The documentation about Mac-App-Store-(MAS)-Submission-Guideline(https://github.com/nwjs/nw.js/wiki/Mac-App-Store-(MAS)-Submission-Guideline) seems out of date.
I use the web2exe tool to package my app. I have a totally different structure than the one described here: https://github.com/nwjs/nw.js/wiki/MAS:-Signing-the-app

I don't have these files:
YourApp.app/Contents/Frameworks/nwjs Helper EH.app
YourApp.app/Contents/Frameworks/nwjs Helper NP.app
After uploading the program with Application Loader I got:

Manual packaging has a different structure and files too. Those who have submitted an app to the App Store, please share your experience.
@alexeyst @johansatge help please:)
Also, using this tool http://docs.nwjs.io/en/latest/For%20Users/Advanced/Support%20for%20Mac%20App%20Store/ with the package already generated by web2exe does not work either.

And even the .app file does not work.
+1 Can't sign mac app.
I tried nw-builder and had the same problem too. After using MAS python script, app shut down immediately
@Arti3DPlayer Yes, I have same issue, my app shut down immediately.
@Julyyq do you have Frameworks folder inside .app ?
I find bad method.
Why not use (g)objcopy and gcc / ld than it will embed into single application. If you know objdump into
nw_binary_text
nw_binary_data
nw_binary_size
and ....
or
nw_start
nw_end
nw_size
Embedding into assembly and method
or
Other method:
Xcode embeds too
@sourceskyboxer sorry, it looks too hard for me. No one has a good tutorial on a simple app about how to publish it...
Hi! Apologies for the late response 😊
Actually I'm afraid I'm not going to be very helpful, because I have not followed the NW.js development for a long time. Here is what I can say:
0.12.3), I did not try to update my app with a more recent one (👈 does someone know if the buildbot still generates a MAS build? Or if the MAS compatibility was frozen at a specific version?)
What version are you using? Did you try to follow the guide (packaging and signing the app by hand, without using an external packager script)?
@Arti3DPlayer Thanks I understand that. It is okay... Or you can use macpack from Mono-Runtime?
@johansatge I'm using 0.22.3 now. Of course I tried to follow the guide 4 times step by step, and I guess I have problems with entitlements, because in the log monitor I see errors after running the app, but my attempts to add all keys like:
com.apple.security.network.client
didn't fix this problem.
And as I said in the question, here:
https://github.com/nwjs/nw.js/wiki/MAS%3A-Configuring-children-apps
I have a different structure after building with nw-builder or web2exe.
I created a simple "Hello world" app where codesign is not working either.
https://github.com/Arti3DPlayer/nw_sign_example
To run the project, just clone it and download nw.js to the folder nw.js_package.
You can use grunt to run commands. To build the project use:
grunt deploy_and_build --platform=osx
to sign:
grunt shell:sign_mac --platform=osx
Hi,
I have issues when trying to run your demo code, it looks like things are missing in the repository:
→ grunt deploy_and_build --platform=osx
Running "nwjs:osx64" (nwjs) task
Verifying property nwjs.osx64 exists in config...ERROR
>> Unable to process task.
Warning: Required config property "nwjs.osx64" missing. Use --force to continue.
Aborted due to warnings.
@johansatge try to pull now
Thanks, I reproduce now. (The app crashes on startup after being signed)
Also in the meanwhile, I saw on that issue that the wiki isn't updated anymore; and there is this page on the up-to-date docs that explains what I think is the "new" signing method, did you try it?
_I'll try to have a look too in the next days/weeks, if I find some time._
@johansatge yes, I tried with the python script too. But maybe I did something wrong, I tried this about a month ago. I suppose that the problem is with ParentEntitlements and ChildEntitlements.
@johansatge didn't you try yet? :( I thought nw.js is sponsored by Intel, it is not created by enthusiasts)
Hi,
@Arti3DPlayer I couldn't manage to upload my test app on the MAS by following the guide, there may be an issue with it. I guess help from a core team member will be needed.
Here is a log from when I tried to launch the signed app from the terminal:
[0730/234626.049094:WARNING:close_multiple.cc(85)] opendir: Operation not permitted
[0730/234626.061128:WARNING:close_multiple.cc(85)] opendir: Operation not permitted
[0730/234626.072005:ERROR:mach_extensions.cc(68)] bootstrap_check_in org.chromium.crashpad.child_port_handshake.749.14957.DXCSYJPBDNMGWWWH: Permission denied (1100)
[0730/234626.072527:FATAL:child_port_handshake.cc(111)] Check failed: server_port.is_valid().
0 crashpad_handler 0x000000010e9a58ec crashpad_handler + 30956
1 crashpad_handler 0x000000010e9ab813 crashpad_handler + 55315
2 crashpad_handler 0x000000010e9e91fd crashpad_handler + 307709
3 crashpad_handler 0x000000010e9a24c1 crashpad_handler + 17601
4 libdyld.dylib 0x00007fffe7dc4235 start + 1
[0730/234626.072869:ERROR:file_io.cc(89)] ReadExactly: expected 4, observed 0
[0730/234626.073808:ERROR:mach_extensions.cc(68)] bootstrap_check_in org.chromium.crashpad.child_port_handshake.747.14954.NSDUPMSBDFHPSUVJ: Permission denied (1100)
[0730/234626.073837:FATAL:child_port_handshake.cc(111)] Check failed: server_port.is_valid().
0 crashpad_handler 0x00000001063c38ec crashpad_handler + 30956
1 crashpad_handler 0x00000001063c9813 crashpad_handler + 55315
2 crashpad_handler 0x00000001064071fd crashpad_handler + 307709
3 crashpad_handler 0x00000001063c04c1 crashpad_handler + 17601
4 libdyld.dylib 0x00007fffe7dc4235 start + 1
5 ??? 0x0000000000000009 0x0 + 9
[0730/234626.074171:ERROR:file_io.cc(89)] ReadExactly: expected 4, observed 0
[745:32003:0730/234626.154216:ERROR:mach_port_broker.mm(100)] bootstrap_check_in: Permission denied (1100)
[745:32003:0730/234626.154270:ERROR:mach_broker_mac.mm(52)] Failed to initialize the MachListenerThreadDelegate
[745:775:0730/234626.154927:ERROR:process_singleton_posix.cc(1052)] Failed to bind() /var/folders/5f/2w5ss9tn6ksgwmxkl1lrqyyh0000gn/T/com.codeorangeinco.raceflight/.com.codeorangeinco.raceflight.ocm31U/SingletonSocket: Operation not permitted
[745:775:0730/234626.155357:ERROR:chrome_browser_main.cc(1578)] Failed to create a ProcessSingleton for your profile directory. This means that running multiple instances would start multiple browser processes rather than opening a new window in the existing process. Aborting now to avoid profile corruption.
[745:33795:0730/234626.158464:ERROR:browser_gpu_channel_host_factory.cc(103)] Failed to launch GPU process.
[0730/234626.312504:ERROR:mach_port_broker.mm(43)] bootstrap_look_up: Permission denied (1100)
Also I suppose maybe it is because the nw.js app has an incorrect structure:
I modified the MAS python script and added these lines:

```python
# Fragment added to the MAS signing script; glob(), system(), info(), args,
# identity and tmp_child_entitlements are defined earlier in that script.
info('Child entitlements: %s' % tmp_child_entitlements)
helperApp = glob(args.output, 'nwjs Helper.app', returnOnFound=True)
system('codesign -f --verbose -s "%s" --entitlements %s --deep "%s"' % (identity, tmp_child_entitlements, helperApp))
crashpad_handler = glob(args.output, 'crashpad_handler', returnOnFound=True)
system('codesign -f --verbose -s "%s" --entitlements %s --deep "%s"' % (identity, tmp_child_entitlements, crashpad_handler))
app_mode_loader = glob(args.output, 'app_mode_loader', returnOnFound=True)
system('codesign -f --verbose -s "%s" --entitlements %s --deep "%s"' % (identity, tmp_child_entitlements, app_mode_loader))
alertNotificationService = glob(args.output, 'AlertNotificationService', returnOnFound=True)
system('codesign -f --verbose -s "%s" --entitlements %s --deep "%s"' % (identity, tmp_child_entitlements, alertNotificationService))
framework = glob(args.output, 'nwjs Framework.framework', returnOnFound=True)
system('codesign -f --verbose -s "%s" --entitlements %s --deep "%s"' % (identity, tmp_child_entitlements, framework))
```

And it successfully passed via template loader, even though the app didn't work. But then I got a message from Apple:
To process your delivery, the following issues must be corrected:
Invalid Signature - The nested app bundle at path rf.app/Contents/Versions/60.0.3112.78/nwjs Framework.framework has following signing error(s): code object is not signed at all In architecture: x86_64 . Refer to the Code Signing and Application Sandboxing Guide at http://developer.apple.com/library/mac/#documentation/Security/Conceptual/CodeSigningGuide/AboutCS/AboutCS.html and Technical Note 2206 at https://developer.apple.com/library/mac/technotes/tn2206/_index.html for more information.
Invalid code signature - Signatures created with macOS version 10.8.5 or earlier [v1 signatures] are obsoleted and will no longer be recognized by Gatekeeper beginning with macOS version 10.9.5. To ensure your apps will run on updated versions of macOS they must be signed on macOS version 10.9 or later [v2 signatures]. Bundle with identifier 'com.codeorangeinco.raceflight.framework' does not have v2 signature. For more information, see macOS Code Signing In Depth
Invalid Signature - The executable at path rf.app/Contents/Versions/60.0.3112.78/nwjs Framework.framework/libffmpeg.dylib has following signing error(s): code object is not signed at all In architecture: x86_64 . Refer to the Code Signing and Application Sandboxing Guide at http://developer.apple.com/library/mac/#documentation/Security/Conceptual/CodeSigningGuide/AboutCS/AboutCS.html and Technical Note 2206 at https://developer.apple.com/library/mac/technotes/tn2206/_index.html for more information.
Invalid Signature - The executable at path rf.app/Contents/Versions/60.0.3112.78/nwjs Framework.framework/libnode.dylib has following signing error(s): code object is not signed at all In architecture: x86_64 . Refer to the Code Signing and Application Sandboxing Guide at http://developer.apple.com/library/mac/#documentation/Security/Conceptual/CodeSigningGuide/AboutCS/AboutCS.html and Technical Note 2206 at https://developer.apple.com/library/mac/technotes/tn2206/_index.html for more information.
Once these issues have been corrected, you can then redeliver the corrected binary.
Regards,
The App Store team
You can codesign the app without using Xcode. The following bash script allows you to do that. You need your Developer ID Application, which you can find in your Keychain Access app.
You have to change the directory after Versions to the directory that you have, depending on the version of nw.js that you are using.

```bash
identity="Developer ID Application: youridentiy... (some number)"
app="pathToYourApp.app"

# Remove the Finder custom-icon file (its name is "Icon" followed by a carriage return)
rm -f "$app/Icon"$'\r'
rm -r -f "$app/.idea"

echo "### signing libraries"
codesign --force --verify --sign "$identity" "$app/Contents/Versions/60.0.3112.113/nwjs Framework.framework/Libraries/exif.so"
codesign --force --verify --sign "$identity" "$app/Contents/Versions/60.0.3112.113/nwjs Framework.framework/libffmpeg.dylib"
codesign --force --verify --sign "$identity" "$app/Contents/Versions/60.0.3112.113/nwjs Framework.framework/libnode.dylib"

echo "### signing frameworks"
codesign --force --verify --sign "$identity" "$app/Contents/Versions/60.0.3112.113/nwjs Framework.framework/nwjs Framework"
codesign --force --verify --sign "$identity" "$app/Contents/Versions/60.0.3112.113/nwjs Framework.framework/Helpers/crashpad_handler"
codesign --force --verify --sign "$identity" "$app/Contents/Versions/60.0.3112.113/nwjs Helper.app/Contents/MacOS/nwjs Helper"
codesign --force --verify --sign "$identity" "$app/Contents/Versions/60.0.3112.113/nwjs Helper.app/"
codesign --force --verify --sign "$identity" "$app/Contents/Versions/60.0.3112.113/nwjs Framework.framework/helpers/crashpad_handler"

echo "### signing osx folder"
codesign --force --verify --sign "$identity" "$app/Contents/MacOS/nwjs"

echo "### signing app"
codesign --force --verify --sign "$identity" "$app"

echo "### verifying signature"
codesign -vv -d "$app"
```
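
An added example, not part of the comment above or of NW.js: instead of hard-coding the Chromium version directory, it derives an inside-out signing order from the bundle itself with `find -depth`, so nested code such as the `libnode.dylib` and `nwjs Framework.framework` entries named in Apple's rejection is signed before its container. The function names, the `DRY_RUN` switch, the extension rules, and the choice to pass entitlements only for the app, helper apps, XPC services and `Helpers/` executables (not for libraries or frameworks) are assumptions of this example.

```shell
#!/bin/sh
# Added example: inside-out signing plan for an NW.js style bundle.
# signing_plan prints "<entitlements>|<path>" lines, nested code first,
# the outer .app last. Nothing here depends on the Chromium version directory.

signing_plan() {
    app=${1%/}
    # find -depth lists a directory's contents before the directory itself,
    # so every nested item precedes the bundle or framework that contains it.
    find "$app" -depth \( \
            -type d \( -name '*.app' -o -name '*.framework' -o -name '*.xpc' \) \
         -o -type f \( -name '*.dylib' -o -name '*.so' -o -path '*/Helpers/*' \) \
         \) -print |
    while IFS= read -r item; do
        case "$item" in
            "$app")                   ent=parent ;;  # outer app bundle
            *.framework|*.dylib|*.so) ent=none ;;    # library code (assumption: no entitlements)
            *)                        ent=child ;;   # helper apps, XPC services, Helpers/*
        esac
        printf '%s|%s\n' "$ent" "$item"
    done
}

# sign_plan APP IDENTITY PARENT_PLIST CHILD_PLIST
# With DRY_RUN set, the codesign commands are printed instead of executed.
sign_plan() {
    app=$1 identity=$2 parent_plist=$3 child_plist=$4
    signing_plan "$app" | while IFS='|' read -r ent item; do
        case "$ent" in
            parent) set -- --entitlements "$parent_plist" ;;
            child)  set -- --entitlements "$child_plist" ;;
            *)      set -- ;;
        esac
        # No --deep: each nested item is signed explicitly, in order.
        ${DRY_RUN:+echo} codesign --force --sign "$identity" "$@" "$item" || exit 1
    done
}

# Usage: DRY_RUN=1 sh sign_plan.sh "My.app" "IDENTITY" parent.plist child.plist
if [ "$#" -eq 4 ]; then
    sign_plan "$@" || exit 1
    # After a real run, check the whole bundle, nested code included.
    [ -n "${DRY_RUN:-}" ] || codesign --verify --deep --strict --verbose=2 "$1"
fi
```

Run it with `DRY_RUN=1` first and compare the printed order against the paths listed in the Application Loader or App Store rejection message.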
what`s the newest link of The documentation about Mac-App-Store-(MAS)-Submission-Guideline(https://github.com/nwjs/nw.js/wiki/Mac-App-Store-(MAS)-Submission-Guideline) seems out of date.
Where exactly can I find build_mas.py, anyway? According to github search, such a file doesn't exist in the nw.js repo.
UPDATE: I found this post in the google group to provide some necessary context. In addition, I found the build_mas.py and accessory files here. The last version of the app to have Mac App Store support was 0.20, and we're on 0.27, so it's unclear (at least to me) what the future of signing is, or what to do in cases where native messaging is needed or where you need to also sign included native messaging applications.
NWJS Version : 0.36
Operating System : 10.14.3
This is not a bug from NWJS
Expect nwjs to run
Nwjs crashes after signing programs of packages. This is not a bug from nwjs. This is due to the new policies of Apple with Sandbox.
The Apple sandbox module expects that the right permissions be added to parents.plist to be able to run Nwjs on macOS after being code signed. This is important for those who want to submit a NWJS application to the Mac App store. I don't think Nwjs should be modified. I think that the right permissions (capabilities) should be added to parents.plist. For every error in the Mac console, there should be a solution in parents.plist.
I don't think it is an issue about which program in the package is signed, because the programs that violate a permission are always the program and the helper.
Move the default nwjs.app to a folder, sign it with codesign and your MacOS developer identity and then try to start the app. It will run and crash right away, due to sandbox. Look into the console for sandbox or nwjs in the search field.
The list of files signed below is inspired by the error returned by application loader that asked me to include Sandbox for this list of files.
I have created my script to sign the files that were displayed in an error from the Application Loader (the app that checks the app before sending it to the Mac App store). I have done it because the folder structure has changed and I think the python program can't work now.
Put this code in a myscript.sh and then from the Mac terminal, do "sh myscript.sh" I have created this script because the pathnames inside the packages changed. This package is designed to work with further versions of chromium. The chromium version is now included in the pathname under /contents/versions/.
You can add a codesign to the script by adding a line like:

```bash
codesign -s "$ID_APP" --entitlements "$CHILD_PLIST" "$APP_PATH/contents/path/to/file" -f -v
```

```bash
#!/bin/bash
# run this by typing "sh thenameofthisfile" in Mac terminal
# APP is yourapp without the .app extension
# HELPERNAME is the name that replaces "nwjs" in "nwjs Helper.app"
# MACOSUSERACCOUNT is your macOS user account for the paths.
# "3rd Party Mac Developer Installer" => for signing the pkg
# "3rd Party Mac Developer Application" => for signing everything in the app + the .app
# replace app name / helper name / macOS user name
# V1 is the current Chromium version taken from the pathname, for example: 71.0.3578.98
APP=nwjs
HELPERNAME=nwjs
MACOSUSERACCOUNT=yourmacuser
ID_APP="3rd Party Mac Developer Application"
ID_PKG="3rd Party Mac Developer Installer"
DIRECTORY="/users/$MACOSUSERACCOUNT/path/to/folder"
APP_PATH="$DIRECTORY/$APP.app"
PARENT_PLIST="$DIRECTORY/parent.plist"
CHILD_PLIST="$DIRECTORY/child.plist"

# The glob expands to the single versioned directory; take its name
CHROMIUMVERSION=("$APP_PATH"/contents/versions/*/)
V1="$(basename "${CHROMIUMVERSION[0]}")"

# Clear extended attributes before signing
xattr -cr "$APP_PATH"

codesign --deep -s "$ID_APP" --entitlements "$CHILD_PLIST" "$APP_PATH/contents/versions/$V1/$HELPERNAME helper.app" -f -v
codesign --deep -s "$ID_APP" --entitlements "$CHILD_PLIST" "$APP_PATH/contents/versions/$V1/$HELPERNAME helper.app/contents/macos/$HELPERNAME helper" -f -v
codesign --deep -s "$ID_APP" --entitlements "$CHILD_PLIST" "$APP_PATH/contents/versions/$V1/nwjs framework.framework/versions/a/helpers/crashpad_handler" -f -v
codesign --deep -s "$ID_APP" --entitlements "$CHILD_PLIST" "$APP_PATH/contents/versions/$V1/nwjs framework.framework/Versions/A/Resources/app_mode_loader.app/Contents/MacOS/app_mode_loader" -f -v
codesign --deep -s "$ID_APP" --entitlements "$CHILD_PLIST" "$APP_PATH/contents/versions/$V1/nwjs framework.framework/Versions/A/XPCServices/AlertNotificationService.xpc/Contents/MacOS/AlertNotificationService" -f -v
#codesign --force --verify -s "$ID_APP" --entitlements "$CHILD_PLIST" "$APP_PATH/Contents/Versions/$V1/nwjs Framework.framework/nwjs Framework"
codesign --deep --force --verify -s "$ID_APP" --entitlements "$CHILD_PLIST" "$APP_PATH/Contents/Versions/$V1/nwjs Framework.framework"
codesign --deep -s "$ID_APP" --entitlements "$CHILD_PLIST" "$APP_PATH/contents/versions/$V1/nwjs framework.framework/libnode.dylib" -f -v
codesign -s "$ID_APP" --entitlements "$CHILD_PLIST" "$APP_PATH/Contents/MacOS/$APP" -f -v
codesign --deep -s "$ID_APP" --entitlements "$PARENT_PLIST" "$APP_PATH" -f -v
```

This successfully signed:
nwjs.app
nwjs helper.app
crashpad_handler
app_mode_loader
AlertNotificationService
I get those errors in the error console when I type "nwjs"
Sandbox: nwjs(12396) deny(1) file-read-data /Users/nicolasguerinet/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist
Sandbox: nwjs(12396) deny(1) network-bind /private/var/folders/kt/c216x7lx2qg87zhlwx46l6zr0000gn/T/io.nwjs.nwjs/.io.nwjs.nwjs.rCrpmi/SingletonSocket
Sandbox: nwjs(4739) deny(1) mach-register io.nwjs.nwjs.rohitfork.4739
Sandbox: nwjs(4739) deny(1) mach-register io.nwjs.nwjs.FieldTrialMemoryServer.4739
Sandbox: nwjs(4739) deny(1) process-info-listpids
[0212/152228.165052:FATAL:child_port_handshake.cc(111)] Check failed: server_port.is_valid().
0 crashpad_handler 0x00000001049c4f2f crashpad_handler + 241455
1 crashpad_handler 0x000000010499ebdf crashpad_handler + 84959
2 crashpad_handler 0x00000001049d0ba4 crashpad_handler + 289700
3 crashpad_handler 0x000000010498e369 crashpad_handler + 17257
4 libdyld.dylib 0x00007fff68bc4ed9 start + 1
For your information in the parent.plist file I have added:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>com.apple.security.application-groups</key>
  <string>HB3S6UXXXX.io.nwjs.nwjs</string>
  <key>com.apple.security.network.client</key>
  <true/>
  <key>com.apple.security.app-sandbox</key>
  <true/>
  <key>com.apple.security.temporary-exception.files.relative-path.read-only</key>
  <array>
    <string>/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist</string>
  </array>
  <key>com.apple.security.temporary-exception.files.absolute-path.read-write</key>
  <array>
    <string>/private/var/folders/kt/</string>
  </array>
  <key>com.apple.security.temporary-exception.files.absolute-path.read-only</key>
  <array>
    <string>/dev/fd</string>
    <string>/private/etc</string>
    <string>/Library/Managed Preferences</string>
  </array>
</dict>
</plist>
```

I guess there are issues with permissions inside sandbox https://developer.apple.com/app-sandboxing/
If someone could add new sandbox permissions to the parent.plist file it may work.
here are some links that can be useful:
https://developer.apple.com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AppSandboxInDepth/AppSandboxInDepth.html
and this one to know what to add to parent.plist
https://developer.apple.com/library/archive/documentation/Miscellaneous/Reference/EntitlementKeyReference/Chapters/EnablingAppSandbox.html#//apple_ref/doc/uid/TP40011195-CH4-SW1
Other sandbox directives that I have tried to add to parent.plist unsuccessfully. However it should be perhaps useful to you.
> <key>com.apple.security.temporary-exception.shared-preference.read-only</key>
> <array>
> <string>com.apple.symbolichotkeys</string>
> </array>
> <key>com.apple.security.temporary-exception.sbpl</key>
> <array>
> <string>(allow mach-lookup (global-name-regex #"^io.nwjs.nwjs.FieldTrialMemoryServer.rohitfork.[0-9]+$"))</string>
> <string>(allow mach-register (global-name-regex #"^io.nwjs.nwjs.rohitfork.[0-9]+$"))</string>
> <string>(allow mach-lookup (global-name-regex #"^io.nwjs.nwjs.rohitfork.[0-9]+$"))</string>
> </array>
new version of parents.plist with less errors.
error left:
Unable to load Info.plist exceptions (eGPUOverrides)
Sandbox: nwjs(23455) deny(1) process-info-listpids
[0215/223008.162542:ERROR:mach_port_broker.mm(46)] bootstrap_look_up: Unknown service name (1102)

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>com.apple.security.application-groups</key>
  <string>HB3XX.io.nwjs.nwjs</string>
  <key>com.apple.security.network.client</key>
  <true/>
  <key>com.apple.security.app-sandbox</key>
  <true/>
  <key>com.apple.security.temporary-exception.files.relative-path.read-only</key>
  <array>
    <string>/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist</string>
  </array>
  <key>com.apple.security.temporary-exception.files.absolute-path.read-write</key>
  <array>
    <string>/private/var/folders/kt/</string>
  </array>
  <key>com.apple.security.temporary-exception.files.absolute-path.read-only</key>
  <array>
    <string>/dev/fd</string>
    <string>/private/etc</string>
    <string>/Library/Managed Preferences</string>
  </array>
  <key>com.apple.security.temporary-exception.shared-preference.read-only</key>
  <array>
    <string></string>
  </array>
  <key>com.apple.security.temporary-exception.mach-register.global-name</key>
  <array>
  </array>
  <key>com.apple.security.temporary-exception.mach-lookup.global-name</key>
  <array>
    <string>io.nwjs.nwjs.FieldTrialMemoryServer.1</string>
    <string>io.nwjs.nwjs.rohitfork.1</string>
    <string>com.apple.GameController.gamecontrollerd</string>
  </array>
  <key>com.apple.security.temporary-exception.sbpl</key>
  <array>
    <string>(allow mach-register (global-name-regex #"^io.nwjs.nwjs.rohitfork.[0-9]+$"))</string>
    <string>(allow mach-register (global-name-regex #"^io.nwjs.nwjs.FieldTrialMemoryServer.[0-9]+$"))</string>
  </array>
</dict>
</plist>
```

This documentation can be really useful to everyone. This is the Apple sandbox guide with the sandbox directives to add to parent.plist:
https://reverse.put.as/wp-content/uploads/2011/09/Apple-Sandbox-Guide-v1.0.pdf
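
An added example, not part of the comments above: a small triage helper for the `Sandbox: ... deny(1) ...` console lines quoted in this thread. It collapses them into unique (process, operation, target) rows with counts, so each distinct denial can be matched against one narrow entitlement. The Mach names in those logs end in the PID of the denied process, so the helper replaces that suffix with `<pid>` to merge repeats across runs. The function names are this example's own; the first three sample lines are copied from the log above, the rest are constructed.

```shell
#!/bin/sh
# Added example: summarize macOS sandbox denials per process/operation/target.
# Output columns (tab separated): count, process, operation, target.

summarize_denials() {
    awk '
    $1 == "Sandbox:" && $3 ~ /^deny\([0-9]+\)$/ {
        proc = $2; pid = ""
        # Split "nwjs(4739)" into process name and PID.
        if (match(proc, /\([0-9]+\)$/)) {
            pid  = substr(proc, RSTART + 1, RLENGTH - 2)
            proc = substr(proc, 1, RSTART - 1)
        }
        op = $4
        # Everything after the operation is the target (paths may contain spaces).
        target = ""
        for (i = 5; i <= NF; i++) target = target (i > 5 ? " " : "") $i
        # Mach names such as io.nwjs.nwjs.rohitfork.4739 carry the PID as suffix.
        if (pid != "" && op ~ /^mach-/) {
            n = length(target) - length(pid)
            if (n > 1 && substr(target, n) == "." pid)
                target = substr(target, 1, n) "<pid>"
        }
        count[proc "\t" op "\t" target]++
    }
    END { for (k in count) printf "%d\t%s\n", count[k], k }
    ' "$@" | LC_ALL=C sort -t "$(printf '\t')" -k2
}

# Sample input: lines 1-3 from the thread, line 4 is an unrelated crashpad
# line that must be ignored, lines 5-6 are constructed (second run, new PID).
sample_log() {
    cat <<'EOF'
Sandbox: nwjs(4739) deny(1) mach-register io.nwjs.nwjs.rohitfork.4739
Sandbox: nwjs(4739) deny(1) mach-register io.nwjs.nwjs.FieldTrialMemoryServer.4739
Sandbox: nwjs(4739) deny(1) process-info-listpids
[0212/152228.165052:FATAL:child_port_handshake.cc(111)] Check failed: server_port.is_valid().
Sandbox: nwjs(5120) deny(1) mach-register io.nwjs.nwjs.rohitfork.5120
Sandbox: nwjs(5120) deny(1) process-info-listpids
EOF
}

# Usage: sh denials.sh console-export.log   (no argument: nothing is run)
if [ "$#" -gt 0 ]; then
    summarize_denials "$@"
fi
```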
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.