macOS
The top-level mac key contains set of options instructing electron-builder on how it should build macOS targets. These options applicable for any macOS target.
macOS Target Overview
electron-builder supports several macOS distribution formats. Choose based on your distribution channel:
| Target | Best For | Signed? | Notarized? |
|---|---|---|---|
dmg | Standard consumer distribution | Yes | Yes |
zip | Update servers (electron-updater), minimal package | Yes | Yes |
pkg | System-level installs, kernel extensions, launch daemons | Yes | Yes |
mas | Mac App Store distribution | Yes (Mac App Distribution) | No (MAS handles it) |
mas-dev | Local testing of MAS builds | Yes (Apple Development / Mac Developer) | No |
7z, tar.* | Archive formats, custom CDN distribution | Optional | Optional |
dir | Development/debugging — unpacked app | No | No |
The default targets are zip and dmg (both are required for Squirrel.Mac auto-update).
Bundle ID
The appId property sets the CFBundleIdentifier for your macOS app. This is a critical identifier — set it explicitly:
appId: "com.mycompany.myapp"
- Use reverse-DNS format:
com.yourcompany.appname - Must be unique in the Mac App Store if you intend to submit there
- Changing it after first release will break existing user data paths (NSUserDefaults, sandboxed containers, etc.)
Architecture Support
electron-builder supports building for multiple CPU architectures:
| Architecture | CLI Flag | Description |
|---|---|---|
x64 | --x64 | Intel 64-bit (traditional Mac) |
arm64 | --arm64 | Apple Silicon (M1, M2, M3, M4) |
universal | --universal | Fat binary containing both x64 and arm64 |
Universal Binaries
A universal binary runs natively on both Intel and Apple Silicon Macs with no performance penalty:
mac:
target:
- target: dmg
arch: universal
Universal binary options:
mergeASARs— merge x64 and arm64 ASAR archives into a single universal ASAR (trueby default). Disable only if you have architecture-specific native modules that cannot be fat-binary merged.singleArchFiles— glob pattern for files that are single-arch and should NOT be merged (e.g., pre-built native binaries distributed only for one arch).x64ArchFiles— glob pattern for files that are x64-only. These are kept as x64 in the universal binary rather than being fat-binary merged.
mac:
mergeASARs: true
singleArchFiles: "**/*.node" # keep native modules as separate arch files
Recommended: Build Per-Arch on Correct Hardware
While cross-compilation is possible, the most reliable approach is to build arm64 on Apple Silicon and x64 on Intel (or use a matrix in CI). Universal builds work best when both arches are produced natively and then merged.
Code Signing
macOS apps must be signed to avoid Gatekeeper warnings. See Code Signing for full setup.
Certificate Identity
Use the identity option to specify the signing certificate by name:
mac:
identity: "Developer ID Application: My Company (TEAM1234AB)"
Or use environment variables — the recommended approach for CI:
export CSC_LINK=/path/to/certificate.p12
export CSC_KEY_PASSWORD=yourpassword
Set identity: null to skip signing entirely. Set identity: "-" to use an ad-hoc signature (app will only run on the machine that built it).
If you disable code signing, you should also disable Hardened Runtime (hardenedRuntime: false), as the combination of no signing and enabled Hardened Runtime may prevent the app from launching.
Hardened Runtime
hardenedRuntime: true (the default) is required for notarization on macOS 10.15+. It restricts what the app can do — you may need entitlements to allow capabilities.
Entitlements
Entitlements are required when using Hardened Runtime and for notarization. Create build/entitlements.mac.plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<!-- Required for JIT compilation (e.g., V8 in Electron) -->
<key>com.apple.security.cs.allow-jit</key>
<true/>
<!-- Required for unsigned executable memory (some Electron internals) -->
<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
<true/>
<!-- Allow DYLD environment variables (debugging) — REMOVE for production -->
<!-- <key>com.apple.security.cs.allow-dyld-environment-variables</key> -->
<!-- <true/> -->
</dict>
</plist>
And build/entitlements.mac.inherit.plist for helper processes:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.cs.allow-jit</key>
<true/>
<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
<true/>
</dict>
</plist>
Common entitlements for Electron apps:
| Entitlement | When Needed |
|---|---|
com.apple.security.cs.allow-jit | Always — V8 requires JIT |
com.apple.security.cs.allow-unsigned-executable-memory | Some Electron internals |
com.apple.security.network.client | Outgoing network connections (sandboxed apps) |
com.apple.security.network.server | Listening for connections (sandboxed apps) |
com.apple.security.files.user-selected.read-write | Open/save panels (sandboxed apps) |
com.apple.security.device.camera | Camera access |
com.apple.security.device.microphone | Microphone access |
com.apple.security.app-sandbox | Required for Mac App Store — see MAS |
Notarization requires Hardened Runtime + appropriate entitlements. See Notarization for the complete notarization workflow.
