Code signing rejected - unnotarized Developer ID #3828

Closed
mattgogerly opened this issue Apr 15, 2019 · 42 comments

@mattgogerly

  • Version: 20.39.0

  • Target: platform=darwin arch=x64 electron=4.1.4

I've generated a Developer ID Application certificate using Xcode and I can see it in the login keychain. When I run electron_builder I get the following error:

Error: Command failed: spctl --assess --type execute --verbose --ignore-cache --no-cache /Users/mattgogerly/Documents/GitHub/MailBean/frontend/electron_dist/mac/MailBean.app
/Users/mattgogerly/Documents/GitHub/MailBean/frontend/electron_dist/mac/MailBean.app: rejected
source=Unnotarized Developer ID

I can't seem to find anything about unnotarized IDs with electron-builder, hence this issue. Any ideas how to fix?

@martani

martani commented May 15, 2019

I have the same issue after updating to OSX 10.14.5. This error does not happen on previous versions, notably 10.14.4. Any ideas about what's causing this and how to fix?

@dorokei

dorokei commented May 21, 2019

Unfortunately, I also updated to OSX 10.14.5 and have the same problem😭

@martani

martani commented May 22, 2019

You can use electron-notarize but the afterSign hook is broken on Mac, so this is still an issue. See #3908.

You can also try to notarize the app manually: https://stackoverflow.com/questions/53112078/how-to-upload-dmg-file-for-notarization-in-xcode

@wildcodeman

I also updated to OSX 10.14.5 and then...😂

Here is my solution:

Edit the file node_modules/electron-osx-sign/sign.js, find the function verifySignApplicationAsync, comment out the section below, and everything goes right!

  // Additionally test Gatekeeper acceptance for darwin platform
  //if (opts.platform === 'darwin' && opts['gatekeeper-assess'] !== false) {
  //  promise = promise
  //    .then(function () {
  //      debuglog('Verifying Gatekeeper acceptance for darwin platform...')
  //      return execFileAsync('spctl', [
  //        '--assess',
  //        '--type', 'execute',
  //        '--verbose',
  //        '--ignore-cache',
  //        '--no-cache',
  //        opts.app
  //      ])
  //    })
  //}

That code looks like it just tests the app files, so removing it should be OK. I don't know why... but that fixed my problem...

@will-stone

Unfortunately, @wildcodeman's solution doesn't work for me. Well, it allows my app to be packaged, but when I release and download, I still get the "app cannot be opened" error. This means the app hasn't really been notarized.

@wagslane

This is a big problem... @wildcodeman's solution definitely won't work for any production app, as it is editing the node_modules files directly.

@lordkerwin

I too now have this issue after doing the update.... -__- not ideal when trying to deploy apps to production...

@KASOGIT

KASOGIT commented May 24, 2019

Has anyone found a fix that's acceptable in production?

@martani

martani commented May 25, 2019

So I was able to track this a bit. I generated a dmg that's notarized (also tried to notarize the .app before packaging within a dmg but I'm getting the same results):

On macOS 10.14.4:
APP

codesign --verify -vvvv my_app.app
my_app.app: valid on disk
my_app.app: satisfies its Designated Requirement

spctl --assess --type install --context context:primary-signature -v my_app.app
my_app.app: accepted
source=Notarized Developer ID

spctl --assess --type execute --context context:primary-signature -v my_app.app
my_app.app: accepted
source=Notarized Developer ID

spctl --assess --type open --context context:primary-signature -v my_app.app
my_app.app: accepted
source=Developer ID

DMG

codesign --verify -vvvv my_app.dmg
my_app.dmg: valid on disk
my_app.dmg: satisfies its Designated Requirement

spctl --assess --type install --context context:primary-signature -v my_app.dmg
my_app.dmg: accepted
source=Notarized Developer ID

spctl --assess --type execute --context context:primary-signature -v my_app.dmg
my_app.dmg: rejected (the code is valid but does not seem to be an app)

spctl --assess --type open --context context:primary-signature -v my_app.dmg
my_app.dmg: accepted
source=Developer ID

On macOS 10.14.5:
All the results are the same, except for:

spctl --assess --type open --context context:primary-signature -v my_app.app
my_app.dmg: rejected
source=no usable signature

spctl --assess --type open --context context:primary-signature -v my_app.dmg
my_app.dmg: rejected
source=no usable signature

The issue seems to be related to the --type open assessment. The side effect of this is that when a user double clicks the dmg on macOS 10.14.5, they do not have the option to click "open", only a close button! I don't have enough knowledge of how gatekeeper handles this type, but does it indicate that something is missing during the sign process for the dmg?

Note that this is not an issue for the .app itself because the default action after a double click is to execute. And the execute assessment type shows correctly that the app is notarized.

@Kilian
Contributor

Kilian commented May 26, 2019

@martani can you share a screenshot of the message a user sees when they try to open that dmg?

@KASOGIT

KASOGIT commented May 26, 2019

@Kilian That's the one I'm getting.
English: "Cannot open "app name" because Apple can't verify that there isn't any malicious software in it"

@Kilian
Contributor

Kilian commented May 26, 2019

Here's the English text: [screenshot: Screenshot_26_05_2019__14_14]

Worth noting, if you right-click and open, then you do get the expected buttons.

@Kilian
Contributor

Kilian commented May 26, 2019

On 10.14.5 I tried the same as @martani with a signed + notarized app in a signed+notarized dmg, with the following results:

$ codesign --verify -vvvv Polypane-1.0.0.dmg
Polypane-1.0.0.dmg: valid on disk
Polypane-1.0.0.dmg: satisfies its Designated Requirement
$ spctl --assess --type install --context context:primary-signature -v Polypane-1.0.0.dmg
Polypane-1.0.0.dmg: accepted
source=Notarized Developer ID
$ spctl --assess --type execute --context context:primary-signature -v Polypane-1.0.0.dmg
Polypane-1.0.0.dmg: rejected (the code is valid but does not seem to be an app)
$ spctl --assess --type open --context context:primary-signature -v Polypane-1.0.0.dmg
Polypane-1.0.0.dmg: rejected
source=Unnotarized Developer ID

Where the first three seem as expected, but the third is different and might give more of a clue. I'll look into how electron-builder signs the dmg.

@Kilian
Contributor

Kilian commented May 26, 2019

@mattgogerly to go back to your original issue, this error happens in electron-osx-sign (and thus has nothing to do with electron-builder). The workaround is to disable the gatekeeper assessment, like described here: electron/osx-sign#196

I would suggest closing this issue.

The issues @martani, @KASOGIT and I are having are separate issues and I suggest we continue that in #3870.

@raymondjacobson

Is there an easy way to disable gatekeeper access from electron-builder?

@Kilian
Contributor

Kilian commented Jun 4, 2019

@raymondjacobson There is now in 20.43.0, set "gatekeeperAssess": false in the mac configuration of electron-builder.

@develar
Member

develar commented Jun 4, 2019

@Kilian gatekeeperAssess is set by default to false. Or... not, I am wrong. Should we set gatekeeperAssess by default to false?

@Kilian
Contributor

Kilian commented Jun 4, 2019

@develar I would keep the default true. When @sethlu changes the behaviour of the assessment in electron-osx-sign to again verify just the signing and not also the notarizing (on 10.14.5) then we want that to be the default, so keeping it to true by default makes the most sense.

@guillaumeduhan

Same problem here.

App built successfully but "App cannot be opened because Apple cannot check if malicious software."

@yoannsark

yoannsark commented Jun 13, 2019

Same problem here.

App built successfully but "App cannot be opened because Apple cannot check if malicious software."

Here is the good tutorial by @Kilian:
https://kilianvalkhof.com/2019/electron/notarizing-your-electron-application

I did it, the notarizing is ok but I have an error when I launch the app 😕
/var/folders/_x/... : code signature in (/var/folders/_x/...) not valid for use in process using Library Validation: mapped file has no cdhash, completely unsigned? Code has to be at least ad-hoc signed.
EDIT : fixed #3940 (comment)

@guillaumeduhan

Same problem here.
App built successfully but "App cannot be opened because Apple cannot check if malicious software."

