After successful signing, notarization, and stapling Mac still refuses to verify the app ("... was blocked from use because it was not from an identified developer")

[davidmurdoch]

I've been trying to get this to work for a week but can't seem to appease Apple. This is probably not even an issue with @electron/notarize, but I'm at my wits ends here and don't know what else to do.

Anyone able to point me in the right direction or suggest possible reasons?

Full logs are here: https://github.com/trufflesuite/ganache-ui/actions/runs/6054222144/job/16431228939#step:11:4484

Code that runs electron notarize: https://github.com/trufflesuite/ganache-ui/blob/chore/github_actions/scripts/build/afterSignHook.js

@electron/notarize DEBUG logs:

signing         file=dist/mac/Ganache.app identityName=Developer ID Application: ConsenSys AG (***) identityHash=C927DD3B556DC334E4573E643FB6F2F142E5FC5F provisioningProfile=none
afterSign hook triggered {
  appOutDir: '/Users/runner/work/ganache-ui/ganache-ui/dist/mac',
  outDir: '/Users/runner/work/ganache-ui/ganache-ui/dist',
  arch: 1,
  targets: [
    ArchiveTarget {
      name: 'zip',
      isAsyncSupported: true,
      outDir: '/Users/runner/work/ganache-ui/ganache-ui/dist',
      packager: [MacPackager],
      isWriteUpdateInfo: true,
      options: undefined
    },
    DmgTarget {
      name: 'dmg',
      isAsyncSupported: true,
      packager: [MacPackager],
      outDir: '/Users/runner/work/ganache-ui/ganache-ui/dist',
      options: [Object]
    }
  ],
  packager: MacPackager {
    info: Packager {
      cancellationToken: [CancellationToken],
      _metadata: [Object],
      _nodeModulesHandledExternally: false,
      _isPrepackedAppAsar: false,
      _devMetadata: [Object],
      _configuration: [Object],
      isTwoPackageJsonProjectLayoutUsed: false,
      eventEmitter: [EventEmitter],
      _appInfo: [AppInfo],
      tempDirManager: [TmpDir],
      _repositoryInfo: [Lazy],
      afterPackHandlers: [Array],
      debugLogger: [DebugLogger],
      nodeDependencyInfo: [Map],
      stageDirPathCustomizer: [Function (anonymous)],
      _buildResourcesDir: '/Users/runner/work/ganache-ui/ganache-ui/build',
      _framework: [ElectronFramework],
      toDispose: [Array],
      projectDir: '/Users/runner/work/ganache-ui/ganache-ui',
      _appDir: '/Users/runner/work/ganache-ui/ganache-ui',
      options: [Object]
    },
    platform: Platform {
      name: 'mac',
      buildConfigurationKey: 'mac',
      nodeName: 'darwin'
    },
    _resourceList: Lazy { _value: [Promise], creator: null },
    platformSpecificBuildOptions: {
      icon: 'static/icons/mac/icon.icns',
      hardenedRuntime: true,
      entitlements: './build/dmg/entitlements.mac.inherit.plist',
      category: 'public.app-category.developer-tools'
    },
    appInfo: AppInfo {
      info: [Packager],
      platformSpecificOptions: [Object],
      description: 'Personal Blockchain for Ethereum',
      version: '2.7.2',
      buildNumber: undefined,
      buildVersion: '2.7.2',
      productName: 'Ganache',
      sanitizedProductName: 'Ganache',
      productFilename: 'Ganache'
    },
    codeSigningInfo: Lazy { _value: [Promise], creator: null },
    _iconPath: Lazy { _value: [Promise], creator: null }
  },
  electronPlatformName: 'darwin'
}
Notarizing org.trufflesuite.ganache found at /Users/runner/work/ganache-ui/ganache-ui/dist/mac/Ganache.app
2023-09-01T21:54:27.174Z electron-notarize:spawn spawning cmd: xcrun args: [ '--find', 'notarytool' ] opts: {}
2023-09-01T21:54:31.123Z electron-notarize:spawn cmd xcrun terminated with code: 0
