Code Signing and Notarizing macOS

[ibnyusuf]

Issue Details

• Electron Forge Version:
  • 6.0.0-beta.51
• Electron Version:
  • 8.2.4
• Operating System:
  • macOS

Expected Behavior

On running npm run make application is notarized, signed and packaged

Actual Behavior

Notarization fails, leading to signing failing

Additional Information

Below is contents of package.json:

{
  "name": "NAME",
  "productName": "NAME",
  "version": "1.0.21",
  "description": "My Electron application description",
  "main": "src/index.js",
  "scripts": {
    "start": "electron-forge start",
    "package": "electron-forge package",
    "make": "electron-forge make",
    "publish": "electron-forge publish",
    "lint": "echo \"No linting configured\""
  },
  "keywords": [],
  "author": {
    "name": NAME"
  },
  "config": {
    "forge": {
      "packagerConfig": {
        "icon": "src/icons/icon.icns",
        "osxSign": {
          "identity": "NAME",
          "hardened-runtime": true,
          "entitlements": "src/entitlements.plist",
          "entitlements-inherit": "src/entitlements.plist",
          "signature-flags": "library"
        },
        "osxNotarize": {
          "appleId": "id",
          "appleIdPassword": "pword"
        }
      },
      "makers": [
        {
          "name": "@electron-forge/maker-dmg",
          "platforms": [
            "darwin"
          ],
          "config": {}
        },
        {
          "name": "@electron-forge/maker-squirrel",
          "config": {
            "name": "NAME",
            "loadingGif": "C:/Users/NAME/Documents/portable/src/icons/loading_gif.gif",
            "setupIcon": "C:/Users/NAME/Documents/portable/src/icons/icon.ico",
            "iconUrl": "url"
          }
        },
        {
          "name": "@electron-forge/maker-zip",
          "platforms": [
            "darwin"
          ]
        },
        {
          "name": "@electron-forge/maker-deb",
          "config": {}
        },
        {
          "name": "@electron-forge/maker-rpm",
          "config": {}
        }
      ]
    }
  },
  "dependencies": {
    "adm-zip": "^0.4.14",
    "dragula": "^3.7.2",
    "electron-context-menu": "^2.0.0",
    "electron-is-dev": "^1.2.0",
    "electron-squirrel-startup": "^1.0.0",
    "electron-store": "^5.1.1",
    "electron-tabs": "^0.10.0",
    "jquery": "^3.5.0"
  },
  "devDependencies": {
    "@electron-forge/cli": "6.0.0-beta.51",
    "@electron-forge/maker-deb": "6.0.0-beta.51",
    "@electron-forge/maker-rpm": "6.0.0-beta.51",
    "@electron-forge/maker-squirrel": "6.0.0-beta.51",
    "@electron-forge/maker-zip": "6.0.0-beta.51",
    "electron": "8.2.4"
  }
}

[huntercaron]

Also been running into this, haven't found a fix yet :/

EDIT: Rolling back everything electron-forge back to 50, then removing node_modules and yark.lock seems to work

[ibnyusuf]

Also been running into this, haven't found a fix yet :/

EDIT: Rolling back everything electron-forge back to 50, then removing node_modules and yark.lock seems to work

This didn't work for me. Would you mind posting your package.json here so that I could compare. Thank you.

[psukhanov]

@ibnyusuf I had this issue awhile back, make sure you have an application-specific password set up on your account: https://support.apple.com/en-au/HT204397 Also note, it's not a good idea to stick your Apple Id and Password directly into your package.json. Best way to do it is to use keychain aliases, but at the very least use an environment variable. Cheers

[ibnyusuf]

@psukhanov Thank you. The application specific password fixes the notarization issue. However, it does not fix the signing issue. I still receive the message "codesign failed. please retry manually..." message visible in the screenshot above.

[psukhanov]

@ibnyusuf that looks like it could be due to this electron-osx-sign bug: electron/osx-sign#196. Setting gatekeeper-assess to false is a workaround in that case.

One another thing I noticed (unrelated to your question but maybe you'll find it helpful), electron-notarize will work with your bundled app package, but it won't properly notarize the .dmg output (because it zips it before uploading). Apple's recommendation is to also sign the .dmg and notarize only the outermost container you plan to distribute the app in (in your case, the .dmg). In order to do that, you'll need to insert a postMake hook in your forge config which either calls a modified version of electron-notarize module which doesn't zip the .dmg, or just calls altool directly (for example:
xcrun altool --notarize-app --primary-bundle-id $bundleId --username $appleId --password $appleIdPassword --asc-provider $appleTeamId --file $DMG_PATH --verbose
That's what I ended up doing anyway

[malept]

Since this isn't Electron Forge specific, I'm going to close this. Issues in this issue tracker are meant to track bugs and feature requests that are directly actionable to the Electron Forge codebase and not its dependencies.