Info.plist Customization
Inject arbitrary Info.plist keys using extendInfo:
mac:
extendInfo:
NSMicrophoneUsageDescription: "This app uses the microphone for..."
NSCameraUsageDescription: "This app uses the camera for..."
LSMultipleInstancesProhibited: true
CFBundleURLTypes:
- CFBundleURLSchemes:
- myapp
CFBundleURLName: "com.mycompany.myapp"
Helper Bundle IDs
Electron spawns several helper processes, each with its own bundle ID. electron-builder sets these automatically based on your appId, but you can override them:
| Option | Default | Process |
|---|---|---|
helperBundleId | ${appId}.helper | Generic helper |
helperRendererBundleId | ${appId}.helper.Renderer | Renderer process |
helperPluginBundleId | ${appId}.helper.Plugin | Plugin helper |
helperGPUBundleId | ${appId}.helper.GPU | GPU process |
helperEHBundleId | ${appId}.helper.EH | Exception handler |
helperNPBundleId | ${appId}.helper.NP | NP helper |
You only need to override these if you have a specific naming requirement (e.g., for provisioning profiles that enumerate each helper ID explicitly).
Other Common Options
Dark mode: Set darkModeSupport: true if your app supports the system dark mode. This adds the NSRequiresAquaSystemAppearance: false key to Info.plist.
Minimum system version: minimumSystemVersion sets the LSMinimumSystemVersion in Info.plist. Electron itself has a minimum macOS version requirement — don't set this lower than Electron's requirement.
Signing additional binaries: Use binaries to list paths to additional native binaries within your app bundle that need to be signed (e.g., embedded CLIs, helper tools).
mac:
binaries:
- Contents/MacOS/my-native-helper
- Contents/Frameworks/MyFramework.framework/Versions/A/MyFramework
Configuration
Interface: MacConfiguration
Extends
Extended by
Properties
additionalArguments?
readonlyoptionaladditionalArguments?:string[] |null
Array of strings specifying additional arguments to pass to the codesign command used to sign a specific file.
Some subresources that you may include in your Electron app may need to be signed with --deep, this is not typically safe to apply to the entire Electron app and therefore should be applied to just your file.
Usage Example: ['--deep']
appId?
readonlyoptionalappId?:string|null
The application id. Used as CFBundleIdentifier for MacOS and as Application User Model ID for Windows (NSIS target only, Squirrel.Windows not supported). It is strongly recommended that an explicit ID is set.
Default
com.electron.${name}
Inherited from
PlatformSpecificBuildOptions.appId
artifactName?
readonlyoptionalartifactName?:string|null
The artifact file name template. Defaults to ${productName}-${version}.${ext} (some target can have other defaults, see corresponding options).
Inherited from
PlatformSpecificBuildOptions.artifactName
asar?
readonlyoptionalasar?:boolean|AsarOptions|null
Whether to package the application's source code into an archive, using Electron's archive format.
Node modules, that must be unpacked, will be detected automatically, you don't need to explicitly set asarUnpack - please file an issue if this doesn't work.
Default
true
Inherited from
PlatformSpecificBuildOptions.asar
asarUnpack?
readonlyoptionalasarUnpack?:string|string[] |null
A glob patterns relative to the app directory, which specifies which files to unpack when creating the asar archive.
Inherited from
PlatformSpecificBuildOptions.asarUnpack
binaries?
readonlyoptionalbinaries?:string[] |null
Paths of any extra binaries that need to be signed.
bundleShortVersion?
readonlyoptionalbundleShortVersion?:string|null
The CFBundleShortVersionString. Do not use it unless you need to.
bundleVersion?
readonlyoptionalbundleVersion?:string|null
The CFBundleVersion. Do not use it unless you need to.
category?
readonlyoptionalcategory?:string|null
The application category type, as shown in the Finder via View -> Arrange by Application Category when viewing the Applications directory.
