How to run a Mac app after signing & sandboxing?



  • I have a Quasar / Electron Mac app which allows the user to click on a snippet and paste it into the last viewed app (e.g. Mail etc).

    When I build the app for the mas (Mac App Store) platform without signing and sandboxing, with the following settings in quasar.conf.js

    electron: {
        packager: {
            asar: false,
            appBundleId: '[app id]',
            platform: 'mas', 
            version: '1.0.0',
            buildVersion: '4'
        }
    }
    

    … and the following build command:

    quasar build -m electron
    

    Then the generated app file runs fine when I double click it.

    However, if I sign and sandbox the app, with the following settings in quasar.conf.js:

    electron: {
        packager: {
            asar: false,
            appBundleId: '[app id]',
            osxSign: {
                'entitlements': 'src-electron/default.entitlements.mas.plist'
            },
            platform: 'mas', 
            version: '1.0.0',
            buildVersion: '4'
        }
    }
    

    … with this default.entitlements.mas.plist file:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
        <dict>
            <key>com.apple.security.app-sandbox</key>
            <true/>
            <key>com.apple.security.network.client</key>
            <true/>
        </dict>
    </plist>
    

    … and the same build command:

    quasar build -m electron
    

    Then, when I double click the generated app file, it quits straight away with the following message:

    [Image: the error message shown when the app quits]

    Edit: Clicking Report reveals the following message:

    PROCESS:               Email Snippets [90262]
    Path:                  /Applications/MAMP/*/Email Snippets.app/Contents/MacOS/Email Snippets
    Identifier:            com.dannyconnell.emailsnippets
    Version:               ???
    Code Type:             X86-64 (Native)
    Parent Process:        ??? [1]
    Responsible:           Email Snippets [90262]
    User ID:               501
    
    Date/Time:             2018-11-03 21:14:01.171 +0000
    OS Version:            Mac OS X 10.13.6 (17G65)
    Report Version:        12
    Anonymous UUID:        E00B5535-E6DC-B81E-1DCC-43B629EDC468
    
    Sleep/Wake UUID:       B3B79D2B-F30B-47B0-A980-0822EFC30745
    
    Time Awake Since Boot: 90000 seconds
    Time Since Wake:       480 seconds
    
    System Integrity Protection: enabled
    
    Crashed Thread:        0
    
    Exception Type:        EXC_CRASH (Code Signature Invalid)
    Exception Codes:       0x0000000000000000, 0x0000000000000000
    Exception Note:        EXC_CORPSE_NOTIFY
    
    Termination Reason:    Namespace CODESIGNING, Code 0x1
    
    kernel messages:
    
    VM Regions Near 0 (cr2):
    --> 
        __TEXT                 0000000103992000-0000000103993000 [    4K] r-x/rwx SM=COW  
    
    Thread 0 Crashed:
    0   ???                           	0x000000011127d19c _dyld_start + 0
    
    

    If I then package the app using electron-osx-flat:

    electron-osx-flat "dist/electron-mat/[app name]-mas-x64/[app name].app" --verbose
    

    … and double click the pkg file to install it, then the app installs successfully. But when I click the app in Applications, it again quits straight away with the message in the image above.

    Edit: Also, if I run the executable within the .app file in Terminal, I just get the message:

    Killed: 9
    

    However, when I submit this generated pkg file for review, the app basically works for the reviewer, but the copy and paste functionality is not working.

    I believe this is to do with missing entitlements in the default.entitlements.mas.plist file.

    However, I would like to be able to test for these kinds of issues myself, before submitting to the app store.

    How can I run and test my app once it is signed and sandboxed?

    Thanks.



  • Thanks to @miadz on Stack Overflow for pointing me in the right direction.

    Here’s what you need to do to run your Electron app fully sandboxed (as it will appear to the Apple Review Team, with all entitlements applied):

    1. Firstly, you need a 2nd Mac on which to test your app

    2. Add your 2nd Mac as a listed device on the Apple Developer site (Account > Certificates, IDs and Profiles > macOS > Devices > all). You will need your Mac’s UUID which you can find from your menu bar in Apple > About This Mac > Overview > System Report…

    3. Generate a Mac Development Provisioning profile for your app on the Apple Developer site (Account > Certificates, IDs and Profiles > macOS > Provisioning Profiles > Development) and make sure you select your 2nd Mac as a device. If you already have a development provisioning profile, then edit it and select your 2nd Mac under Devices.

    4. Download your provisioning profile and place it in the root of your Quasar / Electron project

    5. On your development Mac, build your app for the mas platform without signing, e.g.

      electron: {
          packager: {
              asar: false,
              appBundleId: '[app id]',
              platform: 'mas',
              version: '1.0.0',
              buildVersion: '4'
          }
      }

      then…

      quasar build -m electron

    6. Sign your generated app for development with electron-osx-sign (you may need to npm install electron-osx-sign -g first):

      electron-osx-sign "dist/electron-mat/[app name]-mas-x64/[app name].app" --platform=mas --type=development --entitlements="src-electron/default.entitlements.mas.plist" --provisioning-profile="[app name]_Mac_Development.provisionprofile"

    7. Send the generated .app file to your 2nd Mac and run
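
A pre-flight check for steps 2 to 6, as an added example that is not part of the original answer: it reads the development provisioning profile and the entitlements file and reports mismatches with the test Mac before the build is signed. The sample profile, team ID, bundle ID and device UUID are constructed, and `load_profile` and `preflight` are hypothetical helper names.

```python
import plistlib
from datetime import datetime
from fnmatch import fnmatchcase

# Constructed sample: a profile payload wrapped in stand-in bytes for the CMS envelope.
SAMPLE_PROFILE = b"\x30\x82hdr" + b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Entitlements</key><dict>
    <key>com.apple.application-identifier</key>
    <string>ABCDE12345.com.example.snippets</string>
  </dict>
  <key>ExpirationDate</key><date>2019-11-03T21:14:01Z</date>
  <key>ProvisionedDevices</key><array>
    <string>00000000-1111-2222-3333-444444444444</string>
  </array>
</dict></plist>""" + b"\x00sig"

# The entitlements from the question, without the DOCTYPE line.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.app-sandbox</key><true/>
  <key>com.apple.security.network.client</key><true/>
</dict></plist>"""

def load_profile(raw):
    """Slice the XML plist out of a .provisionprofile; the CMS signature is NOT verified."""
    start, end = raw.find(b"<?xml"), raw.rfind(b"</plist>")
    if start < 0 or end < start:
        raise ValueError("no embedded plist found")
    return plistlib.loads(raw[start:end + len(b"</plist>")])

def preflight(profile, entitlements, bundle_id, device_uuid, now):
    """Return a list of problems found; an empty list means every check passed."""
    problems = []
    devices = {d.upper() for d in profile.get("ProvisionedDevices", [])}
    if device_uuid.upper() not in devices:
        problems.append("test Mac is not listed in the profile")
    if profile["ExpirationDate"] <= now:  # plistlib returns naive UTC datetimes
        problems.append("profile has expired")
    app_id = profile.get("Entitlements", {}).get("com.apple.application-identifier", "")
    pattern = app_id.partition(".")[2]  # drop the team-ID prefix; may end in a wildcard
    if not fnmatchcase(bundle_id, pattern):
        problems.append("profile app ID does not cover " + bundle_id)
    if entitlements.get("com.apple.security.app-sandbox") is not True:
        problems.append("entitlements do not enable the App Sandbox")
    return problems
```

Pass the raw bytes of the downloaded `.provisionprofile` to `load_profile` and the test Mac's hardware UUID to `preflight`; the current time must be a naive UTC `datetime`.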