2023-09-01T21:54:31.124Z electron-notarize:notarytool starting notarize process for app: /Users/runner/work/ganache-ui/ganache-ui/dist/mac/Ganache.app
2023-09-01T21:54:31.125Z electron-notarize:helpers doing work inside temp dir: /var/folders/24/8k48jl6d249_n_qfxwsl6xvm0000gn/T/electron-notarize-ddefAu
2023-09-01T21:54:31.125Z electron-notarize:notarytool zipping application to: /var/folders/24/8k48jl6d249_n_qfxwsl6xvm0000gn/T/electron-notarize-ddefAu/Ganache.zip
2023-09-01T21:54:31.125Z electron-notarize:spawn spawning cmd: ditto args: [
  '-c',
  '-k',
  '--sequesterRsrc',
  '--keepParent',
  'Ganache.app',
  '/var/folders/24/8k48jl6d249_n_qfxwsl6xvm0000gn/T/electron-notarize-ddefAu/Ganache.zip'
] opts: { cwd: '/Users/runner/work/ganache-ui/ganache-ui/dist/mac' }
2023-09-01T21:56:07.907Z electron-notarize:spawn cmd ditto terminated with code: 0
2023-09-01T21:56:07.907Z electron-notarize:notarytool zip succeeded, attempting to upload to Apple
2023-09-01T21:56:07.908Z electron-notarize:spawn spawning cmd: xcrun args: [
  'notarytool',
  'submit',
  '/var/folders/24/8k48jl6d249_n_qfxwsl6xvm0000gn/T/electron-notarize-ddefAu/Ganache.zip',
  '--apple-id',
  '*********',
  '--password',
  '*********',
  '--team-id',
  '*********',
  '--wait',
  '--output-format',
  'json'
] opts: {}
2023-09-01T22:14:38.317Z electron-notarize:spawn cmd xcrun terminated with code: 0
2023-09-01T22:14:38.318Z electron-notarize:notarytool notarization success
2023-09-01T22:14:38.318Z electron-notarize:helpers work succeeded
2023-09-01T22:14:38.349Z electron-notarize:staple attempting to staple app: /Users/runner/work/ganache-ui/ganache-ui/dist/mac/Ganache.app
2023-09-01T22:14:38.349Z electron-notarize:spawn spawning cmd: xcrun args: [ 'stapler', 'staple', '-v', 'Ganache.app' ] opts: { cwd: '/Users/runner/work/ganache-ui/ganache-ui/dist/mac' }
2023-09-01T22:14:42.888Z electron-notarize:spawn cmd xcrun terminated with code: 0
Done notarizing org.trufflesuite.ganache
2023-09-01T22:14:42.888Z electron-notarize:staple staple succeeded
  • building        target=macOS zip arch=x64 file=dist/Ganache-2.7.2-mac.zip
  • building        target=DMG arch=x64 file=dist/Ganache-2.7.2-mac.dmg
  • building block map  blockMapFile=dist/Ganache-2.7.2-mac.zip.blockmap
  • publishing      publisher=Github (owner: trufflesuite, project: ganache-ui, version: 2.7.2)
  • uploading       file=Ganache-2.7.2-mac.zip.blockmap provider=github
  • uploading       file=Ganache-2.7.2-mac.zip provider=github
  • copy files      from=/Users/runner/work/ganache-ui/ganache-ui/static/icons/mac/icon.icns to=/Volumes/Ganache 2.7.2/.VolumeIcon.icns isUseHardLinks=false
  • copy files      from=/Users/runner/work/ganache-ui/ganache-ui/build/dmg/background.tiff to=/Volumes/Ganache 2.7.2/.background/background.tiff isUseHardLinks=false
  • execute command  command=sips -g pixelHeight -g pixelWidth /Users/runner/work/ganache-ui/ganache-ui/build/dmg/background.tiff workingDirectory=
  • command executed  executable=sips out=/Users/runner/work/ganache-ui/ganache-ui/build/dmg/background.tiff
  pixelHeight: 498
  pixelWidth: 658

  • building block map  blockMapFile=dist/Ganache-2.7.2-mac.dmg.blockmap
  • uploading       file=Ganache-2.7.2-mac.dmg.blockmap provider=github
  • uploading       file=Ganache-2.7.2-mac.dmg provider=github

[davidmurdoch]

Update: I tried using the built-in "notarize" option in electron-builder and it notarized and stapled successfully, just like before, but the app is still unable to be opened on Mac. So perhaps this is indeed a bug.

