Hi,
I built an Electron app that uses puppeteer-cluster to open a bundled version of Chrome. Everything works before packaging/signing with electron builder. Transporter does not report any issues and the app opens in TestFlight.
- the Chrome.app is signed separately before running builder
- hardenedRuntime = false
However, a permission error occurs when cluster attempts to launch Chrome:
Error: Unable to launch browser, error message: Failed to launch the browser process!
[0601/152740.225314:ERROR:bootstrap.cc(65)] bootstrap_check_in org.chromium.crashpad.child_port_handshake.9915.63117.BUEXLMXFWPLCEONM: Permission denied (1100)
[0601/152740.226091:ERROR:file_io.cc(94)] ReadExactly: expected 4, observed 0
[0601/152740.229808:ERROR:bootstrap.cc(65)] bootstrap_check_in org.chromium.crashpad.child_port_handshake.9913.63115.VVKELOQUCWUYPFMQ: Permission denied (1100)
[0601/152740.230244:ERROR:file_io.cc(94)] ReadExactly: expected 4, observed 0
[9911:45571:0601/152740.506968:ERROR:named_platform_channel_mac.cc(44)] bootstrap_check_in com.google.chrome.for.testing.apps.52995c87946bbcc94fc9a27df1478a13: Permission denied (1100)
[9911:62467:0601/152740.507564:FATAL:mach_port_rendezvous.cc(281)] Check failed: kr == KERN_SUCCESS. bootstrap_check_in com.google.chrome.for.testing.MachPortRendezvousServer.9911: Permission denied (1100)
at Cluster.<anonymous> (/Applications/MyApp.app/Contents/Resources/app.asar/node_modules/puppeteer-cluster/dist/Cluster.js:119:23)
at Generator.throw (<anonymous>)
at rejected (/Applications/MyApp.app/Contents/Resources/app.asar/node_modules/puppeteer-cluster/dist/Cluster.js:6:65)
at process.processTicksAndRejections (node:internal/process/task_queues:105:5)
I'm wondering if it's an issue with entitlements, or something more.
The entitlements.mas.plist (aside from identifiers):
<key>com.apple.security.app-sandbox</key> <true/>
<key>com.apple.security.cs.allow-jit</key> <true/>
<key>com.apple.security.cs.allow-unsigned-executable-memory</key> <true/>
<key>com.apple.security.cs.allow-dyld-environment-variables</key> <true/>
<key>com.apple.security.network.client</key> <true/>
<key>com.apple.security.network.server</key> <true/>
<key>com.apple.security.files.user-selected.read-write</key> <true/>
<key>com.apple.security.cs.disable-executable-page-protection</key> <true/>
<key>com.apple.security.files.user-selected.executable</key> <true/>
I've spent many hours searching for a solution. Any help or insight would be greatly appreciated.
Unfortunately I don’t have an easy answer for you here. This error is coming from deep within the third-party code that you’re using. There are two ways you can approach that:
- Debug it yourself.
- Escalate it via the support channel for that code.
Either way, I have some hints below. Even if you don’t try to debug this yourself, these hints might be good search engine fodder.
If I had to guess, I’d say that the code is using Mach messaging and it’s failing when you sandbox the app. The App Sandbox limits your app’s usage of Mach messaging. While you’re able to access many system services, any custom service name must be a ‘child’ of an app group. The App Groups Entitlement docs explain that.
Note I have a lot more info about app groups in App Groups: macOS vs iOS: Working Towards Harmony.
A good diagnostic here is to create a Development-signed but sandboxed version of your app. If that fails in this way, but the Development-signed unsandboxed version works, that’s strong evidence that sandboxing is the issue.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
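An added example, not part of either post above and not code from Chromium, Puppeteer or Apple: a Node.js check that pulls the Mach service names rejected by `bootstrap_check_in` out of the question's log and tests each against the app groups declared in an entitlements plist. It assumes that "child of an app group" means the service name starts with a group identifier followed by a period; `checkServices` and its helpers are hypothetical names.

```javascript
// Constructed input: the four failing lines copied from the log in the question.
const LOG = `
[0601/152740.225314:ERROR:bootstrap.cc(65)] bootstrap_check_in org.chromium.crashpad.child_port_handshake.9915.63117.BUEXLMXFWPLCEONM: Permission denied (1100)
[0601/152740.229808:ERROR:bootstrap.cc(65)] bootstrap_check_in org.chromium.crashpad.child_port_handshake.9913.63115.VVKELOQUCWUYPFMQ: Permission denied (1100)
[9911:45571:0601/152740.506968:ERROR:named_platform_channel_mac.cc(44)] bootstrap_check_in com.google.chrome.for.testing.apps.52995c87946bbcc94fc9a27df1478a13: Permission denied (1100)
[9911:62467:0601/152740.507564:FATAL:mach_port_rendezvous.cc(281)] Check failed: kr == KERN_SUCCESS. bootstrap_check_in com.google.chrome.for.testing.MachPortRendezvousServer.9911: Permission denied (1100)
`;
// Constructed input: two of the posted entitlements. The posted plist lists no app group.
const ENTITLEMENTS = `
<key>com.apple.security.app-sandbox</key> <true/>
<key>com.apple.security.network.client</key> <true/>
`;

// Unique service names whose registration failed with "Permission denied (1100)".
function deniedMachServices(log) {
  const re = /bootstrap_check_in\s+(\S+?):\s+Permission denied \(1100\)/g;
  return [...new Set([...log.matchAll(re)].map((m) => m[1]))];
}

// Strings in the array under com.apple.security.application-groups, or [] if absent.
function appGroups(plistXml) {
  const m = plistXml.match(
    /<key>com\.apple\.security\.application-groups<\/key>\s*<array>([\s\S]*?)<\/array>/
  );
  if (!m) return [];
  return [...m[1].matchAll(/<string>([^<]+)<\/string>/g)].map((s) => s[1].trim());
}

// For each denied name, report the app group it is a child of (assumed rule:
// name begins with "<group id>."), or null when no declared group covers it.
function checkServices(log, plistXml) {
  const groups = appGroups(plistXml);
  return deniedMachServices(log).map((name) => ({
    name,
    group: groups.find((g) => name.startsWith(g + ".")) || null,
  }));
}

for (const r of checkServices(LOG, ENTITLEMENTS)) {
  console.log(r.group ? "covered" : "blocked", r.name, r.group ?? "(no matching app group)");
}
```

With the posted entitlements every name is reported as blocked, which is consistent with the sandbox being the cause and is what the Development-signed sandboxed versus unsandboxed comparison would confirm.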