Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Order of operation for EVS signing, MacOS code signing, MacOS notarization #166

Closed
gligon101 opened this issue Aug 24, 2023 · 4 comments
Closed

Order of operation for EVS signing, MacOS code signing, MacOS notarization #166

gligon101 opened this issue Aug 24, 2023 · 4 comments

Comments

@gligon101
Copy link

I have an app that involves streaming DRM capabilities with Spotify using the castLabs build here. Here's the problem I'm currently having:

  • I build the app with electron-packager and have the python EVS script executing as a postPackage function
  • It generates myApp.app and I'm able to launch it and stream Spotify music with no problems.
  • If I manually run the EVS signing script, it says the signature is valid and foregoes signing.

Then I take it a step further:

  • Enable osx-sign for electron-packager and include the <key>com.apple.security.cs.disable-library-validation</key> <true/> entitlement as I'd also be notarizing this later.
  • Run electron-packager and it generates myApp.app
  • If I launch myApp.app I get a DRM streaming error and streaming Spotify won't work. (This is a built in error that surfaces after a widevine check)
  • If I manually run the EVS signing script, it says the signature is valid and foregoes signing.
  • If I run codesign -vvv -strict ./myApp.app it comes back as "valid on disk" and "satisfies its Designated Requirement"
  • From this perspective, it should be EVS signed AND MacOS code signed

EVS signing signs the top level of myApp.app where Electron's osx-sign goes in and signs every aspect of the built app. Should I only be osx-signing certain portions of the app? i.e. myApp.app\ Contents/Frameworks/myApp Helper ??

Ultimately if I EVS sign and successfully codesign without breaking EVS signing, will the notarization process break the EVS signing?
@khwaaj
Copy link
Collaborator

khwaaj commented Aug 24, 2023

Looks like you are doing most things right, and the entitlements is the likely culprit. Notarization should not break anything, in fact I know of several projects using this successfully. There are however some potential complications related to what needs to be notarized, e.g. see here:

#161 (comment)

@eXhumer
Copy link

eXhumer commented Apr 18, 2024
edited
Loading

Hello @khwaaj. If I am not mistaken, I have to first VMP sign a package first, then OSX sign the package correct? It seems like using the osxSign from the electron-forge config is out of the question and I instead have to use signAsync from @electron/osx-sign package inside the postPackage hook as the OSX signing process in electron-forge appears to happen before postPackage hook is reached. Using osxSign instead of signAsync causes the package to appear as damaged.

@khwaaj
Copy link
Collaborator

khwaaj commented Apr 18, 2024

Yes, on macOS you should VMP-sign first and code-sign after (on Windows the reverse is true). I'm not familiar with integrating this in electron-forge, but I know there have been some previous threads on the topic that might provide some hints if you get stuck.

@khwaaj
Copy link
Collaborator

khwaaj commented May 23, 2024

Closing due to inactivity.

@khwaaj khwaaj closed this as completed May 23, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@khwaaj @gligon101 @eXhumer