macOS Hardened Runtime Fails - $250 Bounty #4693
Comments
|
did you try with one of the boilerplates? https://www.electron.build/#boilerplates |
|
Thanks, but the point is that our app was working like a charm on macOS, with code signing, notarisation and all. It was hardening that killed it. Going back to square one with a boilerplate won't make our application work, sadly. |
|
Yes, you're right. But, how do you want to solve your problem without testing step by step? If the app was working fine before February, the problem can be caused by hardened runtime. I would recommend to delete all your business code first (is not a joke!). Make sure your app looks like a boilerplate and try to build with hardenedRuntime=true. If your "boilerplate" app will start and work, add your business code step by step back and test when the build fails. If you already tried everything, this could be the only way to to go... |
|
Finally solved. In depth description here: |
Version: electron-updater 4.2.0
macOS SDK: 10.15 (verified using
xcodebuild -showsdks)We have a project that was working perfectly on macOS, signed and notarised, using the above technologies. Since we are not releasing via MAS, just on Mac, we didn't need sandboxing or hardening.
Then Apple decreed we needed to do hardened runtime just to get signed and notarised from February. This was turned on using the below configurations. We do not need sandboxing, just the hardened runtime. The signing and notarising still works fine.
But despite trying dozens of entitlement variations, nothing is working. Electron never appears, and the crash dump shows it gets as far as starting V8, and then a memory problem occurs, according to Apple support. We have tested out the end result on macOS using Taccy which has confirmed that changes to the entitlements file do get through to the signed software on the Mac.
There are two curious points. One is a side issue of no great importance, that Taccy insists the camera and microphone are needed, which they aren't. This doesn't seem to be due to a dependency, because even with no code and no dependencies, this is requested. Is it something inside electron / electron-builder / electron-updater? This isn't the big point though.
More importantly, our build machine is 10.15, but looking at Taccy shows that it claims that our app has been built with macOS SDK10.13 which of course may not be modern enough. Apple states we should be using a build machine with macOS 10.13.6 (High Sierra), and its SDK might well be only 10.13. But given that the build machine is using 10.15, as verified using
xcodebuild -showsdksat build time, where is Taccy getting the 10.13 information? Is there something in electron-builder or electron-updater that is using an old SDK? Or is Taccy wrong?This problem affects us even when we strip out all of our code! An empty page saying 'hello' in Electron fails. With or without entitlementsInherit, with some or all hardened runtime entitlements, and even with some sandboxing ones thrown in (to provide the microphone entitlement). No variation works.
If you can solve this, we'll donate $250!
Main config
Entitlements
The text was updated successfully, but these errors were encountered: