universal icon indicating copy to clipboard operation
universal copied to clipboard

Published 20 hours ago verified publisher icon electron

Codesign fail after universal

Open StephenKe opened this issue 3 years ago • 12 comments

Modified Plist lead to fail when use electron-osx-sign to Codesign universal app: invalid Info.plist (plist or signature have been modified)

Error: Command failed: codesign --verify --deep --verbose=2 ./bst3.app
--prepared:/universal/bst3.app/Contents/Frameworks/bst3 Helper (Renderer).app
--validated:/universal/bst3.app/Contents/Frameworks/bst3 Helper (Renderer).app
--prepared:/universal/bst3.app/Contents/Frameworks/zAutoUpdate.bundle
--validated:/universal/bst3.app/Contents/Frameworks/zAutoUpdate.bundle
--prepared:/universal/bst3.app/Contents/Frameworks/bst3 Helper (Plugin).app
--validated:/universal/bst3.app/Contents/Frameworks/bst3 Helper (Plugin).app
--prepared:/universal/bst3.app/Contents/Frameworks/protobuf.framework/Versions/Current/.
--validated:/universal/bst3.app/Contents/Frameworks/protobuf.framework/Versions/Current/.
--prepared:/universal/bst3.app/Contents/Frameworks/viperex.bundle
--validated:/universal/bst3.app/Contents/Frameworks/viperex.bundle
./bst3.app: invalid Info.plist (plist or signature have been modified)
In subcomponent: /universal/bst3.app/Contents/Frameworks/zSDKRes.bundle

    at ChildProcess.exithandler (child_process.js:303:12)
    at ChildProcess.emit (events.js:315:20)
    at maybeClose (internal/child_process.js:1021:16)
    at Process.ChildProcess._handle.onexit (internal/child_process.js:286:5) {
  killed: false,
  code: 1,
  signal: null,
  cmd: 'codesign --verify --deep --verbose=2 ./bst3.app'
}

After I removed the following code.It worked.

        const plistFiles = x64Files.filter((f) => f.type === file_utils_1.AppFileType.INFO_PLIST);
        for (const plistFile of plistFiles) {
            const x64PlistPath = path.resolve(opts.x64AppPath, plistFile.relativePath);
            const arm64PlistPath = path.resolve(opts.arm64AppPath, plistFile.relativePath);
            const _a = plist.parse(await fs.readFile(x64PlistPath, 'utf8')), { ElectronAsarIntegrity: x64Integrity } = _a, x64Plist = __rest(_a, ["ElectronAsarIntegrity"]);
            const _b = plist.parse(await fs.readFile(arm64PlistPath, 'utf8')), { ElectronAsarIntegrity: arm64Integrity } = _b, arm64Plist = __rest(_b, ["ElectronAsarIntegrity"]);
            if (JSON.stringify(x64Plist) !== JSON.stringify(arm64Plist)) {
                throw new Error(`Expected all Info.plist files to be identical when ignoring integrity when creating a universal build but "${plistFile.relativePath}" was not`);
            }
            const mergedPlist = Object.assign(Object.assign({}, x64Plist), { ElectronAsarIntegrity: generatedIntegrity });
            await fs.writeFile(path.resolve(tmpApp, plistFile.relativePath), plist.build(mergedPlist));
        }

StephenKe avatar Feb 10 '22 02:02 StephenKe

Do you sign the x64/arm64 bundles before merging them?

indutny-signal avatar Mar 03 '22 20:03 indutny-signal

Do you sign the x64/arm64 bundles before merging them?

Yes.My x64/arm64 app build on electron-builder and it can not skip codesign.

StephenKe avatar Mar 04 '22 02:03 StephenKe

Usually electron-builder builds two separate copies of x64/arm64 builds before merging them and they are not signed unlike regular arm64/x64 builds.

indutny-signal avatar Mar 04 '22 02:03 indutny-signal

Em...My project includes both electron-builder and @electron-universal.Have any good idea to universal app after electron-builder builded?(respect~)

StephenKe avatar Mar 04 '22 02:03 StephenKe

We just use universal arch here: https://github.com/signalapp/Signal-Desktop/blob/development/package.json#L339-L341

indutny-signal avatar Mar 04 '22 02:03 indutny-signal

I tried and it went wrong: We use zoom-electron-sdk + [email protected] + [email protected]. universal arch can not match zoom-electron-sdk due to [email protected] have no --arch=universal.So I use electron-builder to build x64/arm64 on [email protected] --arch=x64/arm64.And use @electron-universal to universal x64/arm64 manually.

StephenKe avatar Mar 04 '22 03:03 StephenKe

Ah, interesting. So you build two separate builds and then merge them with the help of universal. In this case, you should try merging them before signing and sign the universal binary separately.

indutny-signal avatar Mar 04 '22 04:03 indutny-signal

'you should try merging them before signing'. That's the problem: It seems like electron-builder not provided a configuration to skip signing process.

StephenKe avatar Mar 04 '22 04:03 StephenKe

I see. I suggest we move over to electron-builder issues with regards to this. There has to be a way to avoid signing in such situations, but surely it has nothing to do with @electron/universal!

indutny-signal avatar Mar 04 '22 04:03 indutny-signal

I see. I suggest we move over to electron-builder issues with regards to this. There has to be a way to avoid signing in such situations, but surely it has nothing to do with @electron/universal!

Good idea ^ 0 ^ Already submit an issue to electron-builder.

StephenKe avatar Mar 04 '22 05:03 StephenKe

I make it work like this:

  1. electron-builder build x64/arm64
  2. remove x64/arm64 all _CodeSignature/CodeResources in Contents/**
  3. remove mergedPlist code in electron-universal
  4. add code in electron-universal Don’t lipo binaries that are already a universal file or the same arch.Don’t lipo binaries add zoom-electron-sdk relevant file.
  5. run electron-universal and it work

StephenKe avatar Mar 04 '22 06:03 StephenKe

If it possible that electron-universal remove _CodeSignature before merge? @indutny-signal

StephenKe avatar Mar 04 '22 06:03 StephenKe

Should be closed in #72

erickzhao avatar Jun 12 '24 20:06 erickzhao