main executable failed strict validation when signing binary on macOS

FWIW I’ve tried all of them and none of them generate executables that can be signed. I’m skipping the middle man now and just building Node from source (which is what all of these npm packages do), using webpack to compile my app to a single file and dropping it in lib/_third_party_main.js (there are a few C++/JS changes required). Anyway, now I can create an executable that can be properly signed and can add the executable to a .pkg installer and notarize.

Here’s my fork of Node that I’m using.

Like I said, I copy the file generated by webpack to lib/_third_party_main.js and run the following from the node source root:

mkargs=("-j4")
cpu_count=`sysctl hw.physicalcpu | grep -Eo '[0-9]'`

if [ "$cpu_count" -gt "4" ]; then
  mkargs=("-j8")
fi

configure_args=("--without-npm" "--without-inspector")
./configure "${configure_args[@]}" && make "${mkargs[@]}" > /dev/null

Which produces out/Release/node. That file is then moved to my-executable-name for signing. You will also need an entitlements.xml file so you can use the hardened runtime option, here’s mine:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
  </dict>
</plist>

Here is my codesign command:

codesign \
  --options runtime \
  --entitlements "$START/entitlements.xml" \
  --timestamp \
  --keychain "$KEYCHAIN" \
  --sign "$APP_CERT_NAME" \
  --force \
  --verbose \
  $out_exe

Nearly two years on from when this issue was first logged, I’m wondering can someone tell us please if there is any progress on this code signing issue with PKG? (I’m getting the same “main executable failed strict validation” issue.)

It’s not an option for us to distribute and install pkg components on client machines without having them code signed, which effectively renders PKG useless for our needs, as far as I can tell.

Is there a valid workaround for this issue? The suggestion by @gimdongwoo to change the extension allows you to code sign an app containing PKG components, but because they’re renamed, they can’t be executed as far as I can tell, as they’re no longer regarded as Unix executables but as documents (which presumably is why they’re now passing validation as the validation rules are different for documents vs executables?).

Is there a way to rename a pkg package and still execute it? In our case, our pkg components are installed inside the application package contents (i.e. show package contents, then within contents\services\<pkg packages here>) so we can’t rename those back to remove the extension after installing. Note that trying to execute them after renaming to include an extension pops up a mac dialogue saying there’s nothing associated with that extension, as the system thinks they’re ‘documents’ rather than an executables.

So, can you at least tell us please if a viable fix is going to be released soon? Or is this an issue that can’t or won’t be fixed, in which case our only option is to look for an alternative packaging system for our node components?