Electron-builder: App crash once sandbox set to true, once set false App is not crashing but Apple rejects build because of sandbox false.

Created on 26 May 2020 · 41 Comments · Source: electron-userland/electron-builder

  • electron-builder: ^22.6.1:

  • electron: ^8.2.5:

  • Target: mas:



I am really helpless. Once I set com.apple.security.app-sandbox to true, the app crashes on load, and once I submitted it to the Apple store they rejected it with the reason that the app is crashing on load.
But once I set com.apple.security.app-sandbox to false, the app does not crash, but Apple rejects the build with this error:
ITMS-90296: App sandbox not enabled - The following executables must include the "com.apple.security.app-sandbox" entitlement with a Boolean value of true in the entitlements property list:

I am just waiting for some Electron HERO to rescue me from this issue.

Here are details of plist files.

entitlements.mas.plist

```
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.application-groups</key>
    <array>
      <string>GROUPID_AND_PACKAGE_ID</string>
    </array>
    <key>com.apple.security.network.client</key>
    <true/>
    <key>com.apple.security.network.server</key>
    <true/>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
    <key>com.apple.security.files.user-selected.read-only</key>
    <true/>
    <key>com.apple.security.files.user-selected.read-write</key>
    <true/>
  </dict>
</plist>
```

entitlements.mas.inherit.plist

```
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.inherit</key>
    <true/>
  </dict>
</plist>
```

package.json

```
"mac": {
  "category": "public.app-category.productivity",
  "target": "mas",
  "provisioningProfile": "dist/provisionprofile",
  "electronLanguages": [
    "en"
  ]
},
"mas": {
  "entitlements": "dist/entitlements.mas.plist",
  "entitlementsInherit": "dist/entitlements.mas.inherit.plist"
},
```

All 41 comments

Are you sure that this is correct path for provisioning profile?

"provisioningProfile": "dist/provisionprofile"

Yes, this is the correct path, and I have added the electron debugger and I can see the details in the logs. It is properly signing with this profile.

are you able to run build when your target is mas-dev?

@AleshaOleg I have also signed manually but same issue.

```
#!/bin/bash

# Name of your app.
APP="sss"
# The path of your app to sign.
APP_PATH="APP.app"
# The path to the location you want to put the signed package.
RESULT_PATH="$APP.pkg"
# The name of certificates you requested.
APP_KEY="3rd Party Mac Developer Application: sss, Inc. (ddd)"
INSTALLER_KEY="3rd Party Mac Developer Installer: sss, Inc. (sss)"
# The path of your plist files.
CHILD_PLIST="child.plist"
PARENT_PLIST="parent.plist"
LOGINHELPER_PLIST="loginhelper.plist"

FRAMEWORKS_PATH="$APP_PATH/Contents/Frameworks"

# https://github.com/electron/electron-osx-sign/issues/223#issuecomment-611070794
plutil -convert xml1 "$APP_PATH/Contents/Info.plist"
plutil -convert xml1 "$APP_PATH/Contents/Library/LoginItems/$APP Login Helper.app/Contents/Info.plist"
plutil -convert xml1 "$FRAMEWORKS_PATH/$APP Helper.app/Contents/Info.plist"

codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/Electron Framework.framework/Versions/A/Electron Framework"
codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/Electron Framework.framework/Versions/A/Libraries/libffmpeg.dylib"
codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/Electron Framework.framework/Versions/A/Libraries/libnode.dylib"
codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/Electron Framework.framework"
codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/Mantle.framework"
codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/ReactiveCocoa.framework"
codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/Squirrel.framework"
codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/$APP Helper.app/Contents/MacOS/$APP Helper"
codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/$APP Helper EH.app/"
codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/$APP Helper NP.app/"
codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/$APP Helper (GPU).app/"
codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/$APP Helper (Plugin).app/"
codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/$APP Helper (Renderer).app/"
codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/$APP Helper.app/"
codesign -s "$APP_KEY" -f --entitlements "$LOGINHELPER_PLIST" "$APP_PATH/Contents/Library/LoginItems/$APP Login Helper.app/Contents/MacOS/$APP Login Helper"
codesign -s "$APP_KEY" -f --entitlements "$LOGINHELPER_PLIST" "$APP_PATH/Contents/Library/LoginItems/$APP Login Helper.app/"
codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$APP_PATH/Contents/MacOS/$APP"
codesign -s "$APP_KEY" -f --entitlements "$PARENT_PLIST" "$APP_PATH"

productbuild --component "$APP_PATH" /Applications --sign "$INSTALLER_KEY" "$RESULT_PATH"
```

you don't need this script if you're using 22.6.1

@AleshaOleg are you able to submit build to apple store?

let me try with this

yes, here is my project - https://github.com/ubergrape/grape-electron

@AleshaOleg thanks for sharing.
I am using "afterSign": "electron-builder-notarize" instead of this:
https://github.com/ubergrape/grape-electron/blob/ee163a01d0a2f031e5ded30e34cdf5969e340ae3/package.json#L39

But again, this is for dmg notarization; we don't need to notarize the pkg, correct?

Can you please share your plist files?

@AleshaOleg can you please also share steps to create AppStore_Distribution.provisionprofile ?

ah, I missed that you successfully submitted app to the app store, I thought you're receiving error while trying to upload app with Transporter. If you passed Transporter uploading, your signatures are fine.

Most likely your problem is that you're using app.requestSingleInstanceLock() in your app.

It's not working for MAS builds. Please check this issue - https://github.com/electron/electron/issues/15958

You can do it this way - https://github.com/ubergrape/grape-electron/blob/master/src/index.js#L77

@AleshaOleg I think you are absolutely right, let me check for app.requestSingleInstanceLock() and I will get back to you, thanks for the quick help <3

@AleshaOleg can you please confirm above plist files are correct?

@AleshaOleg I have updated the code to skip app.requestSingleInstanceLock() for mas, but still the same error:
```
Killed: 9
logout
Saving session...
...copying shared history...
...saving history...truncating history files...
...completed.

[Process completed]
```

The above error is shown once I open the app through /dist-app/mas/MyApp.app/Contents/MacOS/MyApp

You're building mas build. mas build only for the app store. Use mas-dev to test your mas build locally.

@AleshaOleg I have created mas-dev but i am facing the same error, without sandbox false app is crashing. if i set sandbox true app is working without any crash.

@abettadapur please follow these steps https://github.com/electron-userland/electron-builder/issues/4553#issuecomment-623451338 and sign a "hello world" application. In this way, we will determine whether the problem is in code signing or in the app code. You can use electron 8.2.5 and electron-builder 22.6.1, simply ignore the steps about downgrading to electron@5 and [email protected]. If your signatures are correct you'll see the app. Don't forget to build with mas-dev and set hardenedRuntime and gatekeeperAssess to false. Actually you can try to set these values for your app and try to sign with them, because I don't see those values in your build config.

Did you mean @ahmadwaliesipick ?

@abettadapur I'm so sorry. yes. cc @ahmadwaliesipick

sure @AleshaOleg let me try.

@AleshaOleg btw i have created mas-dev build the app was working fine. But once i created mas build with sandbox true app crashed.

@ahmadwaliesipick that is totally fine, because mas shouldn't work locally. If you just built your app with mas-dev and can successfully run it in mas-dev, you can apply mas to app store.

@AleshaOleg Yes i have submitted build to Apple store and waiting for review.

@AleshaOleg Apple has rejected build :-(
here is the reason
We discovered one or more bugs in your app when reviewed on Mac running macOS 10.15.4.
Specifically, an error message displayed upon launch of the app.

i cannot test mas build at my local machine as it is always crashing on load. Do you have any suggestion on this?

No sorry, have no idea what's wrong here.

@AleshaOleg when you create mas build it is working for you at your local machine?

No, mas build shouldn't work locally and don't work for me. Only mas-dev working locally

Are you sure you need com.apple.security.cs.disable-library-validation in plist?

hello @ahmadwaliesipick, did you resolve the error?

Yes @AleshaOleg i did but still same.

not yet.

I got the always crashing on load, but fixed by adding a provisioning profile that included my local machine.

I should mention -- the provisioning profile for masDev must be different than the one for mas and submission to the store

No, they shouldn't. mas-dev should use everything same as normal mas build using, to debug app like under mac store env. If provision profiles are different, why we need mas-dev then?

run npm i @replace5/app-builder-bin and replace node_modules/app-builder-bin files with the package @replace5/app-builder-bin files

Is this still relevant? If so, what is blocking it? Is there anything you can do to help move it forward?

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

Up

@stevenroussey-privicy can you please explain more? i am still facing this issue.

@replace5 i am not sure what you want to explain.

When you are developing locally, you use a different signing cert. You need to do the same for the profile.

electron-builder.yml:
```
...
mas:
  type: distribution
  provisioningProfile: ./resources/embedded.provisionprofile
  hardenedRuntime: false
  entitlements: ./resources/entitlements.mas.plist
  entitlementsInherit: ./resources/entitlements.mas.inherit.plist
masDev:
  type: development
  provisioningProfile: ./resources/MASDevelopment.provisionprofile
...
```

Notice the type and distribution lines. masDev will override mas, so you only need to put in what changes.
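
An added example, not part of the original thread and not electron-builder code: a pre-submission check of the two entitlements files discussed above. It assumes Apple's sandbox-inheritance rule that helper entitlements contain exactly `com.apple.security.app-sandbox` and `com.apple.security.inherit`; the function names and the trimmed sample plists are constructed for illustration.

```python
import plistlib

SANDBOX = "com.apple.security.app-sandbox"
INHERIT = "com.apple.security.inherit"

# Constructed sample input: the two entitlements files from the issue, trimmed.
PARENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.app-sandbox</key><true/>
  <key>com.apple.security.network.client</key><true/>
  <key>com.apple.security.cs.disable-library-validation</key><true/>
</dict></plist>"""
CHILD = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.app-sandbox</key><true/>
  <key>com.apple.security.inherit</key><true/>
</dict></plist>"""


def lint_parent(data):
    """Findings for the main app's entitlements (mas.entitlements)."""
    ent = plistlib.loads(data)
    findings = []
    if ent.get(SANDBOX) is not True:
        findings.append("ITMS-90296: app-sandbox is missing or not true")
    # com.apple.security.cs.* are hardened-runtime entitlements; the thread's
    # mas config sets hardenedRuntime: false and a commenter questions this key.
    for key in sorted(k for k in ent if k.startswith("com.apple.security.cs.")):
        findings.append(f"review: hardened-runtime entitlement {key}")
    return findings


def lint_child(data):
    """Findings for helper entitlements (mas.entitlementsInherit)."""
    ent = plistlib.loads(data)
    findings = []
    for key in (SANDBOX, INHERIT):
        if ent.get(key) is not True:
            findings.append(f"{key} is missing or not true")
    # Assumption stated in the lead-in: any key beyond these two is an error.
    for key in sorted(set(ent) - {SANDBOX, INHERIT}):
        findings.append(f"unexpected key in inherited entitlements: {key}")
    return findings


if __name__ == "__main__":
    for name, result in (("parent", lint_parent(PARENT)), ("child", lint_child(CHILD))):
        print(name, result or "ok")
```

The same functions accept the bytes of the real files, for example the output of `open(path, "rb").read()` on the plists referenced by `entitlements` and `entitlementsInherit`.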
