electron mac build crashing on startup (signed and notarized)

I'm using electron@5.0.0 and electron-builder@21.1.1

I'm having issues trying to get an electron app to start. I have no problems signing (even after I had to do a workaround) and notarizing has no issues either, as checking the logUrl, there are no issues listed

a typical error log shows up as:

Process: Appname [874]
Path: /Volumes/VOLUME/*/Appname.app/Contents/MacOS/Appname
Identifier: com.appname.desktopapp
Version: 1.0.0 (1.0.0)
Code Type: X86-64 (Native)
Parent Process: ??? [1]
Responsible: Appname [874]
User ID: 501
Date/Time: 2019-07-19 15:27:26.821 -0700
OS Version: Mac OS X 10.14.5 (18F2058)
Report Version: 12
Anonymous UUID: A4DA30A6-09EA-9677-95CD-EA316769DD4D
Sleep/Wake UUID: CC4B1217-0165-46A8-846E-BFA4D38C58E6
Time Awake Since Boot: 16000 seconds
System Integrity Protection: enabled
Crashed Thread: 0 Dispatch queue: com.apple.main-thread
Exception Type: EXC_BAD_ACCESS (Code Signature Invalid)
Exception Codes: 0x0000000000000032, 0x0000108a00082040
Exception Note: EXC_CORPSE_NOTIFY
Termination Reason: Namespace CODESIGNING, Code 0x2
kernel messages:
VM Regions Near 0x108a00082040:
Memory Tag 255 0000108a00081000-0000108a00082000 [ 4K] ---/rwx SM=NUL
--> Memory Tag 255 0000108a00082000-0000108a000ff000 [ 500K] r-x/rwx SM=COW
Memory Tag 255 0000108a000ff000-0000108a07fbe000 [126.7M] ---/rwx SM=NUL
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 ??? 0x0000108a00082040 0 + 18184892063808
1 com.github.Electron.framework 0x0000000103ffdad8 0x10273b000 + 25963224
2 com.github.Electron.framework 0x0000000103ffc6ce 0x10273b000 + 25958094



my entitlements file looks like this:
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.files.user-selected.read-write</key>
<true/>
<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
<true/>
<key>com.apple.security.device.audio-input</key>
<true/>
<key>com.apple.security.files.user-selected.read-only</key>
<true/>
</dict>
</plist>


if i run codesign -d --ent :- "path/to/file/shown/in/errorpath", i get the entitlements file on the console exactly as it is


and have tried many other combinations with other keys, and this error very closely resembles the issue many others have regarding recent security changes Apple has made regarding notarization and hardened runtime: https://github.com/electron-userland/electron-builder/issues/4040

the path of the file also curiously being the same one as the ones listed in that git issue
the main purpose of this app right now is just to load a video api that connects to session rooms for people to talk and see each other. this will later be expanded on but for now it's a simple idea.


my questions boil down to:

is my entitlements file incorrect?

am i missing a requirement like a provisioning profile?

is there something that i have completely overlooked?


I've been at this for several weeks now and badly want to wrap this up as it is so close to completion and cannot believe trying to get an electron app to run to be this difficult when apps like Slack and Discord don't have problems.


thank you for any help you can provide

I strongly suspect that your third-party tools are using a JIT, which is why you’re seeing the code signature failure at runtime. The best way to enable JITed code in a hardened runtime app depends on how that JIT is implemented, and the only folks who can give you definitive answers on that front is your third-party tools vendor.

If your tool vendor needs help with this, I recommend that they open a DTS tech support incident and I can assist them from there. Keep in mind that DTS provides code-level support, which means we want to talk to the folks who wrote the code, and thus can make changes to that code. In a case like this, where you didn’t write the code involved, you’re just using it, there’s limits to how much we can help.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

This has become a very common problem for all developers trying to notarize macOS apps created using Electron, Unity or Adobe AIR frameworks. It is reproducible by creating a simple Hello World app in said frameworks, doing the signing and notarization procedure and running the app on Mojave. The apps will only crash on Mojave, not on earlier versions, so the problem seems to be caused by the new way Notarization checks are done in Mojave. @eskimo, please see this forum post that outlines the problems: https://forums.adobe.com/message/11177722#11177722


We are a bunch of developers struggling with the exact same issue and we are really worried that our apps will stop functioning when Catalina is released. Please help!

@eskimo Thank you for the detailed analysis of the problem which is spot-on.


We're getting exactly the same issue with apps compiled using Adobe AIR with captive runtime (not surprising since Actionscript has always been JIT compiled). The apps work perfectly and can be signed and notarized without any issues but when run on MacOS 10.14+ they crash with the same EXC_BAD_ACCESS (Code Signature Invalid) even though they have passed notarization. They run fine on MacOS prior to 10.14 and will work if the app is signed without the hardened runtime option and not notarized.

There are others reporting the same issue over on the Adobe forums: https://forums.adobe.com/thread/1470113 (comments in the thread from July 2019 onwards)


We really appreciate that you've given a direct contact and have invited the developers of the compiler to talk to you - great support. However, the odds of a small independent software developer like us being able to get the code-level developer of Adobe's compiler to talk directly to you (or even to discover who they were and whether they're even still working on that project) are pretty low. What would you suggest we do? Our apps are mission critical to our business and notarization appears to remove the possibility of any Mac user running them successfully once it becomes mandatory in MacOS 10.15.


Will Apple be providing a way for users to work-around this and install a non-Notarized app in MacOS 10.15 or will you be reaching out to Adobe directly? Without that, introducing notarization is going to break every AIR app available for Macs, and kill off the Mac side of businesses that rely on them, which would seem quite drastic given that AIR is officially still supported on the MacOS platform. We love Apple and use Macs throughout our company and would be really sad to only be able to support Windows users!

notarization appears to remove the possibility of any Mac user running them successfully once it becomes mandatory in MacOS 10.15.

That’s not the case. All of the security measures imposed by the hardened runtime can be disabled with entitlements. You can find a full list of those entitlements in Hardened Runtime Entitlements. That leaves two questions:

  • What’s the minimum set of entitlements needed?

  • How do you apply those entitlements in your development environment?

These aren’t questions I can answer. DTS’s remit is to support Apple APIs and processes. Moreover, I have no direct experience with these tools, so any answers from me would be speculative, and my management gets grumpy when I speculate.

As to Apple’s relationship with various third-party tool vendors, I can’t comment on that either. Even if I were in that particular loop, such matters are deeply confidential.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

@eskimo - thank you so much for taking the time to give these details. We completely understand about the limits of what you can comment on and we appreciate that you have at least offered a glimmer of hope that there may be a way forward.


So, based on your reply, here's what I've tried:

1. I created an entitlements file using XCode:

  com.apple.security.cs.allow-jit
 

2. I referenced this entitlements file when signing the .app using codesign:

codesign  --force --options runtime --deep --sign  "Developer ID Application: My Company, Inc (AB1CD2E3FG)" --entitlements "/Users/username/Documents/entitlements.plist"  "/Users/username/Documents/out/MyApp.app"

3. I then used productbuild to create the .pkg:

productbuild --component /Users/username/Documents/out/MyApp.app /Applications "/Users/username/Documents/out/MyApp.pkg"  --sign "Developer ID Installer: My Company, Inc (AB1CD2E3FG)" --identifier "MyApp" --version "${VERSION}"


4. I notarized the .pkg and then stapled it as detailed in the documentation.


5. Finally did a fresh install on MacOS 10.14.5 Mojave and ran the app. I still get the crash with the same error.


Update: For AIR apps, it runs without error if I assign both

com.apple.security.cs.allow-jit

and

com.apple.security.cs.allow-unsigned-executable-memory

So, now have a working notarized app. Hooray!


@eskimo: Really appreciate your willingness to help us struggling developers to work out what the new notarization requirements look like in practice. Thanks!
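An added example, not part of any post in this thread: a small Python audit of an entitlements plist (the text that `codesign -d --ent :-` prints) that lists which hardened runtime exceptions are switched on and which keys from a required set are absent. The `audit` function and the `required` parameter are hypothetical names; the sample plist repeats the keys from the first post, and the required pair is the one the AIR post above reports as working, which the thread does not confirm for Electron.

```python
import plistlib

# Hardened runtime exception entitlements (Apple "Hardened Runtime" docs).
RUNTIME_EXCEPTIONS = {
    "com.apple.security.cs.allow-jit":
        "writable+executable memory, only via MAP_JIT",
    "com.apple.security.cs.allow-unsigned-executable-memory":
        "writable+executable memory without MAP_JIT",
    "com.apple.security.cs.disable-executable-page-protection":
        "all executable-memory protections off",
    "com.apple.security.cs.disable-library-validation":
        "may load code signed by other teams",
    "com.apple.security.cs.allow-dyld-environment-variables":
        "DYLD_* environment variables honoured",
}
SANDBOX = "com.apple.security.app-sandbox"

def audit(plist_bytes, required=()):
    """Summarise an entitlements plist; `required` is the caller's baseline."""
    ent = plistlib.loads(plist_bytes)
    on = sorted(k for k, v in ent.items() if v is True)
    sandboxed = ent.get(SANDBOX) is True
    return {
        "exceptions": [k for k in on if k in RUNTIME_EXCEPTIONS],
        # App Sandbox file keys present while the sandbox key itself is not set
        "sandbox_keys_unused": [] if sandboxed else
            [k for k in on if k.startswith("com.apple.security.files.")],
        "missing": [k for k in required if k not in on],
    }

# Keys copied from the entitlements file in the first post.
FIRST_POST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>com.apple.security.files.user-selected.read-write</key><true/>
<key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/>
<key>com.apple.security.device.audio-input</key><true/>
<key>com.apple.security.files.user-selected.read-only</key><true/>
</dict></plist>"""

# The pair the AIR post reports as working (an assumption for any other tool).
AIR_PAIR = ("com.apple.security.cs.allow-jit",
            "com.apple.security.cs.allow-unsigned-executable-memory")

if __name__ == "__main__":
    report = audit(FIRST_POST, required=AIR_PAIR)
    for key in report["exceptions"]:
        print("exception enabled:", key, "->", RUNTIME_EXCEPTIONS[key])
    print("missing from baseline:", report["missing"])
    print("sandbox keys without sandbox:", report["sandbox_keys_unused"])
```

Each exception that is enabled widens what the hardened runtime allows, so the same report is useful after the crash is fixed for trimming the file back to the smallest set that still launches.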

Wow. @cycle, you are a true hero. The AIR community owes you big time for all the time spent researching, trying and failing until success. This info will save people a tonne of time as there's no complete documentation available anywhere on successfully signing and getting AIR macOS apps notarized for Mojave and onwards. 😍

For AIR apps, it runs without error if I assign both

com.apple.security.cs.allow-jit
and
com.apple.security.cs.allow-unsigned-executable-memory
So, now have a working notarized app. Hooray!

Hooray indeed. If you remove

com.apple.security.cs.allow-jit
, does it still work?

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

FYI, we just pushed out a bunch of improvements to the hardened runtime documentation. I don’t have time today to write my own summary, but fortunately I don’t have to (-:

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hi,
Can you please share how did you get the code-sign and notarization done for your application?
I've also created an application using electron.js in visual studio code, electron-packager and facing issues while code-signing. I'm getting error as "Unnotarized developer ID"
Please share your inputs to it.
Thanks in advance.

I don’t build Electron apps, so I can’t help you with that side of things.

In terms of how to notarise a program in general, I use either the Xcode workflow (Notarizing Your App Before Distribution) or the command-line workflow (Customizing the Notarization Workflow) depending on whether I’m using Xcode to build my product or not.

I recommend that you work through this process and then post back here if you still have problems.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hi @eskimo
Thanks for the reply.
Actually, my application is built using Visual studio code and not Xcode. I've code-signed my application using electron-osx-sign (electron package).
Though, currently my application is running fine on macOS 10.14.5 and above (10.15 as well). Now I want to get it notarised to avoid any issues in future, I've been looking for solutions given on internet and I found all the solutions are using Xcode.
I've researched so far that you cannot open or export an application built in visual studio code to Xcode. Can you share some solution to get my electron application notarised without using Xcode (by some commands or electron packages).


Thanks in advance.

From the Apple perspective, an Electron app is just an app, and it has to follow the same rules as any other app. If you need help getting your third-party tool to produce an app that will pass notarisation and Gatekeeper, you should raise that via the support channel for that tool. Indeed, a quick search of the ’net for “electron notarize” reveals a bunch of resources that might help.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hi @eskimo,
Thanks for the help. I checked with electron-notarize and trying to notarize. I'm facing error as "*** Error: You must first sign the relevant contracts online. (1048)", can you please help me with the possible step that needs to be done from my account. Is there any contract to be signed from my Apple ID?
Thanks

You must first sign the relevant contracts online. (1048)

Everything I have to say about this is in my 26 Jul post on this thread.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"