"app can't be opened" even if notarization succeeds

[jhh-ncurity]

• Electron-Builder Version: 25.0.5

• Node Version: 20.12.1

• Electron Version: 32.1.1
• Electron Type (current, beta, nightly): current

• Target: macOS, dmg, x64

Does anyone has same phenomenon, where all builds succeeds but then, can't be opened on other macOS?

It is code-signed, and notarized successfully... (spctl command result captured)

When I run it on terminal using open command, I get following error:

The application cannot be opened for an unexpected reason, error=Error Domain=NSOSStatusErrorDomain Code=-10810 "kLSUnknownErr: Unexpected internal error" UserInfo={_LSFunction=_LSLaunchWithRunningboard, _LSLine=3090, NSUnderlyingError=0x600000ad4090 {Error Domain=RBSRequestErrorDomain Code=5 "Launch failed." UserInfo={NSLocalizedFailureReason=Launch failed., NSUnderlyingError=0x600000ad4f60 {Error Domain=NSPOSIXErrorDomain Code=1 "Operation not permitted" UserInfo={NSLocalizedDescription=Launchd job spawn failed}}}}}

[mmaietta]

Code=1 "Operation not permitted" UserInfo={NSLocalizedDescription=Launchd job spawn failed}

Looks like your app is trying to do something that it doesn't have Entitlements for? That and/or the provisioning profile could be misconfigured.

[jhh-ncurity]

I believe that provisioning profile is for development purpose only, isn't it? I don't have any explicit settings for the profile. Here is what I did:

electron-builder's internal process doesn't recognize my env var properly so I disabled its process by setting notarize: false, then I notarized my app using old-fashioned afterSign hook.

scripts/notarize.cjs

const { notarize } = require("@electron/notarize")
const path = require("node:path")

module.exports = async (context) => {
    if (process.platform !== 'darwin') {
        return;
    }

    await notarize({
        appPath: path.join(context.appOutDir, `${context.packager.appInfo.productFilename}.app`),
        appleId: "XXX",
        appleIdPassword: "XXX",
        teamId: "XXX"
    })

    console.log(`(scripts/notarize.cjs) Notarization complete.`)
};

(credentials are hard-coded only for test purpose, did not upload to any repository)

Did I miss something here?

here is my electron-builder's setting. (json5)

// @see - https://www.electron.build/configuration/configuration
{
  "$schema": "https://raw.githubusercontent.com/electron-userland/electron-builder/master/packages/app-builder-lib/scheme.json",
  "appId": "...",
  "asar": true,
  "directories": {
    "output": "release/${version}"
  },
  "files": [
    "dist",
    "dist-electron"
  ],
  "mac": {
    "target": { "target": "default", "arch": "x64" },
    "artifactName": "${productName}-${version}-Installer.${ext}",
    "notarize": false
  },
  "afterSign": "scripts/notarize.cjs",
  "win": {
    "requestedExecutionLevel": "requireAdministrator",
    "target": { "target": "nsis", "arch": "x64" },
    "artifactName": "${productName}-${version}-Setup.${ext}",
    "certificateSubjectName": "..."
  },
  "nsis": {
    "oneClick": false,
    "perMachine": true,
    "allowToChangeInstallationDirectory": false,
    "deleteAppDataOnUninstall": false
  },
  "extraResources": ["vpn", "!vpn/*.ovpn"],
  "protocols": { "name": "SSO Redirect", "schemes": [ "..." ] },
  "publish": { "provider": "generic", "url": "http://localhost:8443/downloads/", "timeout": 30000 }
}

I believe in recent electron-builder, necessary settings such as, hardenedRuntime etc... are set by default.

And here is my entitlements:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
	<dict>
		<key>com.apple.security.cs.allow-jit</key>
		<true/>
	</dict>
</plist>

fyi, my app is custom openvpn GUI app. Is there anything weird in my settings that I can dig into?

[mmaietta]

Not sure what the name of your entitlements file is, so I felt it worth mentioning. If the entitlements file isn't located in your build resources (expecting <build resources dir>/entitlements.mac.plist), then it isn't automatically being used by electron-builder. You can configure the path manually via: https://www.electron.build/mac#entitlements

[AndrewEQ]

I had to add specific node_modules to my asarUnpack for my app to work as it couldn't find the node_modules: #6200 (comment)

For me specifically it was:

asarUnpack:
  - "**/node_modules/sharp/**"
  - "**/node_modules/semver/functions/coerce/**"
  - "**/node_modules/yargs/helpers/**"

Electron Version: 32.1.2
Electron-Builder Version: 25.0.5
Node Version: 22.1.0

[AndrewEQ]

...ok, upon further inspection, my "postinstall": "electron-builder install-app-deps", in the package.json was failing the rebuild, I fixed it by downgrading to the matching Node version for Electron 32.1.2 (https://www.electronjs.org/blog/electron-32-0) which is Node 20.16.0... after fixing it, I didn't have to specifically specify node_modules for asarUnpack 🥇

[AndrewEQ]

Sorry, false alarm; it works with electron-builder 24.13.3