Error: Code signature at URL ... did not pass validation: code object is not signed at all #2399

Closed
KrzysZG37 opened this issue Dec 19, 2017 · 17 comments


@KrzysZG37

electron-updater
Version: 2.17.6

electron-builder
Version: 19.49.0

Target: dmg, zip

I am currently facing a problem with auto-updater for Mac. After successfully signing the application with a certificate obtained from apple.developer, auto-updater still gives me the same error concerning the code signature.

Newest version of the application is uploaded to the S3 server, and auto-updater finds that version correctly.

@develar
Member

develar commented Dec 19, 2017

Squirrel.Mac requires a signed application, sorry. For now electron-builder cannot help you here; you have to sign your application if you want to use auto-updates on macOS.

> After successful sign the application via certificate obtained from apple.developer

Manually or using electron-builder?

@KrzysZG37
Author

@develar, I obtained the key (Developer ID Application), then this key was moved to Keychain Access. Then I set CSC_NAME according to the name that appears in Keychain Access and ran electron-builder.

@ghost

ghost commented Dec 19, 2017

@KrzysZG37 have you exported all the required Certificates?
make sure your .p12 includes all needed certs.

macOS Development Certificate
Mac App Distribution (signs the ZIP and contents of a MAS)
Mac Installer Distribution (signs the DMG)
Developer ID Application (only the 'agent' of a Development team in Apple dev cant issue it)
Developer ID Installer

Make sure you got all of them installed inside the Keychain (in CI case, temp keychain while providing CSC_LINK to the file)

@KrzysZG37
Author

@hgbloch, so should I export the .p12 key using the following certificates:
[screenshot: screen shot 2017-12-19 at 18 15 09]

and then set CSC_LINK to the location of the .p12 file?

@ghost

ghost commented Dec 19, 2017

@KrzysZG37 are you building locally or using a CI server?
If you are using a CI server you need to export these certs (although I see you are missing macOS Development cert) to p12 and use CSC_LINK + CSC_KEY_PASSWORD.
If you are not using a CI server electron should identify all things automatically, and you don't have to specify CSC_NAME

@KrzysZG37
Author

@hgbloch I am building it locally.
Do you mean "Mac Developer" by the missing "macOS Development" cert? Because this is the last option that I can obtain from the Xcode certificate list.

@ghost

ghost commented Dec 19, 2017

@KrzysZG37 yes, exactly.
If you are building locally, electron-builder should detect it automatically.
Set the env var "DEBUG=electron-builder"
and see if it detects 5 identities.
E.g. from my CI job:

2017-12-19T15:52:05.1127040Z 2017-12-19T15:52:05.093Z electron-builder hdiutil (1734) exited with exit code 0
2017-12-19T15:52:05.1167320Z 2017-12-19T15:52:05.106Z electron-builder Executing security find-identity -v /Users/vsts/agent/2.126.0/work/_temp/temp-dir-wNakvb/1.keychain
2017-12-19T15:52:05.1313440Z 2017-12-19T15:52:05.128Z electron-builder Executing security find-identity -v -p codesigning /Users/vsts/agent/2.126.0/work/_temp/temp-dir-wNakvb/1.keychain
2017-12-19T15:52:05.2957270Z 2017-12-19T15:52:05.292Z electron-builder   1) <ID> "3rd Party Mac Developer Application:  *********)"
2017-12-19T15:52:05.3044340Z   2) <ID> "Developer ID Application:  *********"
2017-12-19T15:52:05.3144500Z   3) <ID> "Mac Developer:  *********
2017-12-19T15:52:05.3243830Z      3 valid identities found
2017-12-19T15:52:05.3336590Z 
2017-12-19T15:52:05.3459960Z 2017-12-19T15:52:05.331Z electron-builder   1) <ID> "3rd Party Mac Developer Application: *********"
2017-12-19T15:52:05.3489600Z   2) <ID> "3rd Party Mac Developer Installer:  *********"
2017-12-19T15:52:05.3507540Z   3) <ID> "Developer ID Application:  *********"
2017-12-19T15:52:05.3524840Z   4) <ID> "Developer ID Installer:  *********"
2017-12-19T15:52:05.3543480Z   5) <ID> "Mac Developer: *********"
2017-12-19T15:52:05.3560100Z      5 valid identities found

@KrzysZG37
Author

I got similar output from debug, but in reversed order:
[screenshot: screen shot 2017-12-19 at 18 56 40]

@ghost

ghost commented Dec 19, 2017

@KrzysZG37 I don't think the order matters as long as all 5 identities are found.
Is the problem solved or still not working?

Check if the application is really signed by executing:
codesign -dv --verbose=4 /Path/To/Application.app

@KrzysZG37
Author

@hgbloch I check whether my .dmg and .app are signed using the following commands:
codesign --verify -vvvv
codesign -dv --verbose=4
spctl --assess -vvvv

And all three of them gave me positive results:

  1. valid on disk
    satisfies its Designated Requirement
  2. Authority=Developer ID Application: <<CERTIFICATE_NAME>>
    Authority=Developer ID Certification Authority
    Authority=Apple Root CA
  3. accepted

However, trying to check the .zip file (which is the most important here, because the auto-updater unzips this file during update) gives me the following output:

  1. code object is not signed at all
  2. code object is not signed at all
  3. accepted

@ghost

ghost commented Dec 20, 2017

@KrzysZG37
My zip gets the same for the top 2 commands and fails to assess with spctl (no usable signature)

What is the Squirrel.Mac error?

@KrzysZG37
Author

KrzysZG37 commented Dec 20, 2017

@hgbloch

These errors return during update:
Error: Code signature at URL file:///.../Library/Caches/pqpexam..ShipIt/update.mo6UFtO/desktop-presenter.app/ did not pass validation: code object is not signed at all
file:///.../Library/Caches/pqpexam..ShipIt/update.mo6UFtO/desktop-presenter.app/ did not pass validation: code object is not signed at all
Proxy server for native Squirrel.Mac is closed (was started to download https://desktop-presenter-releases-public.s3.amazonaws.com/desktop-presenter-0.3.1-mac.zip)

@KrzysZG37
Author

@hgbloch Fortunately, I found the solution. I had multiple dependencies included in the project (golang server, ffmpeg, AppleScript). It was caused by an extra dependency (AppleScript). Saving the file again as an application (run only, .app extension) fixed the problem.

@elliemaynard

> @hgbloch Fortunately, I found the solution. I had multiple dependencies included in the project (golang server, ffmpeg, AppleScript). It was caused by extra dependency (AppleScript). Saving the file again as application (run only, .app extension) fixed the problem

What does this mean? What file? I'm having this problem as well

@KrzysZG37
Author

> > @hgbloch Fortunately, I found the solution. I had multiple dependencies included in the project (golang server, ffmpeg, AppleScript). It was caused by extra dependency (AppleScript). Saving the file again as application (run only, .app extension) fixed the problem
>
> What does this mean? What file? I'm having this problem as well

  1. I codesign each .sh and .app file inside my electron application (if you have any extra files included in the project) using the following command:
    codesign --verbose --force --sign <<YOUR_CERTIFICATE_FULL_NAME>>
  2. Then, when electron-builder generates the zip file, I unpack it and codesign every included extra file again
  3. Zip the whole directory again as it was after the build and codesign this new .zip file
  4. Check the current sha512 using openssl dgst -sha512 and copy it into the proper place in the latest.yml file
  5. Finally, those files (.app and .zip) should be properly signed

@abhimatta

I do not have any such extra dependency, but still, I'm having the same error. Can anyone help me with this?

@kaitmore

For others that might come across this issue...

I saw this error using electron-forge - I did have a few native dependencies (like node sqlite) however I didn't have to sign them manually like OP. My issue ended up being that I was trying to add an extra yaml file to my build using the postPackage hook, which meant that it wasn't being signed during the build process. This error will happen if ANY files are unsigned. I resolved it by copying the file to the build using the extraResources field instead of postPackage. Now this extra file is signed by electron-builder and I don't have to do anything manually.

This stackoverflow answer was super helpful in debugging: https://stackoverflow.com/a/54198225/8951999
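
An added example, not part of the thread and not electron-builder's own code: a shell helper that verifies an unpacked .app as a whole and, when that fails, lists the nested scripts, executables and bundles that do not verify, which is the situation the comments above describe. The function names and the `CODESIGN` override variable are assumptions of this example; on macOS it calls the real `codesign`.

```shell
#!/bin/sh
# Added example: find which nested items make a bundle fail validation.
# CODESIGN may be overridden (assumption of this example, useful for testing
# off macOS); by default the real macOS codesign tool is used.
CODESIGN="${CODESIGN:-codesign}"

# Print every nested code candidate under bundle $1 that fails verification.
# Candidates: nested .app/.framework bundles, dylibs, native node modules,
# shell scripts, and any regular file with the owner-execute bit set.
list_unsigned() {
    bundle="$1"
    find "$bundle" \( -name '*.app' -o -name '*.framework' -o -name '*.dylib' \
            -o -name '*.node' -o -name '*.sh' \
            -o \( -type f -perm -100 \) \) -print |
    while IFS= read -r item; do
        # The top-level bundle is checked separately in check_bundle.
        if [ "$item" = "$bundle" ]; then continue; fi
        "$CODESIGN" --verify --strict "$item" >/dev/null 2>&1 ||
            printf '%s\n' "$item"
    done
}

# Return 0 only if the whole bundle validates, nested code included.
# On failure, print the nested items that do not verify and return 1.
check_bundle() {
    if "$CODESIGN" --verify --deep --strict "$1" >/dev/null 2>&1; then
        echo "OK: $1"
        return 0
    fi
    echo "FAILED: $1; nested items that do not verify:"
    list_unsigned "$1"
    return 1
}

# Usage: sh check-bundle.sh /path/to/unzipped/Your.app
if [ "$#" -gt 0 ]; then
    check_bundle "$1"
fi
```

Run it against the .app extracted from the update zip rather than the zip itself: a zip archive is not a code object, so `codesign` reports it as not signed regardless of its contents. A file added to the bundle after signing shows up as a failure of the top-level check even when every nested item verifies.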
