nexe converted node.js file no longer produces valid Mach-O (fails codesign) #494

Open
3 tasks done
kgaidis opened this issue Jun 5, 2018 · 9 comments

kgaidis commented Jun 5, 2018

This is a

  • Bug Report
  • Feature Request
  • Other

Hi,

I used nexe to transform a Node.js file to an executable used by a macOS application.

I recently updated to 2.0.0-rc.29 (from a version ~a year ago) and it no longer works.

First, I had an issue where Xcode codesign would fail:

codesign says my main executable failed strict validation.
- Your Mach-O executable does not conform to modern Mach-O layout rules.
- You may be using a third party development product that hasn't been brought up to date, or post-processed your file in unsupported ways.

That got fixed by the following issues / hack:

#446
#470

But then I had another error:

caught error in https
ReferenceError: net is not defined
    at Server.server.on (_third_party_main.js:212:14)
    at Server.emit (events.js:182:13)
    at onParserExecuteCommon (_http_server.js:535:14)
    at onParserExecute (_http_server.js:482:3)

These are the "imports" I used:

const http = require('http');
const httpProxy = require('http-proxy');
const fs = require('fs');
const parseDomain = require('parse-domain');

I guess this is a result of "resources" not working:

Nexe relies on mangling the base binary which inherently breaks signing. Using the patch shown in that comment should allow you to embed your application fully. However, resources will not work.

Is there any way around this? Maybe I should use something else? Or maybe there is planned support for it?

Thank you, and I appreciate the library. It helped to quickly transform code written in Node to be used in macOS.


  • Platform(OS/Version): macOS 10.13.15
  • Host Node Version: v10.3.0
  • Target Node Version: v10.3.0
  • Nexe version: 2.0.0-rc.29
  • Python Version: 2.7.10
@calebboyd calebboyd added the bug label Jun 13, 2018

Nantris commented Sep 22, 2018

@kgaidis can you mention which version worked for you? Were you able to build and sign for Node 10.3 with the latest or the previous one?


bdruth commented May 8, 2019

@calebboyd - is there any current path to get nexe to create a signable binary on mac w/ a resource file? Is there any current path that works without a resource? I've been trawling through the various linked issues/comments/etc. and can't get anything usable to work.


btsimonh commented Oct 8, 2019

OSX signing is evil.
Basically, you can't sign something which has had stuff appended to it (like a new nexe app has).
I recently spent 2 weeks making my (heavily modified old NEXE app using lockwrap for a filesystem) work for OSX.
The solution I came up with was as follows:
Because an OSX 'APP' is normally delivered as a folder structure, you can include data files in your deployment.
So, quite simply, I modified my 'internal' nexe javascript (the stuff which is compiled in) to look for the packaged filesystem in a known datafile, and if that failed, look on the end of the exe (e.g. for win32 or linux).
This allows you to sign the (now valid) OSX plain executable, and the data file gets signed separately, then it all works, and even passed their new 'let apple virus scan it' system.... :).

Now trying to upgrade from node 6.9.11 to node 12.10.0 using latest nexe... more heavy nexe modifications required :) (but once done the OSX should still be fine).

p.s. if someone really wants a challenge, check out my fork of isign - OSX signing without OSX - I gave up at the last hurdle, but maybe someone with better python/openssl experience can take it on....
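The lookup order described in the comment above (separate data file first, appended payload as the fallback), as an added example that is not btsimonh's or nexe's code. The trailer layout, the `DEMOPKG1` marker and all file names are assumptions made up for the sketch.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');

const MAGIC = Buffer.from('DEMOPKG1'); // constructed trailer marker (assumption)

// Return the payload appended to exePath, or null when no trailer is present.
// Assumed layout: [executable][payload][MAGIC][uint32 LE payload length]
function readAppendedPayload(exePath) {
  const data = fs.readFileSync(exePath);
  const trailerLen = MAGIC.length + 4;
  if (data.length < trailerLen) return null;
  const trailer = data.subarray(data.length - trailerLen);
  if (!trailer.subarray(0, MAGIC.length).equals(MAGIC)) return null;
  const len = trailer.readUInt32LE(MAGIC.length);
  const start = data.length - trailerLen - len;
  if (start < 0) return null; // length field points before the start of the file
  return data.subarray(start, start + len);
}

// Prefer the separate data file (the layout that leaves the executable
// untouched and signable); fall back to the trailer on other platforms.
function locatePayload(exePath, bundleDataPath) {
  if (fs.existsSync(bundleDataPath)) {
    return { source: 'bundle', payload: fs.readFileSync(bundleDataPath) };
  }
  const appended = readAppendedPayload(exePath);
  if (appended) return { source: 'appended', payload: appended };
  throw new Error('no packaged filesystem found');
}

// Constructed demo files in a temp directory: first the appended layout,
// then a clean executable with the payload shipped beside it.
function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'payload-demo-'));
  const exe = path.join(dir, 'myapp');
  const dataFile = path.join(dir, 'app.bin');
  const payload = Buffer.from('console.log("hi")');
  const len = Buffer.alloc(4);
  len.writeUInt32LE(payload.length);
  fs.writeFileSync(exe, Buffer.concat([Buffer.from('FAKE-EXE'), payload, MAGIC, len]));
  const first = locatePayload(exe, dataFile);
  fs.writeFileSync(exe, Buffer.from('FAKE-EXE'));
  fs.writeFileSync(dataFile, payload);
  const second = locatePayload(exe, dataFile);
  fs.rmSync(dir, { recursive: true, force: true });
  return [first, second];
}
```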

@saurabh-deep

Hey @btsimonh - Are you able to sign your MacOS binaries built with Node 12 or 14? If yes, what are you using for this? I am pretty lost at this point. Not seeing a way forward!


btsimonh commented Jan 5, 2021

yes, actually built node 12.13.0 version in Dec, and the process works fine. Remember, your executable CANNOT have anything appended to it - your packaged filesystem MUST be separate or INSIDE. External filesystem can then be delivered in the signed app folder structure - mine is in a bin file in Resources. Signs and notifies fine using the normal OSX signing on Mojave.
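A pre-signing check for the "nothing appended" condition in the comment above, as an added example that is not part of the thread or of nexe. It reports how many bytes follow the end of the last segment, which is where an appended payload sits, and it assumes a thin 64-bit little-endian Mach-O (no fat/universal header); the sample image is constructed.

```javascript
const MH_MAGIC_64 = 0xfeedfacf;
const LC_SEGMENT_64 = 0x19;

// Number of bytes in buf that lie beyond the file extent of every segment.
function trailingBytes(buf) {
  if (buf.length < 32 || buf.readUInt32LE(0) !== MH_MAGIC_64) {
    throw new Error('not a thin 64-bit little-endian Mach-O');
  }
  const ncmds = buf.readUInt32LE(16);
  let off = 32; // load commands start right after the 32-byte header
  let end = 0;
  for (let i = 0; i < ncmds; i++) {
    if (off + 8 > buf.length) throw new Error('truncated load command');
    const cmd = buf.readUInt32LE(off);
    const cmdsize = buf.readUInt32LE(off + 4);
    if (cmdsize < 8 || off + cmdsize > buf.length) throw new Error('bad cmdsize');
    if (cmd === LC_SEGMENT_64) {
      if (cmdsize < 72) throw new Error('short segment command');
      const fileoff = Number(buf.readBigUInt64LE(off + 40));
      const filesize = Number(buf.readBigUInt64LE(off + 48));
      end = Math.max(end, fileoff + filesize);
    }
    off += cmdsize;
  }
  return buf.length - end;
}

// Constructed minimal image: header plus one LC_SEGMENT_64 covering all
// 104 bytes, followed by whatever the caller appends.
function buildSample(appended) {
  const img = Buffer.alloc(104);
  img.writeUInt32LE(MH_MAGIC_64, 0);
  img.writeUInt32LE(1, 16);              // ncmds
  img.writeUInt32LE(72, 20);             // sizeofcmds
  img.writeUInt32LE(LC_SEGMENT_64, 32);  // cmd
  img.writeUInt32LE(72, 36);             // cmdsize
  img.write('__LINKEDIT', 40, 'ascii');  // segname
  img.writeBigUInt64LE(0n, 72);          // fileoff
  img.writeBigUInt64LE(104n, 80);        // filesize
  return Buffer.concat([img, appended]);
}
```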

@saurabh-deep

@btsimonh - This is just great to know! Would it be possible for you to provide some guidance on how to do this? What kind of changes did you have to do to nexe?

It would be so amazing to get the Mac binary built by nexe signed and then embed into the Mac App to get the same notarized.


btsimonh commented Jan 5, 2021

my nexe is fairly 'standard' - it's the filesystem which is special (and proprietary). Needless to say, you need the exe to be complete and not appended to, and your data in a separate file. Once you have that, it's a normal OSX app....


saurabh-deep commented Jan 5, 2021

@btsimonh - If your nexe is 'standard', how does it know to look for the data file? 😃 It's obviously great (and miraculous for me) that you have got this to work. But it sounds too complex for someone like me with just JS knowledge to get this to work without some helping hand or help content. I will give it a go and see if I can take this anywhere forward. Thanks for the help.

Edit: Did you use isign anywhere in this process?


btsimonh commented Jan 5, 2021

The signing is:
sudo codesign -vvvv --force --options runtime --timestamp --entitlements ./osx-entitlements.plist -fs "my stuff" ./dmg.12.13.0/myapp.app

and test:
echo test signing
codesign -dv --verbose=4 ./dmg.12.13.0/myapp.app
echo test signing with spctl
spctl --assess --verbose ./dmg.12.13.0/myapp.app

what fun OSX is!
