
unable to use keytar without disabling hardenedruntime setting

Open ruettenm opened this issue 5 years ago • 7 comments

Hi 👋

I'm trying to use your library to encrypt an access token used in my Electron app into the Mac keychain. I'm only using your library in the main process.

It works perfectly in dev mode, but when I try to use my packaged (and also signed) app I get the following exception.

When I comment out all the usages and the import of your library everything is fine again.

Do you understand what is going wrong here?

Best regards and thanks in advance Matthias

Uncaught Exception:
Error: dlopen(/var/folders/6z/2mcpzy7j55zgrgb0q546nlhr0000gn/T/.de.codecentric.ruettenm.mergeRequestNotifier.zIsKhv, 1): no suitable image found.  Did find:
	/var/folders/6z/2mcpzy7j55zgrgb0q546nlhr0000gn/T/.de.codecentric.ruettenm.mergeRequestNotifier.zIsKhv: code signature in (/var/folders/6z/2mcpzy7j55zgrgb0q546nlhr0000gn/T/.de.codecentric.ruettenm.mergeRequestNotifier.zIsKhv) not valid for use in process using Library Validation: mapped file has no cdhash, completely unsigned? Code has to be at least ad-hoc signed.
	/var/folders/6z/2mcpzy7j55zgrgb0q546nlhr0000gn/T/.de.codecentric.ruettenm.mergeRequestNotifier.zIsKhv: stat() failed with errno=17
    at process.func (electron/js2c/asar.js:140:31)
    at process.func [as dlopen] (electron/js2c/asar.js:140:31)
    at Object.Module._extensions..node (internal/modules/cjs/loader.js:922:18)
    at Object.func (electron/js2c/asar.js:140:31)
    at Object.func [as .node] (electron/js2c/asar.js:149:18)
    at Module.load (internal/modules/cjs/loader.js:735:32)
    at Module._load (internal/modules/cjs/loader.js:648:12)
    at Module._load (electron/js2c/asar.js:717:26)
    at Function.Module._load (electron/js2c/asar.js:717:26)
    at Module.require (internal/modules/cjs/loader.js:775:19)

ruettenm Jul 03 '20 13:07

@ruettenm can you tell me a bit more about your setup?

  • OS version
  • Electron version
  • version of keytar used
  • how the app is being signed
  • how you verify the signed app is correct

shiftkey Jul 03 '20 13:07

Thanks for the quick answer 👍

OS version: Catalina 10.15.5

Electron version: 7.3.1

version of keytar used: 6.0.1

how the app is being signed: electron builder (https://www.electron.build/code-signing)

how you verify the signed app is correct: There are no issues in my pipeline. When the signing and notarizing is working for mac you don't receive a security alert when you try to open the app.

This is my app: https://github.com/codecentric/merge-request-notifier

ruettenm Jul 03 '20 13:07

I just found this post here: https://github.com/google/or-tools/issues/1858

and a link to this one: https://github.com/electron-userland/electron-builder/issues/3940#issuecomment-501702531

The suggested solution/workaround seems to work 🙌

So it looks like your library is not signed and/or notarized and in this case it's a problem when using it inside a signed and notarized app.

So I added this configuration (*.plist file)

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
  </dict>
</plist>

and configured it in my package.json

"build": {
   "mac": {
      [...],
      "entitlements": "build/entitlements.mac.plist",
      "entitlementsInherit": "build/entitlements.mac.plist"
   },
},

and now it's working 🎉

ruettenm Jul 03 '20 14:07

So it looks like your library is not signed and/or notarized and in this case it's a problem when using it inside a signed and notarized app.

The keytar library itself is not signed because of how macOS works. From this resource (emphasis mine):

Typically, the Hardened Runtime’s library validation prevents an app from loading frameworks, plug-ins, or libraries unless they’re either signed by Apple or signed with the same team ID as the app.

Adding this new entitlement goes against the Hardened Runtime setting you have previously set, so I'm not sure that's the whole solution. electron-builder should handle signing the native node modules you use in your project, and this workaround feels like it might introduce other problems if users are concerned about Library Validation. I skimmed the repository but couldn't spot anything obviously off about it, but I am very rusty on electron-builder.

shiftkey Jul 03 '20 14:07

I'm also only a user of electron-builder and don't have any insights, but I just found this issue, which initially requested the option to set the "hardening".

https://github.com/electron-userland/electron-builder/issues/3383

In the issue you'll find a screenshot from Xcode, and to me it looks like this is an official option you have when using the hardening feature.

[screenshot]

ruettenm Jul 03 '20 15:07

Same issue here. When setting <key>com.apple.security.cs.disable-library-validation</key> as suggested above, this works only when building, signing and notarizing for Mac for distribution outside the Mac App Store (with electron-builder).

However, for the Mac App Store (MAS), I assume hardenedRuntime needs to be set to 'false', resulting in errors when the app is started. I haven't found a working configuration for a build with node-keytar for the MAS.

vanhumbeecka Sep 28 '20 14:09

In package.json, set mas: {"asarUnpack": ["**/*.node"], ...others}; .node files cannot be packed into the asar.

replace5 Dec 14 '20 13:12
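The thread ends with two different fixes for the same dlopen failure: the disable-library-validation entitlement (the workaround above), and unpacking the .node files from the asar so they are signed as part of the bundle (the last comment). Library Validation, part of the Hardened Runtime, lets a process load a library only if it is signed by Apple or with the process's own Team ID; the temp path in the trace is where Electron's asar shim (electron/js2c/asar.js) writes a packed .node before dlopen, and codesign never signs Mach-O files stored inside app.asar because the archive is one opaque file to it. The script below is an added example, not code from keytar, Electron or electron-builder: it classifies a `codesign -dvv` report for a module, checks an entitlements plist for the weakening key, and decides whether the module will load under Library Validation. The report texts and the Team ID ABCDE12345 are constructed samples, and `audit_app` (which needs a macOS host with `codesign`) is an assumed helper that runs the same checks over every .node file in a real bundle.

```shell
#!/bin/sh
# Added example (not keytar/Electron/electron-builder code). Classifies what macOS
# Library Validation will see for a native .node module in a hardened Electron app.
# Report formats are those of `codesign -dvv <file> 2>&1`; samples below are constructed.

# classify_codesign FILE  -- prints: unsigned | adhoc | signed:<TeamID>
classify_codesign() {
  if grep -q 'code object is not signed at all' "$1"; then
    echo unsigned; return 0
  fi
  team=$(sed -n 's/^TeamIdentifier=//p' "$1" | head -n 1)
  if grep -q '^Signature=adhoc' "$1" || [ -z "$team" ] || [ "$team" = "not set" ]; then
    echo adhoc; return 0
  fi
  echo "signed:$team"
}

# has_hardened_runtime FILE -- true when the CodeDirectory flags include "runtime".
has_hardened_runtime() {
  grep -q '^CodeDirectory .*flags=0x[0-9a-f]*(.*runtime' "$1"
}

# disables_library_validation PLIST -- true when the entitlements file sets the
# com.apple.security.cs.disable-library-validation key to <true/>.
disables_library_validation() {
  tr -d ' \n\t' < "$1" |
    grep -q '<key>com.apple.security.cs.disable-library-validation</key><true/>'
}

# module_loads APP_TEAM MODULE_REPORT ENTITLEMENTS_PLIST
# Exit 0 if the module loads under Library Validation: either it carries the app's
# Team ID, or validation is disabled by entitlement (reported as a weakening).
module_loads() {
  app_team=$1; report=$2; plist=$3
  state=$(classify_codesign "$report")
  case "$state" in
    "signed:$app_team") echo "ok: module signed with app Team ID $app_team"; return 0 ;;
  esac
  if disables_library_validation "$plist"; then
    echo "WARNING: module is $state; loads only because library validation is disabled"
    return 0
  fi
  echo "FAIL: module is $state and library validation is enforced"
  return 1
}

# audit_app APP.app ENTITLEMENTS_PLIST -- macOS only (needs codesign): check every
# .node file on disk in the bundle. Files still inside app.asar are not found here,
# which is exactly why they are never signed; unpack them with asarUnpack.
audit_app() {
  app_team=$(codesign -dvv "$1" 2>&1 | sed -n 's/^TeamIdentifier=//p' | head -n 1)
  find "$1/Contents/Resources" -name '*.node' | while read -r mod; do
    rep=$(mktemp); codesign -dvv "$mod" > "$rep" 2>&1
    printf '%s: ' "$mod"; module_loads "$app_team" "$rep" "$2" || true
    rm -f "$rep"
  done
}

# write_samples DIR -- constructed sample reports and a plist without the weakening key.
write_samples() {
  cat > "$1/unsigned.txt" <<'EOF'
keytar.node: code object is not signed at all
EOF
  cat > "$1/adhoc.txt" <<'EOF'
Executable=/Applications/Example.app/Contents/Resources/app.asar.unpacked/node_modules/keytar/build/Release/keytar.node
Identifier=keytar
CodeDirectory v=20400 size=1234 flags=0x2(adhoc) hashes=30+2 location=embedded
Signature=adhoc
TeamIdentifier=not set
EOF
  cat > "$1/teamsigned.txt" <<'EOF'
Executable=/Applications/Example.app/Contents/Resources/app.asar.unpacked/node_modules/keytar/build/Release/keytar.node
Identifier=keytar
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+2 location=embedded
Signature size=8980
Authority=Developer ID Application: Example Corp (ABCDE12345)
TeamIdentifier=ABCDE12345
EOF
  cat > "$1/entitlements.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
  <true/>
</dict>
</plist>
EOF
}

# Demo on the constructed samples: only the team-signed module passes without the entitlement.
dir=$(mktemp -d)
write_samples "$dir"
for r in unsigned adhoc teamsigned; do
  printf '%s -> ' "$r"; module_loads ABCDE12345 "$dir/$r.txt" "$dir/entitlements.plist" || true
done
rm -rf "$dir"
```

Run `audit_app /path/to/Your.app build/entitlements.mac.plist` on the notarized build: every .node line should read "ok", and a WARNING line means the app only works because the entitlement from the workaround is switching Library Validation off rather than because the module is signed with your Team ID.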