
Vendored version of electron-osx-builder is old and causes notarization to fail #5190

Closed
manderson-te opened this issue Jul 31, 2020 · 9 comments · Fixed by #6021

Comments

@manderson-te

  • Version: 22.8.0
  • Electron Version: 6.1.5
  • Electron Type (current, beta, nightly): current
  • electron-updater: 4.1.2
  • Target: MacOS

This issue has been mentioned in #4934 and #4656, but the gist is that electron-builder isn't signing certain binary files, which causes notarization to fail with errors like those below. This issue was fixed in electron/osx-sign#169, but electron-builder vendors a copy of electron-osx-sign here. Updating the vendored version of electron-osx-sign promises to resolve this issue.

"issues": [
    {
      "severity": "error",
      "code": null,
      "path": "MyApp.zip/MyApp.app/Contents/chrome-chromedriver/mac/node_modules/puppeteer/.local-chromium/chrome/Chromium.app/Contents/MacOS/Chromium",
      "message": "The binary is not signed.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "MyApp.zip/MyApp.app/Contents/chrome-chromedriver/mac/node_modules/puppeteer/.local-chromium/chrome/Chromium.app/Contents/MacOS/Chromium",
      "message": "The signature does not include a secure timestamp.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "MyApp.zip/MyApp.app/Contents/chrome-chromedriver/mac/node_modules/puppeteer/.local-chromium/chrome/Chromium.app/Contents/MacOS/Chromium",
      "message": "The executable does not have the hardened runtime enabled.",
      "docUrl": null,
      "architecture": "x86_64"
    },
...
@manderson-te
Author

Thankfully, I was able to develop a workaround for the issue:

  1. Add electron-osx-sign as a dev dependency: yarn add --dev electron-osx-sign
  2. Write an afterSign script that imports electron-osx-sign and invokes signAsync: https://github.com/electron/electron-osx-sign#from-the-api. This technically means that you'll be signing everything twice (once with the broken version of electron-osx-sign that is bundled with electron-builder and once with the newer version you installed previously), but it did work for my case.

Here's what my afterSign.js script looks like:

const electronBuilderConfig = require('../electron-builder.json');
const signAsync = require('electron-osx-sign').signAsync;

// electron-builder require()s this module and calls its default export as the afterSign hook,
// passing the build context (platform name, output directory, packager).
exports.default = async function (context) {
    const { electronPlatformName, appOutDir } = context;
    if (electronPlatformName !== 'darwin') {
        console.log('Skipping afterSign script for non-darwin target: ' + electronPlatformName);
        return;
    }
    // identity: null in electron-builder.json means "do not sign at all", so there is nothing to re-sign.
    if (electronBuilderConfig.mac.identity === null) {
        console.log('Skipping afterSign script because identity explicitly set to null');
        return;
    }
    const appName = context.packager.appInfo.productFilename;
    await signAgainFunction(appOutDir, appName);
};

// electron-builder vendors its own private version of electron-osx-sign, but unfortunately it is
// broken (https://github.com/electron-userland/electron-builder/issues/5190).  To get around this,
// we install electron-osx-sign ourselves and invoke it in electron-builder's afterSign callback:
// https://www.electron.build/configuration/configuration#aftersign.
// The signing options are taken from the same electron-builder.json "mac" section that the
// vendored signer uses, so both passes sign with the same identity, entitlements and hardened runtime.
async function signAgainFunction(appOutDir, appName) {
    const identity = 'Developer ID Application: ' + electronBuilderConfig.mac.identity;
    const entitlements = electronBuilderConfig.mac.entitlements;
    const entitlementsInherit = electronBuilderConfig.mac.entitlementsInherit;
    const hardenedRuntime = electronBuilderConfig.mac.hardenedRuntime;
    const gatekeeperAssess = electronBuilderConfig.mac.gatekeeperAssess;
    await signAsync({
        app: `${appOutDir}/${appName}.app`,
        entitlements,
        hardenedRuntime,
        identity,
        "entitlements-inherit": entitlementsInherit,
        "gatekeeper-assess": gatekeeperAssess
    }).then(() => {
        console.log("Second application of electron-osx-sign succeeded!");
    }).catch((err) => {
        console.error("Second application of electron-osx-sign failed");
        console.error(err);
    });
}

Popular guides for notarizing electron applications instruct you to create an afterSign.js file anyways, so this workaround isn't a terrible inconvenience.

@delewis13

Same issue, for signing .so files: electron/osx-sign#226

@KishanBagaria
Contributor

What are the changes preventing us from replacing the vendored version of electron-osx-sign with the latest official version?

Alternatively can we upstream electron/osx-sign#226 into the vendored version?

@manderson-te
Author

Dare I ask, why vendor electron-osx-sign at all?

@stale

stale bot commented Nov 1, 2020

Is this still relevant? If so, what is blocking it? Is there anything you can do to help move it forward?

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

@stale stale bot added the backlog label Nov 1, 2020
@stale stale bot closed this as completed Nov 8, 2020
@dmnsgn

dmnsgn commented Feb 8, 2021

Bumping into this issue as well on 22.9.1.

Has electron-osx-sign been upgraded since then? At the moment, we are still forced to manually sign the app a second time as suggested by @manderson-te here #5190 (comment).

@mmaietta mmaietta reopened this Jul 3, 2021
@stale stale bot removed the backlog label Jul 3, 2021
@mmaietta mmaietta linked a pull request Jul 3, 2021 that will close this issue
develar pushed a commit that referenced this issue Jul 4, 2021
* fix: migrating to electron-osx-sign package to sync with upstream. Fixes: #6010 & #5190

* cast to any
@gregoirepuget

Use this to resolve:
https://www.npmjs.com/package/puppeteer-chromium-resolver

@kbourro

kbourro commented Jan 27, 2023

Bumping into this issue as well on 23.3.3. Is there any solution?

{
  "severity": "error",
  "code": null,
  "path": "SEO+Autopilot.zip/SEO Autopilot.app/Contents/Resources/app/dist/node_modules/puppeteer/.local-chromium/mac-1036745/chrome-mac/Chromium.app/Contents/MacOS/Chromium",
  "message": "The binary is not signed.",
  "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721",
  "architecture": "x86_64"
}

@mmaietta
Collaborator

You're bumping the wrong issue. Create a new one please.

This ticket is related to a "vendored" (statically-copied) version of a deprecated electron-osx-sign package. It has since been migrated to @electron/osx-sign in v24-alpha
