Autoupdater fails on MacOS X

[dafivius]

• Version: 3.0.3

• Electron updater: 3.1.2

• Target: mas

Updated to the latest version of Electron. Everything build and publishing good. We are using amazon s3 provider. Files are available.
But when i'm trying to update an application (it downloads it but can't install) - getting following error:
Error: The resource could not be loaded because the App Transport Security policy requires the use of a secure connection. at /Applications/Our.app/Contents/Resources/app.asar/node_modules/graceful-fs/polyfills.js:287:18 at FSReqWrap.oncomplete (fs.js:183:5) From previous event: at Object.done (/Applications/Our.app/Contents/Resources/app.asar/node_modules/electron-updater/src/MacUpdater.ts:46:11) at /Applications/Our.app/Contents/Resources/app.asar/node_modules/electron-updater/src/AppUpdater.ts:530:25 at Generator.next (<anonymous>) at runCallback (timers.js:696:18) at tryOnImmediate (timers.js:667:5) at processImmediate (timers.js:649:5) at process.topLevelDomainCallback (domain.js:121:23)
...

It was OK on version 1.8.* but i can't migrate to 3.0.3 because of that issue. What can i do with it? Thanks.

[framerate]

I'm having this too. I'm building and failing update on Majave but both users that reported errors updating are on Sierra and High Sierra :(

[gseregni]

Adding this to package.json helps with the nsapp error

"extendInfo": {
       "NSAppTransportSecurity": {
          "NSAllowsArbitraryLoads": true
        },
        "NSExceptionDomains": {
          "localhost": {
            "NSTemporaryExceptionAllowsInsecureHTTPSLoads": false,
            "NSIncludesSubdomains": false,
            "NSTemporaryExceptionAllowsInsecureHTTPLoads": true,
            "NSTemporaryExceptionMinimumTLSVersion": "1.0",
            "NSTemporaryExceptionRequiresForwardSecrecy": false
          }
        }
      }

[dafivius]

@gseregni it must be in old app or in new? Because in new app it doest have effect. But if old - how to update already installed apps? No way?

[gseregni]

@dafivius Unfortunately i think you have now way to update automatically the old app if you already shipped it with electron updater 3.1.2 and electron 3.

[gseregni]

@dafivius the problem may exists only on some OSX versions.. here at Pingendo we reverted back to electron 2

[dafivius]

@gseregni yep. Reverted back to 1.8, all ok. Making two versions of package json for macos and (linux/windows). No another idea yet. Need to keep working of app with existed users.

[gseregni]

@dafivius i think it's not possible to have autoupdater back to work for users already updated, unless they dont' install your app again.

[framerate]

Any official word on the cause anywhere yet?

[gseregni]

@develar any news here ?

[juliocesaroliveira]

@dafivius I was having this problem and I solved using the following versions:

electron: 3.0.5
electron-builder: 20.20.4
electron-updater: 2.23.3

package.json:

"mac": {
    "type": "distribution",
    "extendInfo": {
        "NSAppTransportSecurity": {
            "NSAllowsArbitraryLoads": true
        }
    },
    "target": [
        "zip"
    ]
}

[framerate]

@juliocesaroliveira That didn't seem to solve mine...

@develar - Can you at least fill us in on why there's no official word on this? Did we miss something in an update note or readme somewhere?

[dafivius]

@framerate no info. We decided to migrate to newest electron version with @juliocesaroliveira notes. Everything works fine yet.

[develar]

Please try next pre-release versions:

• electron-updater 3.2.1
• electron-builder 20.33.1

[develar]

Please never use "NSAllowsArbitraryLoads": true. electron-builder 20.33.0 adds localhost to NSExceptionDomains by default now, so, you don't need it at all. But if you want to be really sure, you can set "NSAllowsLocalNetworking": true (but please, please test without it, to ensure that electron-builder default configuration is valid).

[develar]

Apple Transport Security doesn't make sense for Electron applications because restrictions are not enforced to both NodeJS and Electron net API.

As Squirrel.Mac doesn't support file urls now, electron-updater forced to use proxy to pipe local file to Squirrel.Mac.

I decided to set "NSAllowsLocalNetworking": true in addition to NSExceptionDomains to make sure that ATS will not affect auto update.

[framerate]

Is this confirmed fix? I updated my versions according to @develar but latest version didn't patch again... Probably user error but I'd love confirmation from somebody.

[develar]

electron-builder 20.36.2 and electron-updater 4.0.4 are latest versions that were tested and proven to be working. If not, please provide steps to reproduce.

[framerate]

Awesome. I think I'm using versions posted above

Please try next pre-release versions:
electron-updater 3.2.1
electron-builder 20.33.1

I'll update this weekend and verify. Thanks!

[develar]

@framerate To clarify — I fixed one bug, then discovered another one, then added another improvement, then I decided to require Electron 3 (to simplify testing and to use new Electron features). That's why so many electron-updater versions recently :)

[framerate]

I appreciate your work! I have enough on my plate without having to make building and updating tools myself :)

[framerate]

@develar Not sure if this helps you or if it's just user error but I updated using electron-builder 20.36.2 and electron-updater 4.0.4 twice (so the version on my computer and the one on the server were built with the same version) but still doesn't update

Here's the end of the log . that looks "failed" if it helps.

I'm going to spend some time this week setting up a test update server to really dive deep. I haven't had one setup because updates have been rock solid for almost 2 years!

