14 Replies
      Latest reply on Oct 16, 2019 3:00 AM by eskimo
      PacothePig Level 1 (0 points)

        I'm using electron@5.0.0 and electron-builder@21.1.1.

        I'm having issues trying to get an Electron app to start. I have no problems signing (even after I had to do a workaround), and notarizing has no issues either: checking the logUrl, there are no issues listed.


        A typical error log shows up as:

        Process:               Appname [874]
        Path:                  /Volumes/VOLUME/*/Appname.app/Contents/MacOS/Appname
        Identifier:            com.appname.desktopapp
        Version:               1.0.0 (1.0.0)
        Code Type:             X86-64 (Native)
        Parent Process:        ??? [1]
        Responsible:           Appname [874]
        User ID:               501

        Date/Time:             2019-07-19 15:27:26.821 -0700
        OS Version:            Mac OS X 10.14.5 (18F2058)
        Report Version:        12
        Anonymous UUID:        A4DA30A6-09EA-9677-95CD-EA316769DD4D

        Sleep/Wake UUID:       CC4B1217-0165-46A8-846E-BFA4D38C58E6

        Time Awake Since Boot: 16000 seconds

        System Integrity Protection: enabled

        Crashed Thread:        0  Dispatch queue: com.apple.main-thread

        Exception Type:        EXC_BAD_ACCESS (Code Signature Invalid)
        Exception Codes:       0x0000000000000032, 0x0000108a00082040
        Exception Note:        EXC_CORPSE_NOTIFY

        Termination Reason:    Namespace CODESIGNING, Code 0x2

        kernel messages:

        VM Regions Near 0x108a00082040:
            Memory Tag 255         0000108a00081000-0000108a00082000 [    4K] ---/rwx SM=NUL 
        --> Memory Tag 255         0000108a00082000-0000108a000ff000 [  500K] r-x/rwx SM=COW 
            Memory Tag 255         0000108a000ff000-0000108a07fbe000 [126.7M] ---/rwx SM=NUL 

        Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
        0   ???                           0x0000108a00082040 0 + 18184892063808
        1   com.github.Electron.framework 0x0000000103ffdad8 0x10273b000 + 25963224
        2   com.github.Electron.framework 0x0000000103ffc6ce 0x10273b000 + 25958094

         

         

        My entitlements file looks like this:
        <?xml version="1.0" encoding="UTF-8" ?>
        <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
        <plist version="1.0">
            <dict>
                <key>com.apple.security.files.user-selected.read-write</key>
                <true/>
                <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
                <true/>
                <key>com.apple.security.device.audio-input</key>
                <true/>
                <key>com.apple.security.files.user-selected.read-only</key>
                <true/>
            </dict>
        </plist>

         

        If I run codesign -d --ent :- "path/to/file/shown/in/errorpath", I get the entitlements file on the console exactly as it is.

        I have tried many other combinations with other keys, and this error very closely resembles the issue many others have regarding recent security changes Apple has made regarding notarization and hardened runtime: https://github.com/electron-userland/electron-builder/issues/4040

        The path of the file is also, curiously, the same as the ones listed in that git issue.

        The main purpose of this app right now is just to load a video API that connects to session rooms for people to talk and see each other. This will later be expanded on, but for now it's a simple idea.

        My questions boil down to:

        Is my entitlements file incorrect?

        Am I missing a requirement like a provisioning profile?

        Is there something that I have completely overlooked?

        I've been at this for several weeks now and badly want to wrap this up, as it is so close to completion, and I cannot believe that getting an Electron app to run is this difficult when apps like Slack and Discord don't have problems.

        Thank you for any help you can provide.

        • Re: electron mac build crashing on startup (signed and notarized)
          eskimo Apple Staff (12,285 points)

          I strongly suspect that your third-party tools are using a JIT, which is why you’re seeing the code signature failure at runtime.  The best way to enable JITed code in a hardened runtime app depends on how that JIT is implemented, and the only folks who can give you definitive answers on that front is your third-party tools vendor.

          If your tool vendor needs help with this, I recommend that they open a DTS tech support incident and I can assist them from there.  Keep in mind that DTS provides code-level support, which means we want to talk to the folks who wrote the code, and thus can make changes to that code.  In a case like this, where you didn’t write the code involved, you’re just using it, there’s limits to how much we can help.

          Share and Enjoy

          Quinn “The Eskimo!”
          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
          let myEmail = "eskimo" + "1" + "@apple.com"

            • Re: electron mac build crashing on startup (signed and notarized)
              daghl Level 1 (0 points)

              This has become a very common problem for all developers trying to notarize macOS apps created using Electron, Unity or Adobe AIR frameworks. It is reproducible by creating a simple Hello World app in said frameworks, doing the signing and notarization procedure and running the app on Mojave. The apps will only crash on Mojave, not on earlier versions, so the problem seems to be caused by the new way Notarization checks are done in Mojave. @eskimo, please see this forum post that outlines the problems: https://forums.adobe.com/message/11177722#11177722

               

              We are a bunch of developers struggling with the exact same issue and we are really worried that our apps will stop functioning when Catalina is released. Please help!

              • Re: electron mac build crashing on startup (signed and notarized)
                cycle Level 1 (0 points)

                @eskimo Thank you for the detailed analysis of the problem which is spot-on.

                 

                We're getting exactly the same issue with apps compiled using Adobe AIR with captive runtime (not surprising since Actionscript has always been JIT compiled).  The apps work perfectly and can be signed and notarized without any issues but when run on MacOS 10.14+ they crash with the same EXC_BAD_ACCESS (Code Signature Invalid) even though they have passed notarization.  They run fine on MacOS prior to 10.14 and will work if the app is signed without the hardened runtime option and not notarized.

                There are others reporting the same issue over on the Adobe forums: https://forums.adobe.com/thread/1470113 (comments in the thread from July 2019 onwards)

                 

                We really appreciate that you've given a direct contact and have invited the developers of the compiler to talk to you - great support.  However, the odds of a small independent software developer like us being able to get the code-level developer of Adobe's compiler to talk directly to you (or even to discover who they were and whether they're even still working on that project) are pretty low.  What would you suggest we do?  Our apps are mission critical to our business and notarization appears to remove the possibility of any Mac user running them successfully once it becomes mandatory in MacOS 10.15.

                Will Apple be providing a way for users to work-around this and install a non-Notarized app in MacOS 10.15 or will you be reaching out to Adobe directly?  Without that, introducing notarization is going to break every AIR app available for Macs, and kill off the Mac side of businesses that rely on them, which would seem quite drastic given that AIR is officially still supported on the MacOS platform.  We love Apple and use Macs throughout our company and would be really sad to only be able to support Windows users!

                  • Re: electron mac build crashing on startup (signed and notarized)
                    eskimo Apple Staff (12,285 points)

                    notarization appears to remove the possibility of any Mac user running them successfully once it becomes mandatory in MacOS 10.15.

                    That’s not the case.  All of the security measures imposed by the hardened runtime can be disabled with entitlements.  You can find a full list of those entitlements in Hardened Runtime Entitlements.  That leaves two questions:

                    • What’s the minimum set of entitlements needed?

                    • How do you apply those entitlements in your development environment?

                    These aren’t questions I can answer.  DTS’s remit is to support Apple APIs and processes.  Moreover, I have no direct experience with these tools, so any answers from me would be speculative, and my management gets grumpy when I speculate.

                    As to Apple’s relationship with various third-party tool vendors, I can’t comment on that either.  Even if I were in that particular loop, such matters are deeply confidential.

                    Share and Enjoy

                    Quinn “The Eskimo!”
                    Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                    let myEmail = "eskimo" + "1" + "@apple.com"

                      • Re: electron mac build crashing on startup (signed and notarized)
                        cycle Level 1 (0 points)

                        @eskimo - thank you so much for taking the time to give these details.  We completely understand about the limits of what you can comment on and we appreciate that you have at least offered a glimmer of hope that there may be a way forward.

                         

                        So, based on your reply, here's what I've tried:

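                        1. I created an entitlements file using Xcode:

                        <?xml version="1.0" encoding="UTF-8"?>
                        <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
                        <plist version="1.0">
                        <dict>
                          <key>com.apple.security.cs.allow-jit</key>
                          <true/>
                        </dict>
                        </plist>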

                        2. I referenced this entitlements file when signing the .app using codesign:

                        codesign  --force --options runtime --deep --sign  "Developer ID Application: My Company, Inc (AB1CD2E3FG)" --entitlements "/Users/username/Documents/entitlements.plist"  "/Users/username/Documents/out/MyApp.app"

                        3. I then used productbuild to create the .pkg:

                        productbuild --component /Users/username/Documents/out/MyApp.app /Applications "/Users/username/Documents/out/MyApp.pkg"  --sign "Developer ID Installer: My Company, Inc (AB1CD2E3FG)" --identifier "MyApp" --version "${VERSION}"

                         

                        4. I notarized the .pkg and then stapled it as detailed in the documentation.

                         

                        5. Finally did a fresh install on MacOS 10.14.5 Mojave and ran the app.  I still get the crash with the same error.

                         

                        Update: For AIR apps, it runs without error if I assign both

                        com.apple.security.cs.allow-jit

                          and

                        com.apple.security.cs.allow-unsigned-executable-memory

                        So, now have a working notarized app.  Hooray!

                         

                        @eskimo: Really appreciate your willingness to help us struggling developers to work out what the new notarization requirements look like in practice.  Thanks!

                          • Re: electron mac build crashing on startup (signed and notarized)
                            daghl Level 1 (0 points)

                            Wow. @cycle, you are a true hero. The AIR community owes you big time for all the time spent researching, trying and failing until success. This info will save people a tonne of time as there's no complete documentation available anywhere on successfully signing and getting AIR macOS apps notarized for Mojave and onwards.

                            • Re: electron mac build crashing on startup (signed and notarized)
                              eskimo Apple Staff (12,285 points)

                              For AIR apps, it runs without error if I assign both com.apple.security.cs.allow-jit and com.apple.security.cs.allow-unsigned-executable-memory So, now have a working notarized app.  Hooray!

                              Hooray indeed.  If you remove com.apple.security.cs.allow-jit, does it still work?

                              Share and Enjoy

                              Quinn “The Eskimo!”
                              Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                              let myEmail = "eskimo" + "1" + "@apple.com"
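
Added example (not code from any poster in this thread): it parses entitlements XML as printed by `codesign -d --entitlements :-`, lists which hardened-runtime exceptions are enabled, and builds the one-key-removed trial plists for the "does it still work without allow-jit?" test asked above. The function names and the two sample plists are constructed here from the entitlements quoted in the posts; whether the AIR set also fixes the Electron build is not established in the thread.

```python
import plistlib

# Hardened-runtime exception keys from Apple's "Hardened Runtime Entitlements"
# list; each one set to true switches a protection off.
RUNTIME_EXCEPTIONS = (
    "com.apple.security.cs.allow-jit",
    "com.apple.security.cs.allow-unsigned-executable-memory",
    "com.apple.security.cs.allow-dyld-environment-variables",
    "com.apple.security.cs.disable-library-validation",
    "com.apple.security.cs.disable-executable-page-protection",
)

def enabled_exceptions(plist_bytes):
    """Runtime exceptions set to true in an entitlements plist (XML bytes)."""
    ents = plistlib.loads(plist_bytes)
    return [k for k in RUNTIME_EXCEPTIONS if ents.get(k) is True]

def missing_from(current, reference):
    """Exceptions enabled in `reference` but not in `current`."""
    have = set(enabled_exceptions(current))
    return [k for k in enabled_exceptions(reference) if k not in have]

def minimization_trials(plist_bytes):
    """Per enabled exception: the plist with only that key removed."""
    # Re-sign with each trial file and launch the app; if it still runs,
    # the dropped exception was not needed.
    ents = plistlib.loads(plist_bytes)
    return {
        key: plistlib.dumps({k: v for k, v in ents.items() if k != key})
        for key in enabled_exceptions(plist_bytes)
    }

# Constructed inputs, rebuilt from the entitlements quoted in the thread.
FIRST_POST = plistlib.dumps({
    "com.apple.security.files.user-selected.read-write": True,
    "com.apple.security.cs.allow-unsigned-executable-memory": True,
    "com.apple.security.device.audio-input": True,
    "com.apple.security.files.user-selected.read-only": True,
})
AIR_WORKING = plistlib.dumps({
    "com.apple.security.cs.allow-jit": True,
    "com.apple.security.cs.allow-unsigned-executable-memory": True,
})

if __name__ == "__main__":
    print("first post enables:", enabled_exceptions(FIRST_POST))
    print("absent vs AIR set: ", missing_from(FIRST_POST, AIR_WORKING))
    for dropped, trial in minimization_trials(AIR_WORKING).items():
        print("trial without", dropped, "->", enabled_exceptions(trial))
```

Each trial plist can be written to a file and passed to the `codesign --entitlements` step shown in the post above.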

                      • Re: electron mac build crashing on startup (signed and notarized)
                        eskimo Apple Staff (12,285 points)

                        FYI, we just pushed out a bunch of improvements to the hardened runtime documentation.  I don’t have time today to write my own summary, but fortunately I don’t have to (-:

                        Share and Enjoy

                        Quinn “The Eskimo!”
                        Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                        let myEmail = "eskimo" + "1" + "@apple.com"

                        • Re: electron mac build crashing on startup (signed and notarized)
                          taiji.kamiya Level 1 (0 points)

                          Hi,

                          Can you please share how you got the code-sign and notarization done for your application?
                          I've also created an application using electron.js in Visual Studio Code and electron-packager, and I'm facing issues while code-signing. I'm getting the error "Unnotarized developer ID".
                          Please share your inputs on it.

                          Thanks in advance.

                            • Re: electron mac build crashing on startup (signed and notarized)
                              eskimo Apple Staff (12,285 points)

                              I don’t build Electron apps, so I can’t help you with that side of things.

                              In terms of how to notarise a program in general, I use either the Xcode workflow (Notarizing Your App Before Distribution) or the command-line workflow (Customizing the Notarization Workflow) depending on whether I’m using Xcode to build my product or not.

                              I recommend that you work through this process and then post back here if you still have problems.

                              Share and Enjoy

                              Quinn “The Eskimo!”
                              Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                              let myEmail = "eskimo" + "1" + "@apple.com"

                                • Re: electron mac build crashing on startup (signed and notarized)
                                  taiji.kamiya Level 1 (0 points)

                                  Hi @eskimo

                                  Thanks for the reply.

                                  Actually, my application is built using Visual Studio Code and not Xcode. I've code-signed my application using electron-osx-sign (electron package).
                                  Currently my application is running fine on macOS 10.14.5 and above (10.15 as well). Now I want to get it notarised to avoid any issues in future. I've been looking for solutions given on the internet and I found all the solutions are using Xcode.
                                  I've researched so far that you cannot open or export an application built in Visual Studio Code to Xcode. Can you share some solution to get my Electron application notarised without using Xcode (by some commands or electron packages)?

                                   

                                  Thanks in advance.