Asset validation failed (90284) Invalid Code Signing. The executable must be signed with the certificate that is contained in the provisioning profile

  • Electron-Builder Version: 24.12.0
  • Electron-Builder-notarize Version: 1.5.1
  • Node Version: v15.14.0
  • Electron Version: 11.3.0
  • Electron-updater version: ^4.3.5
  • Target: Mac Apple Store (mas)

Hello, I am trying to build and sign a new version of my electron app for the mac apple store (mas), but when I get to the final step of uploading the RenderTune.pkg file to the mac transporter app, I get a failed status with 22 errors all the same formatting like so:

Asset validation failed (90284)
Invalid Code Signing. The executable 'com.martinbarker.digifyunique.pkg/Payload/RenderTune.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/etc....dylib' must be signed with the certificate that is contained in the provisioning profile. (ID: abc-abc-abc-abc-abc)

In order to build and sign this RenderTune.pkg file, first I run the command npm run build-mas locally while on branch v1.1.5 ( code here )

Which runs the following command:

"build-mas": "electron-builder build --mac && sh signmasscript.sh",

So first it runs electron-builder build --mac and gives this output:

Martins-MacBook-Air:rendertune-v1.1.5-feb-24 martinbarker$ npm run build-mas

> rendertune@1.1.5 build-mas
> electron-builder build --mac && sh signmasscript.sh

  • electron-builder  version=24.12.0 os=20.6.0
  • loaded configuration  file=package.json ("build" field)
  • writing effective config  file=dist/builder-effective-config.yaml
  • packaging       platform=darwin arch=x64 electron=11.3.0 appOutDir=dist/mac
  • signing         file=dist/mac/RenderTune.app platform=darwin type=distribution identity=ACBACBACBACBACBACBACBACBACB provisioningProfile=none
  • skipped macOS notarization  reason=`notarize` options were not provided
  • building        target=DMG arch=x64 file=dist/RenderTune-mac.dmg
  • building        target=macOS zip arch=x64 file=dist/RenderTune-mac.zip
  • building block map  blockMapFile=dist/RenderTune-mac.dmg.blockmap
  • building block map  blockMapFile=dist/RenderTune-mac.zip.blockmap

Completes without issue. The next part is running the signmasscript.sh file, which does complete but gives these errors:

Failed to parse entitlements: AMFIUnserializeXML: syntax error near line 1
Failed to parse entitlements: AMFIUnserializeXML: syntax error near line 1
Failed to parse entitlements: AMFIUnserializeXML: syntax error near line 1
Failed to parse entitlements: AMFIUnserializeXML: syntax error near line 1
Failed to parse entitlements: AMFIUnserializeXML: syntax error near line 1
Failed to parse entitlements: AMFIUnserializeXML: syntax error near line 1
Failed to parse entitlements: AMFIUnserializeXML: syntax error near line 1
Failed to parse entitlements: AMFIUnserializeXML: syntax error near line 1
Failed to parse entitlements: AMFIUnserializeXML: syntax error near line 1
Failed to parse entitlements: AMFIUnserializeXML: syntax error near line 1
productbuild: Adding component at /Users/martinbarker/Documents/projects/rendertune-v1.1.5-feb-24/dist/mas/RenderTune.app
productbuild: Signing product with identity "3rd Party Mac Developer Installer: Martin Barker (LV6WXG529F)" from keychain /Users/martinbarker/Library/Keychains/login.keychain-db
productbuild: Adding certificate "Apple Worldwide Developer Relations Certification Authority"
productbuild: Adding certificate "Apple Root CA"
productbuild: Wrote product to /Users/martinbarker/Documents/projects/rendertune-v1.1.5-feb-24/RenderTune.pkg
productbuild: Supported OS versions: [10.10.0, )

The final output RenderTune.pkg file gives 22 error messages saying `` when I try to deliver it via the mac os transport app.

Asset validation failed (90284)
Invalid Code Signing. The executable must be signed with the certificate that is contained in the provisioning profile

Is my app even being signed correctly? Or is there just one file that I need to fix? Please help me out !

There are limits to how much I can help you with third-party tooling. I can explain what our system is complaining about, but if you need help fixing that I recommend that you raise this via the support channel for your tooling.

