“Cypress” can’t be opened because Apple cannot check it for malicious software. #5791

Closed
MargaretZhao opened this issue Nov 26, 2019 · 17 comments · Fixed by #6013

Comments

@MargaretZhao

I try to open this after download and I see this message on mac.

“Cypress” can’t be opened because Apple cannot check it for malicious software.

This software needs to be updated. Contact the developer for more information.

Firefox downloaded this file today at 1:28 PM from docs.cypress.io.


Current behavior:

“Cypress” can’t be opened because Apple cannot check it for malicious software.

This software needs to be updated. Contact the developer for more information.

Firefox downloaded this file today at 1:28 PM from docs.cypress.io.

Desired behavior:

able to open and use after download

Steps to reproduce: (app code and test code)

  1. download from here
    https://download.cypress.io/desktop

  2. open after download

Versions

firefox 68.2.0esr(64-bit)
mac os catalina 10.15

@cypress-bot cypress-bot bot added the stage: needs investigating Someone from Cypress needs to look at this label Nov 27, 2019
@Verdagio

If you go to System Preferences > Security & Privacy it should ask you if you want to allow it to run.


@jennifer-shehane
Member

jennifer-shehane commented Dec 2, 2019

Yes, this will require the workaround as described by @Verdagio for now.

This is a notification automatically sent starting in macOS Catalina. It means that the Cypress App has not undergone the process of notarization which Apple offers - basically they scan the application and verify it contains no malicious components.

We are currently in the process of evaluating what is required to notarize the Cypress application so that this warning will no longer appear on downloads.

We are confident the application will pass the notarization process, but have to go through some steps to get there first: https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution

Current workaround

As described by @Verdagio, you can download Cypress by allowing its download in your Security & Privacy settings. #5791 (comment)

@bahmutov bahmutov self-assigned this Dec 2, 2019
@bahmutov
Contributor

bahmutov commented Dec 4, 2019

Resources:

Add a Notarization Step to Your Build Scripts
If you use an automated build system, you can integrate the notarization process into your existing build scripts. The altool and stapler command-line tools (included with Xcode) allow you to upload your software to the Apple notary service, and to staple the resulting ticket to your executable.

For information about how to incorporate notarization into your custom build scripts, see Customizing the Notarization Workflow.

https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution/customizing_the_notarization_workflow

@bahmutov
Contributor

bahmutov commented Dec 4, 2019

@bahmutov
Contributor

bahmutov commented Dec 4, 2019

Hmm, electron-builder has removed the build script (electron-userland/electron-builder@bea9db9), so we need to upgrade step by step. Also need the latest builder for Electron 7.

@bahmutov
Contributor

bahmutov commented Dec 4, 2019

hmm, upgrading electron-builder has to go hand in hand with electron upgrade

11:40:34 AM #codeSign /Users/distiller/cypress/build/darwin/Cypress.app darwin
  • electron-builder version=21.0.2
  • loaded configuration file=/Users/distiller/cypress/electron-builder.json
  • effective config config=
                       directories:
                         output: dist
                         buildResources: build
                       mac:
                         forceCodeSigning: true
                         publish: null
                         target: zip
                       
Cannot compute electron version from installed node modules - none of the possible electron modules are installed.
See https://github.com/electron-userland/electron-builder/issues/3984#issuecomment-504968246

@bahmutov
Contributor

bahmutov commented Dec 4, 2019

Testing electron-builder versions in branch electron-upgrade #5849

  • 20.41.0 works
  • 20.41.0 with hardened os setting works
  • 20.44.4 does not work - it does not sign, just skips code sign step completely

#build
6:16:29 PM #codeSign /Users/gleb/git/cypress/build/darwin/Cypress.app darwin
  • electron-builder version=20.44.4
  • loaded configuration file=/Users/gleb/git/cypress/electron-builder.json
  • writing effective config file=dist/builder-effective-config.yaml
  • building        target=macOS zip arch=x64 file=dist/Cypress-3.7.0-mac.zip
  • building embedded block map file=dist/Cypress-3.7.0-mac.zip
6:17:38 PM #verifyAppCanOpen /Users/gleb/git/cypress/build/darwin/Cypress.app darwin
/Users/gleb/git/cypress/build/darwin/Cypress.app: rejected
source=no usable signature
🔥 deploy error
Error: Verifying App via GateKeeper failed

but in 20.41.0 it shows the following (notice signing step is missing)

#build
6:31:57 PM #codeSign /Users/gleb/git/cypress/build/darwin/Cypress.app darwin
  • electron-builder version=20.41.0
  • loaded configuration file=/Users/gleb/git/cypress/electron-builder.json
  • writing effective config file=dist/builder-effective-config.yaml
  • signing         file=build/darwin/Cypress.app identityName=Developer ID Application: Brian Mann (HBY9248HZY) identityHash=67591F94D95F86820F07DE764BAB39F4D95470DD provisioningProfile=none
  • building        target=macOS zip arch=x64 file=dist/Cypress-3.7.0-mac.zip
  • building embedded block map file=dist/Cypress-3.7.0-mac.zip
6:33:57 PM #verifyAppCanOpen /Users/gleb/git/cypress/build/darwin/Cypress.app darwin
/Users/gleb/git/cypress/build/darwin/Cypress.app: accepted
source=Developer ID

@bahmutov
Contributor

bahmutov commented Dec 6, 2019

working on it - seems between 20.41.0 and 20.42.0 this PR has changed the sign step electron-userland/electron-builder#3912

@bahmutov
Contributor

bahmutov commented Dec 9, 2019

20.41.0 signs the app and Taccy shows the following

Screen Shot 2019-12-09 at 4 12 00 PM

@bahmutov
Contributor

bahmutov commented Dec 9, 2019

ughh, seems we have a weird situation:

  • we use electron-packager to actually build the application, but we do not sign it - because electron-packager does not know how to extract Mac identity from env variables and put into a temporary unlocked keychain
  • newer versions of electron-builder that DO KNOW how to work with Mac code sign do not sign a packaged app ...

Options to electron-packager that we use via its NPM API

{"dir":"/Users/gleb/git/cypress/dist/darwin","dist":"/Users/gleb/git/cypress/build/darwin","platform":"darwin","appVersion":"3.8.0","osxSign":true,"out":"tmp","name":"Cypress","arch":"x64","asar":false,"prune":true,"overwrite":true,"electronVersion":"7.1.2","icon":"/Users/gleb/git/cypress/packages/electron/node_modules/@cypress/icons/dist/icons/cypress"}

I wonder if I can plug in electron-builder here instead and add code sign option

@bahmutov
Contributor

bahmutov commented Dec 9, 2019

Trying to use electron-builder to pack and build our app

$ as-a codesign ./node_modules/.bin/electron-builder --publish never --c.electronVersion=7.1.2 --c.directories.app=dist/darwin --c.directories.output=build/darwin --c.npmRebuild=false --c.electronCompile=false --c.electronDist=packages/electron/node_modules/electron/dist/

Right now failing with a weird error

  • packaging       platform=darwin arch=x64 electron=7.1.2 appOutDir=build/darwin/mac
  • copying Electron source=/Users/gleb/git/cypress/packages/electron/node_modules/electron/dist/Electron.app destination=/Users/gleb/git/cypress/build/darwin/mac/Electron.app
  • copying         src=/Users/gleb/git/cypress/packages/electron/node_modules/electron/dist/Electron.app destination=/Users/gleb/git/cypress/build/darwin/mac/Electron.app
  • async task error error=ENOENT: no such file or directory, stat '/var/folders/bf/cgb7wvb905q3n6hgtjc1lqrm0000gn/T/.com.microsoft.edgemac.Canary.luXzue/SingletonSocket'
Error: ENOENT: no such file or directory, stat '/var/folders/bf/cgb7wvb905q3n6hgtjc1lqrm0000gn/T/.com.microsoft.edgemac.Canary.luXzue/SingletonSocket'
    at AppFileWalker.handleSymlink (/Users/gleb/git/cypress/node_modules/app-builder-lib/src/util/AppFileWalker.ts:39:14)
    at /Users/gleb/git/cypress/node_modules/app-builder-lib/src/util/AppFileWalker.ts:30:21

printing links and targets

link is ../../../../Library/Application Support/Cypress/cy
parent is /Users/gleb/git/cypress/dist/darwin/packages/server
resolvedLinkTarget /Users/gleb/Library/Application Support/Cypress/cy
link is ../../../../../../var/folders/bf/cgb7wvb905q3n6hgtjc1lqrm0000gn/T/.com.microsoft.edgemac.Canary.luXzue/SingletonSocket
parent is /Users/gleb/git/cypress/dist/darwin/packages/server/.cy/development/browsers/Edge Beta/interactive
resolvedLinkTarget /var/folders/bf/cgb7wvb905q3n6hgtjc1lqrm0000gn/T/.com.microsoft.edgemac.Canary.luXzue/SingletonSocket
  • async task error error=ENOENT: no such file or directory, stat '/var/folders/bf/cgb7wvb905q3n6hgtjc1lqrm0000gn/T/.com.microsoft.edgemac.Canary.luXzue/SingletonSocket'

Probably related to the link we add to the server package

$ ls -la dist/darwin/packages/server/
total 720
drwxr-xr-x    9 gleb  staff     288 Dec  9 17:20 .
drwxr-xr-x   20 gleb  staff     640 Dec  9 17:18 ..
lrwxr-xr-x    1 gleb  staff      50 Dec  9 17:20 .cy -> /Users/gleb/Library/Application Support/Cypress/cy
drwxr-xr-x    3 gleb  staff      96 Dec  9 17:18 config
-rw-r--r--    1 gleb  staff    1056 Dec  9 17:20 index.js
drwxr-xr-x   47 gleb  staff    1504 Dec  9 17:20 lib
drwxr-xr-x  710 gleb  staff   22720 Dec  9 17:19 node_modules
-rw-r--r--    1 gleb  staff  352260 Dec  9 17:19 package-lock.json
-rw-r--r--    1 gleb  staff    4888 Dec  9 17:19 package.json
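
An added example, not part of the original comment or the Cypress build scripts: a pre-packaging check in Node that flags symlinks like the `.cy` link above, which led the packager out of the app directory and into a dangling target. `auditSymlinks` and `demo` are hypothetical names, and the sample tree is constructed.

```javascript
const fs = require('fs')
const os = require('os')
const path = require('path')

// Walk `root` without following symlinks and report every link that cannot
// be resolved or whose real target lies outside `root`.
function auditSymlinks (root) {
  const realRoot = fs.realpathSync(root)
  const findings = []
  const walk = (dir) => {
    for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
      const full = path.join(dir, entry.name)
      if (entry.isDirectory()) { walk(full); continue }
      if (!entry.isSymbolicLink()) continue
      let real = null
      try { real = fs.realpathSync(full) } catch (err) { /* dangling or looping link */ }
      const inside = real !== null &&
        (real === realRoot || real.startsWith(realRoot + path.sep))
      if (inside) continue
      findings.push({
        link: path.relative(root, full),
        target: path.resolve(dir, fs.readlinkSync(full)),
        reason: real === null ? 'unresolvable' : 'escapes-bundle',
      })
    }
  }
  walk(root)
  return findings
}

// Constructed sample tree mirroring the layout in the thread: a `.cy` link
// that leaves the app directory, a dangling link, and one harmless internal link.
function demo () {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'app-'))
  const outside = fs.mkdtempSync(path.join(os.tmpdir(), 'userdata-'))
  const server = path.join(root, 'packages', 'server')
  fs.mkdirSync(path.join(server, 'lib'), { recursive: true })
  fs.symlinkSync(outside, path.join(server, '.cy'))
  fs.symlinkSync('lib', path.join(server, 'current'))
  fs.symlinkSync('/nonexistent/SingletonSocket', path.join(root, 'packages', 'stale'))
  const findings = auditSymlinks(root)
  for (const dir of [root, outside]) fs.rmSync(dir, { recursive: true, force: true })
  return findings
}

console.log(demo())
```
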

@bahmutov
Contributor

bahmutov commented Dec 9, 2019

Removed that link with rm dist/darwin/packages/server/.cy and built the signed app

$ codesign --verify --deep --strict --verbose=2 build/darwin/mac/Cypress.app
...
build/darwin/mac/Cypress.app: valid on disk
build/darwin/mac/Cypress.app: satisfies its Designated Requirement
$ spctl --assess --verbose build/darwin/mac/Cypress.app/
build/darwin/mac/Cypress.app/: accepted
source=Developer ID

Taccy shows
Screen Shot 2019-12-09 at 6 10 50 PM
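
An added example, not from the original comment or the Cypress repository: a release gate in Node that parses `spctl --assess --verbose` output like the logs above and blocks anything that is not notarized, since the thread attributes the Catalina dialog to missing notarization rather than a missing signature. `parseAssessment` and `releaseBlockers` are hypothetical names; the `Notarized Developer ID` source string is what spctl prints for a notarized app and does not appear in this thread.

```javascript
// Parse the text printed by `spctl --assess --verbose <app>`.
// Expected shape, as in the build logs in this thread:
//   <path>: accepted|rejected
//   source=<origin>
function parseAssessment (output) {
  const verdict = /^(.*): (accepted|rejected)\s*$/m.exec(output)
  const source = /^source=(.+?)\s*$/m.exec(output)
  if (!verdict) {
    throw new Error(`unrecognised spctl output: ${JSON.stringify(output)}`)
  }
  return {
    app: verdict[1],
    accepted: verdict[2] === 'accepted',
    source: source ? source[1] : null,
  }
}

// Release gate: a Developer ID signature without notarization is not enough
// to ship, so only a notarized, accepted assessment returns no blockers.
function releaseBlockers (output) {
  const a = parseAssessment(output)
  const blockers = []
  if (!a.accepted) blockers.push(`Gatekeeper rejected the app (source=${a.source})`)
  if (a.source !== 'Notarized Developer ID') blockers.push('signature is not notarized')
  return blockers
}

// Constructed samples: the first two reuse the verdict lines from the logs in
// this thread; the third is the assumed output for a notarized build.
const SAMPLES = {
  unsigned: 'build/darwin/Cypress.app: rejected\nsource=no usable signature\n',
  signedOnly: 'build/darwin/mac/Cypress.app/: accepted\nsource=Developer ID\n',
  notarized: 'build/darwin/mac/Cypress.app/: accepted\nsource=Notarized Developer ID\n',
}

for (const [name, text] of Object.entries(SAMPLES)) {
  const blockers = releaseBlockers(text)
  console.log(name, blockers.length ? blockers : 'ok to ship')
}
```
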

@bahmutov
Contributor

bahmutov commented Dec 9, 2019

Next step - add notarization via electron-builder

@cypress-bot cypress-bot bot added stage: investigating Someone from Cypress is looking into this and removed stage: needs investigating Someone from Cypress needs to look at this labels Dec 10, 2019
@bahmutov
Contributor

Here is the command where we pass electron version and icons

./node_modules/.bin/electron-builder \
  --publish never --c.electronVersion=7.1.2 \
  --c.directories.app=dist/darwin \
  --c.directories.output=build \
  --c.npmRebuild=false \
  --c.electronCompile=false \
  --c.electronDist=packages/electron/node_modules/electron/dist/ \
  --c.icon=dist/darwin/packages/electron/node_modules/\@cypress/icons/dist/icons/cypress

@bahmutov
Contributor

bahmutov commented Dec 10, 2019

hmm, the app that electron-builder produces in this case crashes not being able to find production dependencies from packages/server

Screen Shot 2019-12-10 at 2 15 32 PM

Hmm, when doing --asar=false then I can see in build/mac/Cypress.app/Contents/Resources/app/ individual code, but no node_modules folders

@cypress-bot cypress-bot bot added stage: work in progress and removed stage: investigating Someone from Cypress is looking into this labels Dec 19, 2019
@cypress-bot cypress-bot bot added stage: needs review The PR code is done & tested, needs review and removed stage: work in progress labels Jan 8, 2020
@cypress-bot cypress-bot bot added stage: work in progress and removed stage: needs review The PR code is done & tested, needs review labels Jan 24, 2020
@cypress-bot cypress-bot bot added stage: needs review The PR code is done & tested, needs review and removed stage: work in progress labels Mar 6, 2020
@cypress-bot
Contributor

cypress-bot bot commented Mar 25, 2020

The code for this is done in cypress-io/cypress#6013, but has yet to be released.
We'll update this issue and reference the changelog when it's released.

@cypress-bot cypress-bot bot added stage: pending release and removed stage: needs review The PR code is done & tested, needs review labels Mar 25, 2020
@cypress-bot
Contributor

cypress-bot bot commented Mar 30, 2020

Released in 4.3.0.

This comment thread has been locked. If you are still experiencing this issue after upgrading to
Cypress v4.3.0, please open a new issue.

@cypress-bot cypress-bot bot locked as resolved and limited conversation to collaborators Mar 30, 2020