For example, "category": "public.app-category.developer-tools" will set the application category to Developer Tools.
Valid values are listed in Apple's documentation.
compression?
readonlyoptionalcompression?:CompressionLevel|null
The compression level. If you want to rapidly test build, store can reduce build time significantly. maximum doesn't lead to noticeable size difference, but increase build time.
Default
normal
Inherited from
PlatformSpecificBuildOptions.compression
darkModeSupport?
readonlyoptionaldarkModeSupport?:boolean
Whether a dark mode is supported. If your app does have a dark mode, you can make your app follow the system-wide dark mode setting.
Default
false
defaultArch?
readonlyoptionaldefaultArch?:string
The default architecture to build for when no --arch flag is specified.
Defaults to the current machine's architecture.
Inherited from
PlatformSpecificBuildOptions.defaultArch
detectUpdateChannel?
readonlyoptionaldetectUpdateChannel?:boolean
Whether to infer update channel from application version pre-release components. e.g. if version 0.12.1-alpha.1, channel will be set to alpha. Otherwise to latest.
This does not apply to github publishing, which will never auto-detect the update channel.
Default
true
Inherited from
PlatformSpecificBuildOptions.detectUpdateChannel
disableDefaultIgnoredFiles?
optionaldisableDefaultIgnoredFiles?:boolean|null
Whether to exclude all default ignored files(https://www.electron.build/contents#files) and options. Defaults to false.
Default
false
Inherited from
PlatformSpecificBuildOptions.disableDefaultIgnoredFiles
electronLanguages?
readonlyoptionalelectronLanguages?:string|string[]
The electron locales to keep. By default, all Electron locales used as-is.
Inherited from
PlatformSpecificBuildOptions.electronLanguages
electronUpdaterCompatibility?
readonlyoptionalelectronUpdaterCompatibility?:string|null
The electron-updater compatibility semver range.
Inherited from
PlatformSpecificBuildOptions.electronUpdaterCompatibility
entitlements?
readonlyoptionalentitlements?:string|null
The path to entitlements file for signing the app. build/entitlements.mac.plist will be used if exists (it is a recommended way to set).
MAS entitlements is specified in the mas.
See this folder in osx-sign's repository for examples.
Be aware that your app may crash if the right entitlements are not set like com.apple.security.cs.allow-jit for example on arm64 builds with Electron 20+.
See Signing and Notarizing macOS Builds from the Electron documentation for more information.
entitlementsInherit?
readonlyoptionalentitlementsInherit?:string|null
The path to child entitlements which inherit the security settings for signing frameworks and bundles of a distribution. build/entitlements.mac.inherit.plist will be used if exists (it is a recommended way to set).
See this folder in osx-sign's repository for examples.
This option only applies when signing with entitlements provided.
entitlementsLoginHelper?
readonlyoptionalentitlementsLoginHelper?:string|null
Path to login helper entitlement file.
When using App Sandbox, the the com.apple.security.inherit key that is normally in the inherited entitlements cannot be inherited since the login helper is a standalone executable.
Defaults to the value provided for entitlements. This option only applies when signing with entitlements provided.
executableName?
readonlyoptionalexecutableName?:string|null
The executable name. Defaults to productName
Note: Except for Linux, where this would constitute a breaking change in previous behavior and lead to both invalid executable names and Desktop files. Ref comments in: https://github.com/electron-userland/electron-builder/pull/9068
Inherited from
PlatformSpecificBuildOptions.executableName
extendInfo?
readonlyoptionalextendInfo?:any
The extra entries for Info.plist.
extraDistFiles?
readonlyoptionalextraDistFiles?:string|string[] |null
Extra files to put in archive. Not applicable for tar.*.
extraFiles?
optionalextraFiles?:string|FileSet| (string|FileSet)[] |null
The same as extraResources but copy into the app's content directory (Contents for MacOS, root directory for Linux and Windows).
