macOS Sign error while uploading to apple store. #4602

Closed
ahmadwaliesipick opened this issue Jan 20, 2020 · 16 comments

@ahmadwaliesipick

Electron Version : 6.0.10
Electron Build version: 21.2.0

The following signing errors are shown during uploading mac pkg to apple store.

I have all these certificates at keychain:
command: security find-identity -p codesigning -v

  1. 02D559EF08AC6CB6BC0F255035DA50A0EE8FDD7A "Developer ID Application: MyCompany, Inc. (4VXK2DP174)"
  2. 8AF5BD5FDE2078BC55DD09F709068EDF93C3498B "3rd Party Mac Developer Application: MyCompany, Inc. (4VXK2DP174)"
  3. 6127C61FCB71B8A94B55918DD67FCF0FE78EA621 "Mac Developer: Ahmed Wali (K8PV65GGCB)"
    3 valid identities found

Errors on upload pkg:

  1. ERROR ITMS-90287: "Invalid Code Signing Entitlements. The entitlements in your app bundle signature do not match the ones that are contained in the provisioning profile. The bundle contains a key that is not included in the provisioning profile: 'com.apple.developer.team-identifier' in 'com.myapp.myappformac.pkg/Payload/My App.app/Contents/MacOS/My App'."
  2. ERROR ITMS-90287: "Invalid Code Signing Entitlements. The entitlements in your app bundle signature do not match the ones that are contained in the provisioning profile. The bundle contains a key that is not included in the provisioning profile: 'com.apple.application-identifier' in 'com.myapp.myappformac.pkg/Payload/My App.app/Contents/MacOS/My App'."
  3. ERROR ITMS-90237: "The product archive package's signature is invalid. Ensure that it is signed with your "3rd Party Mac Developer Installer" certificate."
  4. ERROR ITMS-90277: "Invalid Bundle Identifier. The application bundle contains a tool or framework Electron Helper (GPU) [com.myapp.myappformac.pkg/Payload/My App.app/Contents/Frameworks/My App Helper (GPU).app] using the bundle identifier 'com.myapp.myappformac.helper.(GPU)', which is not a valid bundle identifier."
  5. ERROR ITMS-90277: "Invalid Bundle Identifier. The application bundle contains a tool or framework Electron Helper (Plugin) [com.myapp.myappformac.pkg/Payload/My App.app/Contents/Frameworks/My App Helper (Plugin).app] using the bundle identifier 'com.myapp.myappformac.helper.(Plugin)', which is not a valid bundle identifier."
  6. ERROR ITMS-90277: "Invalid Bundle Identifier. The application bundle contains a tool or framework Electron Helper (Renderer) [com.myapp.myappformac.pkg/Payload/My App.app/Contents/Frameworks/My App Helper (Renderer).app] using the bundle identifier 'com.myapp.myappformac.helper.(Renderer)', which is not a valid bundle identifier."

Here are mac settings in package.json file:

"mac": {
  "category": "public.app-category.productivity",
  "target": [
    "pkg"
  ],
  "identity": "MyCompany, Inc. (4VXK2DP174)",
  "icon": "My-APP.icns",
  "entitlements": "dist/entitlements.mac.plist",
  "entitlementsInherit": "dist/entitlements.mac.plist"
},
"dmg": {
  "background": "electron-config/dmg/todo-background.tiff",
  "contents": [
    {
      "type": "file",
      "x": 120,
      "y": 275
    },
    {
      "type": "link",
      "path": "/Applications",
      "x": 420,
      "y": 275
    }
  ],
  "window": {
    "width": 540,
    "height": 400
  }
},

entitlements.mac.plist:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.cs.allow-jit</key>
    <true/>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
    <key>com.apple.security.cs.disable-executable-page-protection</key>
    <true/>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.inherit</key>
    <true/>
  </dict>
</plist>

@kellerchch

@develar and @stefanjudis thanks for your commitment to this repo. So awesome. I'm not an experienced dev but perhaps our team can help a bit more to resolve the other issues logged in this repo.

Admittedly I and @ahmadwaliesipick are under a lot of pressure right now to figure out how to fix the build issues with our angular app using electron for MacOS. Do you have any ideas or could you direct us to others in the community who might be able to help? We can hire the right dev to help us fix this for our commercial product. Thanks.

@codebytere
Member

@kellerchch how did you generate the codesigning information? We have a document in the main codebase that should outline the necessary steps.

This module partially abstracts that process away should you prefer that: https://github.com/electron/electron-osx-sign

@kellerchch

Thanks @codebytere. I'll alert @ahmadwaliesipick to check these links you shared. Thank you for the reply.

@codebytere
Member

codebytere commented Jan 24, 2020

happy to help 🙇‍♀ feel free to follow up if that doesn't work as expected!

@amargautam

To me it looks like you are using a wrong bundle id for your app during notarize. Following is my notarize script which requires you to provide the app bundle id.

I use electron-notarize.

const { notarize } = require('electron-notarize');

exports.default = async function notarizing(context) {
  const { electronPlatformName, appOutDir } = context;  
  if (electronPlatformName !== 'darwin') {
    return;
  }

  const appName = context.packager.appInfo.productFilename;

  return await notarize({
    appBundleId: 'com.xxx.<app-name>',
    appPath: `${appOutDir}/${appName}.app`,
    appleId: process.env['APPLE_ID'],
    appleIdPassword: `@keychain:AppleNotarize`,
    ascProvider: 'XXXXXXXXXX'
  });
};

appBundleId should match with what you have in your provisioning profile. This is important. And also the entitlements should match what you have in your provisioning profile.

Here is my entitlement file -

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.cs.allow-jit</key>
    <true/>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
    <true/>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
  </dict>
</plist>

Let me know how it goes. I hope this helps. Good luck.

@ahmadwaliesipick
Author

@codebytere thanks for sharing the document link, but I am already following that document. Can you please check the package.json and entitlements.mac.plist above? Do you have any suggestion to use some specific electron-builder & electron version?

@ahmadwaliesipick
Author

@amargautam I am using the same bundle ID which I have created at https://appstoreconnect.apple.com

@amargautam

@ahmadwaliesipick Did you solve this?

Something is wrong with your config or else you should not get this error. This is not a problem with Electron Builder. Do you mind posting your complete build config (minus any sensitive info)? Also note that you posted the build config above which says your target is pkg build. In my project I am not doing pkg but only dmg, I will try pkg tonight and see if it still works for me.

All the following errors you are getting usually occur when your provisioning profile is incorrectly configured and you have the wrong distribution/installer certificates.

ERROR ITMS-90287: "Invalid Code Signing Entitlements. The entitlements in your app bundle signature do not match the ones that are contained in the provisioning profile. The bundle contains a key that is not included in the provisioning profile: 'com.apple.developer.team-identifier' in 'com.myapp.myappformac.pkg/Payload/My App.app/Contents/MacOS/My App'."
ERROR ITMS-90287: "Invalid Code Signing Entitlements. The entitlements in your app bundle signature do not match the ones that are contained in the provisioning profile. The bundle contains a key that is not included in the provisioning profile: 'com.apple.application-identifier' in 'com.myapp.myappformac.pkg/Payload/My App.app/Contents/MacOS/My App'."
ERROR ITMS-90237: "The product archive package's signature is invalid. Ensure that it is signed with your "3rd Party Mac Developer Installer" certificate."
ERROR ITMS-90277: "Invalid Bundle Identifier. The application bundle contains a tool or framework Electron Helper (GPU) [com.myapp.myappformac.pkg/Payload/My App.app/Contents/Frameworks/My App Helper (GPU).app] using the bundle identifier 'com.myapp.myappformac.helper.(GPU)', which is not a valid bundle identifier."
ERROR ITMS-90277: "Invalid Bundle Identifier. The application bundle contains a tool or framework Electron Helper (Plugin) [com.myapp.myappformac.pkg/Payload/My App.app/Contents/Frameworks/My App Helper (Plugin).app] using the bundle identifier 'com.myapp.myappformac.helper.(Plugin)', which is not a valid bundle identifier."
ERROR ITMS-90277: "Invalid Bundle Identifier. The application bundle contains a tool or framework Electron Helper (Renderer) [com.myapp.myappformac.pkg/Payload/My App.app/Contents/Frameworks/My App Helper (Renderer).app] using the bundle identifier 'com.myapp.myappformac.helper.(Renderer)', which is not a valid bundle identifier."
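
The ITMS-90277 entries quoted in this thread reject the helper bundles because their identifiers contain parentheses. The following check is an added example, not code from any participant or from electron-builder; it walks a built `.app` and reports every nested `Info.plist` whose `CFBundleIdentifier` contains characters other than alphanumerics, hyphens and periods. The function names and the sample bundle tree are assumptions made for the example.

```python
import plistlib
import re
from pathlib import Path

# Bundle identifiers may contain only alphanumerics, hyphens and periods.
VALID_ID = re.compile(r"[A-Za-z0-9.-]+")


def invalid_bundle_ids(app):
    """Map each Info.plist under `app` (the app itself plus nested helper
    bundles) to its CFBundleIdentifier when that identifier is invalid."""
    bad = {}
    for info in sorted(Path(app).rglob("Info.plist")):
        with info.open("rb") as fh:
            ident = plistlib.load(fh).get("CFBundleIdentifier")
        if ident is not None and not VALID_ID.fullmatch(ident):
            bad[info.relative_to(app).as_posix()] = ident
    return bad


def build_sample(root):
    """Constructed bundle skeleton: the layout and the GPU helper ID follow the
    ITMS-90277 message above; the main-app and plain helper IDs are made up."""
    app = Path(root) / "My App.app"
    ids = {
        "Contents": "com.myapp.myappformac",
        "Contents/Frameworks/My App Helper.app/Contents":
            "com.myapp.myappformac.helper",
        "Contents/Frameworks/My App Helper (GPU).app/Contents":
            "com.myapp.myappformac.helper.(GPU)",
    }
    for rel, ident in ids.items():
        (app / rel).mkdir(parents=True, exist_ok=True)
        with (app / rel / "Info.plist").open("wb") as fh:
            plistlib.dump({"CFBundleIdentifier": ident}, fh)
    return app


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        for path, ident in invalid_bundle_ids(build_sample(tmp)).items():
            print(f"{ident!r} in {path}")
```
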

@ghost

ghost commented Feb 25, 2020

@ahmadwaliesipick Have you resolved this? I am getting the same error while verifying the Electron App.

@kellerchch

@sonamgupta-kiwi and @amargautam thanks for weighing in on this thread. This was a top priority to fix but because of the complexity of it, @ahmadwaliesipick moved to other items. Even today he was about to pick this task back up to solve this but we reprioritized other items. I'm guessing Wali is probably a week to 10 days out from working on this again and then with his brains combined with yours, I am confident he will find a solution. Thanks.

@ahmadwaliesipick
Author

I have posted the config above.

@salomvary
Contributor

I was getting similar errors when verifying the bundle with altool before uploading. The solution was to create a provisioning profile for Mac App distribution, download it and set provisioningProfile for electron-builder to point to the downloaded provisioning profile file.

After this the build passed all verifications and uploaded with no issues.
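
A pre-upload check for the ITMS-90287 condition this thread is about, as an added example (not code from any participant or from electron-builder): it compares the entitlements in a signature with the `Entitlements` dictionary of a decoded provisioning profile and reports restricted keys the profile does not cover, including the case where no profile is embedded at all. The list of restricted key prefixes, the function names and the sample plists with placeholder IDs are assumptions made for the example.

```python
import plistlib

# Assumption for this example: only these keys need authorisation from the
# provisioning profile; com.apple.security.* (sandbox, hardened runtime) keys
# are not listed in profiles and are skipped.
RESTRICTED = ("com.apple.application-identifier", "com.apple.developer.",
              "keychain-access-groups")

def value_allowed(signed, granted):
    """Profile values may be lists and may end in '*' (wildcard App ID)."""
    if isinstance(granted, list):
        wanted = signed if isinstance(signed, list) else [signed]
        return all(any(value_allowed(w, g) for g in granted) for w in wanted)
    if isinstance(granted, str) and granted.endswith("*"):
        return isinstance(signed, str) and signed.startswith(granted[:-1])
    return signed == granted

def check_entitlements(signed_plist, profile_plist=None):
    """Return (key, problem) pairs for restricted keys in the signature that the
    profile does not cover. Inputs are plist bytes, e.g. the output of
    `codesign -d --entitlements :- App.app` and of
    `security cms -D -i embedded.provisionprofile`; None means no profile."""
    signed = plistlib.loads(signed_plist)
    granted = plistlib.loads(profile_plist).get("Entitlements", {}) if profile_plist else {}
    problems = []
    for key, value in signed.items():
        if not key.startswith(RESTRICTED):
            continue
        if key not in granted:
            problems.append((key, "not in provisioning profile"))
        elif not value_allowed(value, granted[key]):
            problems.append((key, "value differs from provisioning profile"))
    return problems

# Constructed sample data with placeholder team and bundle IDs.
SIGNED = plistlib.dumps({
    "com.apple.security.app-sandbox": True,
    "com.apple.application-identifier": "TEAMID1234.com.example.app",
    "com.apple.developer.team-identifier": "TEAMID1234",
})
PROFILE = plistlib.dumps({"Entitlements": {
    "com.apple.application-identifier": "TEAMID1234.com.example.*",
    "com.apple.developer.team-identifier": "TEAMID1234",
}})

if __name__ == "__main__":
    print(check_entitlements(SIGNED))           # no profile embedded
    print(check_entitlements(SIGNED, PROFILE))  # profile covers both keys
```
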

@johannesjo

johannesjo commented Jun 23, 2020

I am running into the same issue. I recreated the certificates and the provisioning profile multiple times and my config looks alright to me. @ahmadwaliesipick were you able to make it work in the end somehow?

@chetan1406

I am also facing this issue.

ITMS-90237: The product archive package's signature is invalid. Ensure that it is signed with your '3rd Party Mac Developer Installer' certificate.

@stale

stale bot commented Oct 7, 2020

Is this still relevant? If so, what is blocking it? Is there anything you can do to help move it forward?

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

@stale stale bot added the backlog label Oct 7, 2020
@stale stale bot closed this as completed Oct 14, 2020
@Vladimir-Nn

Vladimir-Nn commented Nov 16, 2020

In my case, expired certificates were not removed from the Keychain. (New ones were automatically generated by Xcode.)
