From 1a92e122c766969c6bcb2fd0775bd32d2c4bafc1 Mon Sep 17 00:00:00 2001 From: NeoPlays <80448387+NeoPlays@users.noreply.github.com> Date: Mon, 18 May 2026 13:48:35 +0200 Subject: [PATCH 1/3] FIX: macos build --- launcher/afterPackMac.js | 23 +++++++++++++++++++++++ launcher/vue.config.js | 16 ++++++++++++++-- 2 files changed, 37 insertions(+), 2 deletions(-) create mode 100644 launcher/afterPackMac.js diff --git a/launcher/afterPackMac.js b/launcher/afterPackMac.js new file mode 100644 index 000000000..edde54049 --- /dev/null +++ b/launcher/afterPackMac.js @@ -0,0 +1,23 @@ +const { execSync } = require("child_process"); +const path = require("path"); + +// electron-builder v26 no longer re-signs bundled frameworks when no certificate is +// provided. The Electron Framework ships pre-signed with the Electron project's Apple +// Team ID, causing macOS 26+ to reject the load because the main executable has no +// Team ID. Re-sign everything with ad-hoc ("-") so all binaries share a consistent +// (empty) Team ID and dyld's validation passes. +exports.default = async function afterPackMac(context) { + if (context.electronPlatformName !== "darwin") return; + + const appPath = path.join( + context.appOutDir, + `${context.packager.appInfo.productFilename}.app` + ); + + console.log(`[afterPackMac] Ad-hoc re-signing for macOS 26+ Team ID compatibility:`); + console.log(`[afterPackMac] ${appPath}`); + + execSync(`codesign --force --deep --sign - "${appPath}"`, { stdio: "inherit" }); + + console.log(`[afterPackMac] Done.`); +}; diff --git a/launcher/vue.config.js b/launcher/vue.config.js index ffaaeab85..614bb89ea 100755 --- a/launcher/vue.config.js +++ b/launcher/vue.config.js @@ -1,4 +1,5 @@ const shouldNotarize = process.env.NOTARIZE === "true"; +const isSigned = process.env.CSC_IDENTITY_AUTO_DISCOVERY !== "false"; module.exports = { parallel: false, pluginOptions: { @@ -12,6 +13,7 @@ module.exports = { appId: "com.stereum.launcher", productName: "Stereum-Launcher", ...(shouldNotarize ? { afterSign: "@sapien99/vue-cli-plugin-electron-builder-notarize" } : {}), + ...(!isSigned ? { afterPack: "./afterPackMac.js" } : {}), buildDependenciesFromSource: false, nodeGypRebuild: false, npmRebuild: false, @@ -27,8 +29,18 @@ module.exports = { artifactName: "Stereum-Launcher-${version}.${ext}", }, mac: { - hardenedRuntime: true, - entitlements: "./node_modules/@sapien99/vue-cli-plugin-electron-builder-notarize/entitlements.mac.inherit.plist", + // hardenedRuntime requires consistent Team IDs across all binaries; only enable + // when actually signing, otherwise the Electron Framework's pre-signed Team ID + // differs from the unsigned main binary and dyld refuses to load it (macOS 14.4+) + hardenedRuntime: isSigned, + ...(isSigned + ? { + entitlements: + "./node_modules/@sapien99/vue-cli-plugin-electron-builder-notarize/entitlements.mac.inherit.plist", + entitlementsInherit: + "./node_modules/@sapien99/vue-cli-plugin-electron-builder-notarize/entitlements.mac.inherit.plist", + } + : {}), gatekeeperAssess: false, artifactName: "Stereum-Launcher-${version}.${ext}", x64ArchFiles: "**/*.node", From cf552671bf17e362c4c731fa5e1a2b601b77bc44 Mon Sep 17 00:00:00 2001 From: NeoPlays <80448387+NeoPlays@users.noreply.github.com> Date: Mon, 18 May 2026 13:55:34 +0200 Subject: [PATCH 2/3] FIX: format --- launcher/afterPackMac.js | 5 +---- launcher/vue.config.js | 6 ++---- 2 files changed, 3 insertions(+), 8 deletions(-) diff --git a/launcher/afterPackMac.js b/launcher/afterPackMac.js index edde54049..24998ee14 100644 --- a/launcher/afterPackMac.js +++ b/launcher/afterPackMac.js @@ -9,10 +9,7 @@ const path = require("path"); exports.default = async function afterPackMac(context) { if (context.electronPlatformName !