The error you’re getting is pretty clear once you understand what a provisioning profile does. I recommend that you read TN3125 Inside Code Signing: Provisioning Profiles. In short:

  1. Your tooling is embedding a provisioning profile for your app.

  2. That profile authorises a list of code-signing certificates.

  3. But your app is signed with a code-signing identity whose certificate is not on that list.


This is a serious concern:

Failed to parse entitlements: AMFIUnserializeXML: syntax error near line 1

It suggests that your tooling is passing an invalid entitlements file to codesign. I see that quite often with third-party tooling, which has a tendency to treat an entitlements file as text rather than as the complex structure it actually is. See Normalise the Entitlements Property List in Resolving Code Signing Crashes on Launch.

It’s possible that this error is the cause of your other error. If this error is causing to codesign to fail, and the tool you’re using doesn’t notice that failure, the copy of your app inside the installer package would still be signed with your development signing identity, which would trigger the App Store Connect failing you’re seeing when you submit it.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Thank you for the information! I think my embedded.provisionprofile file is not correct, and I'm trying to use XCode to generate a fresh new provisionprofile, but am running into an issue.

My Xcode macos project keeps giving me an error saying:

Provisioning profile "BRandNewMebedded" doesn't include signing certificate "Apple Distribution: Martin Barker (LV6WXG529F)".

When I download the Provisioning Profile file "BRandNewMebedded" from online, I make sure it has "Mac App Distribution" checked, but even if i edit it to use the first option "Distribution" and re-download it, my XCode keeps saying the same error in red.

Can you explain more about your overall goal here?

The reason I ask is that, in the vast majority of cases, it’s best to leave automatic code signing enabled for both the Debug and Release configurations. You then build an Xcode archive and re-sign for your target environment when exporting from the archive. However, I’m not sure if that’ll work for your setup, and hence my question.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

My overall goal is to release a new version ( v1.1.5 ) of my electron app on the mac apple store.

I've been able to release multiple version in the past couple years, currently my app is sitting at v1.1.4 in the mac apple store.

Usually when I try to package, sign, and release a new mac / mas build, there's some difficulty with making sure all the entitlements and provision profiles are up to date and correct, like what I'm experiencing now.

And with coming back to release a new version after long periods of time It's always a little rusty on figuring out how to correctly setup my keys/profiles/certs so that a mas build can get signed and uploaded through transporter successfully.

So maybe xcode isn't needed at all in my case, and I shouldn't be trying to generate a provisioning profile on that page like in my last screenshot. I just know I've gotten through this process before successfully and a trying to do it again, while taking better notes, so I can release more upcomming versions faster and without troubleshooting like this.

Even after some more attempts I'm still facing the transporter error

Asset validation failed (90284)
Invalid Code Signing. The executable must be signed with the certificate that is contained in the provisioning profile

Does this mean that maybe my file embedded.provisionprofile contains the wrong certificate? I did just generate a new MAS Developer Cert, but have been struggling trying to move past this issue.

My overall goal is to release a new version … of my electron app on the mac apple store.

There are two paths towards that goal:

  • Working solely within Xcode

  • Doing your own thing


If you’re working solely within Xcode, I recommend that you:

  1. Enable automatic code signing in your project for all (Debug and Release) build configurations. This signs your day-to-day builds with an Apple Development code-signing identity.

  2. Use Product > Archive to create your release build. The resulting archive will also be Apple Development signed.

  3. Use the Xcode organiser for distribution. This re-signs your app based on the distribution channel you choose.

I’m not sure if this approach is compatible with your third-party tooling. For a definitive answer to that question, you’ll have to escalate this via its support channel.


Things get trickier if you’re doing your own thing. My advice is that you follow the same basic workflow, that is:

  • Use Apple Development signing for day-to-day development.

  • And for your release builds.

  • And then re-sign that for distribution.

For specific advice on how to manually re-sign and and then package an app, see:

This is a very involved process, but I suspect that your third-party tooling has a script to help you with it. Again, I can’t advise you on that front, other than to recommend that you check that this script follows the rules described in the above-mentioned docs.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Asset validation failed (90284) Invalid Code Signing. The executable must be signed with the certificate that is contained in the provisioning profile
 
 
Q