Mac App Store refuses app via transporter #281

Open
gregoiregentil opened this issue Apr 12, 2023 · 11 comments
@gregoiregentil

gregoiregentil commented Apr 12, 2023

I have an app that I can notarize, sign and execute properly. But when I upload it to Mac App Store for review via transporter, I get the following errors:

Asset validation failed (90287)
Invalid Code Signing Entitlements. The entitlements in your app bundle signature do not match the ones that are contained in the provisioning profile. The bundle contains a key that is not included in the provisioning profile: 'com.apple.developer.team-identifier' in 'network.goodip.client.pkg/Payload/GoodIP.app/Contents/Library/LoginItems/GoodIP Login Helper.app/Contents/MacOS/GoodIP Login Helper'. (ID: a7ba6702-bf50-4fb8-9623-9923a325c547)

Asset validation failed (90287)
Invalid Code Signing Entitlements. The entitlements in your app bundle signature do not match the ones that are contained in the provisioning profile. The bundle contains a key that is not included in the provisioning profile: 'com.apple.application-identifier' in 'network.goodip.client.pkg/Payload/GoodIP.app/Contents/Library/LoginItems/GoodIP Login Helper.app/Contents/MacOS/GoodIP Login Helper'. (ID: ee3241a0-ba7d-4a04-8e15-5f0e62e021cc)

Asset validation failed (90287)
Invalid Code Signing Entitlements. The entitlements in your app bundle signature do not match the ones that are contained in the provisioning profile. The bundle contains a key that is not included in the provisioning profile: 'com.apple.developer.team-identifier' in 'network.goodip.client.pkg/Payload/GoodIP.app/Contents/MacOS/GoodIP'. (ID: 85ac6410-7994-46a3-8c40-8bfa441beee4)

Asset validation failed (90287)
Invalid Code Signing Entitlements. The entitlements in your app bundle signature do not match the ones that are contained in the provisioning profile. The bundle contains a key that is not included in the provisioning profile: 'com.apple.application-identifier' in 'network.goodip.client.pkg/Payload/GoodIP.app/Contents/MacOS/GoodIP'. (ID: 79445e6f-1e21-446f-bd9f-d32cfef3901f)

I suspect that I have a mis-configuration somewhere rather than a bug, but I can't find the problem.

To give more details:

  • "security find-identity -p codesigning -v" reports both the "Developer ID Application" and "Apple Distribution" certificates.
  • in full debug mode, osx-sign shows the entitlement
<key>com.apple.developer.team-identifier</key><string>Correct ID of my developer account</string>

What could be wrong? I apologize if it's not a bug.

The only thing that doesn't make sense is that I'm not using the provisioning file downloaded from the apple website for the platform "macOS".

@sanjubhambhani

Make sure you're building a mas build and not darwin/mac

You'll also need to use the "Apple Distribution" + "3rd Party Mac Developer Installer" certificates with the matching provisioning profile.

Hope this helps.

@sanjubhambhani

Hey! Were you able to get a working build on the Mac App Store (TestFlight)?

@gregoiregentil
Author

No. :-( :-(

I build both mac and mas and I'm sure that I'm dealing with the right mas file when dealing with transporter.

Here are my keys. I do have "Apple Distribution" and "3rd Party Mac Developer Installer".

[Screenshot from 2023-05-07 16-48-43]

I'm unsure what kind of configuration I should have to make sure that the build system uses the right certificates. Can you be more precise or is there a recent WORKING tutorial somewhere?

@sanjubhambhani

That's annoying man. Share your config files here... I can take a look and let you know if anything stands out. What package builder are you using? I'm currently using electron-forge which uses electron-packager & electron-osx-sign.

I have now managed to successfully package the app and upload via Transporter to TestFlight BUT the app directly hits status "Not Available for Testing" without any error messages or logs. Such a pain.

@gregoiregentil
Author

I'm a little bit confused. Do you have success or do you have (you too) an issue which would be different from mine?

I'm disappointed by Apple. Their certificates are just a pure nightmare. All the error messages are completely cryptic. I have complained multiple times on their forums but they don't care. It's like complaining against a wall.

I'm using:

@capacitor-community/[email protected]
@electron/[email protected]
[email protected]
[email protected]
[email protected]

I'm building mas:

	"mac": {
		"category": "public.app-category.utilities",
		"target": ["dmg", "mas"],
		"icon": "assets/main.icns",
		"hardenedRuntime": true,
		"entitlements": "entitlements.mac.plist",
		"entitlementsInherit": "entitlements.mac.plist",
		"gatekeeperAssess": false
	},
	"dmg": {
		"title": "GoodIP App",
		"background": "assets/background.tiff",
	},
	"mas": {
		"entitlements": "entitlements.mas.plist",
		"entitlementsInherit": "entitlements.mas.plist",
	},
	"afterSign": "./notarize.js",
	"afterAllArtifactBuild": "./post.js"

and notarize.js:

const { notarize } = require ("@electron/notarize");

module.exports = async () => {
	if (process.platform === 'darwin') {
		console.log("Starting notarization");
		try {
			await notarize({
				appBundleId: "...",
				appPath: "./dist/mac/GoodIP.app",
				appleId: "....",
				appleIdPassword: "...",
				ascProvider: "G..."
			});
			await notarize({
				appBundleId: "...",
				appPath: "./dist/mas/GoodIP.app",
				appleId: "....",
				appleIdPassword: "...",
				ascProvider: "G..."
			});
			console.log("Ending notarization");
		} catch (error) {
			console.log("Error: ", error);
		}
	}
}

@sanjubhambhani

You don't have to notarize the app for Mac App Store submission.

I'm stuck on a different issue. I can successfully package and upload the build to TestFlight. However, it reaches TestFlight with status "Not Available For Testing" - no error message/logs on TestFlight & no help from Apple developer support.

@gregoiregentil
Author

Can you share your setup and configuration similarly to what I have written above?

@ntbosscher

@gregoiregentil I was able to solve that same error by switching to electron-forge. But now I'm also getting the "Not available for testing" error

@ntbosscher

@gregoiregentil, I think I was also able to fix the error you saw by running this on the .app that was produced by electron-builder. Then repackaging with productbuild into a pkg.

const { signAsync } = require('@electron/osx-sign');
const app = 'packages/mas-universal/APPNAME.app';

console.log('signing ' + app);

signAsync({
  app: app,
  entitlements: 'build/entitlements.mas.plist',
  identity: 'Apple Distribution: APPNAME (AAAAAAAA)',
  platform: 'mas',
  provisioningProfile: 'embedded.provisionprofile',
  version: '23.1.1', // electron version
  optionsForFile: (file) => {
    const index = file.replace('APPNAME.app', '').indexOf('.app');
    const inherit = index !== -1;
    if (inherit) {
      console.log(file);
    }

    return {
      entitlements: inherit
        ? 'build/entitlements.mas.inherit.plist'
        : 'build/entitlements.mas.plist',
    };
  },
})
  .then(function () {
    // Application signed
    console.log('success');
  })
  .catch(function (err) {
    // Handle the error
    console.log(err);
  });

but that resulted in this error

WARNING ITMS-90885: ""Cannot be used with TestFlight because the executable “${executable}” in bundle “${bundle}” is missing a provisioning profile but has an application identifier in its signature. Nested executables are expected to have provisioning profiles with application identifiers matching the identifier in the signature in order to be eligible for TestFlight.""

which Quinn Eskimo helped me a bit with over at https://developer.apple.com/forums/thread/730398

@nathanarritt

nathanarritt commented Jun 13, 2023

@gregoiregentil I'm new to Electron and experiencing my own issues so I'm no expert, but it looks like your electron-builder config may be missing some things required for the mas build. I've included my configs below along with the back story.

@sanjubhambhani @ntbosscher I'm having the same problem with Forge. I was able to get a working build using electron-builder, but I'm still hoping to get Forge working. (Forge config at bottom)

I'm using Electron (25.0.0) Forge (6.1.1). I can package with Forge and "make" (dist) with electron-builder (^22.14.13), but I can't figure out how to make with Forge (App Store Connect says "Not Available for Testing" and app crashes on launch).

yarn package ("package": "electron-forge package --arch=universal --platform=mas")

Works: yarn dist ("dist": "yarn package && electron-builder --config builder.config.js")
Doesn't work: yarn make ("make": "electron-forge make --arch=universal --platform=mas")

"main": ".webpack/main", (package.json default from Forge for reference)

Note: The latest version of electron-builder (23.x.x) didn't work. I had to downgrade for it to work (^22.14.13).

// mas build certificates required
security find-identity -v
  4) myHash "Apple Distribution: myEntityName (myTeamId)"
  6) myHash "3rd Party Mac Developer Installer: myEntityName (myTeamId)"
     2 valid identities found

// mas build code signing certificate required
security find-identity -p codesigning -v
  3) myHash "Apple Distribution: myEntityName (myTeamId)"
     1 valid identities found

// builder.config.js
module.exports = {
  appId: 'com.myApp.myAppName',
  copyright: `Copyright © 2023 ${myEntityName}`,
  mac: {
    category: 'public.app-category.myCategory',
    icon: './build/logo.icns',
    target: {
      arch: 'universal',
      target: 'mas',
    },
  },
  mas: {
    entitlements: './build/entitlements.mas.plist',
    entitlementsInherit: './build/entitlements.mas.inherit.plist',
    entitlementsLoginHelper: './build/entitlements.mas.loginhelper.plist',
    hardenedRuntime: false,
    provisioningProfile: './build/Mac_App_Store.provisionprofile',
    type: 'distribution',
  },
}

// entitlements.mas.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.application-groups</key>
    <string>myTeamId.com.myApp.myAppName</string>
    <key>com.apple.application-identifier</key>
    <string>myTeamId.com.myApp.myAppName</string>
    <key>com.apple.developer.team-identifier</key>
    <string>myTeamId</string>
    <key>com.apple.security.cs.allow-jit</key>
    <true/>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
    <key>com.apple.security.files.user-selected.read-only</key>
    <true/>
    <key>com.apple.security.files.user-selected.read-write</key>
    <true/>
  </dict>
</plist>

// entitlements.mas.inherit.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.inherit</key>
    <true/>
    <key>com.apple.security.cs.allow-jit</key>
    <true/>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
  </dict>
</plist>

// entitlements.mas.loginhelper.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
  </dict>
</plist>

// forge.config.ts
const config: ForgeConfig = {
  makers: [
    new MakerPKG({ identity: `3rd Party Mac Developer Installer: ${myEntityName} (${myTeamId})` }),
  ],
  packagerConfig: {
    appBundleId: 'com.myApp.myAppName',
    appCopyright: `Copyright © 2023 ${myEntityName}`,
    icon: './build/logo',
    osxSign: {
      identity: `Apple Distribution: ${myEntityName} (${myTeamId})`,
      optionsForFile: () => ({ hardenedRuntime: false }),
      provisioningProfile: './build/Mac_App_Store.provisionprofile',
      type: 'distribution',
    },
  },
}

@pauljonescodes

@nathanarritt One thing that stands out to me is that com.apple.security.application-groups is an array of strings.

https://developer.apple.com/documentation/bundleresources/entitlements/com_apple_security_application-groups

For an approach that worked for me: electron-userland/electron-builder#4553 (comment)
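
The two checks this thread converges on, as an added example that is not part of any comment above or of @electron/osx-sign: the identifier keys named in the 90287 errors must be present in, and match, the provisioning profile's entitlements, and com.apple.security.application-groups must be an array of strings. It assumes the profile has already been decoded to a plist (for example with `security cms -D -i`); `check_entitlements` and all sample identifiers are constructed for illustration.

```python
import plistlib

# Keys that the 90287 errors quoted in this thread report as missing from the profile.
PROFILE_KEYS = ("com.apple.application-identifier",
                "com.apple.developer.team-identifier")
GROUPS = "com.apple.security.application-groups"

def _covers(granted, value):
    """True if the profile's value authorizes the signed value ('TEAMID.*' allowed)."""
    if isinstance(granted, str) and granted.endswith("*"):
        return isinstance(value, str) and value.startswith(granted[:-1])
    return granted == value

def check_entitlements(signed_plist: bytes, profile_plist: bytes) -> list:
    """Return a list of mismatches; an empty list means nothing was found."""
    signed = plistlib.loads(signed_plist)
    # Assumption: profile_plist is the already decoded profile, whose top-level
    # "Entitlements" dict lists what the profile authorizes.
    granted = plistlib.loads(profile_plist).get("Entitlements", {})
    problems = []
    for key in PROFILE_KEYS:
        if key not in signed:
            continue
        if key not in granted:
            problems.append(f"{key}: not included in the provisioning profile")
        elif not _covers(granted[key], signed[key]):
            problems.append(f"{key}: signed {signed[key]!r}, profile {granted[key]!r}")
    groups = signed.get(GROUPS)
    if groups is not None and not (
            isinstance(groups, list) and all(isinstance(g, str) for g in groups)):
        problems.append(f"{GROUPS}: must be an array of strings")
    return problems

# Constructed samples (placeholder identifiers, not taken from any real profile).
APP_ID = "TEAMID1234.com.example.app"
SIGNED_BAD = plistlib.dumps({
    "com.apple.security.app-sandbox": True,
    "com.apple.application-identifier": APP_ID,
    "com.apple.developer.team-identifier": "TEAMID1234",
    GROUPS: APP_ID,  # a bare string, as in the entitlements.mas.plist posted above
})
SIGNED_OK = plistlib.dumps({**plistlib.loads(SIGNED_BAD), GROUPS: [APP_ID]})
PROFILE_EMPTY = plistlib.dumps({"Name": "constructed", "Entitlements": {}})
PROFILE_OK = plistlib.dumps({"Entitlements": {
    "com.apple.application-identifier": "TEAMID1234.*",
    "com.apple.developer.team-identifier": "TEAMID1234"}})

if __name__ == "__main__":
    for line in check_entitlements(SIGNED_BAD, PROFILE_EMPTY):
        print(line)
```

Running the same comparison on every nested executable in the bundle, not only the main one, matches how the validation errors above are reported per binary.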
