Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Enable hardened runtime for macOS #3383

Closed
bradleySuira opened this issue Oct 12, 2018 · 17 comments
Closed

Enable hardened runtime for macOS #3383

bradleySuira opened this issue Oct 12, 2018 · 17 comments

Comments

@bradleySuira
Copy link

@bradleySuira bradleySuira commented Oct 12, 2018

  • Version: ^20.28.4
  • Target: macOs

With the recent release of macOS Mojave, Apple give us the option to upload a macOS app to be notarized to distribute outside the AppStore to don't have any problem with Gatekeeper. I tried to figure out how to enable the hardened runtime for an Electron app but without success, the first option that I think, was entitlements but isn't, so have the option to enable hardened runtime will be a great feature for macOs distribution outside the AppStore.

I'm a web/mobile developer and don't have all the knowledge how is builded electron and if it's possible enable this feature, to I want to be humble and if this options is impossible to implement or crazy, my apologize in advance.

Refs:

Solution we'd like
If it's possible, have an option in the build configuration to enable the hardened runtime for mac os applications.

Alternatives considered
Not any at this time, but if we can have something similar to react-native, nativescript or cordova, where we have the option to access the native projects and tweak if its necessary will be great

Additional context
The hardened runtime only can be enabled with xcode, because is a flag in the project.pbxproj file and is only available trough native apps with xcode, so the xcodebuild tool when create the archive and sign the app, enable this flag. I don’t now how exactly electron works but I think that have like a template with a compiled app and the electron-builder for example, only replace and bundle the content inside.

Enable hardened runtime (macOS)


image
screen shot 2018-10-11 at 9 18 18 pm

@dariocravero
Copy link

@dariocravero dariocravero commented Oct 20, 2018

I got a dmg generated with electron-builder to work by signing the package with --options runtime!

You can try it by changing electron-osx-sign somewhere here add a line like:

args.push('--options', 'runtime')

I spotted that after searching for the error the notarization service was giving me The executable was not signed with the CS_RUNTIME option. and finding this Cyberduck ticket and their fix.

Then to sign the app, run:

xcrun altool --notarize-app -f yourapp.dmg --primary-bundle-id appId -u your@user.com -p yourpassword

Take appId from what you defined in the build section of your package.json.

When it's done uploading it will output a UUID, run this command to check when it's done notarizing (it will also send you an email):

xcrun altool --notarization-info UUID -u your@user.com -p yourpassword

If it succeeded, you can then staple the package with:

xcrun stapler staple yourapp.dmg

The issue now is that the app crashes when signed like that. Here's the dump in case someone finds it handy.

I wonder if it works for anyone else? Will try on a dummy app when I get a chance.

@bimusiek
Copy link

@bimusiek bimusiek commented Oct 22, 2018

Same issue for our app.
Dump here

Looks like initialisation of JS env is crashing

@bradleySuira
Copy link
Author

@bradleySuira bradleySuira commented Oct 24, 2018

Thanks @dariocravero, awesome, I will try your suggestions, for now is not a priority for our app to be notarized but still necessary for the future, when I have results, I will share here in case that it helps to others.

Regards!

@rajivshah3
Copy link
Contributor

@rajivshah3 rajivshah3 commented Dec 2, 2018

It looks like Hardened Runtime is now supported (electron/electron-osx-sign#176). I haven't tried it in our app yet, but from looking at xamarin/xamarin-macios#4288 I think the com.apple.security.cs.allow-jit entitlement needs to be added in order for the JavaScript to work. If I can get our app to work I'll make a PR to electron-osx-sign and add support for the hardenedRuntime option in electron-builder

@noahott
Copy link

@noahott noahott commented Dec 11, 2018

I'm having a problem with my app where when hardenedRuntime is enabled, the app will crash immediately upon launch without any visible error messages. If I launch from the command line I see this:

#
# Fatal error in , line 0
# Check failed: SetPermissions(area_start, area_size, PageAllocator::kReadWriteExecute).
#
#
#
#FailureMessage Object: 0x7ffee7d1f740Illegal instruction: 4

@bobby-stripe
Copy link

@bobby-stripe bobby-stripe commented Feb 2, 2019

@noahott it looks like it failed to change the permissions on a section of memory to RWX (read/write/execute) -- as @rajivshah3 suggests you need to enable the "allow-jit" entitlement.