Inherited from
PlatformSpecificBuildOptions.extraFiles
extraResources?
optionalextraResources?:string|FileSet| (string|FileSet)[] |null
A glob patterns relative to the project directory, when specified, copy the file or directory with matching names directly into the app's resources directory (Contents/Resources for MacOS, resources for Linux and Windows).
File patterns (and support for from and to fields) the same as for files.
Inherited from
PlatformSpecificBuildOptions.extraResources
fileAssociations?
readonlyoptionalfileAssociations?:FileAssociation|FileAssociation[]
The file associations.
Inherited from
PlatformSpecificBuildOptions.fileAssociations
files?
optionalfiles?:string|FileSet| (string|FileSet)[] |null
A glob patterns relative to the app directory, which specifies which files to include when copying files to create the package.
Defaults to:
[
"**/*",
"!**/node_modules/*/{CHANGELOG.md,README.md,README,readme.md,readme}",
"!**/node_modules/*/{test,__tests__,tests,powered-test,example,examples}",
"!**/node_modules/*.d.ts",
"!**/node_modules/.bin",
"!**/*.{iml,o,hprof,orig,pyc,pyo,rbc,swp,csproj,sln,xproj}",
"!.editorconfig",
"!**/._*",
"!**/{.DS_Store,.git,.hg,.svn,CVS,RCS,SCCS,.gitignore,.gitattributes}",
"!**/{__pycache__,thumbs.db,.flowconfig,.idea,.vs,.nyc_output}",
"!**/{appveyor.yml,.travis.yml,circle.yml}",
"!**/{npm-debug.log,yarn.lock,.yarn-integrity,.yarn-metadata.json}"
]
Development dependencies are never copied in any case. You don't need to ignore it explicitly. Hidden files are not ignored by default, but all files that should be ignored, are ignored by default.
Default pattern **/* is not added to your custom if some of your patterns is not ignore (i.e. not starts with !). package.json and **/node_modules/**/* (only production dependencies will be copied) is added to your custom in any case. All default ignores are added in any case — you don't need to repeat it if you configure own patterns.
May be specified in the platform options (e.g. in the mac).
You may also specify custom source and destination directories by using FileSet objects instead of simple glob patterns.
[
{
"from": "path/to/source",
"to": "path/to/destination",
"filter": ["**/*", "!foo/*.js"]
}
]
You can use file macros in the from and to fields as well. from and to can be files and you can use this to rename a file while packaging.
Inherited from
PlatformSpecificBuildOptions.files
forceCodeSigning?
readonlyoptionalforceCodeSigning?:boolean
Whether to fail if app will be not code signed.
Default
false
Inherited from
PlatformSpecificBuildOptions.forceCodeSigning
gatekeeperAssess?
readonlyoptionalgatekeeperAssess?:boolean
Whether to let @electron/osx-sign validate the signing or not.
Default
false
generateUpdatesFilesForAllChannels?
readonlyoptionalgenerateUpdatesFilesForAllChannels?:boolean
Please see Building and Releasing using Channels.
Default
false
Inherited from
PlatformSpecificBuildOptions.generateUpdatesFilesForAllChannels
hardenedRuntime?
readonlyoptionalhardenedRuntime?:boolean
Whether your app has to be signed with hardened runtime.
Default
true
helperBundleId?
readonlyoptionalhelperBundleId?:string|null
The bundle identifier to use in the application helper's plist.
Default
${appBundleIdentifier}.helper
helperEHBundleId?
readonlyoptionalhelperEHBundleId?:string|null
The bundle identifier to use in the EH helper's plist.
Default
${appBundleIdentifier}.helper.EH
helperGPUBundleId?
readonlyoptionalhelperGPUBundleId?:string|null
The bundle identifier to use in the GPU helper's plist.
Default
${appBundleIdentifier}.helper.GPU
helperNPBundleId?
readonlyoptionalhelperNPBundleId?:string|null
The bundle identifier to use in the NP helper's plist.
Default
${appBundleIdentifier}.helper.NP
helperPluginBundleId?
readonlyoptionalhelperPluginBundleId?:string|null
The bundle identifier to use in the Plugin helper's plist.
Default
${appBundleIdentifier}.helper.Plugin
helperRendererBundleId?
readonlyoptionalhelperRendererBundleId?:string|null
The bundle identifier to use in the Renderer helper's plist.
