Mandeep Singh Blog

code sign in electron js

Mandeep Singh's photo
Mandeep Singh
·

3 min read

The error messages you're seeing suggest a few different issues related to the code signing process. Let's break it down:

1. code object is not signed at all:

  • This error message indicates that the app bundle or one of its subcomponents (such as Track-360 Helper (GPU).app) hasn't been signed at all. In this case, the Track-360.app itself or some of its helper applications like Track-360 Helper (GPU).app are not signed correctly.

2. replacing existing signature:

  • The message replacing existing signature tells you that the chrome_crashpad_handler file has already been signed previously, and you're replacing its signature with a new one. This is normal and indicates that the signing process for that file worked.

3. codesign --verify Results:

  • The command codesign --verify --deep --strict --verbose=2 is used to verify that all the components in the app bundle have been signed correctly.

  • The result /Users/rvsmedia/Documents/build/screenshort-app/dist/mac-universal/Track-360.app: code object is not signed at all confirms that some components within your app (such as Track-360.app for the x86_64 architecture) are not signed.

4. sudo codesign --remove-signature:

  • The codesign --remove-signature command removes any previous code signatures from the app. You successfully removed the signature from the app, so now you can start fresh with the signing process.

What’s Going On and What You Can Do:

It looks like the app bundle and some of its subcomponents aren't properly signed, which is why the verification step fails. To fix this:

Steps to Resolve:

  1. Sign the Entire App: You need to sign the entire .app bundle (not just individual files). Here's how to do that:

     codesign --sign "Developer ID Application: Rajeev Nar (2J85YK8GXQ)" \
   --force \
   --timestamp \
   --options runtime \
   --entitlements entitlements.mac.plist \
   --deep \
   /Users/rvsmedia/Documents/build/screenshort-app/dist/mac-universal/Track-360.app

    • The --deep option ensures that all nested components (including helper apps, frameworks, etc.) are signed.

    • The --force option will overwrite any existing signatures.

    • The --timestamp option adds a timestamp to the signature, ensuring it is valid even after the certificate expires.

  2. Verify the Signature: After signing the entire app with --deep, you can verify the signature using the codesign --verify command:

     codesign --verify --deep --strict --verbose=2 /Users/rvsmedia/Documents/build/screenshort-app/dist/mac-universal/Track-360.app

    This will show you whether the app and all its components have been signed correctly.

  3. Test the App: Once the signing is successful, you can also try launching the app to see if it works without any "unidentified developer" warnings or errors.

  4. Check the Identity: You confirmed that your signing identity is valid by running security find-identity. The output shows that the identity Developer ID Application: Rajeev Nar (2J85YK8GXQ) is available and valid, so there’s no issue with the certificate itself.

Try signing the entire app bundle using the --deep flag and then verifying the signature again. Let me know how it goes!

Did you find this article valuable?

Support Mandeep Singh Blog by becoming a sponsor. Any amount is appreciated!

ElectronmacOS