macOS codesign fails #446
Comments
Try: #372 (comment). Nexe relies on mangling the base binary, which inherently breaks signing. Using the patch shown in that comment should allow you to embed your application fully. However, resources will not work. If you really need resources + signing... I have a plan to implement them, but no bandwidth to work on it at the moment. |
Hi @calebboyd, Thank you for your feedback.

```js
// nexe compile options as posted; wrapped in compile() so the snippet runs as-is
require('nexe').compile({
  build: true,
  make: [ '-j4' ],
  input: './dist/entrypoint.js',
  targets: [ 'macos' ],
  output: 'daemon',
  patches: [
    // first patch: make compiler.code() return shims + the application source
    (x, next) => {
      x.code = () => [x.shims.join(''), x.input].join(';')
      return next()
    },
    // second patch: write that code into Node's _third_party_main.js before the build
    async (compiler, next) => {
      await compiler.setFileContentsAsync(
        'lib/_third_party_main.js',
        compiler.code()
      )
      compiler.options.empty = true // <-- ADDED THIS (hack)
      return next()
    }
  ]
})
```

I would be glad to help on this feature but I fear my knowledge on this subject is very limited. |
Okay, I think I might know what the problem is. The executable is still mangled with metadata, setting |
It works! I don't understand what is going on but it works like a charm! Thank you very much for your help 👍 |
Glad it works! Here is the summary: Normally the binary looks like this:
The Patch does this
Setting empty: true at that point in time does this
|
Thank you for those details, it's clearer now. The only drawback with this hack is that you have to do a clean build (i.e. by deleting the |
Yes, this is (to my knowledge) an unavoidable side effect of creating a valid Mach-O binary. There is no way to change its contents and maintain validity without reconstructing it each time. Note: You can also pass |
@calebboyd do you have any ideas about getting this working? I tried the code above with the only modification being the path to my input file, but the executable is still not signable unfortunately.

```js
require('nexe').compile({
  build: true,
  input: './app/host/host.js',
  patches: [
    // make compiler.code() return shims + the application source
    (x, next) => {
      x.code = () => [x.shims.join(''), x.input].join(';')
      return next()
    },
    // write it into Node's _third_party_main.js before compiling
    (compiler, next) => {
      return compiler.setFileContentsAsync(
        'lib/_third_party_main.js',
        compiler.code()
      ).then(next)
    }
  ]
})
```

Edit: Trying again with the line |
Uh, wow.... My original code took 30 minutes to build and couldn't be signed. The code in the comment above took 1.85 seconds and can be signed. I don't know if that's thanks to caching or what, but: All glory to @calebboyd |
Could someone please show me how to run the nexe builder with the fix from the comment above? Is this a configuration file you save to your project root directory and reference with one of the nexe options? |
@brikendr I made this a build file and the build works. Does anyone have more information or example on how this can work? @calebboyd you also mentioned that this won't work with I am trying other options in the meantime. Node compilation takes an hour for me, so this is a slow process :) |
I'm in a similar situation as @brikendr I'm quite new to js and ts world and now have working sets for Windows and linux but the Mac notarization really does not like the executable coming out of nexe (nor any other similar tools). For me nexe calls have to be command-line so I'm trying to decipher how the --patches script.js would need to be formatted and what other arguments need to be given to be able to test this solution. Are there any .js patch examples anywhere on this? How should I list multiple patches etc. |
For people coming to this issue now, some of the Nexe API has changed but the core issue has not been documented so well. I thought I would add our config here that got both signing and notarization working on v4.0.0-beta.6 with Node 12.4.0. The configure option was just our build boxes not being up to date, but shouldn't matter.

```js
// runs inside an async method: `compile` is nexe's export and
// this.input / this.output / target are set by the caller
await compile({
  build: true,
  mangle: false,
  configure: ['--openssl-no-asm'],
  input: this.input,
  output: this.output,
  loglevel: 'verbose',
  targets: [ target ],
  patches: [
    // make compiler.code() return shims + startup code
    (compiler, next) => {
      compiler.code = () => [ compiler.shims.join(''), compiler.startup ].join(';')
      return next();
    },
    // write it into Node's _third_party_main.js before compiling
    (compiler, next) => {
      return compiler.setFileContentsAsync(
        'lib/_third_party_main.js',
        compiler.code()
      ).then(next);
    }
  ]
});
```

The |
I just ended up ditching nexe for Mac builds. So just bundling node and my app as .js worked, as the node executable seems to conform to Apple's desires. ..just to make it clear, Apple's tools and documentation for signing and notarization are absolutely horrendous. A signing system where everyone is using workarounds, tips and tricks is not exactly reassuring ;) |
@calebboyd @durran

```js
compile({
  build: true,
  make: [ '-j10' ],
  mangle: false,
  configure: ['--openssl-no-asm'],
  input: '../path/to/main/entry.js',
  loglevel: 'verbose',
  targets: [ 'macos-v12.16.3' ],
  patches: [
    // make compiler.code() return shims + startup code
    (compiler, next) => {
      compiler.code = () => [ compiler.shims.join(''), compiler.startup ].join(';')
      return next();
    },
    // write it into Node's _third_party_main.js before compiling
    (compiler, next) => {
      return compiler.setFileContentsAsync(
        'lib/_third_party_main.js',
        compiler.code()
      ).then(next);
    }
  ]
});
```

It seems that compilation errors were fixed in some version, so Node compiles and the executable with source code is packed successfully. But for the above config I get: I debugged it and the 'mangle: false' option causes it. After commenting it out it works just fine. But I can't sign the code then (I suppose mangling is the most important factor here). Note that with the mangle: false option I can sign the code (but as I said the binary does not work) |
running |
Unfortunately node dropped support for _third_party_main.js in Node 12. So unless the version is less than 12 patching _third_party_main as described by the mangle docs, won't work. Lines 113 to 116 in 0a2e8db
I'll reopen this issue to track this case |
My binary comes out fine using the above. No compilation errors. But it still won't codesign.

```
ℹ nexe 4.0.0-beta.6
✔ Downloading Node.js source from: https://nodejs.org/dist/v12.4.0/node-v12.4.0.tar.gz
✔ Compiling Node...
✔ Node binary compiled
✔ Compiling result
✔ Writing result to file
✔ Entry: 'src/index.js' written to: bin/2famsg
✔ Finished in 2630.117s
```

```
bin/2famsg: main executable failed strict validation
```
|
I just realised I got a false positive out of that - must have been on a lower version... I can confirm ours is now failing with the same error @maksymilianpiechota mentioned. Going to try again on 11.15.0. |
Is there any setup that is supposed to work? I've got the same issue as the others when using 12.18.2. When I use 10.15.3, 10.23.0 or 11.15.0 I get this error: #806 Every other symptom the same: if I enable |
Guys, well done, it worked |
@durran I am afraid that this is the final mention of a successfully signed Nexe-build binary. May I ask you to attempt this again, or maybe go into some more details with what and how you managed to both build, run and sign? |
This is a
Codesigning the binary produced by nexe on macOS fails. I'm not sure if it's a bug or just that it is not handled by nexe, but I wish to have your point of view about this.
Steps to reproduce:
I also tried to codesign the raw build in the ~/.nexe directory. It works but, after building the code, the signature verification fails (obviously). If we try to force a resign, we get the same error as above.