
Commit 980dcb3

Fix MAS signing - remove --options runtime flag (#14)
* Add unique-slug@5.0.0 to package-lock.json
* Add explicit PKG installer signing for MAS builds
* Fix MAS signing: Remove --options runtime flag

The --options runtime flag causes codesign to add the com.apple.developer.team-identifier entitlement, which is not in the MAS provisioning profile. This flag is only for Developer ID distribution, not Mac App Store builds.

Fixes Transporter validation error 409.

---------

Co-authored-by: Ian Miller <ian@wildfire-corp.com>
1 parent aeb334a commit 980dcb3

2 files changed

Lines changed: 53 additions & 10 deletions


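--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -168,7 +168,49 @@ jobs:
 set -o pipefail
 # Build MAS package (notarization disabled by unsetting APPLE_API_KEY* vars above)
 npm run build:desktop:mas 2>&1 | tee /tmp/electron-builder-mas.log
-exit ${PIPESTATUS[0]}
+BUILD_EXIT=$?
+
+# Verify and fix PKG signing if needed
+PKG_FILE=$(find dist -name "*.pkg" -type f | head -1)
+if [ -n "$PKG_FILE" ] && [ -f "$PKG_FILE" ]; then
+echo "Checking PKG signature: $PKG_FILE"
+
+# Check if PKG is signed with installer certificate
+if ! pkgutil --check-signature "$PKG_FILE" 2>&1 | grep -q "3rd Party Mac Developer Installer"; then
+echo "⚠️ PKG not signed with installer certificate, re-signing..."
+
+# Find installer identity
+INSTALLER_IDENTITY=$(security find-identity -v -p basic | grep "3rd Party Mac Developer Installer" | head -1 | sed 's/.*"\(.*\)".*/\1/')
+
+if [ -n "$INSTALLER_IDENTITY" ]; then
+echo "Found installer identity: $INSTALLER_IDENTITY"
+
+# Re-sign the PKG with installer certificate
+TEMP_PKG="${PKG_FILE}.temp"
+productsign --sign "$INSTALLER_IDENTITY" "$PKG_FILE" "$TEMP_PKG"
+
+if [ -f "$TEMP_PKG" ]; then
+mv "$TEMP_PKG" "$PKG_FILE"
+echo "✅ PKG re-signed with installer certificate"
+
+# Verify the signature
+pkgutil --check-signature "$PKG_FILE"
+else
+echo "❌ Failed to re-sign PKG"
+exit 1
+fi
+else
+echo "❌ Could not find 3rd Party Mac Developer Installer certificate"
+exit 1
+fi
+else
+echo "✅ PKG already signed with installer certificate"
+fi
+else
+echo "⚠️ No PKG file found"
+fi
+
+exit $BUILD_EXIT
 env:
 # Enable signing for MAS builds (but NOT notarization)
 CI: true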
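Review bot: The re-sign branch (new lines 190–197) treats the mere existence of `$TEMP_PKG` as success and only prints the final `pkgutil --check-signature` output, so productsign's exit status and the resulting signer are never tested; whether the step's shell runs with `-e` is not visible in this hunk. Branch on the command itself, `if productsign --sign "$INSTALLER_IDENTITY" "$PKG_FILE" "$TEMP_PKG"; then`, and repeat the `grep -q "3rd Party Mac Developer Installer"` check on the replaced package before reporting success. The signing identity is chosen by substring match with `head -1`, and the package by `find dist ... | head -1`, so with more than one match the choice is arbitrary; pinning the identity to a team ID or certificate hash supplied by the workflow would make the signing key explicit. A missing PKG only logs a warning and the step still exits with `$BUILD_EXIT`, which lets a MAS build that produced no installer pass. The `run:` block starts above the hunk.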

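--- a/scripts/fix-mas-icon.js
+++ b/scripts/fix-mas-icon.js
@@ -118,7 +118,8 @@ exports.default = async function(context) {
 const helperPath = path.join(helpersPath, helper);
 if (fs.statSync(helperPath).isFile() && !helper.endsWith('.plist')) {
 try {
-execSync(`codesign --force --sign "${identity}" --entitlements "${entitlementsInherit}" --options runtime "${helperPath}"`, {
+// Don't use --options runtime for MAS builds (that's for Developer ID only)
+execSync(`codesign --force --sign "${identity}" --entitlements "${entitlementsInherit}" "${helperPath}"`, {
 stdio: 'inherit'
 });
 console.log(`✅ Re-signed helper: ${helper}`);
@@ -133,8 +134,8 @@ exports.default = async function(context) {
 helperApps.sort((a, b) => b.split(path.sep).length - a.split(path.sep).length);
 for (const helperApp of helperApps) {
 try {
-// Sign the helper app
-execSync(`codesign --force --sign "${identity}" --entitlements "${entitlementsInherit}" --options runtime "${helperApp}"`, {
+// Sign the helper app (no --options runtime for MAS builds)
+execSync(`codesign --force --sign "${identity}" --entitlements "${entitlementsInherit}" "${helperApp}"`, {
 stdio: 'inherit'
 });
 
@@ -154,25 +155,25 @@ exports.default = async function(context) {
 const electronFrameworkPath = path.join(frameworksPath, 'Electron Framework.framework');
 const electronFrameworkExecutable = path.join(electronFrameworkPath, 'Versions', 'A', 'Electron Framework');
 if (fs.existsSync(electronFrameworkExecutable)) {
-// Sign the executable inside the framework first
-execSync(`codesign --force --sign "${identity}" --entitlements "${entitlementsInherit}" --options runtime "${electronFrameworkExecutable}"`, {
+// Sign the executable inside the framework first (no --options runtime for MAS)
+execSync(`codesign --force --sign "${identity}" --entitlements "${entitlementsInherit}" "${electronFrameworkExecutable}"`, {
 stdio: 'inherit'
 });
 // Then sign the framework bundle
-execSync(`codesign --force --sign "${identity}" --entitlements "${entitlementsInherit}" --options runtime "${electronFrameworkPath}"`, {
+execSync(`codesign --force --sign "${identity}" --entitlements "${entitlementsInherit}" "${electronFrameworkPath}"`, {
 stdio: 'inherit'
 });
 console.log('✅ Re-signed Electron Framework (executable and bundle)');
 } else if (fs.existsSync(electronFrameworkPath)) {
 // Fallback: sign the framework bundle if executable path doesn't exist
-execSync(`codesign --force --sign "${identity}" --entitlements "${entitlementsInherit}" --options runtime "${electronFrameworkPath}"`, {
+execSync(`codesign --force --sign "${identity}" --entitlements "${entitlementsInherit}" "${electronFrameworkPath}"`, {
 stdio: 'inherit'
 });
 console.log('✅ Re-signed Electron Framework (bundle only)');
 }
 
-// Sign main app bundle last
-execSync(`codesign --force --sign "${identity}" --entitlements "${entitlements}" --options runtime "${appBundlePath}"`, {
+// Sign main app bundle last (no --options runtime for MAS builds)
+execSync(`codesign --force --sign "${identity}" --entitlements "${entitlements}" "${appBundlePath}"`, {
 stdio: 'inherit'
 });
 console.log('✅ App bundle re-signed successfully');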
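Review bot: Every rewritten `execSync` call still builds the codesign command as a shell string, with `identity`, the entitlements path and the target path interpolated inside double quotes, so a `"`, `$` or backtick in any of them is interpreted by the shell during the signing step. Passing an argument vector avoids the shell entirely, e.g. `execFileSync('codesign', ['--force', '--sign', identity, '--entitlements', entitlementsInherit, helperPath], { stdio: 'inherit' })`; this needs `execFileSync` brought in from `child_process`, and the file's require lines are outside these hunks. The same flag list is repeated in all six calls across the three hunks, which is why this commit had to edit each one by hand; a small local helper taking the entitlements file and the target would keep the calls from drifting apart. The enclosing `exports.default` function begins and ends outside the hunks.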
