With the recent release of macOS Mojave, Apple gives us the option to upload a macOS app to be notarized, so it can be distributed outside the App Store without any problems with Gatekeeper. I tried to figure out how to enable the hardened runtime for an Electron app, but without success; the first option I thought of was entitlements, but that isn't it, so having an option to enable the hardened runtime would be a great feature for macOS distribution outside the App Store.
I'm a web/mobile developer and don't have full knowledge of how Electron is built or whether it's possible to enable this feature, so I want to be humble, and if this option is impossible to implement or crazy, my apologies in advance.
Refs:
Solution we'd like
If possible, have an option in the build configuration to enable the hardened runtime for macOS applications.
Alternatives considered
None at this time, but if we could have something similar to react-native, nativescript or cordova, where we have the option to access the native projects and tweak them if necessary, that would be great.
Additional context
The hardened runtime can only be enabled with Xcode, because it is a flag in the project.pbxproj file and is only available through native apps with Xcode, so the xcodebuild tool enables this flag when it creates the archive and signs the app. I don't know exactly how Electron works, but I think it has something like a template with a compiled app, and electron-builder, for example, only replaces and bundles the content inside.
Enable hardened runtime (macOS)
I got a dmg generated with electron-builder to work by signing the package with --options runtime!
You can try it by changing electron-osx-sign; somewhere here add a line like:
args.push('--options', 'runtime')
I spotted that after searching for the error the notarization service was giving me, "The executable was not signed with the CS_RUNTIME option.", and finding this Cyberduck ticket and their fix.
Then to sign the app, run:
xcrun altool --notarize-app -f yourapp.dmg --primary-bundle-id appId -u [email protected] -p yourpassword
Take appId from what you defined in the build section of your package.json.
When it's done uploading it will output a UUID, run this command to check when it's done notarizing (it will also send you an email):
xcrun altool --notarization-info UUID -u [email protected] -p yourpassword
If it succeeded, you can then staple the package with:
xcrun stapler staple yourapp.dmg
The issue now is that the app crashes when signed like that. Here's the dump in case someone finds it handy.
I wonder if it works for anyone else? Will try on a dummy app when I get a chance.
Same issue for our app.
Dump here
Looks like initialisation of the JS env is crashing.
Thanks @dariocravero, awesome, I will try your suggestions. For now it is not a priority for our app to be notarized, but it will still be necessary in the future; when I have results, I will share them here in case they help others.
Regards!
It looks like Hardened Runtime is now supported (https://github.com/electron-userland/electron-osx-sign/pull/176). I haven't tried it in our app yet, but from looking at https://github.com/xamarin/xamarin-macios/issues/4288 I think the com.apple.security.cs.allow-jit entitlement needs to be added in order for the JavaScript to work. If I can get our app to work I'll make a PR to electron-osx-sign and add support for the hardenedRuntime option in electron-builder.
I'm having a problem with my app where, when hardenedRuntime is enabled, the app crashes immediately upon launch without any visible error messages. If I launch from the command line I see this:
#
# Fatal error in , line 0
# Check failed: SetPermissions(area_start, area_size, PageAllocator::kReadWriteExecute).
#
#
#
#FailureMessage Object: 0x7ffee7d1f740
Illegal instruction: 4
@noahott it looks like it failed to change the permissions on a section of memory to RWX (read/write/execute) -- as @rajivshah3 suggests, you need to enable the "allow-jit" entitlement.
Not sure how helpful it is, but there is an electron-notarize module in electron-userland. It would be great if electron-builder could automatically notarize macOS apps during packaging!
@rajivshah3, regarding your last comment on December 1st 2018, have you added hardenedRuntime support to electron-builder? The documentation for electron-osx-sign has a "TODO" statement for electron-builder support.
Please let me know. thx
Just realized this has been implemented in v20.41.0. Thanks @loremattei!
https://github.com/electron-userland/electron-builder/commit/7d5f952
https://kilianvalkhof.com/2019/electron/notarizing-your-electron-application/
21.0.10 (not yet released):
I am fighting with Apple support to restore my account (bloody useless security questions), but I hope next week there will be first-class support for notarization.
@noahott it looks like it failed to change the permissions on a section of memory to RWX (read/write/execute) -- as @rajivshah3 suggests, you need to enable the "allow-jit" entitlement.
I've added the allow-jit entitlement, along with a few others, and am still getting the same error on launch:
com.apple.security.cs.allow-jit
com.apple.security.cs.allow-unsigned-executable-memory
com.apple.security.cs.disable-library-validation
com.apple.security.cs.disable-executable-page-protection
Anything else you can think to try for this?
@noahott Hi, I am experiencing the same issue but with the mas-dev target. I discovered that the entitlements are returned as a binary plist, not as an XML plist.
The entitlements can be viewed with the following command: codesign -d --entitlements :- /Path/to/my.app
Might this be the issue? I suspect Electron expects a plist instead of a bplist when setting the permissions.
Apple rejected our app because of a crash and I think it's because of this issue. I just discovered the mas-dev target while debugging this issue.
Again, here is the log I get:
#
# Fatal error in , line 0
# Check failed: SetPermissions(area_start, area_size, PageAllocator::kReadWriteExecute).
#
#
#
#FailureMessage Object: 0x7ffee4cfc5d0
Illegal instruction: 4
There is no issue with the dmg version of the app; it is successfully notarized and signed. The mas target isn't notarized, as it is not required. I just tried to also notarize the mas target, but still no success.
Any input on this issue?
@noahott I just checked the "Console" application (the one used for viewing logs).
I discovered the following log entry (after filtering for the application name):
failed to parse entitlements for MyApp[74469]: OSUnserializeXML: syntax error near line 1
Do you get the same log message?
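As an added example (not code from this thread, from electron-builder or from electron-osx-sign), here is a POSIX shell script that checks the two things the comments above turn out to hinge on: that the bundle was signed with --options runtime (the "(runtime)" flag in codesign -dvv output, which is what the notarization service's CS_RUNTIME error refers to) and that com.apple.security.cs.allow-jit is among the signed entitlements (the one V8 needs, given the SetPermissions ... kReadWriteExecute crash). It also flags the binary-plist case @idoodler describes, which a text parser cannot read. The codesign output and entitlements embedded in it are constructed samples, and the bundle identifier, team ID and paths are placeholders; on a Mac, feed it the real output as shown at the bottom. One caveat on the notarization commands earlier in the thread: Apple has since retired altool's --notarize-app and --notarization-info in favour of xcrun notarytool, while xcrun stapler staple is unchanged.

```shell
#!/bin/sh
# Added example: check a signed .app for hardened runtime + allow-jit.
# Real inputs on macOS:
#   codesign -dvv /path/to/My.app 2>&1           (flags go to stderr)
#   codesign -d --entitlements :- /path/to/My.app (entitlements to stdout)

# Constructed sample of `codesign -dvv` output for a bundle signed with
# --options runtime. Identifier, team ID and sizes are placeholders.
SAMPLE_CODESIGN_INFO='Executable=/Applications/My.app/Contents/MacOS/My
Identifier=com.example.my
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+5 location=embedded
Signature size=8980
Authority=Developer ID Application: Example Corp (TEAMID1234)'

# Constructed sample for the same bundle signed WITHOUT --options runtime.
SAMPLE_CODESIGN_INFO_NORUNTIME='Executable=/Applications/My.app/Contents/MacOS/My
Identifier=com.example.my
CodeDirectory v=20500 size=1234 flags=0x0(none) hashes=30+5 location=embedded'

# Constructed XML entitlements, as `codesign -d --entitlements :-` prints them.
SAMPLE_ENTITLEMENTS='<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>com.apple.security.cs.allow-jit</key>
  <true/>
  <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
  <true/>
</dict>
</plist>'

# has_runtime_flag <codesign -dvv text>: 0 if the CodeDirectory flags include "runtime".
has_runtime_flag() {
  printf '%s\n' "$1" | grep -q 'flags=0x[0-9a-fA-F]*(.*runtime.*)'
}

# entitlements_look_binary <data>: 0 if the data is a binary plist ("bplist00" magic)
# rather than XML; the awk parser below cannot read that form.
entitlements_look_binary() {
  case "$1" in
    bplist00*) return 0 ;;
    *)         return 1 ;;
  esac
}

# entitlement_enabled <xml entitlements> <key>: 0 if <key> is followed by <true/>.
entitlement_enabled() {
  printf '%s\n' "$1" | awk -v k="$2" '
    $0 ~ "<key>" k "</key>" { found = 1; next }
    found && !done          { ok = ($0 ~ /<true\/>/); done = 1 }
    END                     { exit (ok ? 0 : 1) }'
}

# check_signing <codesign -dvv text> <entitlements>: prints a verdict per item,
# returns 0 only when hardened runtime and allow-jit are both present.
check_signing() {
  info=$1; ents=$2; rc=0
  if has_runtime_flag "$info"; then
    echo "hardened runtime: enabled"
  else
    echo "hardened runtime: MISSING (sign with --options runtime)"; rc=1
  fi
  if entitlements_look_binary "$ents"; then
    echo "entitlements: binary plist, cannot inspect (convert with plutil -convert xml1)"; rc=1
  elif entitlement_enabled "$ents" com.apple.security.cs.allow-jit; then
    echo "allow-jit: present"
  else
    echo "allow-jit: MISSING (V8 cannot map RWX pages without it)"; rc=1
  fi
  return $rc
}

# Demo on the constructed samples; on a Mac replace the arguments with
#   "$(codesign -dvv My.app 2>&1)" "$(codesign -d --entitlements :- My.app 2>/dev/null)"
check_signing "$SAMPLE_CODESIGN_INFO" "$SAMPLE_ENTITLEMENTS"
check_signing "$SAMPLE_CODESIGN_INFO_NORUNTIME" "$SAMPLE_ENTITLEMENTS" \
  || echo "(expected: the no-runtime sample fails the check)"
```

The entitlement check is deliberately a whole-key match followed by a literal <true/> on the next line, which is how codesign prints the dictionary; a key that is present but set to <false/> is reported as missing, which is the answer you want for a hardened-runtime review.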
@idoodler I'm not finding any console log messages with "OSUnserializeXML"
I added "entitlementsInherit": "entitlements.darwin.plist" and I no longer get the SetPermissions error, but my app still crashes with a different error now:
cwd = process.cwd();
^
Error: ENOENT: no such file or directory, uv_cwd
@noahott thx for your reply. I have already set the property entitlementsInherit. The app in question is already deployed in the App Store, but I am unable to push an update because of this odd behaviour. I opened a TSI at Apple. I think it's a problem with the codesign tool from Apple.
Just a follow-up on my 'bplist' issue.
We abandoned the macOS application for quite some time; after a platform upgrade session (node.js, electron and its dependencies) everything seems to work again. So no 'bplist', but a proper 'plist'.