InvalidConfigurationError: Cannot find valid "3rd Party Mac Developer Installer" identity to sign MAS installer

Open goodhyun opened this issue 3 years ago • 15 comments

  • Electron-Builder Version: 22.14.11
  • Node Version: v17.2.0
  • Electron Version: 14.2.3
  • Electron Type (current, beta, nightly):
  • Target: mac/mas

It complains like that when you try to build a final mas pkg even if I have a valid identity in the keychain. It seems to have detected the certificate according to a debug message.

 7) F561~~C9 "3rd Party Mac Developer Installer: ~~ Inc. (~~~)"
     7 valid identities found

Just FYI, export CSC_LINK didn't help.

goodhyun avatar Dec 30 '21 23:12 goodhyun

As a stopgap measure, I commented out that portion of code in the node_modules/app-builder-lib/out/macPackager.js and just did productbuild manually

await this.doSign(signOptions);
        // https://github.com/electron-userland/electron-builder/issues/1196#issuecomment-312310209
        if (masOptions != null && !isDevelopment) {
            const certType = isDevelopment ? "Mac Developer" : "3rd Party Mac Developer Installer";
            const masInstallerIdentity = await macCodeSign_1.findIdentity(certType, masOptions.identity, keychainFile);
            // if (masInstallerIdentity == null) {
            //     throw new builder_util_1.InvalidConfigurationError(`Cannot find valid "${certType}" identity to sign MAS installer, please see https://electron.build/code-signing`);
            // }
            // // mas uploaded to AppStore, so, use "-" instead of space for name
            // const artifactName = this.expandArtifactNamePattern(masOptions, "pkg", arch);
            // const artifactPath = path.join(outDir, artifactName);
            // await this.doFlat(appPath, artifactPath, masInstallerIdentity, keychainFile);
            // await this.dispatchArtifactCreated(artifactPath, null, builder_util_1.Arch.x64, this.computeSafeArtifactName(artifactName, "pkg", arch, true, this.platformSpecificBuildOptions.defaultArch));
        }

goodhyun avatar Dec 31 '21 00:12 goodhyun

@goodhyun From your original snippet of the debug message, it looks like not only is it finding the identity you want but 6 other valid identities. Have you tried using the CSC_NAME environment variable to specify which of the 7 installed identities that you want it to use?

robertpatrick avatar Dec 31 '21 23:12 robertpatrick

Will the appropriate certificate be chosen automatically? What if I assign CSC_NAME to an identity that is only needed to sign a pkg? What happens with those needed for the actual code signing?

goodhyun avatar Jan 01 '22 02:01 goodhyun

@goodhyun good question. I haven’t had to deal with signing the installer since my projects are only using unsigned DMG installers. I think the automatic selection does the best that it can but, in my experience, if there is more than one possible identity with an appropriate “type”, it will fail rather than trying to guess.

Are you getting the actual files signed and notarized before you see this error or is it happening just trying to sign the code?

rpatrick00 avatar Jan 01 '22 03:01 rpatrick00

Code signing part is working well, the problem is the post-processing around pkg packaging, which is required for uploading onto mas.

Moreover, even if there are similar certificates in the keychain, the recent version seems to be using the first one, in my case.

goodhyun avatar Jan 01 '22 07:01 goodhyun

@goodhyun I am able to replicate the problem, though I am not sure that the application code signing is working properly. According to the Apple Developer Certificate Generation page, apps being uploaded to the AppStore should be signed with a Mac App Distribution certificate (i.e., a 3rd Party Mac Developer Application certificate).

[Screenshot: Screen Shot 2022-01-01 at 11 37 29 AM]

If I follow the call chain in macPackager.ts, it ends up calling doPack(), which in turn calls the packager.ts file's doPack() method, which calls this.signApp() (which is back in macPackager.ts). That method ends up calling sign() but passes null for all but the first argument. This causes the sign() method to call getCertificateTypes() with isMas set to false, which means that the certificate types returned is always ["Developer ID Application"]. According to the screenshot above, Developer ID Application certificates are used to sign the app for distribution outside the App Store.

After application signing is complete and doPack() returns, the sign() method is called again to sign the installer. Again, it calls the getCertificateTypes() method but this time isMas is true. However, the certificate types returned do not include Mac Installer Distribution (aka. 3rd Party Mac Developer Installer).

This method was updated several months back to fix the isMas = false case for my unsigned DMG-based installer. As you can see, the 3rd Party Mac Developer Application option was removed. However, simply adding it back isn't sufficient since that certificate type is for signing the app and, as shown above, the app is always signed with isMas=false currently.

@mmaietta I am not sure what the right solution is but it seems like we need to account for these MAS-related certificate types so that they can be used to sign the app and installer for a mas target.

robertpatrick avatar Jan 01 '22 18:01 robertpatrick

Thanks @robertpatrick for the investigation. The Developer ID thing looks like it has been a known problem for a while: https://github.com/electron-userland/electron-builder/issues/4960

It really signs twice for a MAS build, but it eventually signs using Apple Distribution or Apple Development. So, it creates a decent code-signed app, and it is no big deal for me. It works well up until then. You will have to productbuild on your own from there though.

goodhyun avatar Jan 02 '22 13:01 goodhyun

@goodhyun I think we should fix it so that it is able to run productbuild properly. I have a local environment where I have a build (invoking productbuild) working. Unfortunately, since I have no AppStore app to distribute, it is hard to verify if my changes produce a working pkg installer for uploading to the App Store.

In order to go any further, I need some way to verify the results. This probably means I need to go through all the steps to create a sample app that can be uploaded to the Mac App Store...

robertpatrick avatar Jan 03 '22 00:01 robertpatrick

Is this still relevant? If so, what is blocking it? Is there anything you can do to help move it forward?

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

stale[bot] avatar Apr 16 '22 14:04 stale[bot]

Yes, I believe this is still an issue.

robertpatrick avatar Apr 16 '22 14:04 robertpatrick

I have been tormented by this issue for hours. It all started when one or both of these things happened:

a) My app's "Developer ID Installer" expired ("easily" fixed)
b) I added "Apple Distribution" for a second organization, effectively making two available, and electron-builder was silently choosing the first

To troubleshoot I used the trusty: security find-identity -v

I've found a few ways to mitigate this issue:

  1. Move the second "Apple Distribution" cert and associated private-key into a dedicated Keychain. I just moved all of that team's signing-related certs/keys into the Keychain, and then LOCKED it.
  2. Remove any "-c.mac.identity=" for the mas build step, because defining it seems to cause other issues related to the same arch being built twice, or maybe it was something else. Regardless, specifying the identity breaks things.

I need to get a "F@%& CODE SIGNING" t-shirt made. This stuff is brutal.

semireg avatar Jan 06 '23 02:01 semireg
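
The situation described in the comment above (two "Apple Distribution" identities, and no usable installer identity) can be checked before a build. This is an added example, not code from the thread or from electron-builder: it audits the text printed by `security find-identity -v`. The sample output, the function names and the list of required types (taken from what commenters here report a mas build using) are assumptions.

```javascript
// Constructed sample of `security find-identity -v` output.
// Hashes, names and team IDs are made up for illustration.
const SAMPLE = `
  1) 1111111111111111111111111111111111111111 "Apple Development: Jane Doe (AAAAAAAAAA)"
  2) 2222222222222222222222222222222222222222 "Apple Distribution: Example One Inc. (TEAMONE111)"
  3) 3333333333333333333333333333333333333333 "Apple Distribution: Example Two LLC (TEAMTWO222)"
  4) 4444444444444444444444444444444444444444 "Developer ID Application: Example One Inc. (TEAMONE111)"
     4 valid identities found
`;

// Assumption from the thread: a mas build needs one identity to sign the app
// and one to sign the pkg installer.
const MAS_REQUIRED = ["Apple Distribution", "3rd Party Mac Developer Installer"];

// Parse lines of the form:  N) <40-hex SHA-1> "<type>: <name> (<team>)"
function parseIdentities(text) {
  const re = /^\s*\d+\)\s+([0-9A-F]{40})\s+"([^:"]+): (.+) \(([^()]+)\)"/gim;
  return [...text.matchAll(re)].map(([, sha1, type, name, team]) => ({
    sha1, type, name, team,
  }));
}

// Report required types that are absent, and required types with more than
// one candidate identity (the case where a tool has to pick one for you).
function auditMasIdentities(text, required = MAS_REQUIRED) {
  const byType = new Map();
  for (const id of parseIdentities(text)) {
    if (!byType.has(id.type)) byType.set(id.type, []);
    byType.get(id.type).push(id);
  }
  const missing = required.filter((t) => !byType.has(t));
  const ambiguous = required
    .filter((t) => (byType.get(t) || []).length > 1)
    .map((t) => ({ type: t, teams: byType.get(t).map((i) => i.team) }));
  return { missing, ambiguous, ok: missing.length === 0 && ambiguous.length === 0 };
}

// For the sample: the installer identity is missing and
// "Apple Distribution" is ambiguous across two teams.
console.log(JSON.stringify(auditMasIdentities(SAMPLE), null, 2));
```

To audit a real machine, pass the captured output of `security find-identity -v` to `auditMasIdentities` in place of `SAMPLE`.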

> I have been tormented by this issue for hours. It all started when one or both of these things happened:
>
> a) My app's "Developer ID Installer" expired ("easily" fixed)
> b) I added "Apple Distribution" for a second organization, effectively making two available, and electron-builder was silently choosing the first
>
> To troubleshoot I used the trusty: security find-identity -v
>
> I've found a few ways to mitigate this issue:
>
>   1. Move the second "Apple Distribution" cert and associated private-key into a dedicated Keychain. I just moved all of that team's signing-related certs/keys into the Keychain, and then LOCKED it.
>   2. Remove any "-c.mac.identity=" for the mas build step, because defining it seems to cause other issues related to the same arch being built twice, or maybe it was something else. Regardless, specifying the identity breaks things.
>
> I need to get a "F@%& CODE SIGNING" t-shirt made. This stuff is brutal.

I AGREE with you. This "F@%& CODE SIGNING" requirement is a silly trick of Apple to stop you making profit. They are arrogant to provide few instructions and rename the FXXKING certificates randomly.

JIACHENG135 avatar Feb 23 '23 09:02 JIACHENG135

> As a stopgap measure, I commented out that portion of code in the node_modules/app-builder-lib/out/macPackager.js and just did productbuild manually
>
> await this.doSign(signOptions);
>         // https://github.com/electron-userland/electron-builder/issues/1196#issuecomment-312310209
>         if (masOptions != null && !isDevelopment) {
>             const certType = isDevelopment ? "Mac Developer" : "3rd Party Mac Developer Installer";
>             const masInstallerIdentity = await macCodeSign_1.findIdentity(certType, masOptions.identity, keychainFile);
>             // if (masInstallerIdentity == null) {
>             //     throw new builder_util_1.InvalidConfigurationError(`Cannot find valid "${certType}" identity to sign MAS installer, please see https://electron.build/code-signing`);
>             // }
>             // // mas uploaded to AppStore, so, use "-" instead of space for name
>             // const artifactName = this.expandArtifactNamePattern(masOptions, "pkg", arch);
>             // const artifactPath = path.join(outDir, artifactName);
>             // await this.doFlat(appPath, artifactPath, masInstallerIdentity, keychainFile);
>             // await this.dispatchArtifactCreated(artifactPath, null, builder_util_1.Arch.x64, this.computeSafeArtifactName(artifactName, "pkg", arch, true, this.platformSpecificBuildOptions.defaultArch));
>         }

Based on this code snippet, which generates the error message, I found a way to solve this issue. We just need to select both the Apple Distribution and 3rd Party Mac Developer Installer certificates in the keychain, export them in a single p12 file, and then add it to our project; then everything works fine.

Andrewuetyang avatar Nov 11 '23 07:11 Andrewuetyang

Any news about fixing this issue? I am getting the same error.

tufik2 avatar Apr 09 '24 04:04 tufik2

I was able to successfully sign the MAS installer.

Here are the steps I followed, with the following mas config.

"mas": {
    "identity": "<name> (<TeamID>)"
}

  1. Create a Mac Installer Distribution
  2. Download the certificate
  3. Double tap to install the certificate in Keychain Access

That's it.

After that run electron-builder

dpatra avatar Apr 27 '24 00:04 dpatra