App rejected when Mac Developer certificate is in keychain #890

Closed
kobens opened this issue Nov 8, 2016 · 22 comments · May be fixed by qcif/data-curator#563

Comments

@kobens

kobens commented Nov 8, 2016

  • Version: 7.25.0
  • Target: macOS

I wanted to get auto updates working by signing the macOS app, so I installed Xcode and created a Mac Development certificate in the Preferences/Accounts panel with my Apple ID (I don't have a real Developer ID yet). Now electron-builder gives me an error in the build process. If I revoke the certificate the error goes away. It actually creates a working .app, but no .dmg or .zip as before.

⚠️  Application icon is not set, default Electron icon will be used
⚠️  Mac Developer is used to sign app — it is only for development and testing, not for production
Signing app (identity: Mac Developer: ****@**.** (LFH******))

Error: Exit code: 3. Command failed: spctl --assess --type execute --verbose --ignore-cache --no-cache /Users/el/code/electron/autotron/dist/mac/Autotron.app
/Users/el/code/electron/autotron/dist/mac/Autotron.app: rejected

/Users/el/code/electron/autotron/dist/mac/Autotron.app: rejected

    at /Users/el/code/electron/autotron/node_modules/electron-osx-sign-tf/util.js:69:16
    at ChildProcess.exithandler (child_process.js:213:5)
    at emitTwo (events.js:106:13)
    at ChildProcess.emit (events.js:191:7)
    at maybeClose (internal/child_process.js:877:16)
    at Process.ChildProcess._handle.onexit (internal/child_process.js:226:5)
From previous event:
    at module.exports.execFileAsync (/Users/el/code/electron/autotron/node_modules/electron-osx-sign-tf/util.js:48:10)
    at /Users/el/code/electron/autotron/node_modules/electron-osx-sign-tf/sign.js:99:16
From previous event:
    at verifySignApplicationAsync (/Users/el/code/electron/autotron/node_modules/electron-osx-sign-tf/sign.js:97:8)
    at /Users/el/code/electron/autotron/node_modules/electron-osx-sign-tf/sign.js:181:25
    at runCallback (timers.js:574:20)
    at tryOnImmediate (timers.js:554:5)
    at processImmediate [as _immediateCallback] (timers.js:533:5)
From previous event:
    at /Users/el/code/electron/autotron/node_modules/electron-osx-sign-tf/sign.js:178:10
From previous event:
    at signApplicationAsync (/Users/el/code/electron/autotron/node_modules/electron-osx-sign-tf/sign.js:121:6)
    at /Users/el/code/electron/autotron/node_modules/electron-osx-sign-tf/sign.js:330:14
From previous event:
    at module.exports.signAsync (/Users/el/code/electron/autotron/node_modules/electron-osx-sign-tf/sign.js:322:6)
    at /Users/el/code/electron/autotron/node_modules/electron-builder/src/macPackager.ts:196:12
    at next (native)
    at MacPackager.doSign (/Users/el/code/electron/autotron/node_modules/electron-builder/out/macPackager.js:262:11)
    at /Users/el/code/electron/autotron/node_modules/electron-builder/src/macPackager.ts:169:56
    at next (native)
    at runCallback (timers.js:574:20)
    at tryOnImmediate (timers.js:554:5)
    at processImmediate [as _immediateCallback] (timers.js:533:5)
@develar
Member

develar commented Nov 8, 2016

@sethlu First of all, thank you for adding such a check (using spctl). Users cannot build incorrect apps anymore. Great. Am I right that if spctl rejects Mac Developer then auto update will also not work?

@develar
Member

develar commented Nov 8, 2016

Related: electron/osx-sign#100

@kobens
Author

kobens commented Nov 8, 2016

Auto update actually works - and it also looks like the app is signed correctly if I run it through RB App Checker.

@develar
Member

develar commented Nov 8, 2016

Will be fixed tomorrow morning CET.

@workswithweb

⚠️ Mac Developer is used to sign app — it is only for development and testing, not for production
Signing app (identity: 3rd Party Mac Developer Application: ************)

Unhandled rejection Error: Exit code: 3. Command failed: spctl --assess --type execute --verbose --ignore-cache --no-cache

Also the mac .app file is crashing.

@salomvary
Contributor

@develar this got broken again somewhere between 8.2.0 (working) and 8.6.0 (broken). 8.2.0 was fine with my self-signed certificate (passed in gatekeeper-assess=false to electron-osx-sign which skips spctl --assess) but 8.6.0 fails with Gatekeeper again (executes spctl --assess with the self-signed certificate which is expected to fail).

@develar
Member

develar commented Nov 16, 2016

@salomvary Because the changes were reverted — #897 (comment). Will be reapplied soon.

salomvary added a commit to salomvary/soundcleod that referenced this issue Nov 16, 2016
@salomvary
Contributor

@develar ouch! Thanks anyway :)

@develar
Member

develar commented Nov 19, 2016

@salomvary Fix reapplied. Version 9.0.0.

@akashnimare
Contributor

Hey @develar I'm able to code sign my electron app on OSX. Although it says -

⚠️ Mac Developer is used to sign app — it is only for development and testing, not for production
Signing app (identity: Mac Developer: * (******))

Just a little confusion: what process should I follow to code sign my app for production? 🤔

@develar
Member

develar commented Nov 21, 2016

@akashnimare You use a "Mac Developer" cert only if you don't have money to become an Apple Developer. Otherwise please use the certs listed in https://github.com/electron-userland/electron-builder/wiki/Code-Signing#how-to-export-certificate-on-macos

gregnolle pushed a commit to voidbridge/electron-builder that referenced this issue Nov 28, 2016
* master:
  feat: electronDownload instead of download electron-userland#921
  feat: rename LICENSE from electron dist to LICENSE.electron.txt
  fix: snap support, desktop integration attempt electron-userland#509
  chore: update electron-macos-sign to 1.3.4
  fix(mac): App rejected when Mac Developer certificate is in keychain electron-userland#890
  feat(deb): Replace ia32 arch name with i386 in package filename
  feat(linux): lowercased linux executable
  WIP: snap support electron-userland#509
  test: split to small files to make Jest happy
  feat(linux): Build snap packages for Linux electron-userland#509
  test: migrate to Jest
@akashnimare
Contributor

@develar I have an Apple developer account and got this certificate from there only. In this case I don't need to export the certificates, and it will be automatically imported and my app will be signed, right?

@develar
Member

develar commented Dec 25, 2016

@akashnimare I don't quite understand what you mean. Yes — if your p12 file contains both the private key and the cert, you don't need to import it to the keychain.

@TimNZ

TimNZ commented Apr 4, 2017

@develar Running the latest electron-builder and getting the same problem as the original issue creator.
I only have a Developer certificate in the keychain and do not have a paid Developer account yet.

Unable to get a more detailed reason from spctl when running it on the command line and asking for more verbosity.

Packaging for darwin x64 using electron 1.6.2 to dist/mac
⚠️ Mac Developer is used to sign app — it is only for development and testing, not for production
Signing app (identity: Mac Developer: [email protected] (XXXXXXXX))

Error: Failed to pass Gatekeeper: : Error: Command failed: spctl --assess --type execute --verbose --ignore-cache --no-cache /Users/timshnaider/Desktop/Development/electron/electron-simple-updater/example/dist/mac/Simple Updater Example.app
/Users/timshnaider/Desktop/Development/electron/electron-simple-updater/example/dist/mac/Simple Updater Example.app: rejected

Looking for related issues

electron/osx-sign#83

Just noticed my Gatekeeper options on OS X 10.12.4 don't include running apps from Anywhere, unlike the Gatekeeper screens from older OS versions.

@TimNZ

TimNZ commented Apr 4, 2017

Ran 'spctl --master-disable' as root for the time being, for testing.

@sethlu
Member

sethlu commented Apr 6, 2017

@TimNZ I don't think a Mac Developer identity will pass the Gatekeeper. Only a valid Developer ID Application or an app re-signed by Apple (from submitting to the Mac App Store) could do so.

Like Gatekeeper, spctl will only accept Developer ID-signed apps and apps downloaded from the Mac App Store by default. It will reject apps signed with Mac App Store development or distribution certificates.

Ref: https://developer.apple.com/library/content/technotes/tn2206/_index.html#//apple_ref/doc/uid/DTS40007919-CH1-TNTAG211

@akashnimare
Contributor

I just successfully signed one of my electron apps to distribute it outside the Mac store. Let me know if you guys need any help. It took me months to completely understand the whole code sign process.

@develar
Member

develar commented Apr 6, 2017

> It took me months to completely understand the whole code sign process.

  1. create cert using Xcode (apple member).
  2. import to local keychain using Xcode.
  3. export from keychain to p12 for CI servers if need.

Nothing more :)

@develar
Member

develar commented Apr 6, 2017

> I don't think a Mac Developer identity will pass the Gatekeeper

The question is why electron-builder or electron-osx-sign do this check.... Hmm... Will check.

@sethlu
Member

sethlu commented Apr 6, 2017

@develar As Gatekeeper conflicts with app bundles signed with certs for distribution on the MAS, electron-osx-sign does not spawn a Gatekeeper check when signing for distribution on the MAS. However, it is assumed that a signed application (darwin build) is for distribution outside the MAS, so the Gatekeeper check is performed.

> gatekeeper-assess - Boolean
> Flag to enable Gatekeeper assessment after signing the app. Disabling it is useful for signing with self-signed certificates. Gatekeeper assessment is enabled by default on darwin platform. Default to true.

Ref: https://github.com/electron-userland/electron-osx-sign
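
As an added example (not electron-builder's or electron-osx-sign's own code), the script below applies the rule sethlu describes in this comment and the earlier one: only a Developer ID Application identity is expected to pass spctl, so a failed `spctl --assess` on a Mac Developer, Mac App Store or self-signed identity is skipped instead of being treated as a signing error. The identity prefixes are taken from the log lines in this thread; the sample `codesign -dvv` output in the comments is constructed.

```shell
#!/bin/sh
# Added example, not electron-builder's or electron-osx-sign's own code.
# Gatekeeper only accepts Developer ID-signed apps (and App Store apps
# re-signed by Apple), so `spctl --assess` on anything else fails by design.

# Read `codesign -dvv` output on stdin and print the leaf signing identity
# (the first "Authority=" line). Prints nothing for an unsigned bundle,
# e.g. when codesign reports "code object is not signed at all".
first_authority() {
  sed -n 's/^Authority=//p' | head -n 1
}

# Print "assess" when a Gatekeeper assessment can be expected to pass,
# "skip" when it is known to be rejected for this kind of identity.
# Prefixes are the certificate Common Names quoted in the thread.
gatekeeper_policy() {
  case "$1" in
    "Developer ID Application:"*)            echo assess ;;  # accepted by Gatekeeper
    "Mac Developer:"*)                       echo skip ;;    # development/testing only
    "3rd Party Mac Developer Application:"*) echo skip ;;    # MAS: Apple re-signs it
    *)                                       echo skip ;;    # self-signed, unknown, unsigned
  esac
}

# Assess an .app bundle. Returns 0 if it passes or the check was skipped on
# purpose, non-zero if Gatekeeper rejected a Developer ID-signed app.
assess_app() {
  app=$1
  identity=$(codesign -dvv "$app" 2>&1 | first_authority)
  if [ "$(gatekeeper_policy "$identity")" = skip ]; then
    echo "Skipping Gatekeeper assessment for identity: ${identity:-<unsigned>}"
    return 0
  fi
  # Same command electron-osx-sign runs; the cache flags avoid stale verdicts.
  spctl --assess --type execute --verbose --ignore-cache --no-cache "$app"
}

# Usage: ./gatekeeper_check.sh path/to/App.app   (needs macOS codesign/spctl)
if [ $# -eq 1 ]; then
  assess_app "$1"
fi
```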

@TimNZ

TimNZ commented Apr 6, 2017

Developer signing is fine for apps distributed outside of stores.

The gatekeeper check that electron-builder runs in the pipeline fails because of it with default OS settings, though.

Running 'spctl --master-disable' gets past that point.

electron-builder needs an option to disable setting gatekeeper-assess = true for electron-osx-sign, in macPackager.js

@develar
Member

develar commented Apr 7, 2017

  • electron-builder passes gatekeeper-assess for the Mac Developer cert.
  • I tested — no errors.

So — please file a new issue, specify the version of electron-builder used, set the env var DEBUG=electron-builder and attach the full log of the terminal output.