I can launch the .dmg, which Mac briefly says "Verifying" before successfully opening the installer screen (drag to "Applications"). It then installs, but when I try to open the app it again says "Verifying [...]", but for a minute or two, before failing with the message "Ganache" cannot be opened because the developer cannot be verified. macOS cannot verify that this app is free from malware. [...].

Logs:

  • signing         file=dist/mac/Ganache.app identityName=Developer ID Application: ConsenSys AG (48XVW22RCG) identityHash=C927DD3B556DC334E4573E643FB6F2F142E5FC5F provisioningProfile=none
2023-09-02T14:51:51.458Z electron-notarize:spawn spawning cmd: xcrun args: [ '--find', 'notarytool' ] opts: {}
2023-09-02T14:51:54.462Z electron-notarize:spawn cmd xcrun terminated with code: 0
2023-09-02T14:51:54.462Z electron-notarize:notarytool starting notarize process for app: /Users/runner/work/ganache-ui/ganache-ui/dist/mac/Ganache.app
2023-09-02T14:51:54.463Z electron-notarize:helpers doing work inside temp dir: /var/folders/24/8k48jl6d249_n_qfxwsl6xvm0000gn/T/electron-notarize-5htv5U
2023-09-02T14:51:54.464Z electron-notarize:notarytool zipping application to: /var/folders/24/8k48jl6d249_n_qfxwsl6xvm0000gn/T/electron-notarize-5htv5U/Ganache.zip
2023-09-02T14:51:54.464Z electron-notarize:spawn spawning cmd: ditto args: [
  '-c',
  '-k',
  '--sequesterRsrc',
  '--keepParent',
  'Ganache.app',
  '/var/folders/24/8k48jl6d249_n_qfxwsl6xvm0000gn/T/electron-notarize-5htv5U/Ganache.zip'
] opts: { cwd: '/Users/runner/work/ganache-ui/ganache-ui/dist/mac' }
2023-09-02T14:53:33.252Z electron-notarize:spawn cmd ditto terminated with code: 0
2023-09-02T14:53:33.252Z electron-notarize:notarytool zip succeeded, attempting to upload to Apple
2023-09-02T14:53:33.252Z electron-notarize:spawn spawning cmd: xcrun args: [
  'notarytool',
  'submit',
  '/var/folders/24/8k48jl6d249_n_qfxwsl6xvm0000gn/T/electron-notarize-5htv5U/Ganache.zip',
  '--apple-id',
  '*********',
  '--password',
  '*********',
  '--team-id',
  '*********',
  '--wait',
  '--output-format',
  'json'
] opts: {}
2023-09-02T15:19:19.320Z electron-notarize:spawn cmd xcrun terminated with code: 0
2023-09-02T15:19:19.322Z electron-notarize:notarytool notarization success
2023-09-02T15:19:19.323Z electron-notarize:helpers work succeeded
2023-09-02T15:19:19.422Z electron-notarize:staple attempting to staple app: /Users/runner/work/ganache-ui/ganache-ui/dist/mac/Ganache.app
2023-09-02T15:19:19.423Z electron-notarize:spawn spawning cmd: xcrun args: [ 'stapler', 'staple', '-v', 'Ganache.app' ] opts: { cwd: '/Users/runner/work/ganache-ui/ganache-ui/dist/mac' }
2023-09-02T15:19:23.628Z electron-notarize:spawn cmd xcrun terminated with code: 0
2023-09-02T15:19:23.629Z electron-notarize:staple staple succeeded
  • notarization successful
  • building        target=macOS zip arch=x64 file=dist/Ganache-2.7.2-mac.zip
  • building        target=DMG arch=x64 file=dist/Ganache-2.7.2-mac.dmg
  • building block map  blockMapFile=dist/Ganache-2.7.2-mac.zip.blockmap
  • publishing      publisher=Github (owner: trufflesuite, project: ganache-ui, version: 2.7.2)
  • uploading       file=Ganache-2.7.2-mac.zip.blockmap provider=github
  • uploading       file=Ganache-2.7.2-mac.zip provider=github
  • overwrite published file  file=Ganache-2.7.2-mac.zip.blockmap reason=already exists on GitHub
  • overwrite published file  file=Ganache-2.7.2-mac.zip reason=already exists on GitHub
  • copy files      from=/Users/runner/work/ganache-ui/ganache-ui/static/icons/mac/icon.icns to=/Volumes/Ganache 2.7.2/.VolumeIcon.icns isUseHardLinks=false
  • copy files      from=/Users/runner/work/ganache-ui/ganache-ui/build/dmg/background.tiff to=/Volumes/Ganache 2.7.2/.background/background.tiff isUseHardLinks=false
  • execute command  command=sips -g pixelHeight -g pixelWidth /Users/runner/work/ganache-ui/ganache-ui/build/dmg/background.tiff workingDirectory=
  • command executed  executable=sips out=/Users/runner/work/ganache-ui/ganache-ui/build/dmg/background.tiff
  pixelHeight: 498
  pixelWidth: 658