Here is the good tutorial by @Kilian:
https://kilianvalkhof.com/2019/electron/notarizing-your-electron-application

I did it, the notarizing is ok but I have an error when I launch the app 😕
/var/folders/_x/... : code signature in (/var/folders/_x/...) not valid for use in process using Library Validation: mapped file has no cdhash, completely unsigned? Code has to be at least ad-hoc signed.
EDIT : fixed #3940 (comment)

After a long search it seems that it's an error specific to electron-osx-sign, but I can't determine how to sign the app. The app is flagged valid but still:

source=Unnotarized Developer ID

@yoannsark

@guillaumeduhan yes, you must have an Apple Developer ID certificate to sign the app

@7E2678562852987564757825

7E2678562852987564757825 commented Jun 25, 2019

I had the same problem as you.

This tutorial resolved some of those problems: https://kilianvalkhof.com/2019/electron/notarizing-your-electron-application/

@stale

stale bot commented Sep 11, 2019

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the backlog label Sep 11, 2019
@mayqiyue

mayqiyue commented Sep 11, 2019 via email

@stale stale bot removed the backlog label Sep 11, 2019
@DenisTsapelnikov

Hi,

I was able to notarize my app (Apple's email confirmed this). But when I try to run it, I get a code signing error.
I tried a variety of entitlements.
The latest one is below:

com.apple.security.cs.allow-jit
com.apple.security.cs.allow-unsigned-executable-memory
com.apple.security.cs.allow-dyld-environment-variables
com.apple.security.device.audio-input
com.apple.security.device.camera
<key>com.apple.security.app-sandbox</key><true/>
<key>com.apple.security.network.client</key><true/>
<key>com.apple.security.network.server</key><true/>
<key>com.apple.security.files.user-selected.read-write</key><true/>
<key>com.apple.security.files.downloads.read-write</key><true/>

@standuprey

standuprey commented Sep 20, 2019

Trick that got me out of this one:

sudo spctl --master-disable

@ndtreviv

ndtreviv commented Sep 23, 2019

Trick that got me out of this one:

sudo spctl --master-disable

Wouldn't everyone have to do this on their macs for it to work for them?

I'm trying to sign my app, and notarize it as per the tutorial (https://kilianvalkhof.com/2019/electron/notarizing-your-electron-application/) but when I run:
spctl -a -vv ./dist/mac/MyApp.app I still get:

./dist/mac/MyApp.app: rejected
source=Unnotarized Developer ID

What have I done wrong? What does this error even mean?
My package.json:

    "mac": {
      "icon": "build/icons/icon.icns",
      "hardenedRuntime": true,
      "gatekeeperAssess": false,
      "entitlements": "build/entitlements.mac.plist",
      "entitlementsInherit": "build/entitlements.mac.plist",
      "provisioningProfile": "build/MyApp.provisionprofile"
    },

@portah

portah commented Oct 10, 2019

@ndtreviv Have you gotten past this issue? I have the same. And the actual notarization step is taking hours and I could not complete it.

10/14/19:

./dist/mac/MyApp.app: rejected
source=Unnotarized Developer ID

This error appeared before notarization. I used electron-notarization and when it completed I got

./dist/mac/MyApp.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: *********

However, there was a complication: Apple's notarization server was down, so it took more than 6h to notarize.

@stale

stale bot commented Dec 13, 2019

Is this still relevant? If so, what is blocking it? Is there anything you can do to help move it forward?

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

@stale stale bot added the backlog label Dec 13, 2019
@ndtreviv

@ndtreviv Have you gotten past this issue? I have the same. And the actual notarization step is taking hours and I could not complete it.

I did get past this in the end. My plist files were ever so slightly incorrect, but I think the main issue was that I had generated my certs using keychain. I ended up going ground-zero on my certs, installing full fat XCode and doing it that way, then it all worked.

@stale stale bot removed the backlog label Dec 13, 2019
@ghost

ghost commented Jan 22, 2020

@ndtreviv, could you elaborate on what exactly you did with Xcode? 😰

@ndtreviv

It seems like years ago now (!) but I think I did something like this: https://ioscodesigning.com/generating-code-signing-files/

I Create-d the bottom 5 and went from there.

