Error signing after upgrade of NodeJS #4932

Closed
idanwork opened this issue May 5, 2020 · 9 comments


idanwork commented May 5, 2020

  • Version: 22.4.1-22.6.0
  • Electron Version: 8.2.5
  • Electron Type (current, beta, nightly): current
  • Target: Zip,DMG

  • OS Version: macOS v10.13.6

Heads up it might be long,

Summary:
After upgrading the Node version from 8.11.1 to 12.16.3, I started getting sign errors, which were ignored with the older version of NodeJS (using the same electron-builder version!).

Longer story:
I wanted to update electron-builder from version 22.4.1 to 22.6.0,
I saw that a new syntax was used in the newer version that didn't fly well with the older NodeJS version

A catch without () brackets was throwing a syntax error as part of the install-app-deps step

    catch { ....}

So I've upgraded the station to node V12.16.3 and started getting sign errors.

I include another app ("Another.app") in the electron app ("My.app") both are developed in-house.

Everything was signed and packaged smoothly with Node 8.11.1.

The error I'm getting with the NodeJS 12.16.3 is "code object is not signed at all" error code when signing the electron app

    [14:43:10] Starting 'pack'...
      • electron-builder  version=22.6.0 os=17.7.0
      • loaded configuration  file=package.json ("build" field)
      • packaging       platform=darwin arch=x64 electron=8.2.5 appOutDir=/path/to/dist/mac
      • signing         file=/path/to/dist/mac/My App.app identityName=Developer ID Application: My DevID (MyDevCode) identityHash=MY-HASH-CODE provisioningProfile=none
    [14:43:38] 'pack' errored after 28 s
    [14:43:38] Error: Command failed: codesign --sign MY-HASH-CODE --force --timestamp --options runtime --entitlements build/entitlements.mac.inherit.plist /path/to/dist/mac/My App.app/Contents/Resources/My Other.App
    /path/to/dist/mac/My App.app/Contents/Resources/Contents/Resources/My Other.App/Contents/MacOS/another: replacing existing signature
    /path/to/dist/mac/My App.app/Contents/Resources/Contents/Resources/My Other.App/Contents/MacOS/another: code object is not signed at all
    In subcomponent: /path/to/dist/mac/My App.app/Contents/Resources/My Other.App/Contents/Info.xml

    at ChildProcess.exithandler (child_process.js:303:12)
    at ChildProcess.emit (events.js:310:20)
    at ChildProcess.EventEmitter.emit (domain.js:505:15)
    at maybeClose (internal/child_process.js:1021:16)
    at Socket.<anonymous> (internal/child_process.js:443:11)
    at Socket.emit (events.js:310:20)
    at Socket.EventEmitter.emit (domain.js:505:15)
    at Pipe.<anonymous> (net.js:672:12)
From previous event:
    at bound (domain.js:426:14)
    at MappingPromiseArray.runBound (domain.js:439:12)
    at processImmediate (internal/timers.js:456:21)
    at process.topLevelDomainCallback (domain.js:137:15)
From previous event:
    at MacPackager.signApp (/path/to/app/node_modules/app-builder-lib/src/macPackager.ts:329:27)
    at MacPackager.doPack (/path/to/app/node_modules/app-builder-lib/src/platformPackager.ts:244:16)
    at MacPackager.pack (/path/to/app/node_modules/app-builder-lib/src/macPackager.ts:130:7)
    at Packager.doBuild (/path/to/app/node_modules/app-builder-lib/src/packager.ts:444:9)
    at executeFinally (/path/to/app/node_modules/builder-util/src/promise.ts:12:14)
    at Packager._build (/path/to/app/node_modules/app-builder-lib/src/packager.ts:373:31)
    at Packager.build (/path/to/app/node_modules/app-builder-lib/src/packager.ts:337:12)
    at executeFinally (/path/to/app/node_modules/builder-util/src/promise.ts:12:14)
    at pack (/path/to/app/tasks/pack.js:68:13)

What I tried:

I suspect that codesign returns a "warning" in the stderr which was ignored with the earlier combination of Node & electron-builder, but is not ignored anymore.

To summarise my very long issue - what I am asking is

  1. Is it possible to add the --deep to the sign programmatically (or as a package.json prop for mac)?
  2. Is it possible to customise the sign process for mac, the same way we can customise it in windows (package.json --> build --> win --> sign)?
  3. Is it possible to add an ignore sign error flag for internal applications?
  4. Is it possible to add a handler for sign errors? For example, if the text is "Object is not signed at all" then ignore...

idanwork commented May 6, 2020

Hi,

Again, sorry for the long message and forgive me if it's not clear - I've been struggling with it for a few days now.

After correctly running debug mode (🤦),
I think there may be a problem in the electron-builder copy mechanism.

Why do I suspect this?

I was looking at how to deep sign or avoid signing an internal application,
I found this code:

    return file.endsWith(".kext") || file.startsWith("/Contents/PlugIns", appPath.length) ||
      // https://github.com/electron-userland/electron-builder/issues/2010
      file.includes("/node_modules/puppeteer/.local-chromium")

in https://github.com/electron-userland/electron-builder/blob/master/packages/app-builder-lib/src/macPackager.ts#L180

It lets you ignore signing for anything in the PlugIns path,
I've put my internal app in the "PlugIns" folder and as expected it skipped the sign as part of the build.

However the build still fails to verify the "packaged" app - with the same error as before

    Error: Command failed: codesign --verify --deep --strict --verbose=2 /path/to/packaged/My App.app
    --prepared:/path/to/packaged/My App.app/Contents/Frameworks/Electron Framework.framework/Versions/Current/.
    --validated:/path/to/packaged/My App.app/Contents/Frameworks/Electron Framework.framework/Versions/Current/.
    --prepared:/path/to/packaged/My App.app/Contents/Frameworks/Mantle.framework/Versions/Current/.
    --validated:/path/to/packaged/My App.app/Contents/Frameworks/Mantle.framework/Versions/Current/.
    --prepared:/path/to/packaged/My App.app/Contents/Frameworks/ReactiveCocoa.framework/Versions/Current/.
    --validated:/path/to/packaged/My App.app/Contents/Frameworks/ReactiveCocoa.framework/Versions/Current/.
    --prepared:/path/to/packaged/My App.app/Contents/Frameworks/Squirrel.framework/Versions/Current/.
    --validated:/path/to/packaged/My App.app/Contents/Frameworks/Squirrel.framework/Versions/Current/.
    --prepared:/path/to/packaged/My App.app/Contents/Frameworks/My App Helper (GPU).app
    --validated:/path/to/packaged/My App.app/Contents/Frameworks/My App Helper (GPU).app
    --prepared:/path/to/packaged/My App.app/Contents/Frameworks/My App Helper (Plugin).app
    --validated:/path/to/packaged/My App.app/Contents/Frameworks/My App Helper (Plugin).app
    --prepared:/path/to/packaged/My App.app/Contents/Frameworks/My App Helper (Renderer).app
    --validated:/path/to/packaged/My App.app/Contents/Frameworks/My App Helper (Renderer).app
    --prepared:/path/to/packaged/My App.app/Contents/Frameworks/My App Helper.app
    --validated:/path/to/packaged/My App.app/Contents/Frameworks/My App Helper.app
    --prepared:/path/to/packaged/My App.app/Contents/PlugIns/Another.app
    /path/to/packaged/My App.app: code object is not signed at all
    In subcomponent: /path/to/packaged/My App.app/Contents/PlugIns/Another.app/Contents/Info.xml

    at ChildProcess.exithandler (child_process.js:303:12)
    at ChildProcess.emit (events.js:310:20)
    at ChildProcess.EventEmitter.emit (domain.js:505:15)
    at maybeClose (internal/child_process.js:1021:16)
    at Socket.<anonymous> (internal/child_process.js:443:11)
    at Socket.emit (events.js:310:20)
    at Socket.EventEmitter.emit (domain.js:505:15)
    at Pipe.<anonymous> (net.js:672:12)
From previous event:
    at bound (domain.js:426:14)
    at MappingPromiseArray.runBound (domain.js:439:12)
    at processImmediate (internal/timers.js:456:21)
    at process.topLevelDomainCallback (domain.js:137:15)
From previous event:
    at MacPackager.signApp (/path/to/My App/node_modules/app-builder-lib/src/macPackager.ts:329:27)
    at MacPackager.doPack (/path/to/My App/node_modules/app-builder-lib/src/platformPackager.ts:244:16)
    at MacPackager.pack (/path/to/My App/node_modules/app-builder-lib/src/macPackager.ts:130:7)
    at Packager.doBuild (/path/to/My App/node_modules/app-builder-lib/src/packager.ts:444:9)
    at executeFinally (/path/to/My App/node_modules/builder-util/src/promise.ts:12:14)
    at Packager._build (/path/to/My App/node_modules/app-builder-lib/src/packager.ts:373:31)
    at Packager.build (/path/to/My App/node_modules/app-builder-lib/src/packager.ts:337:12)
    at executeFinally (/path/to/My App/node_modules/builder-util/src/promise.ts:12:14)
    at pack (/path/to/My App/tasks/pack.js:68:13)

I've made sure that the internal app is signed (same developer id) on the source folder and it looks ok (checked both with codesign and spctl):

    my-machine-name$ spctl -a -vv -t install /path/to/My App/PlugIns/Another.app
    /path/to/My App/PlugIns/Another.app: accepted
    source=Developer ID
    origin=Developer ID Application: My Develoer ID


    my-machine-name$ codesign --verify --deep --strict --verbose=2 /path/to/My App/PlugIns/Another.app
    --prepared:/path/to/My App/PlugIns/Another.app/Contents/Info.xml
    --validated:/path/to/My App/PlugIns/Another.app/Contents/Info.xml
    ...
    Long list of files  here ;) 
    ...
    /path/to/My App/PlugIns/Another.app: valid on disk
    /path/to/My App/PlugIns/Another.app: satisfies its Designated Requirement

So I suspect the copy of the source (signed) app to the target ".app" does not retain the files structure/permissions/etc...

What I need help with

  1. Will it be possible to customise the ignore folders?
  2. Will it be possible to customise the copy? (or even better fix it?)

Other thoughts:

I've looked at the sign.js file
https://github.com/electron-userland/electron-builder/blob/master/packages/app-builder-lib/electron-osx-sign/sign.js

And found that the --deep argument is used for verifying the signatures,
whereas --deep is not used for the sign itself.

This sounds like a good behaviour by default but I don't see a way to override it,
I thought maybe I can get it done with "signature-flags" but can't see how to pass it.


pfrazee commented May 13, 2020

Is this possibly related? electron/osx-sign#228

@idanwork

Hi @pfrazee
Thanks for your reply,

I've tried using the electron9.0.0-beta24 and I get the same error as in the link you provided

Contents/Frameworks/Electron Framework.framework/Versions/A/Electron Framework: code object is not signed at all

I'll check it again later

@idanwork

Tried again with electron@9.0.0 (not beta)
and electron-builder@22.6.1

I'm still getting the error as in electron/electron#23534
It fails before reaching the error that I had before

pfrazee added a commit to pfrazee/electron-builder that referenced this issue May 20, 2020

pfrazee commented May 20, 2020

I've submitted a fix PR https://github.com/electron-userland/electron-builder/pull/4993/files

I've tested this multiple times (I had to apply the patch manually in my node_modules to create a recent release of my Electron project).

@idanwork

Thanks @pfrazee I'll try to do the same (edit in the node_modules)

@idanwork

@pfrazee I did as you did and edited the node_modules, and it passed the electron 9 error that you intend to fix.

My original issue still persists.
I liked the idea of editing the node_modules for testing this - Thanks!

ymschaap added a commit to ymschaap/electron-builder that referenced this issue May 21, 2020
Sign macOS objects depth-first (close electron-userland#4932)
@idanwork

Hi @develar
While the issue of electron 9's frameworks is indeed resolved in electron-builder@22.7.0,

my issue still persists.

When I check the signature of my internal app in its directory I get

    user@machine bin % codesign --verify --verbose internal.app 
    internal.app: valid on disk
    internal.app: satisfies its Designated Requirement

When I check it in the output folder after running electron-builder I get this error

    user@machine bin % codesign --verify --verbose  internal.app  
    internal.app: code object is not signed at all
    In subcomponent: /Users/user/...PathToOutput.../Internal.App/Contents/Info.xml

I haven't ruled out that this may be something with the internal app,
but it appears that the copy of the app changes something with the file attributes that causes its signature to become invalid.

If I install NodeJS 8.11 I don't get this error (but I also need to use electron-builder@22.4.1)

Is it possible to delegate the sign to the user, the same way it's done on windows?

    "win": {
      "sign": "sign.js"
    }

This way I can make a workaround

@idanwork

Hi, just leaving this here in case someone runs into the same issue.

The problem was not in electron-builder but was related to how the internal app is signed before including it in the main electron app.

For detailed info see here https://stackoverflow.com/questions/54149144/cannot-codesign-an-app-with-python-and-node

The main gist of it is,
Don't include non-code in the Contents/MacOS folder
Don't sign it with --deep, instead do sign the files yourself in the same way as pfrazee wrote (deeper levels first)

Thanks all!
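
The resolution in the closing comment (no non-code files in Contents/MacOS, and signing nested objects deepest first instead of relying on --deep) can be checked before the build runs. The following is an added example, not code from electron-builder or from anyone in this thread; the file listing, the `Lib.framework` and `settings.json` names and the identity placeholder are constructed, and detecting code by Mach-O magic number is an assumption of the example.

```javascript
// Added example (not electron-builder code): plan a depth-first signing order.
// Mach-O magic numbers as they appear in the first four bytes of a file.
const MACHO_MAGICS = new Set(["feedface", "feedfacf", "cefaedfe", "cffaedfe", "cafebabe"]);
const BUNDLE_RE = /\.(app|framework)$/i;

// Constructed sample listing: bundle-relative path plus first four bytes (hex).
const SAMPLE = [
  { path: "My.app/Contents/MacOS/My", magic: "cffaedfe" },
  { path: "My.app/Contents/Info.plist", magic: "3c3f786d" },
  { path: "My.app/Contents/PlugIns/Another.app/Contents/MacOS/another", magic: "cffaedfe" },
  { path: "My.app/Contents/PlugIns/Another.app/Contents/MacOS/settings.json", magic: "7b0a2020" },
  { path: "My.app/Contents/PlugIns/Another.app/Contents/Frameworks/Lib.framework/Lib", magic: "cffaedfe" },
];

const isMachO = (entry) => MACHO_MAGICS.has(entry.magic);

// Files under any Contents/MacOS directory that are not Mach-O binaries.
function nonCodeInMacOS(entries) {
  return entries
    .filter((e) => e.path.includes("/Contents/MacOS/") && !isMachO(e))
    .map((e) => e.path);
}

// Every enclosing bundle directory and every Mach-O file, deepest path first,
// so a nested object is always sealed before the bundle that contains it.
function signingOrder(entries) {
  const targets = new Set();
  for (const e of entries) {
    const parts = e.path.split("/");
    parts.forEach((part, i) => {
      if (BUNDLE_RE.test(part)) targets.add(parts.slice(0, i + 1).join("/"));
    });
    if (isMachO(e)) targets.add(e.path);
  }
  const depth = (p) => p.split("/").length;
  return [...targets].sort((a, b) => depth(b) - depth(a) || (a < b ? -1 : a > b ? 1 : 0));
}

// One codesign invocation per object, with flags seen in the thread's log; no --deep.
function codesignArgs(identity, target) {
  return ["--sign", identity, "--force", "--timestamp", "--options", "runtime", target];
}

const misplaced = nonCodeInMacOS(SAMPLE);
if (misplaced.length) console.log("move out of Contents/MacOS:", misplaced);
for (const target of signingOrder(SAMPLE)) {
  console.log("codesign", codesignArgs("IDENTITY-PLACEHOLDER", target).join(" "));
}
```

On a real bundle the `magic` field would come from reading the first four bytes of each file; the ordering and the Contents/MacOS check are unchanged.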
