Fix MAS: Remove App Groups entitlement

.github/workflows/release.yml

@@ -168,7 +168,49 @@ jobs:
           set -o pipefail
           # Build MAS package (notarization disabled by unsetting APPLE_API_KEY* vars above)
           npm run build:desktop:mas 2>&1 | tee /tmp/electron-builder-mas.log
-          exit ${PIPESTATUS[0]}
+          BUILD_EXIT=$?
+
+          # Verify and fix PKG signing if needed
+          PKG_FILE=$(find dist -name "*.pkg" -type f | head -1)
+          if [ -n "$PKG_FILE" ] && [ -f "$PKG_FILE" ]; then
+            echo "Checking PKG signature: $PKG_FILE"
+
+            # Check if PKG is signed with installer certificate
+            if ! pkgutil --check-signature "$PKG_FILE" 2>&1 | grep -q "3rd Party Mac Developer Installer"; then
+              echo "⚠️  PKG not signed with installer certificate, re-signing..."
+
+              # Find installer identity
+              INSTALLER_IDENTITY=$(security find-identity -v -p basic | grep "3rd Party Mac Developer Installer" | head -1 | sed 's/.*"\(.*\)".*/\1/')
+
+              if [ -n "$INSTALLER_IDENTITY" ]; then
+                echo "Found installer identity: $INSTALLER_IDENTITY"
+
+                # Re-sign the PKG with installer certificate
+                TEMP_PKG="${PKG_FILE}.temp"
+                productsign --sign "$INSTALLER_IDENTITY" "$PKG_FILE" "$TEMP_PKG"
+
+                if [ -f "$TEMP_PKG" ]; then
+                  mv "$TEMP_PKG" "$PKG_FILE"
+                  echo "✅ PKG re-signed with installer certificate"
+
+                  # Verify the signature
+                  pkgutil --check-signature "$PKG_FILE"
+                else
+                  echo "❌ Failed to re-sign PKG"
+                  exit 1
+                fi
+              else
+                echo "❌ Could not find 3rd Party Mac Developer Installer certificate"
+                exit 1
+              fi
+            else
+              echo "✅ PKG already signed with installer certificate"
+            fi
+          else
+            echo "⚠️  No PKG file found"
+          fi
+
+          exit $BUILD_EXIT
         env:
           # Enable signing for MAS builds (but NOT notarization)
           CI: true

desktop/entitlements.mas.plist

@@ -4,10 +4,6 @@
 <dict>
   <key>com.apple.security.app-sandbox</key>
   <true/>
-  <key>com.apple.security.application-groups</key>
-  <array>
-    <string>4MSL3T2696.com.iandmiller.visualtimer</string>
-  </array>
   <key>com.apple.security.network.client</key>
   <true/>
   <key>com.apple.security.files.user-selected.read-write</key>

package.json

@@ -70,7 +70,7 @@
     "mas": {
       "category": "public.app-category.productivity",
       "icon": "desktop/assets/icon.icns",
-      "hardenedRuntime": true,
+      "hardenedRuntime": false,
       "gatekeeperAssess": false,
       "entitlements": "desktop/entitlements.mas.plist",
       "entitlementsInherit": "desktop/entitlements.mas.inherit.plist",

scripts/fix-mas-icon.js

@@ -118,7 +118,8 @@ exports.default = async function(context) {
               const helperPath = path.join(helpersPath, helper);
               if (fs.statSync(helperPath).isFile() && !helper.endsWith('.plist')) {
                 try {
-                  execSync(`codesign --force --sign "${identity}" --entitlements "${entitlementsInherit}" --options runtime "${helperPath}"`, {
+                  // Don't use --options runtime for MAS builds (that's for Developer ID only)
+                  execSync(`codesign --force --sign "${identity}" --entitlements "${entitlementsInherit}" "${helperPath}"`, {
                     stdio: 'inherit'
                   });
                   console.log(`✅ Re-signed helper: ${helper}`);
@@ -133,8 +134,8 @@ exports.default = async function(context) {
           helperApps.sort((a, b) => b.split(path.sep).length - a.split(path.sep).length);
           for (const helperApp of helperApps) {
             try {
-              // Sign the helper app
-              execSync(`codesign --force --sign "${identity}" --entitlements "${entitlementsInherit}" --options runtime "${helperApp}"`, {
+              // Sign the helper app (no --options runtime for MAS builds)
+              execSync(`codesign --force --sign "${identity}" --entitlements "${entitlementsInherit}" "${helperApp}"`, {
                 stdio: 'inherit'
               });
 
@@ -154,25 +155,25 @@ exports.default = async function(context) {
           const electronFrameworkPath = path.join(frameworksPath, 'Electron Framework.framework');
           const electronFrameworkExecutable = path.join(electronFrameworkPath, 'Versions', 'A', 'Electron Framework');
           if (fs.existsSync(electronFrameworkExecutable)) {
-            // Sign the executable inside the framework first
-            execSync(`codesign --force --sign "${identity}" --entitlements "${entitlementsInherit}" --options runtime "${electronFrameworkExecutable}"`, {
+            // Sign the executable inside the framework first (no --options runtime for MAS)
+            execSync(`codesign --force --sign "${identity}" --entitlements "${entitlementsInherit}" "${electronFrameworkExecutable}"`, {
               stdio: 'inherit'
             });
             // Then sign the framework bundle
-            execSync(`codesign --force --sign "${identity}" --entitlements "${entitlementsInherit}" --options runtime "${electronFrameworkPath}"`, {
+            execSync(`codesign --force --sign "${identity}" --entitlements "${entitlementsInherit}" "${electronFrameworkPath}"`, {
               stdio: 'inherit'
             });
             console.log('✅ Re-signed Electron Framework (executable and bundle)');
           } else if (fs.existsSync(electronFrameworkPath)) {
             // Fallback: sign the framework bundle if executable path doesn't exist
-            execSync(`codesign --force --sign "${identity}" --entitlements "${entitlementsInherit}" --options runtime "${electronFrameworkPath}"`, {
+            execSync(`codesign --force --sign "${identity}" --entitlements "${entitlementsInherit}" "${electronFrameworkPath}"`, {
               stdio: 'inherit'
             });
             console.log('✅ Re-signed Electron Framework (bundle only)');
           }
 
-          // Sign main app bundle last
-          execSync(`codesign --force --sign "${identity}" --entitlements "${entitlements}" --options runtime "${appBundlePath}"`, {
+          // Sign main app bundle last (no --options runtime for MAS builds)
+          execSync(`codesign --force --sign "${identity}" --entitlements "${entitlements}" "${appBundlePath}"`, {
             stdio: 'inherit'
           });
           console.log('✅ App bundle re-signed successfully');