  • building block map  blockMapFile=dist/Ganache-2.7.2-mac.dmg.blockmap
  • uploading       file=Ganache-2.7.2-mac.dmg.blockmap provider=github
  • uploading       file=Ganache-2.7.2-mac.dmg provider=github
  • overwrite published file  file=Ganache-2.7.2-mac.dmg.blockmap reason=already exists on GitHub
  • overwrite published file  file=Ganache-2.7.2-mac.dmg reason=already exists on GitHub
  • overwrite published file  file=latest-mac.yml reason=already exists on GitHub

[davidmurdoch]

I've opened an issue on electron-builder as well: electron-userland/electron-builder#7755

[mulgurul]

Hi David
I got similar problems with an App, quite like yours. Using electron/notarize seems to complete successfully.
On my development/signing machine I validate the resulting files with:
Codesigning:
codesign --verify --verbose=2 our.app
--prepared:/Users/mac20rd01/Source/DPA Audio Controller Test/DPA%20Audio%20Controller/release/build/mac/DPA Audio Controller.app/Contents/Frameworks/DPA Audio Controller Helper (GPU).app
--validated:/Users/mac20rd01/Source/DPA Audio Controller Test/DPA%20Audio%20Controller/release/build/mac/DPA Audio Controller.app/Contents/Frameworks/DPA Audio Controller Helper (GPU).app
--prepared:/Users/mac20rd01/Source/DPA Audio Controller Test/DPA%20Audio%20Controller/release/build/mac/DPA Audio Controller.app/Contents/Frameworks/DPA Audio Controller Helper (Renderer).app
...
./release/build/mac/DPA Audio Controller.app: valid on disk
./release/build/mac/DPA Audio Controller.app: satisfies its Designated Requirement

codesign --verify --verbose=2 ./release/build/DPA\ Audio\ Controller-1.0.0.dmg
./release/build/DPA Audio Controller-1.0.0.dmg: valid on disk
./release/build/DPA Audio Controller-1.0.0.dmg: satisfies its Designated Requirement

Checking the notarization
spctl -a -v --assess --type execute ./release/build/mac/DPA\ Audio\ Controller.app
./release/build/mac/DPA Audio Controller.app: accepted
source=Notarized Developer IDChecking the stapling:
spctl -a -v --assess --type execute ./release/build/mac/DPA\ Audio\ Controller.app
./release/build/mac/DPA Audio Controller.app: accepted
source=Notarized Developer ID

I'm not able to check the stabling on the dmg file, I havent found out why...
And it's hard to tell from the net if a dmg should be notarized or not. I read 50/50 arguments for or against:-)
Moving the dmg or app file to another mac and cleaning Gatekeeper cache before trying to execute using:
sudo spctl --reset-default
And I'm still getting the gatekeeper "unidentified develop" on another machine.
Pretty strange...

I have to get this solved, so I'll keep you updated if I get it solved.

Best regards from Peter

[billyct]

bump

my fault, in my case, i removed com.apple.security.cs.disable-library-validation in my plist file, then it worked

[davidmurdoch]

There's a solution here: electron-userland/electron-builder#7755