Trouble with codesigning NW.js app for MacOS - code-signing

NWJS Version : 0.28.0
Operating System : MacOS 10.13.3
Here is a fragment of the bash script that I use for codesigning:
export IDENTITY=YFXXXXXXXX
export PARENT_PLIST=./certs/parent.plist
export CHILD_PLIST=./certs/child.plist
codesign --deep -s $IDENTITY --entitlements $CHILD_PLIST $helpersPath/nwjs\ Helper.app
codesign --deep -s $IDENTITY --entitlements $CHILD_PLIST $helpersPath/nwjs\ Framework.framework/Versions/A/Resources/app_mode_loader.app
codesign --deep -s $IDENTITY --entitlements $CHILD_PLIST $helpersPath/nwjs\ Framework.framework/Versions/A/XPCServices/AlertNotificationService.xpc
codesign --deep -s $IDENTITY --entitlements $CHILD_PLIST $helpersPath/nwjs\ Framework.framework/Versions/A/Helpers/crashpad_handler
codesign --deep -s $IDENTITY --entitlements $CHILD_PLIST $helpersPath/nwjs\ Framework.framework/Versions/A/nwjs\ Framework
codesign --deep -s $IDENTITY --entitlements $CHILD_PLIST $helpersPath/nwjs\ Framework.framework/libnode.dylib
codesign --deep -s $IDENTITY --entitlements $CHILD_PLIST $helpersPath/libffmpeg.dylib
codesign --deep -s $IDENTITY --entitlements $PARENT_PLIST $APP_PATH
chmod -R 777 $APP_PATH
cd $APP_DIR && productbuild --component "$APP_NAME.app" /Applications --sign $IDENTITY "$APP_NAME.pkg"
I signed everything that Application Loader and iTunes Connect asked for. I had a lot of issues before while uploading a package. They were all solved by codesigning everything. Now the package can be uploaded. However, I can't run the .app after codesigning. Before codesigning it works fine.
Here are also the child and parent plists.
Child:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.app-sandbox</key>
<true/>
<key>com.apple.security.inherit</key>
<true/>
</dict>
</plist>
Parent:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.app-sandbox</key>
<true/>
<key>com.apple.security.network.client</key>
<true/>
</dict>
</plist>
Edit:
Also extracted from system.log:
Feb 6 12:10:43 MacBook-Air-Mac com.apple.xpc.launchd[1] (com.apple.xpc.launchd.domain.pid.nwjs Helper.779): Path not allowed in target domain: type = pid, path = /Users/mac/Desktop/lal/Trader.app/Contents/Versions/64.0.3282.119/nwjs Framework.framework/Versions/A/XPCServices/AlertNotificationService.xpc error = 147: The specified service did not ship in the requestor's bundle, origin = /Users/mac/Desktop/lal/Trader.app/Contents/Versions/64.0.3282.119/nwjs Helper.app

Related

How to prepare entitlements for NWJS to submit app to mac app store?

I have signed the files of an NWJS application package using a shell script for NWJS 0.36 on macOS 10.14.3. I want to upload an NWJS application to the Mac App Store. However, the app crashes after signing it and trying to run it. I think it is due to a lack of permissions in the sandbox entitlements.
It is possible to replicate this issue by signing the default nwjs.app for macOS without modification using a macOS developer identity. The list of files that I have included in the script is the one listed by the macOS "Application Loader", the application checking package submissions to the Mac App Store. It was required by the application that a list of programs should include the sandbox. https://developer.apple.com/app-sandboxing/
#!/bin/bash
# copy this script in a file & run this by typing "sh thenameofthisfile" in Mac terminal
#directory is just the path name without app.
# app is yourapp without .app extension
# helpername is the name that replaces "nwjs" in "nwjs helper.app"
# macosuseraccount is your macOS user account for the paths.
# "3rd Party Mac Developer Installer" => for signing the pkg // "3rd Party Mac Developer Application" => for signing everything in the app + the .app
# replace app name / helper name / macOS user name
# V1 is a variable equal to the current Chromium version in the path name, for example: 71.0.3578.98
APP=nwjs
HELPERNAME=nwjs
MACOSUSERACCOUNT=nicolasguerinet
ID_APP="3rd Party Mac Developer Application"
ID_PKR="3rd Party Mac Developer Installer"
DIRECTORY=/users/$MACOSUSERACCOUNT/path/to/your/app
APP_PATH="$DIRECTORY/$APP.app"
PARENT_PLIST=$DIRECTORY/parent.plist
CHILD_PLIST=$DIRECTORY/child.plist
# glob the single versioned directory under Contents/Versions; quote the path so spaces survive
CHROMIUMVERSION=("$APP_PATH"/contents/versions/*/)
V1="$(basename "${CHROMIUMVERSION[0]}")"
xattr -cr $APP_PATH
codesign --deep -s "$ID_APP" --entitlements "$CHILD_PLIST" "$APP_PATH/contents/versions/$V1/$HELPERNAME helper.app" -f -v
codesign --deep -s "$ID_APP" --entitlements "$CHILD_PLIST" "$APP_PATH/contents/versions/$V1/$HELPERNAME helper.app/contents/macos/$HELPERNAME helper" -f -v
codesign --deep -s "$ID_APP" --entitlements "$CHILD_PLIST" "$APP_PATH/contents/versions/$V1/nwjs framework.framework/versions/a/helpers/crashpad_handler" -f -v
codesign --deep -s "$ID_APP" --entitlements "$CHILD_PLIST" "$APP_PATH/contents/versions/$V1/nwjs framework.framework/Versions/A/Resources/app_mode_loader.app/Contents/MacOS/app_mode_loader" -f -v
codesign --deep -s "$ID_APP" --entitlements "$CHILD_PLIST" "$APP_PATH/contents/versions/$V1/nwjs framework.framework/Versions/A/XPCServices/AlertNotificationService.xpc/Contents/MacOS/AlertNotificationService" -f -v
#codesign --force --verify -s "$ID_APP" --entitlements "$CHILD_PLIST" "$APP_PATH/Contents/Versions/$V1/nwjs Framework.framework/nwjs Framework"
codesign --deep --force --verify -s "$ID_APP" --entitlements "$CHILD_PLIST" "$APP_PATH/Contents/Versions/$V1/nwjs Framework.framework"
codesign --deep -s "$ID_APP" --entitlements "$CHILD_PLIST" "$APP_PATH/contents/versions/$V1/nwjs framework.framework/libnode.dylib" -f -v
#codesign -s "$ID_APP" --entitlements "$CHILD_PLIST" "$APP_PATH/Contents/MacOS/$APP" -f -v
codesign --deep -s "$ID_APP" --entitlements "$PARENT_PLIST" $APP_PATH -f -v
Here is my child.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.app-sandbox</key>
<true/>
<key>com.apple.security.inherit</key>
<true/>
</dict>
</plist>
After signing the programs and the parent package, when I try to run the application it crashes right away. I can find errors in my console when filtering using "nwjs" or "process:sandboxd".
I think that the major error is:
Sandbox: nwjs(4602) deny(1) network-bind
/private/var/folders/kt/c216x7lx2qg87zhlwx46l6zr0000gn/T/io.nwjs.nwjs/.io.nwjs.nwjs.5zPGi8/SingletonSocket
I also get errors like this one:
Sandbox: nwjs(4676) deny(1) file-read-data
/Users/nicolasguerinet/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist
Sandbox: nwjs(4676) deny(1) mach-register io.nwjs.nwjs.rohitfork.4676
Sandbox: nwjs(4676) deny(1) mach-register
io.nwjs.nwjs.FieldTrialMemoryServer.4676
[0210/214619.981611:ERROR:mach_extensions.cc(68)] bootstrap_check_in
org.chromium.crashpad.child_port_handshake.6116.258959.GPSJQYHPOAJCMUEY:
Permission denied (1100)
and those two from the application:
[0210/210429.187708:ERROR:directory_reader_posix.cc(42)] opendir: Operation not permitted (1)
[0210/214620.466617:ERROR:mach_port_broker.mm(43)] bootstrap_look_up:
Permission denied (1100)
I guess that some permissions are missing in parent.plist and should be added to the parent.plist to make NW.js run after being code signed.
Update:
I have added the following to my parent.plist without success:
<key>com.apple.security.temporary-exception.sbpl</key>
<array>
<string>(allow ipc-posix-sem)</string>
<string>(allow file-issue-extension)</string>
<string>(allow mach-lookup)</string>
<string>(allow file-write-create)</string>
<string>(allow file-read-data)</string>
</array>

Changing the Homebrew Apache PATH variable

I've recently installed Apache 2.4 on my Mac via Homebrew. (I previously used the Apple-supplied Apache.)
In a PHP script, I call Exec(x) on an executable located in /usr/local/bin, but it fails because /usr/local/bin is not included in Apache's PATH environment variable. Running phpinfo() shows that PATH is /usr/bin:/bin:/usr/sbin:/sbin.
I had previously included /usr/local/bin in /System/Library/LaunchDaemons/org.apache.httpd.plist as described here, but it no longer works, I think because I'm using Apache installed by Homebrew.
My shell $PATH includes many directories including /usr/local/bin, so that's not it.
I'd rather not call Exec with an absolute path since I need to run this in several environments where the executable is in different paths.
How do I modify the Homebrew Apache's PATH variable? Thanks!
I found the answer here.
To change Apache environment variables when Apache was installed with Homebrew, edit the homebrew.mxcl.httpd24.plist file located in /usr/local/Cellar/httpd24/your version of Apache/.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>homebrew.mxcl.httpd24</string>
<!-- add this -->
<key>EnvironmentVariables</key>
<dict>
<key>PATH</key>
<string>/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin</string>
</dict>
<!-- end add -->
<key>ProgramArguments</key>
<array>
<string>/usr/local/opt/httpd24/bin/httpd</string>
<string>-D</string>
<string>FOREGROUND</string>
</array>
<key>RunAtLoad</key>
<true/>
</dict>
</plist>
Then restart Apache.

Failed to run Electron Helper in sandbox environment

I had a problem when submitting my Electron app to the Apple store:
ERROR ITMS-90296: "App sandbox not enabled. The following executables must include the "com.apple.security.app-sandbox" entitlement with a Boolean value of true in the entitlements property list: [( "com.smarterback.desktop.pkg/Payload/SmarterBack.app/Contents/Frameworks/SmarterBack Helper EH.app/Contents/MacOS/SmarterBack Helper EH", "com.smarterback.desktop.pkg/Payload/SmarterBack.app/Contents/Frameworks/SmarterBack Helper NP.app/Contents/MacOS/SmarterBack Helper NP", "com.smarterback.desktop.pkg/Payload/SmarterBack.app/Contents/Frameworks/SmarterBack Helper.app/Contents/MacOS/SmarterBack Helper", "com.smarterback.desktop.pkg/Payload/SmarterBack.app/Contents/MacOS/SmarterBack" )] Refer to App Sandbox page at https://developer.apple.com/devcenter/mac/app-sandbox/ for more information on sandboxing your app."
So I changed my .plist file to enable the sandbox and everything went well with the submission, but there was another problem with that fix: now my app doesn't want to start because it can't find "SmarterBack Helper":
[8801:0907/140725.080936:FATAL:atom_main_delegate_mac.mm(50)] Unable to find helper app
0 Electron Framework 0x000000010c4fdde3 _ZN9brightray12MainDelegate24OverrideChildProcessPathEv + 836531
1 Electron Framework 0x000000010c4d3297 _ZN9brightray12MainDelegate24OverrideChildProcessPathEv + 661607
2 Electron Framework 0x000000010c2c2169 _ZN4atom16AtomMainDelegate24OverrideChildProcessPathEv + 377
3 Electron Framework 0x000000010c4314fb _ZN9brightray12MainDelegate20BasicStartupCompleteEPi + 107
4 Electron Framework 0x000000010c2c17ed _ZN4atom16AtomMainDelegate20BasicStartupCompleteEPi + 237
5 Electron Framework 0x000000010c6a7311 _ZN9brightray12MainDelegate24OverrideChildProcessPathEv + 2578657
6 Electron Framework 0x000000010c6a6bde _ZN9brightray12MainDelegate24OverrideChildProcessPathEv + 2576814
7 Electron Framework 0x000000010c2be747 AtomMain + 71
8 SmarterBack Helper 0x000000010c2b6f26 main + 38
9 libdyld.dylib 0x00007fff9a371235 start + 1
10 ??? 0x0000000000000010 0x0 + 16
This is my child.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.app-sandbox</key>
<true/>
<key>com.apple.security.inherit</key>
<true/>
<key>com.apple.security.temporary-exception.files.absolute-path.read-write</key>
<true/>
</dict>
</plist>
parent.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.inherit</key>
<true/>
<key>com.apple.security.app-sandbox</key>
<true/>
<key>com.apple.security.application-groups</key>
<string>com.smarterback.desktop</string>
</dict>
</plist>
and finally my script for sign
#!/bin/bash
# Name of your app.
APP="SmarterBack"
# The path of your app to sign.
APP_PATH="release-builds/SmarterBack-mas-x64/SmarterBack.app"
# The path to the location you want to put the signed package.
RESULT_PATH="/Users/katerina/Desktop/$APP.pkg"
# The name of certificates you requested.
APP_KEY="3rd Party Mac Developer Application: JENGO LLC (63UV74H5Q5)"
INSTALLER_KEY="3rd Party Mac Developer Installer: JENGO LLC (63UV74H5Q5)"
# The path of your plist files.
CHILD_PLIST="child.plist"
PARENT_PLIST="parent.plist"
FRAMEWORKS_PATH="$APP_PATH/Contents/Frameworks"
sudo codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/Electron Framework.framework/Versions/A/Electron Framework"
sudo codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/Electron Framework.framework/Versions/A/Libraries/libffmpeg.dylib"
sudo codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/Electron Framework.framework/Versions/A/Libraries/libnode.dylib"
sudo codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/Electron Framework.framework"
sudo codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/$APP Helper.app/Contents/MacOS/$APP Helper"
sudo codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/$APP Helper.app/"
sudo codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/$APP Helper EH.app/Contents/MacOS/$APP Helper EH"
sudo codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/$APP Helper EH.app/"
sudo codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/$APP Helper NP.app/Contents/MacOS/$APP Helper NP"
sudo codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$FRAMEWORKS_PATH/$APP Helper NP.app/"
sudo codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$APP_PATH/Contents/MacOS/$APP"
sudo codesign -s "$APP_KEY" -f --entitlements "$CHILD_PLIST" "$APP_PATH/Contents/Info.plist"
sudo codesign -s "$APP_KEY" -f --entitlements "$PARENT_PLIST" "$APP_PATH"
codesign --verify --deep --display --verbose=4 "$APP_PATH"
sudo productbuild --component "$APP_PATH" /Applications --sign "$INSTALLER_KEY" "$RESULT_PATH"
From what I understand I have to sign all my files and enable the sandbox, but when I do that and start my app I see a white box with nothing in it because the app is unable to find the helper. Has anyone had that problem before?
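As an added example (not code from any of the posts, NW.js or Electron), a small lint for the parent/child entitlement pairs shown in this post and in the NW.js question at the top of the page; the sample plists are constructed from those posts, and the rules are Apple's documented App Sandbox ones.

```python
"""Lint the parent/child entitlement plists used for MAS submission.

Rules (Apple App Sandbox): the outer .app must set
com.apple.security.app-sandbox and must not use com.apple.security.inherit;
a helper that uses inherit may carry no other entitlement; and the
temporary-exception.*.absolute-path keys take an array of path strings.
"""
import plistlib

SANDBOX = "com.apple.security.app-sandbox"
INHERIT = "com.apple.security.inherit"
TEMP_EXC = "com.apple.security.temporary-exception."


def lint_entitlements(parent_xml: bytes, child_xml: bytes) -> list[str]:
    """Return the problems found; an empty list means both files pass."""
    parent = plistlib.loads(parent_xml)
    child = plistlib.loads(child_xml)
    problems = []
    # Outer app: opts into the sandbox itself, so it must not inherit one.
    if parent.get(SANDBOX) is not True:
        problems.append("parent: app-sandbox must be true (ITMS-90296)")
    if INHERIT in parent:
        problems.append("parent: inherit is only valid for helper processes")
    # Helpers, XPC services, crashpad_handler: inherit the parent's sandbox
    # and carry nothing else; Apple allows no other key alongside inherit.
    if child.get(SANDBOX) is not True or child.get(INHERIT) is not True:
        problems.append("child: needs app-sandbox=true and inherit=true")
    extra = sorted(k for k in child if k not in (SANDBOX, INHERIT))
    if extra:
        problems.append("child: inherit allows no other keys: " + ", ".join(extra))
    # Temporary exceptions are arrays of strings, never a bare <true/>.
    for name, ents in (("parent", parent), ("child", child)):
        for key, value in ents.items():
            if key.startswith(TEMP_EXC) and not isinstance(value, list):
                problems.append(f"{name}: {key} expects an array of strings")
    return problems


def plist(body: str) -> bytes:
    """Wrap dict entries in a plist envelope (constructed sample data)."""
    return ('<?xml version="1.0" encoding="UTF-8"?>'
            f'<plist version="1.0"><dict>{body}</dict></plist>').encode()


# Pair from the NW.js question: sandbox + network.client / sandbox + inherit.
NWJS_PARENT = plist(f"<key>{SANDBOX}</key><true/>"
                    "<key>com.apple.security.network.client</key><true/>")
NWJS_CHILD = plist(f"<key>{SANDBOX}</key><true/><key>{INHERIT}</key><true/>")
# Pair from the Electron Helper post, reproduced with its three mistakes.
ELECTRON_PARENT = plist(f"<key>{INHERIT}</key><true/><key>{SANDBOX}</key><true/>"
                        "<key>com.apple.security.application-groups</key>"
                        "<string>com.smarterback.desktop</string>")
ELECTRON_CHILD = plist(f"<key>{SANDBOX}</key><true/><key>{INHERIT}</key><true/>"
                       "<key>com.apple.security.temporary-exception.files"
                       ".absolute-path.read-write</key><true/>")

if __name__ == "__main__":
    print("nwjs:", lint_entitlements(NWJS_PARENT, NWJS_CHILD))
    print("electron:", *lint_entitlements(ELECTRON_PARENT, ELECTRON_CHILD), sep="\n  ")
```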

Submitting Electron App to Mac App Store: Error "Invalid Signature"

I'm trying to submit an Electron based app to the Mac App Store.
To sign the app I'm using this script (according to https://github.com/atom/electron/blob/master/docs/tutorial/mac-app-store-submission-guide.md):
#!/bin/bash
# Name of your app.
APP="MyApp"
# The path of you app to sign.
APP_PATH="MyApp.app"
# The path to the location you want to put the signed package.
RESULT_PATH="$APP.pkg"
# The name of certificates you requested.
APP_KEY="3rd Party Mac Developer Application: MYCOMPANY (XXX)"
INSTALLER_KEY="3rd Party Mac Developer Installer: MYCOMPANY (XXX)"
FRAMEWORKS_PATH="$APP_PATH/Contents/Frameworks"
codesign --deep -fs "$APP_KEY" --entitlements child.plist "$FRAMEWORKS_PATH/Electron Framework.framework/Versions/A"
codesign --deep -fs "$APP_KEY" --entitlements child.plist "$FRAMEWORKS_PATH/$APP Helper.app/"
codesign --deep -fs "$APP_KEY" --entitlements child.plist "$FRAMEWORKS_PATH/$APP Helper EH.app/"
codesign --deep -fs "$APP_KEY" --entitlements child.plist "$FRAMEWORKS_PATH/$APP Helper NP.app/"
codesign --deep -fs "$APP_KEY" --entitlements child.plist "$FRAMEWORKS_PATH/$APP Framework.framework/Libraries/libnode.dylib"
codesign --deep -fs "$APP_KEY" --entitlements child.plist "$FRAMEWORKS_PATH/$APP Framework.framework/Electron Framework"
# Signage of terminal-notifier
codesign --deep -fs "$APP_KEY" --entitlements child.plist "$APP_PATH/Contents/Resources/app/node_modules/node-notifier/vendor/terminal-notifier.app"
if [ -d "$FRAMEWORKS_PATH/Squirrel.framework/Versions/A" ]; then
# Signing a non-MAS build.
codesign --deep -fs "$APP_KEY" --entitlements child.plist "$FRAMEWORKS_PATH/Mantle.framework/Versions/A"
codesign --deep -fs "$APP_KEY" --entitlements child.plist "$FRAMEWORKS_PATH/ReactiveCocoa.framework/Versions/A"
codesign --deep -fs "$APP_KEY" --entitlements child.plist "$FRAMEWORKS_PATH/Squirrel.framework/Versions/A"
fi
codesign -fs "$APP_KEY" --entitlements parent.plist "$APP_PATH"
productbuild --component "$APP_PATH" /Applications --sign "$INSTALLER_KEY" "$RESULT_PATH"
with the two entitlements files:
child.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.app-sandbox</key>
<true/>
<key>com.apple.security.inherit</key>
<true/>
</dict>
</plist>
and parent.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.app-sandbox</key>
<true/>
</dict>
</plist>
After running the script I used the Application Loader to submit the PKG file to the MAS. So far it's working. But after the submission process I'm receiving a mail from Apple with the following error:
Invalid Signature - This error occurs when you have signed your app's installer incorrectly. There are two certs required for this process: the "3rd Party Mac Developer Application" cert and the "3rd Party Mac Developer Installer" cert. When signing your package, you need to ensure that you are using the Installer cert to sign your package. Ensure that you are specifying this cert when submitting your app via the Xcode Organizer or when running productbuild from the command line.
I used the "3rd Party Mac Developer Installer" cert to sign the package. How can I solve this problem?
After you have generated the package with electron-packager,
you should edit the Info.plist in the package.
Add a (key, value) pair to Info.plist. The key is "ElectronTeamId" and the value is your Team ID.
To locate your Team ID, sign in to Apple Developer Center and click Membership in the sidebar. Your Team ID appears in the Membership Information section under the team name.
I would recommend having a look at electron-osx-sign. From the excerpts of your signing script it's slightly hard to tell where the process went wrong. So with this module, all you'll have to do is:
$ electron-osx-sign path/to/my.app
And the rest of setting up entitlements and signing different versions of the containing frameworks could be done for you.

unsealed contents present in the bundle - Mac build

I am trying to sign my app built with nwjs on Mac.
https://github.com/nwjs/nw.js/wiki/MAS:-Signing-the-app
The following are the steps I tried. Out of 8 steps, up to 7 worked for me. When I run the 8th command I get the
"unsealed contents present in the bundle root" error message.
1. export IDENTITY="*******"
2. export PARENT_PLIST=/path/to/parent.plist
3. export CHILD_PLIST=/path/to/child.plist
4. export APP_PATH=/path/to/yourapp/YourApp.app
5. codesign --deep -s $IDENTITY --entitlements $CHILD_PLIST $APP_PATH"/Contents/Frameworks/nwjs Helper.app"
6. codesign --deep -s $IDENTITY --entitlements $CHILD_PLIST $APP_PATH"/Contents/Frameworks/nwjs Helper EH.app"
7. codesign --deep -s $IDENTITY --entitlements $CHILD_PLIST $APP_PATH"/Contents/Frameworks/nwjs Helper NP.app"
8. codesign --deep -s $IDENTITY --entitlements $PARENT_PLIST $APP_PATH
Please see the screen shot for my file structure
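As an added example (not code from the posts, NW.js or Apple), a check for the two layout issues behind the errors above: stray files in the bundle root, which is what "unsealed contents present in the bundle root" reports, and the inside-out order in which nested helpers have to be signed before the outer app. The bundle it builds is a constructed stand-in for the NW.js 0.28 tree quoted in the system.log line at the top of the page, and the identity and plist names are placeholders.

```python
"""Check a .app for stray root files and derive the inside-out codesign order.
The sample bundle below is constructed, modelled on the NW.js paths quoted in
the posts; IDENTITY_PLACEHOLDER, parent.plist and child.plist are placeholders.
"""
import tempfile
from pathlib import Path

# Nested code that carries its own seal, so it is signed before its parent.
CODE_SUFFIXES = (".app", ".framework", ".xpc", ".dylib")

def unsealed_root_entries(app: Path) -> list[str]:
    """Anything beside Contents in the bundle root makes codesign stop with
    'unsealed contents present in the bundle root'."""
    return sorted(p.name for p in app.iterdir() if p.name != "Contents")

def signing_order(app: Path) -> list[Path]:
    """Nested code under Contents, deepest first, the outer .app last, so
    each helper is sealed before the code that embeds it (no --deep needed)."""
    nested = [p for p in (app / "Contents").rglob("*")
              if p.suffix in CODE_SUFFIXES or p.parent.name == "Helpers"]
    nested.sort(key=lambda p: (-len(p.parts), str(p)))
    return nested + [app]

def codesign_commands(app: Path, identity: str, parent_plist: str,
                      child_plist: str) -> list[list[str]]:
    """codesign argv per item of signing_order(): helpers get the inherit
    (child) entitlements, only the outer app gets the parent entitlements."""
    cmds = []
    for path in signing_order(app):
        ents = parent_plist if path == app else child_plist
        cmds.append(["codesign", "--force", "--sign", identity,
                     "--entitlements", ents, str(path)])
    return cmds

def make_sample_bundle(root: Path) -> Path:
    """Constructed layout modelled on the NW.js paths quoted in the posts."""
    app = root / "Trader.app"
    ver = app / "Contents" / "Versions" / "64.0.3282.119"
    fw = ver / "nwjs Framework.framework" / "Versions" / "A"
    for d in (fw / "XPCServices" / "AlertNotificationService.xpc" / "Contents",
              fw / "Resources" / "app_mode_loader.app" / "Contents",
              fw / "Helpers", ver / "nwjs Helper.app" / "Contents",
              app / "Contents" / "MacOS"):
        d.mkdir(parents=True)
    for f in (fw / "Helpers" / "crashpad_handler", ver / "libffmpeg.dylib",
              ver / "nwjs Framework.framework" / "libnode.dylib",
              app / "Contents" / "MacOS" / "nwjs",
              app / "package.json"):  # stray file left in the bundle root
        f.touch()
    return app

def demo() -> tuple[list[str], list[str], list[list[str]]]:
    """Build the sample and return (stray root entries, order, commands)."""
    with tempfile.TemporaryDirectory() as tmp:
        app = make_sample_bundle(Path(tmp))
        order = [str(p.relative_to(app.parent)) for p in signing_order(app)]
        cmds = codesign_commands(app, "IDENTITY_PLACEHOLDER",
                                 "parent.plist", "child.plist")
        return unsealed_root_entries(app), order, cmds
```

Running `demo()` on the sample lists `package.json` as the unsealed root entry and puts crashpad_handler, app_mode_loader.app and the XPC service ahead of the framework that embeds them.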