Unable to use binaries option to sign additional binaries #1723

voldemortensen opened this issue May 13, 2024 · 4 comments

Preflight Checklist

  • I have read the contribution documentation for this project.
  • I agree to follow the code of conduct that this project follows, as appropriate.
  • I have searched the issue tracker for a bug that matches the one I want to file, without success.

Issue Details

  • Electron Packager Version:
    • Not relevant
  • Electron Version:
    • Not relevant
  • Operating System:
    • Not relevant
  • Last Known Working Electron Packager version:
    • Not relevant

Expected Behavior

I should be able to use binaries in osxSign to sign additional binaries.

Actual Behavior

The TypeScript definition explicitly removes the binaries key using Omit which results in this error:

forge.config.ts:15:7 - error TS2322: Type '{ binaries: string[]; optionsForFile: () => { entitlements: string; }; }' is not assignable to type 'true | OsxSignOptions'.
  Object literal may only specify known properties, and 'binaries' does not exist in type 'OsxSignOptions'.

To Reproduce

import type { ForgeConfig } from '@electron-forge/shared-types';

const config: ForgeConfig = {
  // ...
  packagerConfig: {
    osxSign: {
      binaries: ["./path/to/extra/binary"],
    },
  },
};

Additional Information

binaries has been omitted since the OsxSignOptions type was introduced in a2a3ae5


welcome bot commented May 13, 2024

👋 Thanks for opening your first issue here! If you have a question about using Electron Packager, read the support docs. If you're reporting a 🐞 bug, please make sure you include steps to reproduce it. Development and issue triage is community-driven, so please be patient and we will get back to you as soon as we can.

To help make it easier for us to investigate your issue, please follow the contributing guidelines.

@tniezurawski

Up. The type explicitly omits the binaries:

image

In another place, the docs say something different:

image

I can't find it in the code but is binaries stripped somewhere? Even if I defined that array, I see in the logs (running DEBUG=electron-osx-sign* yarn electron-forge make --arch=universal) that it is not supplied:

2024-07-18T15:02:12.807Z electron-osx-sign Signing application... 
 > Application: /var/folders/6g/_ypptv3n2fs80_zc0xz8p1d40000gn/T/electron-packager/tmp-FbK8DD/[REDACTED].app 
 > Platform: darwin 
 > Additional binaries: undefined <--- HERE
 > Identity: ***

@voldemortensen Did you have any luck with this?


tniezurawski commented Jul 19, 2024

For posterity.
I had problems with node-hid binaries. After a long investigation I found they were not signed and as shown on the screenshot from logs above, specifying osxSign.binaries didn't work. Somehow binaries are not passed to @electron/osx-sign as the type suggests. I did try to find where it happens in the source code but failed.

Anyway, I was able to sign the native binaries during the afterCopy hook:

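// Modules the hook uses (CommonJS form; use the equivalent imports in an ES module or TypeScript config)
const { execSync } = require('child_process');
const fs = require('fs');
const path = require('path');

const forgeConfig = {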
  packagerConfig: {
    afterCopy: [
      (buildPath, electronVersion, platform, arch, callback) => {
        try {
          console.log('Build path:', buildPath);

          // Only run signing on macOS
          if (platform === 'darwin') {
            const binaries = [];

            if (arch === 'x64' || arch === 'universal') {
              binaries.push(
                path.join(
                  buildPath,
                  'node_modules/node-hid/bin/darwin-x64-123/node-hid.node',
                ),
                path.join(
                  buildPath,
                  'node_modules/node-hid/prebuilds/HID-darwin-x64/node-napi-v3.node',
                ),
              );
            }

            if (arch === 'arm64' || arch === 'universal') {
              binaries.push(
                path.join(
                  buildPath,
                  'node_modules/node-hid/bin/darwin-arm64-123/node-hid.node',
                ),
                path.join(
                  buildPath,
                  'node_modules/node-hid/prebuilds/HID-darwin-arm64/node-napi-v3.node',
                ),
              );
            }

            binaries.push(
              path.join(
                buildPath,
                'node_modules/node-hid/build/Release/HID.node',
              ),
            );

            binaries.forEach((binaryPath) => {
              if (fs.existsSync(binaryPath)) {
                console.log(`Signing binary: ${binaryPath}`);
                execSync(
                  `codesign --deep --force --verbose --sign "${process.env.SIGNING_IDENTITY}" "${binaryPath}"`,
                  {
                    stdio: 'inherit',
                  },
                );
              } else {
                console.error(`Binary not found: ${binaryPath}`);
              }
            });
          }

          callback();
        } catch (error) {
          callback(error);
        }
      },
    ],
  },
};

It still feels to me that I'm doing something wrong here 🙈 but at least that works. Otherwise, I was getting an error like this:

not valid for use in process: mapping process and mapped file (non-platform) have different Team IDs

while interacting with node-hid in the app. The reality wasn't that the Team IDs were different. It's the node-hid binaries that were not signed at all.
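
A variation on the afterCopy workaround above, as an added example that is not part of the thread or of Electron Packager: it discovers every `.node` file under the build's `node_modules` instead of hard-coding paths, calls codesign through an argument array rather than a shell string, and verifies each signature so an unsigned addon fails the build. The function names, the sample tree and the identity string are constructed for illustration; `--deep` is left out because each addon is signed as a single file.

```javascript
// Added example (not from the thread). Names, paths and the sample tree are constructed.
const { execFileSync } = require('node:child_process');
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Recursively collect every native addon (*.node) under `dir`, sorted for stable output.
function findNativeAddons(dir) {
  const found = [];
  for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
    const full = path.join(dir, entry.name);
    if (entry.isSymbolicLink()) continue; // do not follow links out of the build tree
    if (entry.isDirectory()) found.push(...findNativeAddons(full));
    else if (entry.isFile() && entry.name.endsWith('.node')) found.push(full);
  }
  return found.sort();
}

// Sign, then verify, each addon. `run` is injectable so the logic can be exercised off macOS.
function signNativeAddons(buildPath, identity, run = execFileSync) {
  if (!identity) throw new Error('SIGNING_IDENTITY is not set');
  const addons = findNativeAddons(path.join(buildPath, 'node_modules'));
  for (const file of addons) {
    // Argument array, no shell: identity and path are never parsed as shell text.
    run('codesign', ['--force', '--verbose', '--sign', identity, file], { stdio: 'inherit' });
    // codesign exits non-zero on an invalid signature, so execFileSync throws and the build stops.
    run('codesign', ['--verify', '--strict', file], { stdio: 'inherit' });
  }
  return addons;
}

// Constructed demo tree, with a stub runner that records calls instead of invoking codesign.
function demo() {
  const buildPath = fs.mkdtempSync(path.join(os.tmpdir(), 'sign-demo-'));
  const rel = ['node_modules/node-hid/build/Release/HID.node',
    'node_modules/node-hid/prebuilds/HID-darwin-arm64/node-napi-v3.node',
    'node_modules/node-hid/package.json'];
  for (const r of rel) {
    fs.mkdirSync(path.join(buildPath, path.dirname(r)), { recursive: true });
    fs.writeFileSync(path.join(buildPath, r), '');
  }
  const calls = [];
  const signed = signNativeAddons(buildPath, 'Developer ID Application: Example (TEAMID1234)',
    (cmd, args) => calls.push([cmd, ...args]));
  fs.rmSync(buildPath, { recursive: true, force: true });
  return { signed: signed.map((f) => path.relative(buildPath, f)), calls };
}
```

Inside the hook, the darwin branch would call `signNativeAddons(buildPath, process.env.SIGNING_IDENTITY)` within the existing try block, so a thrown error reaches `callback(error)`.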


sbalay commented Nov 5, 2024

@tniezurawski Thanks for sharing! This solution was super helpful. I agree though that it feels like there's something wrong... feels like the tool should support this feature and I'm missing some configuration.

Did you have any trouble with this approach? Did you find a better alternative?

btw, this is the place where binaries is stripped: https://github.com/electron/packager/blob/main/src/mac.ts#L478
here's the issue with more context about that decision: #285 (comment)