@gniezen
Copy link
Contributor

@gniezen gniezen commented Mar 11, 2019

Not sure how helpful it is, but there is an electron-notarize module in electron-userland. It would be great if electron-builder can automatically notarize macOS apps during packaging!

@gcadmes
Copy link

@gcadmes gcadmes commented Apr 25, 2019

@rajivshah3, regarding your last comment on December 1st 2018, have you added hardenedRuntime support to electron-builder? The documentation for electron-osx-sign has a "TODO" statement for electron-builder support.
Please let me know. thx

@chawei
Copy link

@chawei chawei commented May 18, 2019

just realize this has been implemented in v20.41.0. thanks @loremattei!
7d5f952

@develar
Copy link
Member

@develar develar commented Jul 5, 2019

https://kilianvalkhof.com/2019/electron/notarizing-your-electron-application/

21.0.10 (not yet released):

  • set hardenedRuntime to true by default
  • set gatekeeperAssess by default to false

I am fighting with Apple support to restore my account (bloody useless security questions), but I hope next week will be first-class support for notarization.

@develar develar added the feature label Jul 5, 2019
develar added a commit that referenced this issue Jul 5, 2019
…ess by default to false

Close #3383
develar added a commit to develar/electron-builder that referenced this issue Jul 5, 2019
@develar develar changed the title Feature request: Enable hardened runtime for macOS Enable hardened runtime for macOS Jul 6, 2019
@develar develar closed this in c8c37f2 Jul 6, 2019
@noahott
Copy link

@noahott noahott commented Sep 30, 2019

@noahott it looks like it failed to change the permissions on a section of memory to RWX (read/write/execute) -- as @rajivshah3 suggests you need to enable the "allow-jit" entitlement.

I've added the allow-jit entitlement, along with a few others and am still getting the same error on launch.

com.apple.security.cs.allow-jit
com.apple.security.cs.allow-unsigned-executable-memory
com.apple.security.cs.disable-library-validation
com.apple.security.cs.disable-executable-page-protection

Anything else you can think to try for this?

@idoodler
Copy link
Contributor

@idoodler idoodler commented Nov 20, 2019

@noahott Hi I am experiencing the same issue but with the mas-dev target. I discovered that the entitlements are returned as a binary plist, not as a plist.

The entitlements can be viewed with the following command: codesign -d --entitlements :- /Path/to/my.app

May this be an issue. I suspect Electron expects a plist instead of a bplist when setting the permissions.

Apple rejected our App because of a crash and I think its because of this issue. I just discovered the mas-dev target while debugging this issue.

Again, here ist he log I get:




#
# Fatal error in , line 0
# Check failed: SetPermissions(area_start, area_size, PageAllocator::kReadWriteExecute).
#
#
#
#FailureMessage Object: 0x7ffee4cfc5d0Illegal instruction: 4

There is no issue with the dmg version of the app, it is successfully notarized and signed. The mastarget isn't notarized, as it is not required. I just tried to also notarize the mas target, but still no success.

Any input on this issue.

@idoodler
Copy link
Contributor

@idoodler idoodler commented Nov 20, 2019

@noahott I just checked the "Console" Application (The one used for viewing log).

I discovered the following log entry (after filtering for the Application name):
failed to parse entitlements for MyApp[74469]: OSUnserializeXML: syntax error near line 1

Do you get the same log message?

@noahott
Copy link

@noahott noahott commented Nov 22, 2019

@idoodler I'm not finding any console log messages with "OSUnserializeXML"

@noahott
Copy link

@noahott noahott commented Nov 22, 2019

I added "entitlementsInherit": "entitlements.darwin.plist" and i no longer get the SetPermissions error, but my app still crashes with a different error now

cwd = process.cwd(); ^ Error: ENOENT: no such file or directory, uv_cwd

@idoodler
Copy link
Contributor

@idoodler idoodler commented Nov 22, 2019

@noahott thx for your reply. I already have set the property entitlementsInherit. The app in question is already deployed in the AppStore, but I am unable to push an update because of this odd behaviour. I opened an TSI at Apple. I think it‘s a Problem with the codesign tool from Apple.

@idoodler
Copy link
Contributor

@idoodler idoodler commented Sep 3, 2020

Just a follow up on my 'bplist' issue.

We abandoned the macOS application for quite some time, after an platform upgrade session (node.js, electron and its dependencies) everything semes to work again. So no 'bplist', but a proper 'plist'.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet