MacOS Code Signing and Notarization require two different certificates? #6094

Closed
rpatrick00 opened this issue Jul 25, 2021 · 3 comments · Fixed by #6105 or #6109


rpatrick00 commented Jul 25, 2021

  • Electron-Builder Version: 22.11.7
  • Node Version: 14.17.3
  • Electron Version: 12.0.14
  • Electron Type (current, beta, nightly): current
  • Target: MacOS

I am trying to sign my Electron-based application using the process documented in the electron-builder code signing guide. Since my developer machine has multiple identities, I am using the CSC_NAME environment variable to specify the certificate to use. If I try to use my Developer ID Application certificate, the code signing process fails with the following warning:

  • skipped macOS application code signing  reason=cannot find valid "Mac Developer, Apple Development" identity or custom non-Apple code signing certificate, see https://electron.build/code-signing allIdentities=  1) 15437472F847556CAE0A699CDA57EAF3CCB1A929 "robert.patrick@mycompany.com" (CSSMERR_TP_NOT_TRUSTED)
  2) 44CA2421EB0C30642C65DB3797B0BF19B9D44CCD "Developer ID Application: Robert Patrick (T9JYPMT298)"
  3) 68307094FC5A34F9222D288F9ECAA8303C6B037E "Mac Developer: Robert Patrick (F7GHKUXZFV)"
  4) A7E16BE121566018731123B9BA175BFBF9A5778A "0f7855fa-879d-4d9f-9fdb-1c0bdaf98e5a-MDMIdentity"
     4 identities found
                                                Valid identities only
  1) 44CA2421EB0C30642C65DB3797B0BF19B9D44CCD "Developer ID Application: Robert Patrick (T9JYPMT298)"
  2) 68307094FC5A34F9222D288F9ECAA8303C6B037E "Mac Developer: Robert Patrick (F7GHKUXZFV)"
  3) A7E16BE121566018731123B9BA175BFBF9A5778A "0f7855fa-879d-4d9f-9fdb-1c0bdaf98e5a-MDMIdentity"
     3 valid identities found

If I switch CSC_NAME to point at my Mac Developer certificate, the code signing portion of the process completes successfully but Apple notarization fails with errors coming back from the Apple notarization server saying that the binaries were not signed with a valid Developer ID certificate.

  "issues": [
    {
      "severity": "error",
      "code": null,
      "path": "WebLogic_Kubernetes_Toolkit_UI.zip/WebLogic Kubernetes Toolkit UI.app/Contents/MacOS/WebLogic Kubernetes Toolkit UI",
      "message": "The binary is not signed with a valid Developer ID certificate.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "WebLogic_Kubernetes_Toolkit_UI.zip/WebLogic Kubernetes Toolkit UI.app/Contents/Frameworks/WebLogic Kubernetes Toolkit UI Helper (Plugin).app/Contents/MacOS/WebLogic Kubernetes Toolkit UI Helper (Plugin)",
      "message": "The binary is not signed with a valid Developer ID certificate.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "WebLogic_Kubernetes_Toolkit_UI.zip/WebLogic Kubernetes Toolkit UI.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Electron Framework",
      "message": "The binary is not signed with a valid Developer ID certificate.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "WebLogic_Kubernetes_Toolkit_UI.zip/WebLogic Kubernetes Toolkit UI.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libEGL.dylib",
      "message": "The binary is not signed with a valid Developer ID certificate.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "WebLogic_Kubernetes_Toolkit_UI.zip/WebLogic Kubernetes Toolkit UI.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libswiftshader_libEGL.dylib",
      "message": "The binary is not signed with a valid Developer ID certificate.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "WebLogic_Kubernetes_Toolkit_UI.zip/WebLogic Kubernetes Toolkit UI.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libvk_swiftshader.dylib",
      "message": "The binary is not signed with a valid Developer ID certificate.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "WebLogic_Kubernetes_Toolkit_UI.zip/WebLogic Kubernetes Toolkit UI.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libGLESv2.dylib",
      "message": "The binary is not signed with a valid Developer ID certificate.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "WebLogic_Kubernetes_Toolkit_UI.zip/WebLogic Kubernetes Toolkit UI.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libswiftshader_libGLESv2.dylib",
      "message": "The binary is not signed with a valid Developer ID certificate.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "WebLogic_Kubernetes_Toolkit_UI.zip/WebLogic Kubernetes Toolkit UI.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libffmpeg.dylib",
      "message": "The binary is not signed with a valid Developer ID certificate.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "WebLogic_Kubernetes_Toolkit_UI.zip/WebLogic Kubernetes Toolkit UI.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Helpers/chrome_crashpad_handler",
      "message": "The binary is not signed with a valid Developer ID certificate.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "WebLogic_Kubernetes_Toolkit_UI.zip/WebLogic Kubernetes Toolkit UI.app/Contents/Frameworks/ReactiveObjC.framework/Versions/A/ReactiveObjC",
      "message": "The binary is not signed with a valid Developer ID certificate.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "WebLogic_Kubernetes_Toolkit_UI.zip/WebLogic Kubernetes Toolkit UI.app/Contents/Frameworks/Squirrel.framework/Versions/A/Squirrel",
      "message": "The binary is not signed with a valid Developer ID certificate.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "WebLogic_Kubernetes_Toolkit_UI.zip/WebLogic Kubernetes Toolkit UI.app/Contents/Frameworks/Squirrel.framework/Versions/A/Resources/ShipIt",
      "message": "The binary is not signed with a valid Developer ID certificate.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "WebLogic_Kubernetes_Toolkit_UI.zip/WebLogic Kubernetes Toolkit UI.app/Contents/Frameworks/Mantle.framework/Versions/A/Mantle",
      "message": "The binary is not signed with a valid Developer ID certificate.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "WebLogic_Kubernetes_Toolkit_UI.zip/WebLogic Kubernetes Toolkit UI.app/Contents/Frameworks/WebLogic Kubernetes Toolkit UI Helper (GPU).app/Contents/MacOS/WebLogic Kubernetes Toolkit UI Helper (GPU)",
      "message": "The binary is not signed with a valid Developer ID certificate.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "WebLogic_Kubernetes_Toolkit_UI.zip/WebLogic Kubernetes Toolkit UI.app/Contents/Frameworks/WebLogic Kubernetes Toolkit UI Helper (Renderer).app/Contents/MacOS/WebLogic Kubernetes Toolkit UI Helper (Renderer)",
      "message": "The binary is not signed with a valid Developer ID certificate.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "WebLogic_Kubernetes_Toolkit_UI.zip/WebLogic Kubernetes Toolkit UI.app/Contents/Frameworks/WebLogic Kubernetes Toolkit UI Helper.app/Contents/MacOS/WebLogic Kubernetes Toolkit UI Helper",
      "message": "The binary is not signed with a valid Developer ID certificate.",
      "docUrl": null,
      "architecture": "x86_64"
    }
  ]

According to Apple's Notarization Process FAQ, the binaries should be signed with the Developer ID Application certificate.

Is this really a bug or am I just doing something wrong?

Author

rpatrick00 commented Jul 25, 2021

The problem seems to be that the getCertificateTypes() function in macPackager.js does not allow the Developer ID Application when type is set to development (and building a DMG installer). If I add it as shown, the entire process works:

function getCertificateTypes(isMas, isDevelopment) {
    if (isDevelopment) {
        return isMas ? ["Mac Developer", "Apple Development"] : ["Developer ID Application"];
    }
    return isMas ? ["3rd Party Mac Developer Application", "Apple Distribution"] : ["Developer ID Application"];
}

Thoughts?
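
The two symptoms reported above can be reproduced with a small model of identity selection. This is an added example, not electron-builder's code: the pre-fix type list is inferred from the warning text in the first comment, and `selectIdentity`, its qualifier argument and `acceptedByNotarization` are hypothetical helpers.

```javascript
// Added example: simplified model of certificate selection, not electron-builder's code.
// Valid identities copied from the log quoted in this issue.
const VALID_IDENTITIES = `
  1) 44CA2421EB0C30642C65DB3797B0BF19B9D44CCD "Developer ID Application: Robert Patrick (T9JYPMT298)"
  2) 68307094FC5A34F9222D288F9ECAA8303C6B037E "Mac Developer: Robert Patrick (F7GHKUXZFV)"
  3) A7E16BE121566018731123B9BA175BFBF9A5778A "0f7855fa-879d-4d9f-9fdb-1c0bdaf98e5a-MDMIdentity"
`;

// Parse lines of the form `N) <40-hex SHA-1> "<name>"` into { hash, name } records.
function parseIdentities(text) {
  const re = /^\s*\d+\)\s+([0-9A-F]{40})\s+"([^"]+)"/gm;
  return [...text.matchAll(re)].map(([, hash, name]) => ({ hash, name }));
}

// Certificate types as posted in the issue (the proposed fix).
function typesAfter(isMas, isDevelopment) {
  if (isDevelopment) {
    return isMas ? ["Mac Developer", "Apple Development"] : ["Developer ID Application"];
  }
  return isMas ? ["3rd Party Mac Developer Application", "Apple Distribution"] : ["Developer ID Application"];
}

// Assumed pre-fix behaviour: the warning shows only these two types being
// searched for a development build, whether or not the target is MAS.
function typesBefore(isMas, isDevelopment) {
  if (isDevelopment) return ["Mac Developer", "Apple Development"];
  return typesAfter(isMas, false);
}

// Hypothetical matcher: first identity named "<type>: ..." that also contains
// the qualifier (standing in for the CSC_NAME value).
function selectIdentity(identities, types, qualifier) {
  for (const type of types) {
    const hit = identities.find(
      (i) => i.name.startsWith(type + ":") && (!qualifier || i.name.includes(qualifier))
    );
    if (hit) return hit;
  }
  return null; // corresponds to "skipped macOS application code signing"
}

// Per the notarization errors above, only a Developer ID signature is accepted.
function acceptedByNotarization(identity) {
  return identity !== null && identity.name.startsWith("Developer ID Application:");
}
```

With the pre-fix list, a qualifier naming the Developer ID identity selects nothing, and a qualifier naming the Mac Developer identity selects a certificate that notarization rejects; with the posted list, the Developer ID identity is selected.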

mmaietta added a commit to mmaietta/electron-builder that referenced this issue Jul 28, 2021
…ng when not mas (electron-userland#6094)

fix(mac): Removing 3rd Party Mac Developer Application certificate selector (electron-userland#6101)
@mmaietta
Collaborator

Nice find! Glad to hear that you were able to get it working as well. I thought DMG installers weren't supposed to be signed though?

Author

rpatrick00 commented Jul 28, 2021

@mmaietta The installer itself is not signed but the application must be signed and notarized prior to building the installer. As long as you set sign to false in the dmg section of the electron builder config file, electron builder does the right thing.

mmaietta added a commit that referenced this issue Jul 28, 2021
#6101) (#6105)

* fix(mac): Adding Developer ID Application entry for development signing when not mas (#6094)
* fix(mac): Removing 3rd Party Mac Developer Application certificate selector (#6101)