fix(build): make MAS installer signing work; correct verifier checks #22
Merged
The mas.identity was set to the full "Apple Distribution: ..." string. electron-builder reuses mas.identity as the search qualifier for the installer cert too, and that string can never match a "3rd Party Mac Developer Installer" line, so the pkg step failed with "Cannot find valid identity". Use the bare "Julia Kafarska (8Y2UTZ2NBZ)" qualifier: the app still resolves to Apple Distribution (tried first for MAS) and the installer resolves to the 3rd Party cert.

verify-mas-build.mjs: only require com.apple.security.inherit on Mach-O executables (helpers, login helper, ffmpeg) that spawn as their own process. Dylibs/frameworks/.node bundles load in-process and must not carry it — a valid team signature is enough. Also skip symlinks when walking the bundle so the framework's Versions/Current alias isn't traversed back into Versions/A.
Problem
npm run electron:build:mas failed at the final step with:
even though the cert is present and valid in the keychain.
Cause
mas.identity was set to the full string Apple Distribution: Julia Kafarska (8Y2UTZ2NBZ). electron-builder reuses mas.identity as the search qualifier for the installer cert too (macPackager.js), and that string can never appear in a 3rd Party Mac Developer Installer: line, so the lookup returned null.
Fix
electron-builder.json — use the bare qualifier Julia Kafarska (8Y2UTZ2NBZ). The app still signs with Apple Distribution (electron-builder tries that type first for MAS) and the installer now resolves to the 3rd Party cert. Build completes and produces a signed .pkg.
scripts/verify-mas-build.mjs — only require com.apple.security.inherit on Mach-O executables (helpers, login helper, ffmpeg) that spawn as their own process. Dylibs / frameworks / .node bundles load in-process and must not carry it; a valid team signature is sufficient. Also skip symlinks when walking the bundle so the framework's Versions/Current alias isn't traversed back into Versions/A (was reporting each binary 3×).
Verification
npm run electron:build:mas now completes; verify:mas reports all checks passing (Apple Distribution signature, App Sandbox, embedded profile + team match, every helper/ffmpeg signed + inherit, every library signed). Output: releases/macos/mas-arm64/Out Loud-2.0.0-arm64.pkg.
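The two verifier rules described above (skip symlinks while walking, require com.apple.security.inherit only on Mach-O executables), as an added example that is not the project's verify-mas-build.mjs. The function names, the sample bundle layout and the fake headers are assumptions constructed for illustration, and the caller is assumed to handle the main app executable separately.

```javascript
// Added example, not code from this PR. Classifies Mach-O files by header filetype.
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

const MH_EXECUTE = 2, MH_DYLIB = 6, MH_BUNDLE = 8; // filetype values from <mach-o/loader.h>

// Return the Mach-O filetype of a file, or null when it is not a little-endian Mach-O.
function machoFileType(file) {
  const fd = fs.openSync(file, 'r');
  const read = (pos) => { const b = Buffer.alloc(32); fs.readSync(fd, b, 0, 32, pos); return b; };
  try {
    let h = read(0);
    // Fat (universal) file: the first slice offset sits at byte 16 of the big-endian header.
    if (h.readUInt32BE(0) === 0xcafebabe) h = read(h.readUInt32BE(16));
    const magic = h.readUInt32LE(0);
    return magic === 0xfeedfacf || magic === 0xfeedface ? h.readUInt32LE(12) : null;
  } finally { fs.closeSync(fd); }
}

// Walk without following symlinks, so Versions/Current is not re-scanned as Versions/A.
function classifyBundle(root, out = []) {
  for (const e of fs.readdirSync(root, { withFileTypes: true })) {
    const p = path.join(root, e.name);
    if (e.isSymbolicLink()) continue;
    if (e.isDirectory()) { classifyBundle(p, out); continue; }
    const type = e.isFile() ? machoFileType(p) : null;
    if (type === null) continue;
    // Only MH_EXECUTE images run as their own process and need the inherit entitlement;
    // dylibs and loadable bundles (.node) load in-process and must not carry it.
    out.push({ path: p, type, needsInherit: type === MH_EXECUTE });
  }
  return out;
}

// Constructed sample: 32-byte fake headers laid out like part of an Electron MAS bundle.
function buildSampleBundle() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'mas-'));
  const macho = (t) => { const b = Buffer.alloc(32); b.writeUInt32LE(0xfeedfacf, 0); b.writeUInt32LE(t, 12); return b; };
  const put = (rel, data) => { const f = path.join(root, rel); fs.mkdirSync(path.dirname(f), { recursive: true }); fs.writeFileSync(f, data); };
  put('Frameworks/Demo.framework/Versions/A/Demo', macho(MH_DYLIB));
  fs.symlinkSync('A', path.join(root, 'Frameworks/Demo.framework/Versions/Current'));
  put('Frameworks/Demo Helper.app/Contents/MacOS/Demo Helper', macho(MH_EXECUTE));
  put('Resources/addon.node', macho(MH_BUNDLE));
  put('Resources/app.asar', Buffer.from('not mach-o'));
  return root;
}
```

A real verifier would then compare needsInherit against the entitlements that codesign reports for each path.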