== "darwin") return; - const appPath = path.join( - context.appOutDir, - `${context.packager.appInfo.productFilename}.app` - ); + const appPath = path.join(context.appOutDir, `${context.packager.appInfo.productFilename}.app`); console.log(`[afterPackMac] Ad-hoc re-signing for macOS 26+ Team ID compatibility:`); console.log(`[afterPackMac] ${appPath}`); diff --git a/launcher/vue.config.js b/launcher/vue.config.js index 614bb89ea..4c6b236d2 100755 --- a/launcher/vue.config.js +++ b/launcher/vue.config.js @@ -35,10 +35,8 @@ module.exports = { hardenedRuntime: isSigned, ...(isSigned ? { - entitlements: - "./node_modules/@sapien99/vue-cli-plugin-electron-builder-notarize/entitlements.mac.inherit.plist", - entitlementsInherit: - "./node_modules/@sapien99/vue-cli-plugin-electron-builder-notarize/entitlements.mac.inherit.plist", + entitlements: "./node_modules/@sapien99/vue-cli-plugin-electron-builder-notarize/entitlements.mac.inherit.plist", + entitlementsInherit: "./node_modules/@sapien99/vue-cli-plugin-electron-builder-notarize/entitlements.mac.inherit.plist", } : {}), gatekeeperAssess: false, From 55ebf2037f7eafedd23a7231be0c36995ddeab50 Mon Sep 17 00:00:00 2001 From: NeoPlays <80448387+NeoPlays@users.noreply.github.com> Date: Mon, 18 May 2026 14:31:30 +0200 Subject: [PATCH 3/3] FIX: workflow build --- launcher/{afterPackMac.js => afterSignMac.js} | 14 ++++++++++---- launcher/vue.config.js | 7 +++++-- 2 files changed, 15 insertions(+), 6 deletions(-) rename launcher/{afterPackMac.js => afterSignMac.js} (54%) diff --git a/launcher/afterPackMac.js b/launcher/afterSignMac.js similarity index 54% rename from launcher/afterPackMac.js rename to launcher/afterSignMac.js index 24998ee14..91df3b4ce 100644 --- a/launcher/afterPackMac.js +++ b/launcher/afterSignMac.js @@ -6,15 +6,21 @@ const path = require("path"); // Team ID, causing macOS 26+ to reject the load because the main executable has no // Team ID. Re-sign everything with ad-hoc ("-") so all binaries share a consistent // (empty) Team ID and dyld's validation passes. -exports.default = async function afterPackMac(context) { +// +// This must be afterSign (not afterPack) for --universal builds: afterPack fires once +// per arch on the temporary per-arch outputs before @electron/universal merges them. +// Re-signing those temps makes CodeResources differ between architectures, causing the +// merge to fail with "non-binary files have different SHAs". afterSign fires once on +// the final merged universal .app, after the merge succeeds. +exports.default = async function afterSignMac(context) { if (context.electronPlatformName !== "darwin") return; const appPath = path.join(context.appOutDir, `${context.packager.appInfo.productFilename}.app`); - console.log(`[afterPackMac] Ad-hoc re-signing for macOS 26+ Team ID compatibility:`); - console.log(`[afterPackMac] ${appPath}`); + console.log(`[afterSignMac] Ad-hoc re-signing for macOS 26+ Team ID compatibility:`); + console.log(`[afterSignMac] ${appPath}`); execSync(`codesign --force --deep --sign - "${appPath}"`, { stdio: "inherit" }); - console.log(`[afterPackMac] Done.`); + console.log(`[afterSignMac] Done.`); }; diff --git a/launcher/vue.config.js b/launcher/vue.config.js index 4c6b236d2..bef4fdf0f 100755 --- a/launcher/vue.config.js +++ b/launcher/vue.config.js @@ -12,8 +12,11 @@ module.exports = { }, appId: "com.stereum.launcher", productName: "Stereum-Launcher", - ...(shouldNotarize ? { afterSign: "@sapien99/vue-cli-plugin-electron-builder-notarize" } : {}), - ...(!isSigned ? { afterPack: "./afterPackMac.js" } : {}), + ...(shouldNotarize + ? { afterSign: "@sapien99/vue-cli-plugin-electron-builder-notarize" } + : !isSigned + ? { afterSign: "./afterSignMac.js" } + : {}), buildDependenciesFromSource: false, nodeGypRebuild: false, npmRebuild: false,