Using electron-forge, app signed with codesign fails to verify with spctl

First, I'm building an Electron app, using the node / electron tool chain, not Xcode (and not VSCode -- Terminal only.) I did have to download and start Xcode and click through the dialog boxes, else this process would fail with some missing tools (altool I think?) (So, for anyone else in the same boat, start there!) Running Monterey 12.1 on an Apple M1 Pro MacBook Pro, with OS and Xcode updates downloaded and updated yesterday to whatever was latest at the time.

I'm trying to get my .dmg (initial install) and .zip (update) files signed, so that the Electron auto-updater will install auto-updates, which doesn't work if the update isn't signed. Given that this build tooling is pretty deep, and I wrote none of it myself, I'm trying to distill the failure to a root cause, as follows.

This whole process fails, with a mysterious source=Unnotarized Developer ID error printed from spctl. I am not particularly well versed in how modern macOS notarization/signing works, but as far as I can tell, the process is as follows:

  • electron-builder (a node-based module/tool) builds the appropriate app folder in a temp location
  • electron-builder calls electron-osx-sign (another node-based module/tool)
  • electron-osx-sign calls codesign (an Apple-supplied tool) for each file in the folder
  • electron-osx-sign then attempts to verify that codesign worked, by using spctl (another Apple-supplied tool) to --assess the execution of the app
  • this spctl --assess invocation tells me that it's not executable, because source=Unnotarized Developer ID

And now I'm stuck. codesign does not print any error messages; it seems to work fine. The error message source=Unnotarized Developer ID from spctl is not documented anywhere I can find, so I can't figure out what I'm supposed to do to make this work. In fact, this error message is confusing, because the documentation says you're supposed to notarize applications, not developer IDs.

I have two concrete questions:

  1. Is electron-osx-sign missing doing something it should be doing? (See log pasted below)
  2. What does the mysterious, undocumented error source=Unnotarized Developer ID from spctl mean, and where should I look to follow that error backwards to a root cause I can fix?

Excerpts from the build logs, cutting out a bunch of similar codesign invocations that all seem the same (but for different files):

see answer below

Nothing like a public question to un-wedge the debugging muscle.

Debugging this some more, I found that I had not run with DEBUG=electron-notarizer, and turning that on, shows the following output:

```text
2021-12-23T19:09:25.522Z electron-notarize notarizing using the legacy notarization system, this will be slow

An unhandled rejection has occurred inside Forge:
Error: Failed to upload app to Apple's notarization servers

*** Error: Notarization failed for '/var/folders/w8/hsj6918d0fsb8hxb127hqgp00000gn/T/electron-notarize-JveOtm/CloudInstance.zip'.
*** Error: Unable to upload your app for notarization. Failed to get authorization for username 'jwatte@observeinc.com' and password. (
    "Error Domain=NSCocoaErrorDomain Code=0 \"Status code: 0\" UserInfo={NSLocalizedDescription=Status code: 0, NSLocalizedFailureReason=The auth server returned a bad status code.}"
) (-1011)
 {
    NSLocalizedDescription = "Unable to upload your app for notarization.";
    NSLocalizedFailureReason = "Failed to get authorization for username 'jwatte@observeinc.com' and password. (\n    \"Error Domain=NSCocoaErrorDomain Code=0 \\\"Status code: 0\\\" UserInfo={NSLocalizedDescription=Status code: 0, NSLocalizedFailureReason=The auth server returned a bad status code.}\"\n)";
}
```

Googling around for this, I find a mention in an article saying "Application Specific Password for your Developer account" https://scriptingosx.com/2021/07/notarize-a-command-line-tool-with-notarytool/

So, all the documentation for this process previously has suggested using my Apple ID password in the notarization config, but apparently that has now changed to be an application-specific password (OR this has been the case for a while, but been "so obvious" that none of the scarce details I've found online, related to electron-forge, have mentioned it -- although the key name is "appleIdPassword" ...)

This is somewhat documented on the electron-notarizer package page, but that's not linked to from any of the electron-forge pages, and the error messages you get when running here are not mentioned on that page, so googling finds nothing. Here's hoping that people in the future googling for "Unnotarized Developer ID" will find this thread, and the pointer to https://support.apple.com/en-us/HT204397 and https://github.com/electron/electron-notarize
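As an added illustration of the two failure points discussed in this thread (not code from the question or from electron-forge): a preflight check that the `appleIdPassword` handed to the notarizer is an Apple app-specific password rather than an account password, and a small classifier for the `accepted`/`rejected` plus `source=` lines that `spctl --assess` prints. The environment variable names and the sample spctl output are assumptions constructed for the example.

```javascript
// Added example, not part of the original post or of electron-forge.
// Apple app-specific passwords are 16 lowercase letters in four hyphenated groups.
const APP_SPECIFIC_PASSWORD = /^[a-z]{4}-[a-z]{4}-[a-z]{4}-[a-z]{4}$/;

// Returns a list of problems with an osxNotarize-style config; empty means it looks usable.
function checkNotarizeConfig(osxNotarize) {
  const problems = [];
  if (!osxNotarize || !osxNotarize.appleId) problems.push('appleId is missing');
  const pw = osxNotarize && osxNotarize.appleIdPassword;
  if (!pw) {
    problems.push('appleIdPassword is missing');
  } else if (!APP_SPECIFIC_PASSWORD.test(pw)) {
    // Supplying the Apple ID account password here is what produced the
    // "Failed to get authorization for username ... Status code: 0" upload error.
    problems.push('appleIdPassword is not an app-specific password (expected xxxx-xxxx-xxxx-xxxx)');
  }
  return problems;
}

// Interprets the verdict and source lines of `spctl --assess --type execute -vv App.app`.
function classifySpctl(output) {
  const verdict = /:\s*(accepted|rejected)/.exec(output);
  const source = /source=([^\n]+)/.exec(output);
  return {
    accepted: verdict ? verdict[1] === 'accepted' : false,
    source: source ? source[1].trim() : 'unknown',
    // Gatekeeper saw a valid Developer ID signature but no notarization ticket,
    // so codesign succeeding and spctl rejecting are both expected at this point.
    signedButNotNotarized: !!source && /^Unnotarized Developer ID/.test(source[1]),
  };
}

// Forge-style notarize fragment; credentials come from the environment (assumed variable names).
const forgeNotarizeConfig = {
  appleId: process.env.APPLE_ID,
  appleIdPassword: process.env.APPLE_APP_SPECIFIC_PASSWORD,
};

// Constructed sample output, matching the shape of the rejection seen in the question.
const SAMPLE_REJECTED = 'CloudInstance.app: rejected\nsource=Unnotarized Developer ID\n';

module.exports = { checkNotarizeConfig, classifySpctl, forgeNotarizeConfig, SAMPLE_REJECTED };
```

Running `checkNotarizeConfig(forgeNotarizeConfig)` before the build starts fails fast on the credential mistake instead of surfacing it as an opaque upload error after signing.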
