I’ve got no idea what to try now. The .app signs and verifies fine (using Developer ID, using the 3rd Party Mac Developer certs doesn’t work at all) but I can’t package it. I mean, I can, but spctl fails to verify it with any of the identities. I’ve tried using productbuild --sign, productbuild without the signing, then signing with productsign, all seem to create the pkg without error, but then fail spctl verification. The pkg will even run, and install, on a test Mac, but the install will finish (with no errors, application successfully installed it says) and the app won’t actually be in the /Applications directory. When it was signed (but failed the spctl -a -v --type install) it would install the app, I could load it up and the result would be a blank window, but no errors in the console.
So then I tried creating a project with Xcode, because maybe those tools will give me some useful errors. I put the newly created project in the same folder with my signed .app, then ran the Archive process. This finds my .app, tells me that there are no entitlements in it (and that the executable should be sandboxed), and that it’s missing the 2x icns file. It then of course tells me that the process has failed, due to a general error. So no help there.
The installer was failing as I didn’t have the Developer ID Installer cert installed. So, I go back to the developer.apple.com page, request the cert, download that, add it to the keychain, and lo and behold, I can run productbuild with the --sign option, and spctl is happy - output is myapp.pkg: accepted source=Developer ID. Double click the pkg on my test machine, and it installs. Or claims to. Says the program was successfully installed, but nothing added to the Applications directory. sigh. Okay, let’s try again. productbuild, this time without the --sign option, let’s use productsign to do that. Pkg created, signed, send it over to test machine, amazing - the app is now actually installed. Let’s load it up. Blank screen. Console has no errors. Well this is peculiar. Let’s try something, let’s tar this up and check if it’s still signed properly after the install. Hm, errors during the tar. I don’t have permission to access files. The installer wanted me to type in a password when installing, and looks like all the files are owned by root. chgrp to admin, and the app works. Looks like Electron will just sit there and not spit out any errors if it can’t access the files.
chmod -R 755 on the app files (prior to packaging them) addresses the file permissions, at least.
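
A pre-packaging check for the permission problem described above, as an added example that is not part of the original post. It lists bundle entries that an ordinary account could not read once the installer has written them as root; the function names and the Sample.app layout are constructed for illustration.

```shell
#!/bin/sh
# Added example: check an .app bundle's mode bits before running productbuild.
# An installer that asks for a password writes the payload as root, so any
# entry lacking "other" access becomes unreadable to the logged-in user.

# find_unreadable APP_DIR
# Prints each offending path. Returns 0 if none, 1 if any, 2 on bad input.
find_unreadable() {
    app=$1
    [ -d "$app" ] || { echo "not a directory: $app" >&2; return 2; }
    # Directories need r+x for "other" (-005); regular files need r (-004).
    bad=$(find "$app" \( -type d ! -perm -005 \) -o \( -type f ! -perm -004 \))
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# fix_permissions APP_DIR
# Applies the fix the post settled on: chmod -R 755 before packaging.
fix_permissions() {
    chmod -R 755 "$1"
}

# demo: builds a constructed sample bundle (hypothetical file names), breaks
# two entries, and echoes "<offenders before fix> <offenders after fix>".
demo() {
    tmp=$(mktemp -d) || return 2
    app="$tmp/Sample.app"
    mkdir -p "$app/Contents/MacOS" "$app/Contents/Resources"
    : > "$app/Contents/MacOS/sample"
    : > "$app/Contents/Resources/app.asar"
    chmod -R 755 "$app"                           # known-good baseline
    chmod 700 "$app/Contents/Resources"           # directory not traversable
    chmod 600 "$app/Contents/Resources/app.asar"  # file not readable
    before=$(find_unreadable "$app" | wc -l | tr -d ' ')
    fix_permissions "$app"
    after=$(find_unreadable "$app" | wc -l | tr -d ' ')
    rm -rf "$tmp"
    echo "$before $after"
}
```

Calling find_unreadable on the real bundle before packaging and stopping on a non-zero return surfaces the problem at build time instead of as a blank window on the test machine.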