Electron-builder: Vendored version of electron-osx-builder is old and causes notarization to fail

Created on 31 Jul 2020 · 5 comments · Source: electron-userland/electron-builder

  • Version: 22.8.0
  • Electron Version: 6.1.5
  • Electron Type (current, beta, nightly): current
  • electron-updater: 4.1.2
  • Target: MacOS

This issue has been mentioned in #4934 and #4656, but the gist is that electron-builder isn't signing certain binary files, which causes notarization to fail with errors like those below. This issue was fixed in electron/electron-osx-sign#169, but electron-builder vendors a copy of electron-osx-sign here. Updating the vendored version of electron-osx-sign promises to resolve this issue.

"issues": [
    {
      "severity": "error",
      "code": null,
      "path": "MyApp.zip/MyApp.app/Contents/chrome-chromedriver/mac/node_modules/puppeteer/.local-chromium/chrome/Chromium.app/Contents/MacOS/Chromium",
      "message": "The binary is not signed.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "MyApp.zip/MyApp.app/Contents/chrome-chromedriver/mac/node_modules/puppeteer/.local-chromium/chrome/Chromium.app/Contents/MacOS/Chromium",
      "message": "The signature does not include a secure timestamp.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "MyApp.zip/MyApp.app/Contents/chrome-chromedriver/mac/node_modules/puppeteer/.local-chromium/chrome/Chromium.app/Contents/MacOS/Chromium",
      "message": "The executable does not have the hardened runtime enabled.",
      "docUrl": null,
      "architecture": "x86_64"
    },
...
Labels: backlog

All 5 comments

Thankfully, I was able to develop a workaround for the issue:

  1. Add electron-osx-sign as a dev dependency: yarn add --dev electron-osx-sign
  2. Write an afterSign script that imports electron-osx-sign and invokes signAsync: https://github.com/electron/electron-osx-sign#from-the-api. This technically means that you'll be signing everything twice (once with the broken version of electron-osx-sign that is bundled with electron-builder and once with the newer version you installed previously), but it did work for my case.

Here's what my afterSign.js script looks like:

const electronBuilderConfig = require('../electron-builder.json');
const signAsync = require('electron-osx-sign').signAsync;

// electron-builder loads the afterSign hook as a CommonJS module and calls its default export.
exports.default = async function(context) {
    const { electronPlatformName, appOutDir } = context;
    if (electronPlatformName !== 'darwin') {
        console.log('Skipping afterSign script for non-darwin target: ' + electronPlatformName);
        return;
    }
    if (electronBuilderConfig.mac.identity === null) {
        console.log('Skipping afterSign script because identity explicitly set to null');
        return;
    }
    const appName = context.packager.appInfo.productFilename;
    await signAgainFunction(appOutDir, appName);
}

// electron-builder vendors its own private version of electron-osx-sign, but unfortunately it is
// broken (https://github.com/electron-userland/electron-builder/issues/5190).  To get around this,
// we install electron-osx-sign ourselves and invoke it in electron-builder's afterSign callback:
// https://www.electron.build/configuration/configuration#aftersign.
async function signAgainFunction(appOutDir, appName) {
    // Reuse the same identity, entitlements and hardened-runtime settings electron-builder used.
    const identity = 'Developer ID Application: ' + electronBuilderConfig.mac.identity;
    const entitlements = electronBuilderConfig.mac.entitlements;
    const entitlementsInherit = electronBuilderConfig.mac.entitlementsInherit;
    const hardenedRuntime = electronBuilderConfig.mac.hardenedRuntime;
    const gatekeeperAssess = electronBuilderConfig.mac.gatekeeperAssess;
    await signAsync({
        app: `${appOutDir}/${appName}.app`,
        entitlements,
        hardenedRuntime,
        identity,
        "entitlements-inherit": entitlementsInherit,
        "gatekeeper-assess": gatekeeperAssess
    }).then(() => {
        console.log("Second application of electron-osx-sign succeeded!");
    }).catch((err) => {
        console.error("Second application of electron-osx-sign failed");
        console.error(err);
    });
}

Popular guides for notarizing electron applications instruct you to create an afterSign.js file anyway, so this workaround isn't a terrible inconvenience.

What are the changes preventing us from replacing the vendored version of electron-osx-sign with the latest official version?

Alternatively can we upstream https://github.com/electron/electron-osx-sign/issues/226 into the vendored version?

Dare I ask, why vendor electron-osx-sign at all?

Is this still relevant? If so, what is blocking it? Is there anything you can do to help move it forward?

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
