# Mac App Store Submission Guide

This guide provides information on:

* How to sign Electron apps on macOS;
* How to submit Electron apps to Mac App Store (MAS);
* The limitations of the MAS build.

## Requirements

To sign Electron apps, the following tools must be installed first:

* Xcode 11 or above.
* The [@electron/osx-sign][] npm module.

You also have to register an Apple Developer account and join the
[Apple Developer Program][developer-program].

## Sign Electron apps

Electron apps can be distributed through the Mac App Store or outside it. Each
route requires a different way of signing and testing. This guide focuses on
distribution via the Mac App Store.

The following steps describe how to get the certificates from Apple, how to sign
Electron apps, and how to test them.

### Get certificates

The simplest way to get signing certificates is to use Xcode:

1. Open Xcode and open "Accounts" preferences;
2. Sign in with your Apple account;
3. Select a team and click "Manage Certificates";
4. In the lower-left corner of the signing certificates sheet, click the Add
   button (+), and add the following certificates:
   * "Apple Development"
   * "Apple Distribution"

The "Apple Development" certificate is used to sign apps for development and
testing, on machines that have been registered on the Apple Developer website.
The method of registration is described in
[Prepare provisioning profile](#prepare-provisioning-profile).

Apps signed with the "Apple Development" certificate cannot be submitted to the
Mac App Store. For that purpose, apps must be signed with the "Apple
Distribution" certificate instead. But note that apps signed with the "Apple
Distribution" certificate cannot run directly; they must be re-signed by Apple
to be able to run, which is only possible after they have been downloaded from
the Mac App Store.

#### Other certificates

You may notice that there are also other kinds of certificates.

The "Developer ID Application" certificate is used to sign apps before
distributing them outside the Mac App Store.

The "Developer ID Installer" and "Mac Installer Distribution" certificates are
used to sign the Mac Installer Package instead of the app itself. Most Electron
apps do not use Mac Installer Package, so they are generally not needed.

The full list of certificate types can be found
[here](https://help.apple.com/xcode/mac/current/#/dev80c6204ec).

Apps signed with "Apple Development" and "Apple Distribution" certificates can
only run under [App Sandbox][app-sandboxing], so they must use the MAS build of
Electron. However, the "Developer ID Application" certificate does not have this
restriction, so apps signed with it can use either the normal build or the MAS
build of Electron.

#### Legacy certificate names

Apple has changed the names of its certificates over the past years. You might
encounter the old names when reading old documentation, and some utilities are
still using one of the old names.

* The "Apple Distribution" certificate was also named "3rd Party Mac
  Developer Application" and "Mac App Distribution".
* The "Apple Development" certificate was also named "Mac Developer" and
  "Development".

### Prepare provisioning profile

If you want to test your app on your local machine before submitting it to
the Mac App Store, you have to sign the app with the "Apple Development"
certificate, with the provisioning profile embedded in the app bundle.

To [create a provisioning profile](https://help.apple.com/developer-account/#/devf2eb157f8),
follow the steps below:

1. Open the "Certificates, Identifiers & Profiles" page on the
   [Apple Developer](https://developer.apple.com/account) website.
2. Add a new App ID for your app in the "Identifiers" page.
3. Register your local machine in the "Devices" page. You can find your
   machine's "Device ID" in the "Hardware" page of the "System Information" app.
4. Register a new Provisioning Profile in the "Profiles" page, and download it
   to `/path/to/yourapp.provisionprofile`.

### Enable Apple's App Sandbox

Apps submitted to the Mac App Store must run under Apple's
[App Sandbox][app-sandboxing], and only the MAS build of Electron can run with
the App Sandbox. The standard darwin build of Electron will fail to launch
when run under App Sandbox.

When you sign the app with `@electron/osx-sign`, it automatically adds the
necessary entitlements to your app's entitlements.

<details>
<summary>Extra steps without `electron-osx-sign`</summary>

If you are signing your app without using `@electron/osx-sign`, you must ensure
the app bundle's entitlements have at least the following keys:

```xml title='entitlements.plist'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.application-groups</key>
    <array>
      <string>TEAM_ID.your.bundle.id</string>
    </array>
  </dict>
</plist>
```

The `TEAM_ID` should be replaced with your Apple Developer account's Team ID,
and the `your.bundle.id` should be replaced with the App ID of the app.

The following entitlements must be added to the binaries and helpers in
the app's bundle:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.inherit</key>
    <true/>
  </dict>
</plist>
```

The app bundle's `Info.plist` must also include the `ElectronTeamID` key, which
has your Apple Developer account's Team ID as its value:

```xml
<plist version="1.0">
<dict>
  ...
  <key>ElectronTeamID</key>
  <string>TEAM_ID</string>
</dict>
</plist>
```

When using `@electron/osx-sign`, the `ElectronTeamID` key will be added
automatically by extracting the Team ID from the certificate's name. You may
need to manually add this key if `@electron/osx-sign` could not find the correct
Team ID.
</details>

### Sign apps for development

To sign an app that can run on your development machine, you must sign it with
the "Apple Development" certificate and pass the provisioning profile to
`@electron/osx-sign`.

```js @ts-nocheck
const { signAsync } = require('@electron/osx-sign')

signAsync({
  app: '/path/to/your.app',
  identity: 'Apple Development',
  provisioningProfile: '/path/to/your.provisionprofile'
})
```

If you are signing without `@electron/osx-sign`, you must place the provisioning
profile at `YourApp.app/Contents/embedded.provisionprofile`.

The signed app can only run on the machines registered in the provisioning
profile, and this is the only way to test the signed app before submitting to
the Mac App Store.

### Sign apps for submitting to the Mac App Store

To sign an app that will be submitted to the Mac App Store, you must sign it
with the "Apple Distribution" certificate. Note that apps signed with this
certificate will not run anywhere unless they are downloaded from the Mac App
Store.

```js @ts-nocheck
const { signAsync } = require('@electron/osx-sign')

signAsync({
  app: 'path/to/your.app',
  identity: 'Apple Distribution'
})
```

## Submit apps to the Mac App Store

After signing the app with the "Apple Distribution" certificate, you can
continue to submit it to the Mac App Store.

However, this guide does not ensure your app will be approved by Apple; you
still need to read Apple's [Submitting Your App][submitting-your-app] guide on
how to meet the Mac App Store requirements.

### Upload

[Apple Transporter][apple-transporter] should be used to upload the signed app to App Store
Connect for processing, making sure you have [created a record][create-record]
before uploading.

If you see errors such as private API usage, check that the app is using the
MAS build of Electron.

### Submit for review

After uploading, you should [submit your app for review][submit-for-review].

## Limitations of MAS Build

In order to satisfy all requirements for app sandboxing, the following modules
have been disabled in the MAS build:

* `crashReporter`
* `autoUpdater`

and the following behaviors have been changed:

* Video capture may not work for some machines.
* Certain accessibility features may not work.
* Apps will not be aware of DNS changes.

Also, due to the usage of app sandboxing, the resources which can be accessed by
the app are strictly limited; you can read [App Sandboxing][app-sandboxing] for
more information.

### Additional entitlements

Every app running under the App Sandbox runs with a limited set of permissions,
which limits potential damage from malicious code.
Depending on which Electron APIs your app uses, you may need to add additional
entitlements to your app's entitlements file. Otherwise, the App Sandbox may
prevent you from using them.

Entitlements are specified using a file in a format such as property list
(`.plist`) or XML. You must provide an entitlement file for the application
bundle itself and a child entitlement file, which basically describes an
inheritance of properties and is specified for all other enclosed executable
files such as binaries, frameworks (`.framework`), and dynamically linked
libraries (`.dylib`).

A full list of entitlements is available in the [App Sandbox][app-sandboxing]
documentation, but below are a few entitlements you might need for your
MAS app.

With `@electron/osx-sign`, you can set custom entitlements per file as follows:

```js @ts-nocheck
const { signAsync } = require('@electron/osx-sign')

function getEntitlementsForFile (filePath) {
  if (filePath.startsWith('my-path-1')) {
    return './my-path-1.plist'
  } else {
    return './alternate.plist'
  }
}

signAsync({
  // The app bundle to sign (placeholder path).
  app: '/path/to/your.app',
  optionsForFile: (filePath) => ({
    // Ensure you return the right entitlements path here based on the file being signed.
    entitlements: getEntitlementsForFile(filePath)
  })
})
```

#### Network access

Enable outgoing network connections to allow your app to connect to a server:

```xml
<key>com.apple.security.network.client</key>
<true/>
```

Enable incoming network connections to allow your app to open a network
listening socket:

```xml
<key>com.apple.security.network.server</key>
<true/>
```

See the [Enabling Network Access documentation][network-access] for more
details.

#### dialog.showOpenDialog

```xml
<key>com.apple.security.files.user-selected.read-only</key>
<true/>
```

See the [Enabling User-Selected File Access documentation][user-selected] for
more details.

#### dialog.showSaveDialog

```xml
<key>com.apple.security.files.user-selected.read-write</key>
<true/>
```

See the [Enabling User-Selected File Access documentation][user-selected] for
more details.
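
A least-privilege check for the entitlements listed in this section, added here as an example (it is not part of Electron's documentation or tooling): it reads an entitlements plist, looks for `dialog.showOpenDialog` and `dialog.showSaveDialog` in the main-process source, and reports entitlements that are missing or granted without need. The function names, the sample plist and source, and having the caller declare network needs are assumptions of this example.

```javascript
// Entitlement keys from this guide, keyed by the API or capability that needs them.
const GUIDE_ENTITLEMENTS = {
  'network.client': 'com.apple.security.network.client',
  'network.server': 'com.apple.security.network.server',
  'dialog.showOpenDialog': 'com.apple.security.files.user-selected.read-only',
  'dialog.showSaveDialog': 'com.apple.security.files.user-selected.read-write',
};

// Collect boolean entitlements set to <true/>; other value types are ignored.
function enabledEntitlements(plistXml) {
  const xml = plistXml.replace(/<!--[\s\S]*?-->/g, ''); // skip commented-out keys
  const enabled = new Set();
  for (const m of xml.matchAll(/<key>([^<]+)<\/key>\s*<(true|false)\s*\/>/g)) {
    if (m[2] === 'true') enabled.add(m[1].trim());
  }
  return enabled;
}

// dialog.* use is found by scanning the source text. Network needs cannot be
// detected reliably that way, so the caller declares them (example's assumption).
function auditEntitlements(plistXml, mainSource, declaredNetwork = []) {
  const enabled = enabledEntitlements(plistXml);
  const needed = new Set();
  for (const name of declaredNetwork) {
    const known = name.startsWith('network.') && GUIDE_ENTITLEMENTS[name];
    if (!known) throw new Error(`unknown network capability: ${name}`);
    needed.add(known);
  }
  for (const api of ['dialog.showOpenDialog', 'dialog.showSaveDialog']) {
    if (mainSource.includes(api)) needed.add(GUIDE_ENTITLEMENTS[api]);
  }
  return {
    missing: [...needed].filter((key) => !enabled.has(key)).sort(),
    unneeded: Object.values(GUIDE_ENTITLEMENTS)
      .filter((key) => enabled.has(key) && !needed.has(key)).sort(),
  };
}

// Constructed sample inputs (not taken from a real app).
const SAMPLE_PLIST = `<plist version="1.0"><dict>
  <key>com.apple.security.app-sandbox</key><true/>
  <key>com.apple.security.network.client</key><true/>
  <key>com.apple.security.network.server</key><true/>
  <key>com.apple.security.files.user-selected.read-only</key><true/>
  <!-- <key>com.apple.security.files.user-selected.read-write</key><true/> -->
</dict></plist>`;
const SAMPLE_MAIN = `const { dialog } = require('electron')
dialog.showOpenDialog({ properties: ['openFile'] })
dialog.showSaveDialog({ defaultPath: 'report.txt' })`;
console.log(auditEntitlements(SAMPLE_PLIST, SAMPLE_MAIN, ['network.client']));
```

On the sample, the read-write entitlement is reported as missing because it is commented out, and `com.apple.security.network.server` is reported as unneeded because no listening socket was declared.
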
					
						

## Cryptographic Algorithms Used by Electron

Depending on the countries in which you are releasing your app, you may be
required to provide information on the cryptographic algorithms used in your
software. See the [encryption export compliance docs][export-compliance] for
more information.

Electron uses the following cryptographic algorithms:

* AES - [NIST SP 800-38A](https://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf), [NIST SP 800-38D](https://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf), [RFC 3394](https://www.ietf.org/rfc/rfc3394.txt)
* HMAC - [FIPS 198-1](https://csrc.nist.gov/publications/fips/fips198-1/FIPS-198-1_final.pdf)
* ECDSA - ANS X9.62–2005
* ECDH - ANS X9.63–2001
* HKDF - [NIST SP 800-56C](https://csrc.nist.gov/publications/nistpubs/800-56C/SP-800-56C.pdf)
* PBKDF2 - [RFC 2898](https://tools.ietf.org/html/rfc2898)
* RSA - [RFC 3447](https://www.ietf.org/rfc/rfc3447)
* SHA - [FIPS 180-4](https://csrc.nist.gov/publications/fips/fips180-4/fips-180-4.pdf)
* Blowfish - https://www.schneier.com/cryptography/blowfish/
* CAST - [RFC 2144](https://tools.ietf.org/html/rfc2144), [RFC 2612](https://tools.ietf.org/html/rfc2612)
* DES - [FIPS 46-3](https://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf)
* DH - [RFC 2631](https://tools.ietf.org/html/rfc2631)
* DSA - [ANSI X9.30](https://webstore.ansi.org/RecordDetail.aspx?sku=ANSI+X9.30-1%3A1997)
* EC - [SEC 1](https://www.secg.org/sec1-v2.pdf)
* IDEA - "On the Design and Security of Block Ciphers" book by X. Lai
* MD2 - [RFC 1319](https://tools.ietf.org/html/rfc1319)
* MD4 - [RFC 6150](https://tools.ietf.org/html/rfc6150)
* MD5 - [RFC 1321](https://tools.ietf.org/html/rfc1321)
* MDC2 - [ISO/IEC 10118-2](https://wiki.openssl.org/index.php/Manual:Mdc2(3))
* RC2 - [RFC 2268](https://tools.ietf.org/html/rfc2268)
* RC4 - [RFC 4345](https://tools.ietf.org/html/rfc4345)
* RC5 - https://people.csail.mit.edu/rivest/Rivest-rc5rev.pdf
* RIPEMD - [ISO/IEC 10118-3](https://webstore.ansi.org/RecordDetail.aspx?sku=ISO%2FIEC%2010118-3:2004)

[developer-program]: https://developer.apple.com/support/compare-memberships/
[@electron/osx-sign]: https://github.com/electron/osx-sign
[app-sandboxing]: https://developer.apple.com/documentation/security/app_sandbox
[submitting-your-app]: https://help.apple.com/xcode/mac/current/#/dev067853c94
[create-record]: https://developer.apple.com/help/app-store-connect/create-an-app-record/add-a-new-app
[apple-transporter]: https://help.apple.com/itc/transporteruserguide/en.lproj/static.html
[submit-for-review]: https://developer.apple.com/help/app-store-connect/manage-submissions-to-app-review/submit-for-review
[export-compliance]: https://help.apple.com/app-store-connect/#/devc3f64248f
[user-selected]: https://developer.apple.com/library/mac/documentation/Miscellaneous/Reference/EntitlementKeyReference/Chapters/EnablingAppSandbox.html#//apple_ref/doc/uid/TP40011195-CH4-SW6
[network-access]: https://developer.apple.com/library/ios/documentation/Miscellaneous/Reference/EntitlementKeyReference/Chapters/EnablingAppSandbox.html#//apple_ref/doc/uid/TP40011195-CH4-SW9