My build package.json entry looks like this:

  "build": {
    "appId": "com.mycompany.ApplicationName",
    "afterSign": "electron/notarize.js",
    "asarUnpack": [
      "**/node_modules/module_I_wanted_unpacked/**/*"
    ],
    "publish": {
      "provider": "s3",
      "bucket": "my-s3-bucket-name",
      "storageClass": "STANDARD_IA",
      "region": "us-east-1"
    },
    "files": [
      "build/**/*",
      "node_modules/**/*"
    ],
    "win": {
      "target": "NSIS",
      "icon": "build/icons/icon.ico",
      "sign": "./electron/winsign.js",
      "publisherName": "My Publisher Name"
    },
    "mac": {
      "category": "public.app-category.productivity",
      "icon": "build/icons/icon.icns",
      "hardenedRuntime": true,
      "gatekeeperAssess": false,
      "entitlements": "build/entitlements.mac.plist",
      "entitlementsInherit": "build/entitlements.mac.plist",
      "provisioningProfile": "embedded.provisionprofile"
    },
    "dmg": {
      "sign": false
    },
    "linux": {
      "icon": "build/icons/icon.icns",
      "target": "AppImage",
      "category": "Utility"
    }
  },

The scripts.release value is this:

    "prepare": "yarn build && mkdir -p build/src && cp -r electron/. build/electron && cp -r src/shared/. build/src/shared && cp -R assets/ build/",
    "prerelease": "yarn prepare",
    "release": "electron-builder build --mac --win --linux -c.extraMetadata.main=build/electron/main.js --publish always",
    "sign-for-mac": "electron-osx-sign dist/mac/MyAppName.app --platform=darwin --type=distribution --entitlements=\"assets/entitlements.mac.plist\" --provisioning-profile=\"embedded.provisionprofile\" --hardened-runtime"

entitlements.mac.plist:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
    <key>com.apple.security.files.user-selected.read-write</key>
    <true/>
  </dict>
</plist>

entitlements.mas.plist:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.application-identifier</key>
    <string>MY_TEAM_IDENTIFIER.com.mycompany.ApplicationName</string>
    <key>com.apple.team-identifier</key>
    <string>MY_TEAM_IDENTIFIER</string>
    <key>com.apple.developer.team-identifier</key>
    <string>MY_TEAM_IDENTIFIER</string>
    <key>com.apple.security.application-groups</key>
    <array>
      <string>MY_TEAM_IDENTIFIER.com.mycompany.ApplicationName</string>
    </array>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
    <key>com.apple.security.files.user-selected.read-write</key>
    <true/>
  </dict>
</plist>

I exported all my certs into a .p12 file and put it in ./assets.

My notarize.js script looks like this:

require('dotenv').config();
const { notarize } = require('electron-notarize');

// A keychain reference that electron-notarize accepts in place of the
// literal password, so the secret itself stays out of .env and the log.
const password = `@keychain:EE_PASSWORD`;

exports.default = async function notarizing(context) {
  const { electronPlatformName, appOutDir } = context;
  // Only the macOS build is notarized; Windows and Linux return early.
  if (electronPlatformName !== 'darwin') {
    return;
  }

  const appName = context.packager.appInfo.productFilename;

  // Prints the keychain reference, not the password itself.
  console.log("Notarizing: ", password, process.env.APPLE_ID);

  return await notarize({
    appBundleId: 'com.mycompany.MyApplicationName',
    appPath: `${appOutDir}/${appName}.app`,
    appleId: process.env.APPLE_ID,
    appleIdPassword: password,
  });
};

EE_PASSWORD is stored in my keychain, done with this command:

security add-generic-password -a "my-apple-id@mycompany.com" -w my-password -s "EE_PASSWORD"

My win-sign.js looks like this:

require('dotenv').config();

const password = process.env.WIN_CSC_KEY_PASSWORD;

function sleep(ms) {
  return new Promise((resolve) => {
    setTimeout(resolve, ms);
  });
}

exports.default = async function (configuration) {
  // The hardware token signs intermittently, so retry up to MAX_ITER times
  // with a one-second pause; a wrong token PIN aborts immediately instead,
  // since repeated wrong PINs would lock the token.
  const MAX_ITER = 100;
  let command = `java \
    -jar ./jsign-2.1.jar \
    --keystore ./hardwareToken.cfg \
    --storepass "${password}" \
    --storetype PKCS11 \
    --tsaurl http://timestamp.digicert.com \
    --alias "SafeNet eToken 5110:MyCompany Ltd's COMODO CA Limited ID" \
    "${configuration.path}"`;
  // console.log("Attempting to sign with: " + command);
  for (let i = 0; i < MAX_ITER; ++i) {
    try {
      require("child_process").execSync(command);
    } catch (e) {
      // e.stdout is null when the process could not be spawned at all
      const output = (e.stdout || "").toString();
      if (output.includes("CKR_PIN_INCORRECT")) {
        console.log("Incorrect token password! No more tries will be attempted");
        process.exit(1);
      }
      await sleep(1000);
      continue;
    }
    console.log(`signing succeeded: ${configuration.path}`);
    return;
  }
  console.log(`All ${MAX_ITER} iterations failed.`);
  process.exit(1);
};