Default
${appBundleIdentifier}.helper.Renderer
icon?
readonlyoptionalicon?:string|null
The path to application icon.
Accepts .icns (legacy) or .icon (Icon Composer asset).
If a .icon asset is provided, it will be preferred and compiled to an asset catalog.
Default
build/icon.icns
Overrides
PlatformSpecificBuildOptions.icon
identity?
readonlyoptionalidentity?:string|null
The name of certificate to use when signing. Consider using environment variables CSC_LINK or CSC_NAME instead of specifying this option. MAS installer identity is specified in the mas.
Set to - to use an ad-hoc identity for signing. Set to null to skip signing entirely.
mergeASARs?
readonlyoptionalmergeASARs?:boolean
Whether to merge ASAR files for different architectures or not.
This option has no effect unless building for "universal" arch.
Default
true
minimumSystemVersion?
readonlyoptionalminimumSystemVersion?:string|null
The minimum version of macOS required for the app to run. Corresponds to LSMinimumSystemVersion.
notarize?
readonlyoptionalnotarize?:boolean
Whether to disable electron-builder's @electron/notarize integration.
Note: In order to activate the notarization step You MUST specify one of the following via environment variables:
APPLE_API_KEY,APPLE_API_KEY_IDandAPPLE_API_ISSUER.APPLE_ID,APPLE_APP_SPECIFIC_PASSWORD, andAPPLE_TEAM_IDAPPLE_KEYCHAINandAPPLE_KEYCHAIN_PROFILE
For security reasons it is recommended to use the first option (see https://github.com/electron-userland/electron-builder/issues/7859)
preAutoEntitlements?
readonlyoptionalpreAutoEntitlements?:boolean
Whether to enable entitlements automation from @electron/osx-sign.
Default
true
protocols?
The URL protocol schemes.
Inherited from
PlatformSpecificBuildOptions.protocols
provisioningProfile?
readonlyoptionalprovisioningProfile?:string|null
The path to the provisioning profile to use when signing, absolute or relative to the app root.
publish?
optionalpublish?:Publish
Publisher configuration. See Auto Update for more information.
Inherited from
PlatformSpecificBuildOptions.publish
releaseInfo?
readonlyoptionalreleaseInfo?:ReleaseInfo
The release info. Intended for command line usage:
-c.releaseInfo.releaseNotes="new features"
Inherited from
PlatformSpecificBuildOptions.releaseInfo
requirements?
readonlyoptionalrequirements?:string|null
Path of requirements file used in signing. Not applicable for MAS.
sign?
readonlyoptionalsign?:string|CustomMacSign|null
The custom function (or path to file or module id) to sign an app bundle.
signIgnore?
readonlyoptionalsignIgnore?:string|string[] |null
Regex or an array of regex's that signal skipping signing a file.
singleArchFiles?
readonlyoptionalsingleArchFiles?:string|null
Minimatch pattern of paths that are allowed to be present in one of the ASAR files, but not in the other.
This option has no effect unless building for "universal" arch and applies
only if mergeASARs is true.
strictVerify?
readonlyoptionalstrictVerify?:boolean
Whether to let @electron/osx-sign verify the contents or not.
Default
true
target?
readonlyoptionaltarget?:TargetConfiguration|MacOsTargetName| TargetConfiguration | MacOsTargetName[] |null
The target package type: list of default, dmg, mas, mas-dev, pkg, 7z, zip, tar.xz, tar.lz, tar.gz, tar.bz2, dir.
Note: Squirrel.Mac auto update mechanism requires both dmg and zip to be enabled, even when only dmg is used. Disabling zip will break auto update in dmg packages.
Default
default (dmg and zip for Squirrel.Mac)
Overrides
PlatformSpecificBuildOptions.target
timestamp?
readonlyoptionaltimestamp?:string|null
Specify the URL of the timestamp authority server
type?
readonlyoptionaltype?:"distribution"|"development"|null
Whether to sign app for development or for distribution.
Default
distribution
x64ArchFiles?
readonlyoptionalx64ArchFiles?:string|null
Minimatch pattern of paths that are allowed to be x64 binaries in both ASAR files
This option has no effect unless building for "universal" arch and applies
only if mergeASARs is true.