Electron-builder: Executables within app.asar.unpacked are not being signed correctly in OSX 10.14.5
- Version: 20.43.0
Electron Updater Version: 4.0.6
Target: Mac OSX 10.14.5
I have implemented the fix mentioned in issue #3828, also outlined here.
However, this isn't working for other binaries found within app.asar.unpacked. Before OSX 10.14.15, I had included a python binary which I had packed via pyinstaller, and this was then automatically signed by Electron Builder.
The error output states "Code signature found in _[FILE_PATH]__ not valid for use in process using Library Validation: mapped file has no cdhash, completely unsigned? Code has to be at least ad-hoc signed."
I can see in the Contents folder of the app, that the CodeResources file contains keys for all the python binaries, but they don't seem to be recognised.
I have tried signing the files manually with codesign, which allowed the app to work on my mac, but when trying to open the app on another mac, it would get an error, as the package had been amended after being signed.
dboakes
All 7 comments
I had the same problem, that was fixed by adding com.apple.security.cs.disable-library-validation to plist file.
My electron builder configuration :
"mac": {
"hardenedRuntime": true,
"gatekeeperAssess": false,
"entitlements": "./mac_build_files/entitlements.mac.inherit.plist",
"entitlementsInherit": "./mac_build_files/entitlements.mac.inherit.plist",
"target": ["dmg"]
},
My entitlements.mac.inherit.plist :
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.cs.allow-jit</key>
<true/>
<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
<true/>
<key>com.apple.security.cs.allow-dyld-environment-variables</key>
<true/>
<key>com.apple.security.cs.disable-library-validation</key>
<true/>
</dict>
</plist>
yoannsark
on 13 Jun 2019
Only just seen your comment. Updating the plist with your suggestions worked perfectly! Amazing cheers mate.
dboakes
on 24 Jun 2019
I had the same issue (with native node extension Keytar).
I don't know what are the pros/cons of adding too much, so I tried to add the minimum required to get it working, and this is what I ended up with:
<dict>
<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
<true/>
<key>com.apple.security.cs.disable-library-validation</key>
<true/>
</dict>
julienma
on 15 Jul 2019
I can confirm the same as @julienma, I didn't need the com.apple.security.cs.allow-dyld-environment-variables entitlement to fix this. Not sure if there are cases where it is needed, @yoannsark does your case work if you remove it? If so, might be worth removing it from the defaults added in 519bb47
jwheare
on 18 Jul 2019
Yes, com.apple.security.cs.allow-dyld-environment-variables is not necessary
The fix is just com.apple.security.cs.disable-library-validation
yoannsark
on 18 Jul 2019
@Kilian you might need to update your article to include this, I was having an issue with entitlements following the guide (this is not to say that your guide is unappreciated)
dannypaz
on 4 Sep 2019
Adding the entitlement worked for me as well. Thanks everyone!
@Kilian I also came across this issue after following your excellent guide. Thanks for providing clear instructions on how to sign and notarize for Mac OS! (Weird that something like this is still not included in the official documentation.) Just wanted to remind you of @dannypaz's request - I think it would really prevent a lot of wasted time.
LackoDan
on 1 Jul 2020
Related issues
Sambego
路
64Comments
vanmxpx
路
58Comments
ghost
路
51Comments
lingxf2002
路
48Comments
mobitar
路
53Comments
Most helpful comment
I had the same problem, that was fixed by adding
com.apple.security.cs.disable-library-validationto plist file.My electron builder configuration :
My entitlements.mac.inherit.plist :