": "1.0.2",

@jechazelle let me respond to the comment regarding CSC first. I believe _3rd Party Mac Developer Application/Installer_ should be used to sign off any app bundles/installers sent to iTC for review.
If _Developer ID Application_ was used for signing, it may not work; probably it explains why previously Application Loader throws the error message.

@jechazelle As a quick solution, would you do the following with your app bundle either signed/unsigned? Previous signings should be overwritten by default. 💭

npm install -g electron-osx-sign
# OR sudo npm install -g electron-osx-sign IF EACCES error thrown

# Display logs while signing or packing flat installer
export DEBUG=electron-osx-sign*

# This should automatically discover certs for signing
electron-osx-sign path/to/my/app.app --entitlements path/to/my/entitlements.plist
# And this for flatting
electron-osx-flat path/to/my/app.app

(also note that Info.plist needs updating with team id added before signing)

I think we may track down this issue slightly better if the script above works (as I expect). Then we may take some time looking into the signing part of using electron-builder.

@jechazelle That sounds like it might be a sandbox issue, electron have just released 1.1.2 that addresses a problem with sandboxing, check out the latest instructions about entitlements, https://github.com/electron/electron/blob/master/docs/tutorial/mac-app-store-submission-guide.md

@mcfedr I think what @jechazelle did earlier (https://github.com/electron-userland/electron-builder/issues/436#issuecomment-221741023) adheres to the latest MAS submission guide, (not sure about his Info.plist though).
I'm not sure if it's the incorrect certs for signing or if a different build other than mas that is used for packing that caused this issue.

@sethlu "I believe 3rd Party Mac Developer Application/Installer should be used to sign off any app bundles/installers sent to iTC for review. If Developer ID Application was used for signing, it may not work; probably it explains why previously Application Loader throws the error message."

So, must I modify my env var?

CSC_INSTALLER_NAME=3rd Party Mac Developer Installer: Jeremie Chazelle (XXXXXXXX)
CSC_NAME=Developer ID Application: Jeremie Chazelle (XXXXXXXX)

by

CSC_INSTALLER_NAME=3rd Party Mac Developer Installer: Jeremie Chazelle (XXXXXXXX)
CSC_NAME=3rd Party Mac Developer Application: Jeremie Chazelle (XXXXXXXX)

From the wiki:
export CSC_NAME="Developer ID Application: Your Name (code)"
https://github.com/electron-userland/electron-builder/wiki/Code-Signing

my info.plist

<plist version="1.0">
<dict>
  <key>ElectronTeamID</key>
  <string>XXXXXXXX</string>
</dict>
</plist>

@jechazelle I think @develar may know more on the set up of this module.
However, generally when building apps for distribution _inside_ the MAS, 3rd Party Mac Developer Application and 3rd Party Mac Developer Installer should be the correct ones to be used. When for distribution _outside_ the MAS, Developer ID Application and Developer ID Installer should be used (as far as I understand).

I have never yet published to MAS, so I trust @sethlu. And as I see in the code https://github.com/electron-userland/electron-osx-sign/blob/master/index.js#L298 yes, 3rd Party Mac Developer Application must be used.

So, such check must be added to electron-builder.

@jechazelle Thanks for posting your Info.plist. So far I believe with the identities _3rd Party Mac Developer/Installer_ used for signing, your app should pass the iTC check. 👍

@sethlu @develar So, to summarize:

package.json

   "osx": {
      [... skipped]
      "target": "mas",
      "identity": "Developer ID Application: Jeremie Chazelle (XXXXXXXXX)",
      [... skipped]
    },
    "mas": {
      "identity": "Jeremie Chazelle"
    }

and declare :

CSC_INSTALLER_NAME=3rd Party Mac Developer Installer: Jeremie Chazelle (XXXXXXXX)
CSC_NAME=3rd Party Mac Developer Application: Jeremie Chazelle (XXXXXXXX)

Is it true?

@jechazelle I don't have too much experience working with electron-builder, but from the docs, I think the following should work (with CSC_NAME/CSC_INSTALLER_NAME declared or not).

"osx": {
   "_comment": "some lines skipped",
   "target": "mas",
   "identity": "3rd Party Mac Developer Application: Jeremie Chazelle (XXXXXXXXX)"
},
"mas": {
   "identity": "3rd Party Mac Developer Installer: Jeremie Chazelle (XXXXXXXXX)"
}

Refer to: https://github.com/electron-userland/electron-builder/wiki/Options#buildosx, https://github.com/electron-userland/electron-builder/wiki/Code-Signing

@jechazelle "Consider using environment variables" — please remove identity from the build. The docs are clear — please don't specify identity in the package.json, it is recommended to use only env.

But... now I see a big problem — we have CSC_NAME but surprisingly Apple requires a different cert to sign for MAS (named as Mac App Distribution Certificate). So, CSC_NAME is not enough — because if you want to build both mas and dmg, we must use TWO different certs. Yeah, so, suddenly :(

So, currently, you cannot produce versions for MAS and not-MAS (DMG) using the same configuration.

@mcfedr How does it work for you?

@sethlu @mcfedr Thanks a lot for your help!

So, currently, you cannot produce versions for MAS and not-MAS (DMG) using the same configuration.

@develar probably separating OS X and MAS builds could be a solution, partly I think MAS doesn't require the other compression/wrapping-in-dmg methods. However, that may be more or less a bump (out of the scope of this issue lol).

@sethlu @develar @mcfedr Thanks a lot for your help!! 👍

I would like to generate my build only to MAS (iTC)

'please don't specify identity in the package.json, it is recommended to use only env.'

I read your comments. So, I don't declare identity in my package.json, only with env vars.

package.json

"osx": {
      [... skipped]
      "target": "mas",
      [... skipped]
    }

and I set env var

CSC_INSTALLER_NAME=3rd Party Mac Developer Installer: Jeremie Chazelle (XXXXXXXX)
CSC_NAME=3rd Party Mac Developer Application: Jeremie Chazelle (XXXXXXXX)

Is it correct?

@jechazelle Yup, I think it should be correct now. 👍

I have this error :

with electron 1.0.2

Rebuilding app dependencies for arch x64 to /Users/jeremiechazelle/Sites/my-app/app
Packaging app for platform mas x64 using electron 1.0.2 to dist/mas
Error: App is not signed: CSC_LINK or CSC_NAME are not specified, see https://github.com/electron-userland/electron-builder/wiki/Code-Signing
    at OsXPackager.<anonymous> (/Users/jeremiechazelle/Sites/my-app/node_modules/electron-builder/src/osxPackager.ts:84:15)
    at [object Generator].next (native)
From previous event:
    at tsAwaiter (/Users/jeremiechazelle/Sites/my-app/node_modules/electron-builder/src/awaiter.ts:10:47)
    at Object.build (/Users/jeremiechazelle/Sites/my-app/node_modules/electron-builder/src/builder.ts:30:59)
    at Object.<anonymous> (/Users/jeremiechazelle/Sites/my-app/node_modules/electron-builder/src/build-cli.ts:47:2)
    at Module._compile (module.js:435:26)
    at Object.Module._extensions..js (module.js:442:10)
    at Module.load (module.js:356:32)
    at Function.Module._load (module.js:311:12)
    at Function.Module.runMain (module.js:467:10)
    at startup (node.js:134:18)
    at node.js:961:3

same error with electron 1.0.1

Rebuilding app dependencies for arch x64 to /Users/jeremiechazelle/Sites/my-app/app
Packaging app for platform mas x64 using electron 1.0.1 to dist/mas
Error: App is not signed: CSC_LINK or CSC_NAME are not specified, see https://github.com/electron-userland/electron-builder/wiki/Code-Signing
    at OsXPackager.<anonymous> (/Users/jeremiechazelle/Sites/my-app/node_modules/electron-builder/src/osxPackager.ts:84:15)
    at [object Generator].next (native)
From previous event:
    at tsAwaiter (/Users/jeremiechazelle/Sites/my-app/node_modules/electron-builder/src/awaiter.ts:10:47)
    at Object.build (/Users/jeremiechazelle/Sites/my-app/node_modules/electron-builder/src/builder.ts:30:59)
    at Object.<anonymous> (/Users/jeremiechazelle/Sites/my-app/node_modules/electron-builder/src/build-cli.ts:47:2)
    at Module._compile (module.js:435:26)
    at Object.Module._extensions..js (module.js:442:10)
    at Module.load (module.js:356:32)
    at Function.Module._load (module.js:311:12)
    at Function.Module.runMain (module.js:467:10)
    at startup (node.js:134:18)
    at node.js:961:3
CSC_INSTALLER_NAME=3rd Party Mac Developer Installer: Jeremie Chazelle (XXXXXXXXX)
CSC_NAME=3rd Party Mac Developer Application: Jeremie Chazelle (XXXXXXXXX)

package.json

"osx": {
      [... skipped]
      "target": "mas",
      [... skipped]
    }

Error: App is not signed: CSC_LINK or CSC_NAME are not specified, see https://github.com/electron-userland/electron-builder/wiki/Code-Signing

@jechazelle quite weird that electron-builder complains about CSC_NAME. Have your variables been exported in the way export CSC_NAME="..."? (Or we may try explicitly stating CSC_NAME in package.json as we previously did, as a fallback for now.)

I use "export" in my console to set my variables with this :

export CSC_INSTALLER_NAME="3rd Party Mac Developer Installer: Jeremie Chazelle (XXXXXXXX)"
export CSC_NAME="3rd Party Mac Developer Application: Jeremie Chazelle (XXXXXXXX)"

But these variables are cleared after a reboot of my Mac. I put this in my /etc/profile:
/etc/profile

export CSC_INSTALLER_NAME="3rd Party Mac Developer Installer: Jeremie Chazelle (XXXXXXXX)"
export CSC_NAME="3rd Party Mac Developer Application: Jeremie Chazelle (XXXXXXXX)"

A screenshot from my console with printenv: (screenshot, 2016-05-27 21:58:50)

@jechazelle I'm not sure why this is happening. 😦 @develar may have any idea on this?

When I use the package.json directly, it's OK!

    "electron-builder": "3.27.0",
    "electron-prebuilt": "1.0.1",

package.json

  "build": {
    "productName": "My App",
    "app-bundle-id": "com.myapp",
    "app-category-type": "public.app-category.productivity",
    "osx": {
      "title": "My App",
      "background": "build/background.png",
      "icon": "build/icon.icns",
      "icon-size": 128,
      "target": "mas",
      "identity": "3rd Party Mac Developer Application: Jeremie Chazelle (XXXXXXXXX)",
      "contents": [
        {
          "x": 355,
          "y": 125,
          "type": "link",
          "path": "/Applications"
        },
        {
          "x": 155,
          "y": 125,
          "type": "file"
        }
      ]
    },
    "mas": {
      "identity": "3rd Party Mac Developer Installer: Jeremie Chazelle (XXXXXXXXX)"
    }

I can upload my app with no problem!!
I don't use the env vars.

But there is a final problem: when I build my app with this package.json and then click on my myApp.app, the application freezes, I see only the close and minimize buttons.
And afterwards I get a message from Apple: the app does not respond on launch, and does not display any windows

@jechazelle Would you by chance know which Electron version this is done with?

@sethlu Yes, of course. The app freezes with this version; I tried with:

    "electron-builder": "3.27.0",
    "electron-prebuilt": "0.37.3",

and

    "electron-builder": "3.27.0",
    "electron-prebuilt": "1.0.1",

@jechazelle Well, that doesn't say the https://github.com/electron/electron release.
Sorry I'm not quite sure how the Electron version is set within electron-builder... I should leave this to see if @develar has any comments.

Sorry, I don't understand?

@jechazelle electron-builder and electron-prebuilt utilize Electron (ref https://github.com/electron/electron). However, for some versions/releases of Electron (ref https://github.com/electron/electron/releases), there are known issues with app freezing/graphic glitches.

@sethlu Thanks a lot for your help!!

Wow!! I tried with this version:

    "electron-builder": "3.27.0",
    "electron-prebuilt": "0.35.6",

To summarize:

{
  "scripts": {
    "start": "electron ./app --enable-logging",
    "dev": "NODE_ENV='development' npm run start",
    "dist": "npm run dist:osx",
    "dist:osx": "build --platform darwin"
  },
  "devDependencies": {
    "electron-builder": "3.27.0",
    "electron-prebuilt": "0.35.6",
   ...
  },
  "build": {
    "productName": "MyApp",
    "app-bundle-id": "com.myapp",
    "app-category-type": "public.app-category.productivity",
    "osx": {
      "title": "MyApp",
      "background": "build/background.png",
      "icon": "build/icon.icns",
      "icon-size": 128,
      "target": "mas",
      "identity": "3rd Party Mac Developer Application: Jeremie Chazelle (XXXXXXXXX)",
      "contents": [
        {
          "x": 355,
          "y": 125,
          "type": "link",
          "path": "/Applications"
        },
        {
          "x": 155,
          "y": 125,
          "type": "file"
        }
      ]
    },
    "mas": {
      "identity": "3rd Party Mac Developer Installer: Jeremie Chazelle (XXXXXXXXX)"
    }
  }
}


My app doesn't freeze and I can submit my app on iTC!!

Now I am waiting to see if Apple can open my app.

@jechazelle Prob electron-prebuilt defines the Electron version lol. And yea, v0.37.3 freezes on my machine as well after code-signed.

Up to version "electron-prebuilt": "0.36.12", it was working as well: I can generate for mas, sign and upload to iTC!

It seems that it freezes at version 0.37

So, it's strange: when I build my project with mas, I click on myapp.app, launch the application, and I cannot use the HTTP request (GET) in my application (AngularJS): error name not resolved

When I build without mas, the generated .app file allows HTTP requests (GET)

@sethlu After many tests with electron-builder, I am trying to use electron-osx-sign to find out why my signing doesn't work with electron-builder

./dist/osx/My App.app
myApp.app

sudo electron-osx-sign "./dist/osx/My App.app" --identity="3rd Party Mac Developer Application: Jeremie Chazelle (XXXXXXXXXX)"
and after :
sudo electron-osx-flat "./dist/osx/My App.app" --identity="3rd Party Mac Developer Installer: Jeremie Chazelle (XXXXXXXXXX)"

But when I upload my pkg with Application Loader, I have this: (screenshot, 2016-05-29 12:16:01)

So I try this:

./default_mas_entitlements

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
  </dict>
</plist>

./default_mas_inherit_entitlements

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.inherit</key>
    <true/>
  </dict>
</plist>

sudo electron-osx-sign "./dist/osx/My App.app" --identity="3rd Party Mac Developer Application: Jeremie Chazelle (XXXXXXXXXX)" entitlements="./default_mas_entitlements" entitlements-inherit="./default_mas_inherit_entitlements"

But I have this error :

Sign failed.
Command failed: codesign --sign 3rd Party Mac Developer Application: Jeremie Chazelle (XXXXXXXXXX) -fv entitlements=./default_mas_entitlements
entitlements=./default_mas_entitlements: No such file or directory

I wonder if this is linked to my problem with electron-builder

@jechazelle If you wish to add options, you may use the following for signing and packing. Note the two dashes -- before stating each param.

electron-osx-sign "./dist/osx/Releases Pro.app" --identity="3rd Party Mac Developer Application: Jeremie Chazelle (XXXXXXXXXX)" --entitlements="./default_mas_entitlements" --entitlements-inherit="./default_mas_inherit_entitlements"
electron-osx-flat "./dist/osx/Releases Pro.app" --identity="3rd Party Mac Developer Installer: Jeremie Chazelle (XXXXXXXXXX)"

Additionally, export DEBUG=electron-osx-sign* before signing should give extra debug logs.

Also, very strangely Squirrel.framework seems to be inside your app bundle. Do you mind checking if the correct Electron (for MAS but not for Darwin) is used to pack your app? Some private APIs are removed in the Electron MAS build; Squirrel.framework shouldn't be in a proper MAS version I think.

Thank you @sethlu my app is signed!

But, when I sign my app with this command

electron-osx-sign "./dist/osx/My App.app" --identity="3rd Party Mac Developer Application: Jeremie Chazelle (XXXXXXXXXX)" --entitlements="./default_mas_entitlements" --entitlements-inherit="./default_mas_inherit_entitlements"
electron-osx-flat "./dist/osx/My App.app" --identity="3rd Party Mac Developer Installer: Jeremie Chazelle (XXXXXXXXXX)"

I can't use my XHR request in myapp.app, do you have an idea why?

How can I remove Squirrel.framework?

@jechazelle theoretically you cannot send XHR requests lol.
@jasonhinkle's drafted an explanation earlier this year: https://github.com/electron-userland/electron-osx-sign/wiki/3.-App-Sandbox-and-Entitlements and this introduces/clarifies entitlements quite well, personally speaking. 😸 Just as suggestions, I think you may need to add the com.apple.security.network.client into your default_mas_entitlements file, because the default doesn't enable connecting to a remote address for a sandboxed app. A possible entitlements file may look like:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
  </dict>
</plist>

Additionally, when submitting the app eventually, you may need to provide clarification at iTC on why com.apple.security.network.client is listed among the entitlements for that you connect to somewhere else.

On the Squirrel.framework issue, I should leave this to @develar because I'm new to electron-builder. Because Electron comes with darwin and mas builds, I don't know why the darwin build seems to be used while building the app. (It's totally fine as long as it doesn't try to get into mas because iTC complains for various limitations of the app store.)

A possible internal struct of a mas build should look something like:

$ electron-osx-sign test-1.2.0.app
  electron-osx-sign:warn No `platform` passed in arguments, checking Electron platform... +0ms
  electron-osx-sign:warn No `entitlements` passed in arguments, will fallback to default settings. +4ms
  electron-osx-sign:warn No `entitlements-inherit` passed in arguments, will fallback to default settings. +1ms
  electron-osx-sign:warn No `identity` passed in arguments, discovering identities... +1ms
  electron-osx-sign Signing application... +436ms
  electron-osx-sign > application         test-1.2.0.app +1ms
  electron-osx-sign > platform            mas +0ms
  electron-osx-sign > entitlements        /Users/zhuolu/Development/electron-osx-sign/default.mas.entitlements +0ms
  electron-osx-sign > child-entitlements  /Users/zhuolu/Development/electron-osx-sign/default.mas.inherit.entitlements +0ms
  electron-osx-sign > additional-binaries  +0ms
  electron-osx-sign > identity            3rd Party Mac Developer Application: Zhuo Lu (XXXXXXXXXX) +0ms
  electron-osx-sign Signing... test-1.2.0.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Electron Framework +103ms
  electron-osx-sign Signing... test-1.2.0.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libffmpeg.dylib +3s
  electron-osx-sign Signing... test-1.2.0.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libnode.dylib +272ms
  electron-osx-sign Signing... test-1.2.0.app/Contents/Frameworks/Electron Framework.framework +544ms
  electron-osx-sign Signing... test-1.2.0.app/Contents/Frameworks/test-1.2.0 Helper EH.app/Contents/MacOS/test-1.2.0 Helper EH +2s
  electron-osx-sign Signing... test-1.2.0.app/Contents/Frameworks/test-1.2.0 Helper EH.app +422ms
  electron-osx-sign Signing... test-1.2.0.app/Contents/Frameworks/test-1.2.0 Helper NP.app/Contents/MacOS/test-1.2.0 Helper NP +280ms
  electron-osx-sign Signing... test-1.2.0.app/Contents/Frameworks/test-1.2.0 Helper NP.app +248ms
  electron-osx-sign Signing... test-1.2.0.app/Contents/Frameworks/test-1.2.0 Helper.app/Contents/MacOS/test-1.2.0 Helper +236ms
  electron-osx-sign Signing... test-1.2.0.app/Contents/Frameworks/test-1.2.0 Helper.app +290ms
  electron-osx-sign Signing... test-1.2.0.app +257ms
  electron-osx-sign Verifying sign... +2ms
Application signed: test-1.2.0.app

@sethlu thank you ! :)

I added

<key>com.apple.security.network.client</key>
<true/>

And I have a new message from Apple after the submission with Application Loader:

Dear developer,

We have discovered one or more issues with your recent delivery for "My App". To process your delivery, the following issues must be corrected:

Deprecated API Usage - Apple no longer accepts submissions of apps that use QuickTime or QTKit APIs.

Once these issues have been corrected, you can then redeliver the corrected binary.

Regards,

The App Store team

My app doesn't use QuickTime lol!!

@jechazelle No worries. I guess that's the conflict with non-MAS build. Check https://github.com/electron/electron/issues/5749; I think our issue from message received could be resolved with a proper packing with MAS build.

@sethlu I tried to add --platform="mas"

electron-osx-sign "./dist/osx/My App.app" --identity="3rd Party Mac Developer Application: Jeremie Chazelle (XXXXXXXXXX)" --entitlements="./default_mas_entitlements" --entitlements-inherit="./default_mas_inherit_entitlements" --platform="mas"
electron-osx-flat "./dist/osx/My App.app" --identity="3rd Party Mac Developer Installer: Jeremie Chazelle (XXXXXXXXXX)" --platform="mas"

But I have the same error

@jechazelle well, the presence of Squirrel.framework doesn't get addressed with electron-osx-sign. Actually, it looks for Squirrel.framework and decides which build the Electron is.

It's the Electron build, like electron-v1.2.0-darwin-x64 and electron-v1.2.0-mas-x64, that is different, especially when shipping to MAS. The content within each is slightly different, including the many other frameworks or libs. Once we hear back from @develar, he may know how the mas version could be targeted for packing. Sorry, I've only worked directly with electron-packager.

@sethlu I use

    "electron-osx-sign": "^0.3.1",
    "electron-prebuilt": "0.36.12",

Because my app freezes if I upgrade electron-prebuilt :) ..

@sethlu How can I add

<key>com.apple.security.network.client</key>
<true/>

with electron-builder when I build the mas version ?

@jechazelle From the doc here https://github.com/electron-userland/electron-builder/wiki/Options#buildmas I think you may add the following in your package.json:

    "mas": {
      "identity": "3rd Party Mac Developer Installer: Jeremie Chazelle (XXXXXXXXX)",
      "entitlements": "path-to-my-entitlements"
    }

Fix:

  • identity is removed from the build.mas.
  • Env CSC_INSTALLER_NAME is removed.
  • You don't need to specify CSC_NAME env or build.osx.identity. Valid identity from your keychain will be automatically used.
  • CSC_NAME env or build.osx.identity is still not removed because it is required if you have several identities. But now instead of Developer ID Installer: Your Name (XXXXXXXXXX), you should specify only Your Name - appropriate certificate will be chosen automatically.

4.x will be released soon (yes, it is a breaking change).

@jechazelle with this issue having been closed, if you need extra help with code-signing any Electron products, you may either open an issue here https://github.com/electron-userland/electron-osx-sign/issues (I've just added a knowledge base label in case any general questions fall there) or shoot me an email.

@sethlu Thanks a lot for your help!! :)

I will try with the new version.

To summarize, I have:

    "electron-builder": "3.27.0",
    "electron-prebuilt": "0.36.12",

./default_mas_entitlements

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
  </dict>
</plist>

./default_mas_inherit_entitlements

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.inherit</key>
    <true/>
  </dict>
</plist>

package.json :

"build": {
    "productName": "MyApp",
    "app-bundle-id": "com.MyApp",
    "app-category-type": "public.app-category.productivity",
    "osx": {
      "title": "MyApp",
      "background": "build/background.png",
      "icon": "build/icon.icns",
      "icon-size": 128,
      "target": "mas",
      "identity": "3rd Party Mac Developer Application: Jeremie Chazelle (XXXXXXXXX)",
      "contents": [
        {
          "x": 355,
          "y": 125,
          "type": "link",
          "path": "/Applications"
        },
        {
          "x": 155,
          "y": 125,
          "type": "file"
        }
      ]
    },
    "mas": {
      "identity": "3rd Party Mac Developer Installer: Jeremie Chazelle (XXXXXXXXX)",
      "entitlements": "./default_mas_entitlements",
      "entitlementsInherit": "./default_mas_inherit_entitlements"
    }
  }

And I added this on iTC:
[screenshot: capture d ecran 2016-05-30 a 21 44 12]

Thank you again !!! @sethlu @develar @mcfedr 👍
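A pre-signing check for the two entitlements files posted in the comment above, as an added example that is not part of the thread or of electron-builder's code. `lint_entitlements` and `make_plist` are hypothetical names, and the rule that a helper's inherit file may carry only the app-sandbox and inherit sandbox keys comes from Apple's App Sandbox inheritance documentation, not from this page.

```python
import plistlib

SANDBOX = "com.apple.security.app-sandbox"
INHERIT = "com.apple.security.inherit"

def make_plist(*keys):
    """Constructed sample input: an XML plist with each listed key set to <true/>."""
    return plistlib.dumps({key: True for key in keys})

def lint_entitlements(parent_xml, inherit_xml):
    """Return a list of problems in a parent/inherit entitlements pair (empty if none)."""
    try:
        parent = plistlib.loads(parent_xml)
        child = plistlib.loads(inherit_xml)
    except Exception as exc:  # malformed XML or not a property list
        return ["unparseable plist: %s" % exc]
    if not isinstance(parent, dict) or not isinstance(child, dict):
        return ["top-level plist element must be a <dict>"]
    problems = []
    # The main app must opt in to the sandbox itself, not inherit it.
    if parent.get(SANDBOX) is not True:
        problems.append("parent: app-sandbox must be true")
    if INHERIT in parent:
        problems.append("parent: inherit belongs only in the helper file")
    # Helpers need both keys set to true.
    for key in (SANDBOX, INHERIT):
        if child.get(key) is not True:
            problems.append("inherit: %s must be true" % key)
    # Assumption (Apple docs): a child may carry no other App Sandbox keys.
    extra = sorted(k for k in child
                   if k.startswith("com.apple.security.")
                   and k not in (SANDBOX, INHERIT))
    if extra:
        problems.append("inherit: extra sandbox keys: " + ", ".join(extra))
    return problems

# Same keys as the pair posted in the comment above (rebuilt here, not copied byte for byte).
PAGE_PARENT = make_plist(SANDBOX, "com.apple.security.network.client")
PAGE_INHERIT = make_plist(SANDBOX, INHERIT)

if __name__ == "__main__":
    print(lint_entitlements(PAGE_PARENT, PAGE_INHERIT) or "ok")
```
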

@develar @sethlu

with the new version, I must declare :

"electron-builder": "4.1.0",

package.json

"build": {
    "productName": "MyApp",
    "app-bundle-id": "com.MyApp",
    "app-category-type": "public.app-category.productivity",
    "osx": {
      "title": "MyApp",
      "background": "build/background.png",
      "icon": "build/icon.icns",
      "icon-size": 128,
      "target": "mas",
      "identity": "Jeremie Chazelle",
      "contents": [
        {
          "x": 355,
          "y": 125,
          "type": "link",
          "path": "/Applications"
        },
        {
          "x": 155,
          "y": 125,
          "type": "file"
        }
      ]
    },
    "mas": {
      "entitlements": "./default_mas_entitlements",
      "entitlementsInherit": "./default_mas_inherit_entitlements"
    }
  }

Is it correct?

@jechazelle Please wait several hours - 4.2 should be out soon (well, I am trying to release second day :(

BTW - please consider to not specify entitlements explicitly - see https://github.com/electron-userland/electron-builder/wiki/Options#buildmas,

  • build/mas.inherit.entitlements will be used if exists
  • build/mas.entitlements will be used if exists

And yes, in the new 4 version you don't need to specify identity in the mas - appropriate identity will be found automatically.

@develar Awesome Release !!

@develar electron-builder 4.2.0 will run with electron-prebuilt 1.0.2, because with 0.36.12 it runs, but my app freezes if I upgrade electron-prebuilt ?

@develar Would you mind having a check on how the default entitlements here are implemented? I've renamed the entitlements file so they match the Apple docs better. I could update the links in wiki but anything that needs updating within this module may have to be updated as well.

@sethlu Yep, thanks, we must change according to your conventions. https://github.com/electron-userland/electron-builder/blob/master/src/osxPackager.ts#L147 It is not an error currently, because we set options only and only if there is explicit user setting, i.e. we don't repeat default file names. But we should follow your convention. I will do it - since in any case 4 is a major release.

@develar Thanks for following. I did this because editing the .entitlements with Xcode has some interesting and unexpected behaviors...
Wiki here already updated: https://github.com/electron-userland/electron-builder/wiki/Options

@develar Have you updated any docs with entitlements from .entitlements to .plist yet? I'm reaching some inconsistencies from Apple docs on the entitlements file extensions. However, they are property list files anyway.

@sethlu Docs and implementation are fixed, thanks.