@assimovt

After following the guide by @Kilian (thanks btw 👍) I've just bumped into a similar issue to the one mentioned above.

Notarizing fails with this message:

The binary is not signed with a valid Developer ID certificate

As far as I understand, electron-builder picks the Mac Developer identity (which was a self-signed certificate) instead of Developer ID Application.

I then tried to configure builder with these env vars:

CSC_LINK=./build/certs.p12
CSC_KEY_PASSWORD=PASSWORD TO CERT BUNDLE
CSC_NAME=Name of the Developer ID Application identity

And made sure I've gotten the correct identities:

$ security find-identity -vp codesigning

1) "Developer ID Application: Name (ID)"
2) "Apple Development: Name (ID)"
3) "Apple Distribution: Name (ID)"
4) "Mac Developer: Name (ID)"

So, now I am getting the error in signing:

skipped macOS application code signing  reason=cannot find valid "Mac Developer" identity or custom non-Apple code signing certificate, see https://electron.build/code-signing allIdentities=

My environment:

  • electron-builder 22.4.0
  • xcode 11.3.1
  • node 12.9.1

Anyone here managed to get the signing + notarizing to work lately? Cheers!

@assimovt

Looks like I didn't read the docs carefully, the type should be a distribution for the builder to pick up the correct certificate. All good, got my first notarized app 👍

@stale

stale bot commented May 10, 2020

Is this still relevant? If so, what is blocking it? Is there anything you can do to help move it forward?

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

@stale stale bot added the backlog label May 10, 2020
@stale stale bot closed this as completed May 17, 2020
@mb21

mb21 commented Sep 4, 2020

So do we still need to use electron-notarize to notarize the app or is this now built into electron-builder?

In the build step I have:

signing         file=dist/mac/PanWriter.app identityName=XXXX identityHash=YYYY provisioningProfile=none
building ....
Done

(should there be a separate notarizing step?)

But then:

$ spctl -a -vv -t install dist/mac/MyApp.app
dist/mac/MyApp.app: rejected
source=Unnotarized Developer ID

Do I need a provisioningProfile even if I don't want to use the mac app store?

@stukennedy

Looks like I didn't read the docs carefully, the type should be a distribution for the builder to pick up the correct certificate. All good, got my first notarized app 👍

I'm stuck here ... sorry what do you mean by the type? Could you show me what you changed to get this to work. Mine is also picking up the self-signed cert instead of the correct Developer ID Application cert

@alex-drocks

I followed the instructions in the Electron documentation and am stuck at source=Unnotarized Developer ID.
Would anyone who has solved this please provide a working example?

@haraldsteinlechner

@alex-drocks did you manage to get rid of the problem?

@alex-drocks

alex-drocks commented May 25, 2021

@haraldsteinlechner
Yes but I'm not 100% sure how I did it back then. Here's some clues:

forge.config.js: [screenshot]

On my virtual Mac, I created a file named appleIdPassword which is required() when osxNotarize executes.
Also a file named entitlements.plist which contains related settings (not sure where I got the info for what to put inside this file sorry)

Some required steps to do:

  • I needed to get an Apple Developer certificate for about 99 USD
  • I needed to install Apple's XCode software on the virtual Mac which was a bit hard because my virtual machine is not compatible with latest xcode versions.
  • I needed to export some apple code sign related credentials using xcode (following Apple developers documentation)

That's all I can remember right now and sorry I'm not willing to go back and check exactly what I did. It was a pain in the ass that's for sure. Sorry man this part really sucks but then after its done it just works without more configs.

@haraldsteinlechner

Thank you for the response. I managed to notarise using the vanilla developer tools but not using the Electron infrastructure so far. Thanks for the hints!