[develar]

Strange URL in your logs — do you really use electron-updater or native directly?

…

On Tuesday, November 20, 2018, Justin Reynard ***@***.***> wrote: @develar <https://github.com/develar> Not sure if this helps you or if it's just user error but I updated using electron-builder 20.36.2 and electron-updater 4.0.4 twice (so the version on my computer and the one on the server were built with the same version) but still doesn't update Here's the end of the log . that looks "failed" if it helps. [image: image] <https://user-images.githubusercontent.com/74291/48796428-74a46780-ecb4-11e8-9537-59b3add3abcf.png> I'm going to spend some time this week setting up a test update server to really dive deep. I haven't had one setup because updates have been rock solid for almost 2 years! — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#3377 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAVZ3kWaJ_crJEBgiuKfBsjeyKh1bc8pks5uxFOsgaJpZM4XVM0G> .

[framerate]

Hmm. Honestly that's a good question. I have it set up based on your read me files from about 2 years ago and have never had to change anything.

It worked perfectly through to electron 3.0 update.

I serve my updates through my CDN. Sounds like I may have to revisit my setup?

[framerate]

@develar thanks for pointing that out. I update to latest electron-updater and it works WAY better!

[alexdrimbe]

Please never use "NSAllowsArbitraryLoads": true. electron-builder 20.33.0 adds localhost to NSExceptionDomains by default now, so, you don't need it at all. But if you want to be really sure, you can set "NSAllowsLocalNetworking": true (but please, please test without it, to ensure that electron-builder default configuration is valid).

According to Apple documentation (https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Articles/CocoaKeys.html#//apple_ref/doc/uid/TP40009251-SW35) NSAllowsLocalNetworking is not available for macOS 10.12 and older.

The workaround for Supporting Older Operating Systems:
Version-specific ATS behavior: In a current operating system, the presence of a fine-grained transport security key (NSAllowsArbitraryLoadsForMedia, NSAllowsArbitraryLoadsInWebContent, or NSAllowsLocalNetworking) overrides the value of the NSAllowsArbitraryLoads key to NO. This allows you to set NSAllowsArbitraryLoads to YES if needed for your app in older operating systems, without disabling ATS generally in current operating systems.

[aguynamedben]

I think @alexdrimbe is right, also discussed at #3525 (comment)

[aguynamedben]

electron-builder 20.33.0 adds localhost to NSExceptionDomains by default now, so, you don't need ["NSAllowsArbitraryLoads": true] at all.

Apple docs:

However, this fine-grained control [NSAllowsLocalNetworking] is not available in older operating systems (iOS 10.0 and older, or macOS 10.12 and older). To maintain backward-compatibility when you use any of these keys, you must also set the value of the NSAllowsArbitraryLoads key to YES, taking advantage of its version-specific behavior.

https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Articles/CocoaKeys.html#//apple_ref/doc/uid/TP40009251-SW35

[develar]

@aguynamedben Thanks for donation, electron-builder 20.38.3 is released. 930dc8d

[aguynamedben]

👏🙏Thank you for the hard work on electron-builder. It's truly great.

[apurvaSynerzip]

@develar Can you provide stable versions of electron-builder and electron-updater to be used in order to get over this issue?

When I use

"electron-updater": "4.0.5"
"electron-builder": "20.38.3"

while building App I am getting
• signing file=dist/mac/Test App.app identityName=NYC, Inc. identityHash=7F34811EEF4215A5EBE21459CD8E8DB37D2E9488 provisioningProfile=none

Does this mean It is not signing the application?

[makeitcount]

I am facing the same issue, and neither it is fixed in latest version nor by using NSAllowsArbitraryLoads and NSExceptionDomains in plist

My download url is on http. I see the ATS error in logs

The resource could not be loaded because of the App Tranbsport Security Policy requires the use of secure connection

I change the plist via mac.extendInfo config.

"extendInfo": {
       "NSAppTransportSecurity": {
          "NSAllowsArbitraryLoads": true
        },
        "NSExceptionDomains": {
          "download.mydomain.com": {
            "NSTemporaryExceptionAllowsInsecureHTTPLoads": true,
            "NSTemporaryExceptionRequiresForwardSecrecy": false
          }
        }
      }

More info to debug

• I test the final executable contents/Info.plist, it's OK plutil /Applications/Myapp.app/Contents/Info.plist -> OK
• Versions: electron-builder@22.8.0, electron@9.x

[lichkessel]

@makeitcount If your app has been built with electron-builder and you use built-in autoUpdater (the one bundled in electron, not electron-updater) then soon you will get that NSAppTransportSecurity is not properly configured for allowing connections to external Http update endpoints (for electron prebuilts with macOS SDK 10.12+) due to the fact that NSAllowsArbitraryLoads and NSAllowsLocalNetworking are set to YES simultaneously, and that's, according to App Transport Security Reference resets NSAllowsArbitraryLoads to default value (NO).

You must explicitly define domains which are allowed to be requested via non-secure HTTP protocol.

"extendInfo": {
    "NSAppTransportSecurity" : {
      "NSExceptionDomains": {
        "your.domain": {
          "NSIncludesSubdomains": true,
          "NSExceptionAllowsInsecureHTTPLoads": true
        }
      }
    }
}

By the way, thank you, @develar , for your efforts on maintaining this project.