-
Notifications
You must be signed in to change notification settings - Fork 15.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Electron apps code-signed on OSX 10.11.4 do not verify on <= 10.11.3 #4899
Comments
@joshaber have you heard anything about signing problems on the latest el cap update? |
I haven't, though it's not unheard of for Apple to change how code signing works without publicizing it. |
Yeah... unfortunately they changed some things in 10.10 as well without really publicizing it. Can you try analyzing the codesigned app with these commands? They give more detail than
|
@bengotow thanks! I tried that with a real cert (
|
I ran into the same issue code signing an Electron 0.37.3 app on OS X 10.11.4 using electron-packager 5.2.1 and resolved it by updating to 6.0.0. I didn't investigate what changed in 6.0.0, but figured I'd share in case it's helpful to others. Like others, I saw this error on OS X 10.11.3: $ codesign -vvvv Basecamp\ 3.app
Basecamp 3.app: invalid signature (code or signature have been modified)
In subcomponent: /Users/chef/Downloads/Basecamp 3.app/Contents/Frameworks/Basecamp 3 Helper EH.app Here's the same app on 10.11.3 signed using electron-packager 6.0.0: $ codesign -vvvv Basecamp\ 3.app
--prepared:/Users/chef/Downloads/Basecamp 3.app/Contents/Frameworks/Basecamp 3 Helper EH.app
--validated:/Users/chef/Downloads/Basecamp 3.app/Contents/Frameworks/Basecamp 3 Helper EH.app
--prepared:/Users/chef/Downloads/Basecamp 3.app/Contents/Frameworks/Basecamp 3 Helper NP.app
--validated:/Users/chef/Downloads/Basecamp 3.app/Contents/Frameworks/Basecamp 3 Helper NP.app
--prepared:/Users/chef/Downloads/Basecamp 3.app/Contents/Frameworks/Basecamp 3 Helper.app
--validated:/Users/chef/Downloads/Basecamp 3.app/Contents/Frameworks/Basecamp 3 Helper.app
--prepared:/Users/chef/Downloads/Basecamp 3.app/Contents/Frameworks/Electron Framework.framework/Versions/Current/.
--validated:/Users/chef/Downloads/Basecamp 3.app/Contents/Frameworks/Electron Framework.framework/Versions/Current/.
--prepared:/Users/chef/Downloads/Basecamp 3.app/Contents/Frameworks/Mantle.framework/Versions/Current/.
--validated:/Users/chef/Downloads/Basecamp 3.app/Contents/Frameworks/Mantle.framework/Versions/Current/.
--prepared:/Users/chef/Downloads/Basecamp 3.app/Contents/Frameworks/ReactiveCocoa.framework/Versions/Current/.
--validated:/Users/chef/Downloads/Basecamp 3.app/Contents/Frameworks/ReactiveCocoa.framework/Versions/Current/.
--prepared:/Users/chef/Downloads/Basecamp 3.app/Contents/Frameworks/Squirrel.framework/Versions/Current/.
--validated:/Users/chef/Downloads/Basecamp 3.app/Contents/Frameworks/Squirrel.framework/Versions/Current/.
Basecamp 3.app: valid on disk
Basecamp 3.app: satisfies its Designated Requirement |
@javan confirmed! FWIW, we're not using |
I'm not sure if this is an Electron, OS X 10.11.4, or code signing issue, but it's particularly troubling. In my case, I released a signed app that appeared to work perfectly, and almost immediately people on earlier OS X versions reported autoUpdater and install errors. This caused OS X's Gatekeeper to kick in, preventing launching the app even after downloading a newer, correctly signed version. See http://www.mackungfu.org/dealing-with-damaged-and-can-t-be-opened-error-messages for a solution if you encounter this. No disrespect to the Electron maintainers intended. I'll continue to investigate and report back if I discover the source of the problem. |
It seems that Making them match worked for me. Can someone else try this and see if it works for them too? |
@hongrich yep, that seems to be it. Confirmed I can do this on 10.11.4:
Then I can take the signed app to 10.11.3 and pass Still unclear to me how 10.11.4 fits into this picture! |
Going to close this out since it seems to be an Thanks so much to everyone who helped out here 👍 👍 👍 |
❤️ |
If someone else encounters this in the future: another reason this can happen is if you have another executable in the MacOS folder that is not referenced by the Info.plist file. |
Thanks for tracking this down @hongrich |
Repro Gist: https://gist.github.com/mkscrg/a6f85dba729be431748b (BYO signing cert)
Electron apps signed on OSX 10.11.4 fail
codesign --verify
on 10.11.3 and lower. We hit this in our production builds, then reproduced it with a minimal Electron app (see Gist) and self-signed cert.codesign --verify
on <= 10.11.3 returns errors similar to this:Things we tried/learned along the way:
.app
(as in the MAS Submission Guide): no difference from repro Gistelectron-osx-sign@0.3.0
: no difference from repro GistWorkaround: none, except to sign on a machine running <= 10.11.3.
The text was updated successfully, but these errors were encountered: